Delegated Grants
Delegated Grants
List delegated grants
Get delegated grant
Update delegated grant
Delete delegated grant
ModelsExpand Collapse
Grant = object { id, created_at, expires_at, 14 more } User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.
User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.
Unique identifier of the delegated grant
Entity creation timestamp
Date when grant expires
Organization that owns this grant
ID of the provider that issued this grant
Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.
ID of resource receiving grant
Granted OAuth scopes
status: "active" or "expired" or "revoked"
Entity update timestamp
Reference to the user granting permission
Zone this grant belongs to
Whether the grant is currently active (deprecated - use status instead)
A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
Unique identifier of the provider
Entity creation timestamp
User specified identifier, unique within the zone
Human-readable name
Organization that owns this provider
owner_type: "platform" or "customer"Who owns this provider. Platform-owned providers cannot be modified via API.
Who owns this provider. Platform-owned providers cannot be modified via API.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this provider belongs to
OAuth 2.0 client identifier
Indicates whether a client secret is configured
Human-readable description
Provider metadata
protocols: optional object { oauth2, openid } Protocol-specific configuration
Protocol-specific configuration
oauth2: optional object { issuer, authorization_endpoint, authorization_parameters, 10 more } OAuth 2.0 protocol configuration
OAuth 2.0 protocol configuration
OIDC issuer URL used for discovery and token validation.
Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).
Whether to include the resource parameter in authorization requests.
The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.
The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".
The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".
Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".
openid: optional object { scopes, user_identifier_claim, userinfo_endpoint } OpenID Connect protocol configuration
OpenID Connect protocol configuration
Additional OIDC scopes to request from this provider during authentication (e.g. "groups"). Merged with the default scopes (openid, profile, email).
Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.
type: optional "external" or "keycard-vault" or "keycard-sts"
Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.
A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.
A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.
Unique identifier of the resource
application_type: "native" or "web"The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.
The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.
Entity creation timestamp
User specified identifier, unique within the zone
Human-readable name
Organization that owns this resource
owner_type: "platform" or "customer"Who owns this resource. Platform-owned resources cannot be modified via API.
Who owns this resource. Platform-owned resources cannot be modified via API.
When true, the resource identifier is treated as a URI prefix, protecting all URLs that share the identifier as a prefix at path/query/fragment boundaries. Protocol and hostname must match exactly. When multiple prefix resources satisfy an identifier query, the resource with the longest prefix is matched.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this resource belongs to
An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
Unique identifier of the application
consent: "implicit" or "required"Consent mode for the application. 'implicit' means consent is automatically granted, 'required' means explicit user consent is needed.
Consent mode for the application. 'implicit' means consent is automatically granted, 'required' means explicit user consent is needed.
Entity creation timestamp
Number of resource dependencies
User specified identifier, unique within the zone
Human-readable name
Organization that owns this application
owner_type: "platform" or "customer"Who owns this application. Platform-owned applications cannot be modified via API.
Who owns this application. Platform-owned applications cannot be modified via API.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this application belongs to
Human-readable description
Entity metadata
Entity metadata
Documentation URL
protocols: optional object { oauth2 } Protocol-specific configuration
Protocol-specific configuration
oauth2: optional object { post_logout_redirect_uris, redirect_uris } OAuth 2.0 protocol configuration
OAuth 2.0 protocol configuration
OAuth 2.0 post-logout redirect URIs for this application
OAuth 2.0 redirect URIs for this application
ID of the application that provides this resource
Credential lifetime override in seconds. When set, overrides the default credential lifetime for this resource. When absent, the default from the provider or zone is used.
A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.
Unique identifier of the provider
Entity creation timestamp
User specified identifier, unique within the zone
Human-readable name
Organization that owns this provider
owner_type: "platform" or "customer"Who owns this provider. Platform-owned providers cannot be modified via API.
Who owns this provider. Platform-owned providers cannot be modified via API.
URL-safe identifier, unique within the zone
Entity update timestamp
Zone this provider belongs to
OAuth 2.0 client identifier
Indicates whether a client secret is configured
Human-readable description
Provider metadata
protocols: optional object { oauth2, openid } Protocol-specific configuration
Protocol-specific configuration
oauth2: optional object { issuer, authorization_endpoint, authorization_parameters, 10 more } OAuth 2.0 protocol configuration
OAuth 2.0 protocol configuration
OIDC issuer URL used for discovery and token validation.
Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).
Whether to include the resource parameter in authorization requests.
The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.
The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".
The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".
Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".
openid: optional object { scopes, user_identifier_claim, userinfo_endpoint } OpenID Connect protocol configuration
OpenID Connect protocol configuration
Additional OIDC scopes to request from this provider during authentication (e.g. "groups"). Merged with the default scopes (openid, profile, email).
Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.
type: optional "external" or "keycard-vault" or "keycard-sts"
ID of the credential provider for this resource
Human-readable description
Entity metadata
Entity metadata
Documentation URL
Scopes supported by the resource
List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.
An authenticated user entity
An authenticated user entity
Unique identifier of the user
Entity creation timestamp
Email address of the user
Whether the email address has been verified
Zone-scoped user identifier. Defaults to the user's Keycard ID. When the provider has user_identifier_claim configured, the value is set from that claim at user creation time.
Organization that owns this user
status: "active" or "disabled"Status of the user. Disabled users cannot authenticate.
Status of the user. Disabled users cannot authenticate.
Entity update timestamp
Zone this user belongs to
Date when the user was last authenticated
Delegated-grant count for this user. Populated only when expand[]=grant_count is set on the listing endpoint.
Issuer identifier of the identity provider
Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.
role_assignments: optional array of object { role_id, role_identifier, scope } Role grants for this user within the zone. Populated only when expand[]=role-assignments is set on the listing endpoint.
Role grants for this user within the zone. Populated only when expand[]=role-assignments is set on the listing endpoint.
ID of the assigned role
Opaque role identifier. Treated as an opaque identifier by the API and unique within a zone.
scope: object { id, type } The resource this grant is scoped to, or null when the grant is unscoped (applies to the owning zone itself).
The resource this grant is scoped to, or null when the grant is unscoped (applies to the owning zone itself).
The ID of the scoped resource.
The kind of resource this grant is scoped to (e.g. zone).
Session count for this user. Populated only when expand[]=session_count is set on the listing endpoint.
Subject identifier from the identity provider