API Reference

Update delegated grant

PATCH /zones/{zoneId}/delegated-grants/{id}

Revokes an active delegated grant

Path Parameters
zoneId: string
id: string
Body Parameters (JSON)
status: "revoked"
Returns
Grant = object { id, created_at, expires_at, 14 more }

User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.

id: string

Unique identifier of the delegated grant

created_at: string

Entity creation timestamp

format: date-time
expires_at: string

Date when grant expires

format: date-time
organization_id: string

Organization that owns this grant

provider_id: string

ID of the provider that issued this grant

refresh_token_set: boolean

Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

resource_id: string

ID of resource receiving grant

scopes: array of string

Granted OAuth scopes

status: "active" or "expired" or "revoked"
Accepts one of the following:
"active"
"expired"
"revoked"
updated_at: string

Entity update timestamp

format: date-time
user_id: string

Reference to the user granting permission

zone_id: string

Zone this grant belongs to

active: optional boolean (deprecated)

Whether the grant is currently active (deprecated - use status instead)

provider: optional Provider { id, created_at, identifier, 12 more } (deprecated)

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this provider

owner_type: "platform" or "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this provider belongs to

client_id: optional string

OAuth 2.0 client identifier

client_secret_set: optional boolean

Indicates whether a client secret is configured

description: optional string

Human-readable description

maxLength: 2048
metadata: optional unknown

Provider metadata

protocols: optional object { oauth2, openid }

Protocol-specific configuration

oauth2: optional object { issuer, authorization_endpoint, authorization_parameters, 10 more }

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

format: uri
authorization_endpoint: optional string
format: uri
authorization_parameters: optional map[string]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: optional boolean

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: optional string

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: optional array of string
jwks_uri: optional string
format: uri
registration_endpoint: optional string
format: uri
scope_parameter: optional string

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: optional string

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: optional array of string
token_endpoint: optional string
format: uri
token_response_access_token_pointer: optional string

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: optional object { userinfo_endpoint }

OpenID Connect protocol configuration

userinfo_endpoint: optional string
format: uri
type: optional "external" or "keycard-vault" or "keycard-sts"
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
refreshed_at: optional string

Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

format: date-time
resource: optional Resource { id, application_type, created_at, 15 more } (deprecated)

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

id: string

Unique identifier of the resource

application_type: "native" or "web"

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:
"native"
"web"
created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this resource

owner_type: "platform" or "customer"

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this resource belongs to

application: optional Application { id, created_at, dependencies_count, 10 more } (deprecated)

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: string

Unique identifier of the application

created_at: string

Entity creation timestamp

format: date-time
dependencies_count: number

Number of resource dependencies

identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this application

owner_type: "platform" or "customer"

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this application belongs to

description: optional string

Human-readable description

maxLength: 2048
metadata: optional Metadata { docs_url }

Entity metadata

docs_url: optional string

Documentation URL

format: uri
maxLength: 2048
protocols: optional object { oauth2 }

Protocol-specific configuration

oauth2: optional object { post_logout_redirect_uris, redirect_uris }

OAuth 2.0 protocol configuration

post_logout_redirect_uris: optional array of string

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris: optional array of string

OAuth 2.0 redirect URIs for this application

application_id: optional string

ID of the application that provides this resource

credential_provider: optional Provider { id, created_at, identifier, 12 more } (deprecated)

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this provider

owner_type: "platform" or "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this provider belongs to

client_id: optional string

OAuth 2.0 client identifier

client_secret_set: optional boolean

Indicates whether a client secret is configured

description: optional string

Human-readable description

maxLength: 2048
metadata: optional unknown

Provider metadata

protocols: optional object { oauth2, openid }

Protocol-specific configuration

oauth2: optional object { issuer, authorization_endpoint, authorization_parameters, 10 more }

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

format: uri
authorization_endpoint: optional string
format: uri
authorization_parameters: optional map[string]

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled: optional boolean

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter: optional string

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported: optional array of string
jwks_uri: optional string
format: uri
registration_endpoint: optional string
format: uri
scope_parameter: optional string

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator: optional string

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported: optional array of string
token_endpoint: optional string
format: uri
token_response_access_token_pointer: optional string

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid: optional object { userinfo_endpoint }

OpenID Connect protocol configuration

userinfo_endpoint: optional string
format: uri
type: optional "external" or "keycard-vault" or "keycard-sts"
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
credential_provider_id: optional string

ID of the credential provider for this resource

description: optional string

Human-readable description

maxLength: 2048
metadata: optional Metadata { docs_url }

Entity metadata

docs_url: optional string

Documentation URL

format: uri
maxLength: 2048
scopes: optional array of string

Scopes supported by the resource

when_accessing: optional array of string

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

user: optional User { id, created_at, email, 8 more } (deprecated)

An authenticated user entity

id: string

Unique identifier of the user

created_at: string

Entity creation timestamp

format: date-time
email: string

Email address of the user

format: email
email_verified: boolean

Whether the email address has been verified

organization_id: string

Organization that owns this user

updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this user belongs to

authenticated_at: optional string

Date when the user was last authenticated

issuer: optional string

Issuer identifier of the identity provider

provider_id: optional string

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

subject: optional string

Subject identifier from the identity provider

Update delegated grant

curl https://api.keycard.ai/zones/$ZONE_ID/delegated-grants/$ID \
    -X PATCH \
    -H 'Content-Type: application/json' \
    -d '{
          "status": "revoked"
        }'
Returns Examples
{
  "id": "id",
  "created_at": "2019-12-27T18:11:19.117Z",
  "expires_at": "2019-12-27T18:11:19.117Z",
  "organization_id": "organization_id",
  "provider_id": "provider_id",
  "refresh_token_set": true,
  "resource_id": "resource_id",
  "scopes": [
    "string"
  ],
  "status": "active",
  "updated_at": "2019-12-27T18:11:19.117Z",
  "user_id": "user_id",
  "zone_id": "zone_id",
  "active": true,
  "provider": {
    "id": "id",
    "created_at": "2019-12-27T18:11:19.117Z",
    "identifier": "x",
    "name": "x",
    "organization_id": "organization_id",
    "owner_type": "platform",
    "slug": "slug",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "client_id": "client_id",
    "client_secret_set": true,
    "description": "description",
    "metadata": {},
    "protocols": {
      "oauth2": {
        "issuer": "https://example.com",
        "authorization_endpoint": "https://example.com",
        "authorization_parameters": {
          "foo": "string"
        },
        "authorization_resource_enabled": true,
        "authorization_resource_parameter": "authorization_resource_parameter",
        "code_challenge_methods_supported": [
          "string"
        ],
        "jwks_uri": "https://example.com",
        "registration_endpoint": "https://example.com",
        "scope_parameter": "scope_parameter",
        "scope_separator": "scope_separator",
        "scopes_supported": [
          "string"
        ],
        "token_endpoint": "https://example.com",
        "token_response_access_token_pointer": "token_response_access_token_pointer"
      },
      "openid": {
        "userinfo_endpoint": "https://example.com"
      }
    },
    "type": "external"
  },
  "refreshed_at": "2019-12-27T18:11:19.117Z",
  "resource": {
    "id": "id",
    "application_type": "native",
    "created_at": "2019-12-27T18:11:19.117Z",
    "identifier": "x",
    "name": "x",
    "organization_id": "organization_id",
    "owner_type": "platform",
    "slug": "slug",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "application": {
      "id": "id",
      "created_at": "2019-12-27T18:11:19.117Z",
      "dependencies_count": 0,
      "identifier": "x",
      "name": "x",
      "organization_id": "organization_id",
      "owner_type": "platform",
      "slug": "slug",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "zone_id": "zone_id",
      "description": "description",
      "metadata": {
        "docs_url": "https://example.com"
      },
      "protocols": {
        "oauth2": {
          "post_logout_redirect_uris": [
            "https://example.com"
          ],
          "redirect_uris": [
            "https://example.com"
          ]
        }
      }
    },
    "application_id": "application_id",
    "credential_provider": {
      "id": "id",
      "created_at": "2019-12-27T18:11:19.117Z",
      "identifier": "x",
      "name": "x",
      "organization_id": "organization_id",
      "owner_type": "platform",
      "slug": "slug",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "zone_id": "zone_id",
      "client_id": "client_id",
      "client_secret_set": true,
      "description": "description",
      "metadata": {},
      "protocols": {
        "oauth2": {
          "issuer": "https://example.com",
          "authorization_endpoint": "https://example.com",
          "authorization_parameters": {
            "foo": "string"
          },
          "authorization_resource_enabled": true,
          "authorization_resource_parameter": "authorization_resource_parameter",
          "code_challenge_methods_supported": [
            "string"
          ],
          "jwks_uri": "https://example.com",
          "registration_endpoint": "https://example.com",
          "scope_parameter": "scope_parameter",
          "scope_separator": "scope_separator",
          "scopes_supported": [
            "string"
          ],
          "token_endpoint": "https://example.com",
          "token_response_access_token_pointer": "token_response_access_token_pointer"
        },
        "openid": {
          "userinfo_endpoint": "https://example.com"
        }
      },
      "type": "external"
    },
    "credential_provider_id": "credential_provider_id",
    "description": "description",
    "metadata": {
      "docs_url": "https://example.com"
    },
    "scopes": [
      "string"
    ],
    "when_accessing": [
      "string"
    ]
  },
  "user": {
    "id": "id",
    "created_at": "2019-12-27T18:11:19.117Z",
    "email": "dev@stainless.com",
    "email_verified": true,
    "organization_id": "organization_id",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "authenticated_at": "authenticated_at",
    "issuer": "issuer",
    "provider_id": "provider_id",
    "subject": "subject"
  }
}
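
A client-side wrapper around the revocation call above, as an added example that is not part of the Keycard documentation: it builds the PATCH request with encoded path parameters, checks that the returned Grant reports status "revoked", and orders a user's active grants so those with a stored refresh token are revoked first. The helper names and sample grants are constructed for illustration; sending the request with whatever credentials your deployment requires is left to the caller.

```python
import json
from urllib.parse import quote

API_BASE = "https://api.keycard.ai"  # host from the page's curl example


def _segment(value):
    """Percent-encode one path parameter so it stays a single URL segment."""
    if not value or value in (".", ".."):
        raise ValueError("invalid path parameter: {!r}".format(value))
    return quote(value, safe="")  # "/" becomes %2F


def build_revoke_request(zone_id, grant_id):
    """Return (method, url, body) for revoking one delegated grant."""
    url = "{}/zones/{}/delegated-grants/{}".format(
        API_BASE, _segment(zone_id), _segment(grant_id))
    return "PATCH", url, json.dumps({"status": "revoked"})


def check_revocation(grant, zone_id, grant_id):
    """Return problems found in the Grant returned by the PATCH ([] = confirmed)."""
    problems = []
    if grant.get("id") != grant_id or grant.get("zone_id") != zone_id:
        problems.append("response describes a different grant or zone")
    status = grant.get("status")
    if status != "revoked":
        problems.append("status is {!r}, expected 'revoked'".format(status))
    elif grant.get("active") is True:
        # 'active' is deprecated in favour of 'status'; used only as a cross-check.
        problems.append("deprecated 'active' is still true")
    return problems


def grants_to_revoke(grants, user_id):
    """Pick a user's active grants, those with a stored refresh token first."""
    live = [g for g in grants
            if g.get("user_id") == user_id and g.get("status") == "active"]
    # Grants with refresh tokens can be refreshed even after access token
    # expiration, so they are placed at the front of the queue.
    return sorted(live, key=lambda g: not g.get("refresh_token_set", False))


# Constructed sample grants, not real API output.
SAMPLE_GRANTS = [
    {"id": "g1", "zone_id": "z1", "user_id": "u1", "status": "active",
     "refresh_token_set": False},
    {"id": "g2", "zone_id": "z1", "user_id": "u1", "status": "active",
     "refresh_token_set": True},
    {"id": "g3", "zone_id": "z1", "user_id": "u1", "status": "expired",
     "refresh_token_set": True},
    {"id": "g4", "zone_id": "z1", "user_id": "u2", "status": "active",
     "refresh_token_set": True},
]

if __name__ == "__main__":
    for g in grants_to_revoke(SAMPLE_GRANTS, "u1"):
        print(build_revoke_request(g["zone_id"], g["id"])[1])
    confirmed = dict(SAMPLE_GRANTS[1], status="revoked", active=False)
    print(check_revocation(confirmed, "z1", "g2"))
```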