API Reference

Zones

List zones
client.zones.list(query?: ZoneListParams { after, before, cursor, 3 more }, options?: RequestOptions): ZoneListResponse { items, page_info, pagination }
GET /zones
Create zone
client.zones.create(body: ZoneCreateParams { name, default_mcp_gateway_application, description, 4 more }, options?: RequestOptions): Zone { id, created_at, name, 12 more }
POST /zones
Get zone
client.zones.retrieve(zoneID: string, query?: ZoneRetrieveParams { expand }, options?: RequestOptions): Zone { id, created_at, name, 12 more }
GET /zones/{zoneId}
Update zone
client.zones.update(zoneID: string, body?: ZoneUpdateParams { default_mcp_gateway_application_id, default_resource_id, description, 6 more }, options?: RequestOptions): Zone { id, created_at, name, 12 more }
PATCH /zones/{zoneId}
Delete zone
client.zones.delete(zoneID: string, options?: RequestOptions): void
DELETE /zones/{zoneId}
Models
EncryptionKeyAwsKmsConfig { arn, type }

AWS KMS configuration for zone encryption. When not specified, the default Keycard Cloud encryption key will be used.

arn: string

AWS KMS Key ARN for encrypting the zone's data

minLength: 1
type: "aws"
PageInfoPagination { has_next_page, has_previous_page, end_cursor, start_cursor }

Pagination information

has_next_page: boolean

Whether there are more items after the current page

has_previous_page: boolean

Whether there are items before the current page

end_cursor?: string | null

Cursor pointing to the last item in the current page

start_cursor?: string | null

Cursor pointing to the first item in the current page

Zone { id, created_at, name, 12 more }

A zone for organizing resources within an organization

id: string

Unique identifier of the zone

created_at: string

Entity creation timestamp

format: date-time
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this zone

protocols: Protocols { oauth2, openid }

Protocol configuration for a zone

oauth2: Oauth2 { authorization_endpoint, authorization_server_metadata, dcr_enabled, 6 more }

OAuth 2.0 protocol configuration for a zone

authorization_endpoint: string

OAuth 2.0 authorization endpoint

format: uri
authorization_server_metadata: string

OAuth 2.0 Authorization Server Metadata endpoint (.well-known/oauth-authorization-server)

format: uri
dcr_enabled: boolean

Whether Dynamic Client Registration is enabled

issuer: string

OAuth 2.0 issuer identifier

format: uri
jwks_uri: string

JSON Web Key Set endpoint

format: uri
pkce_required: boolean

Whether PKCE is required for authorization code flows

redirect_uri: string

OAuth 2.0 redirect URI for this zone

format: uri
registration_endpoint: string

OAuth 2.0 Dynamic Client Registration endpoint

format: uri
token_endpoint: string

OAuth 2.0 token endpoint

format: uri
openid: Openid { provider_configuration, userinfo_endpoint }

OpenID Connect protocol configuration for a zone

provider_configuration: string

OpenID Connect Provider Configuration endpoint (.well-known/openid-configuration)

format: uri
userinfo_endpoint: string

OpenID Connect UserInfo endpoint

format: uri
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
default_mcp_gateway_application_id?: string

Application ID configured as the default MCP Gateway for the zone

default_resource_id?: string

Resource ID configured as the default resource for the zone

description?: string | null

Human-readable description

maxLength: 2048
encryption_key?: EncryptionKeyAwsKmsConfig { arn, type }

AWS KMS configuration for zone encryption. When not specified, the default Keycard Cloud encryption key will be used.

arn: string

AWS KMS Key ARN for encrypting the zone's data

minLength: 1
type: "aws"
login_flow?: "default" | "identifier_first"

Login flow style for the zone. 'default' uses standard authentication, 'identifier_first' uses identifier-based provider routing.

Accepts one of the following:
"default"
"identifier_first"
permissions?: Record<string, Record<string, boolean>>

Permissions granted to the authenticated principal. Only populated when expand[]=permissions query parameter is provided. Keys are resource types, values are objects mapping action names to boolean values.

requires_invitation?: boolean

Whether the zone requires an invitation for email/password registration; only applies when user_identity_provider_id is not set

user_identity_provider_id?: string

Provider ID configured for user login

Zones / Applications

List applications
client.zones.applications.list(zoneID: string, query?: ApplicationListParams { after, before, cursor, 6 more }, options?: RequestOptions): ApplicationListResponse { items, page_info, pagination }
GET /zones/{zoneId}/applications
Create application
client.zones.applications.create(zoneID: string, body: ApplicationCreateParams { identifier, name, dependencies, 3 more }, options?: RequestOptions): Application { id, created_at, dependencies_count, 10 more }
POST /zones/{zoneId}/applications
Get application
client.zones.applications.retrieve(id: string, params: ApplicationRetrieveParams { zoneId }, options?: RequestOptions): Application { id, created_at, dependencies_count, 10 more }
GET /zones/{zoneId}/applications/{id}
Update application
client.zones.applications.update(id: string, params: ApplicationUpdateParams { zoneId, description, identifier, 3 more }, options?: RequestOptions): Application { id, created_at, dependencies_count, 10 more }
PATCH /zones/{zoneId}/applications/{id}
Delete application
client.zones.applications.delete(id: string, params: ApplicationDeleteParams { zoneId }, options?: RequestOptions): void
DELETE /zones/{zoneId}/applications/{id}
List application credentials
client.zones.applications.listCredentials(id: string, params: ApplicationListCredentialsParams { zoneId, after, before, 3 more }, options?: RequestOptions): ApplicationListCredentialsResponse { items, page_info, pagination }
GET /zones/{zoneId}/applications/{id}/application-credentials
List application resources
client.zones.applications.listResources(id: string, params: ApplicationListResourcesParams { zoneId, after, before, 3 more }, options?: RequestOptions): ApplicationListResourcesResponse { items, page_info, pagination }
GET /zones/{zoneId}/applications/{id}/resources
Models
Application { id, created_at, dependencies_count, 10 more }

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: string

Unique identifier of the application

created_at: string

Entity creation timestamp

format: date-time
dependencies_count: number

Number of resource dependencies

identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this application

owner_type: "platform" | "customer"

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this application belongs to

description?: string | null

Human-readable description

maxLength: 2048
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

format: uri
maxLength: 2048
protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

post_logout_redirect_uris?: Array<string> | null

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris?: Array<string> | null

OAuth 2.0 redirect URIs for this application

ApplicationTrait = "gateway" | "mcp-provider"

Traits ascribe behaviors and characteristics to an application, which may activate trait-specific user experiences, workflows, or other system behaviors

Accepts one of the following:
"gateway"
"mcp-provider"
Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

format: uri
maxLength: 2048
MetadataUpdate { docs_url }

Entity metadata (set to null or {} to remove metadata)

docs_url?: string | null

Documentation URL (set to null to unset)

format: uri
maxLength: 2048

Zones / Applications / Dependencies

List application dependencies
client.zones.applications.dependencies.list(id: string, params: DependencyListParams { zoneId, after, before, 4 more }, options?: RequestOptions): DependencyListResponse { items, page_info, pagination }
GET /zones/{zoneId}/applications/{id}/dependencies
Add application dependency
client.zones.applications.dependencies.add(dependencyID: string, params: DependencyAddParams { zoneId, id, when_accessing }, options?: RequestOptions): void
PUT /zones/{zoneId}/applications/{id}/dependencies/{dependencyId}
Remove application dependency
client.zones.applications.dependencies.remove(dependencyID: string, params: DependencyRemoveParams { zoneId, id }, options?: RequestOptions): void
DELETE /zones/{zoneId}/applications/{id}/dependencies/{dependencyId}
Get application dependency
client.zones.applications.dependencies.retrieve(dependencyID: string, params: DependencyRetrieveParams { zoneId, id }, options?: RequestOptions): Resource { id, application_type, created_at, 15 more }
GET /zones/{zoneId}/applications/{id}/dependencies/{dependencyId}
Models
Resource { id, application_type, created_at, 15 more }

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

id: string

Unique identifier of the resource

application_type: "native" | "web"

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:
"native"
"web"
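As an added example, not part of the Keycard reference or SDK, the redirect URI rules stated for application_type (and restated for the deprecated nested resource under Grant) can be checked client-side before a redirect_uris list is submitted. Treating 127.0.0.1 and [::1] as "localhost", and rejecting fragments, are this example's own choices; the reference only says "localhost URLs".

```typescript
// Added example (not Keycard SDK code): validate redirect_uris against the documented
// Resource.application_type rules. Helper names here are this example's own.

export type ApplicationType = "native" | "web";

export interface RedirectUriCheck {
  uri: string;
  ok: boolean;
  reason: string;
}

// Assumption: loopback literals are accepted alongside the literal "localhost".
// The reference only says "localhost URLs"; narrow this list to match your policy.
const LOCALHOST_HOSTS: string[] = ["localhost", "127.0.0.1", "[::1]"];

// Schemes that are not "custom" in the sense used by the application_type field.
const NON_CUSTOM_SCHEMES: string[] = ["http", "https", "file", "ftp", "data", "blob", "javascript", "about"];

export function checkRedirectUri(appType: ApplicationType, uri: string): RedirectUriCheck {
  let parsed: URL;
  try {
    parsed = new URL(uri);
  } catch {
    return { uri, ok: false, reason: "not an absolute URI" };
  }
  // Fragments carry nothing useful in a redirect target; rejecting them is this
  // example's own rule, not one stated in the reference.
  if (parsed.hash !== "") {
    return { uri, ok: false, reason: "fragment component not allowed" };
  }
  const scheme = parsed.protocol.slice(0, -1).toLowerCase();
  const isLocalhost = LOCALHOST_HOSTS.indexOf(parsed.hostname.toLowerCase()) !== -1;

  if (appType === "native") {
    // Native clients: localhost URLs, or URIs with custom schemes.
    if (scheme === "http" || scheme === "https") {
      return isLocalhost
        ? { uri, ok: true, reason: "localhost URL" }
        : { uri, ok: false, reason: "native clients may only use http(s) with a localhost host" };
    }
    if (NON_CUSTOM_SCHEMES.indexOf(scheme) !== -1) {
      return { uri, ok: false, reason: `scheme "${scheme}" is not a custom scheme` };
    }
    return { uri, ok: true, reason: "custom scheme" };
  }

  // Web clients: https only, and never localhost as the hostname.
  if (scheme !== "https") {
    return { uri, ok: false, reason: "web clients must use https" };
  }
  if (isLocalhost) {
    return { uri, ok: false, reason: "web clients must not use localhost as the hostname" };
  }
  return { uri, ok: true, reason: "https URL with a non-localhost host" };
}

// Returns only the failing entries; an empty array means the whole list may be submitted.
export function rejectedRedirectUris(appType: ApplicationType, uris: string[]): RedirectUriCheck[] {
  return uris.map((u) => checkRedirectUri(appType, u)).filter((c) => !c.ok);
}
```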
created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this resource

owner_type: "platform" | "customer"

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this resource belongs to

application? (deprecated): Application { id, created_at, dependencies_count, 10 more }

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: string

Unique identifier of the application

created_at: string

Entity creation timestamp

format: date-time
dependencies_count: number

Number of resource dependencies

identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this application

owner_type: "platform" | "customer"

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this application belongs to

description?: string | null

Human-readable description

maxLength: 2048
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

format: uri
maxLength: 2048
protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

post_logout_redirect_uris?: Array<string> | null

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris?: Array<string> | null

OAuth 2.0 redirect URIs for this application

application_id?: string

ID of the application that provides this resource

credential_provider? (deprecated): Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this provider

owner_type: "platform" | "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this provider belongs to

client_id?: string | null

OAuth 2.0 client identifier

client_secret_set?: boolean

Indicates whether a client secret is configured

description?: string | null

Human-readable description

maxLength: 2048
metadata?: unknown

Provider metadata

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

format: uri
authorization_endpoint?: string | null
format: uri
authorization_parameters?: Record<string, string> | null

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled?: boolean | null

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter?: string | null

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported?: Array<string> | null
jwks_uri?: string | null
format: uri
registration_endpoint?: string | null
format: uri
scope_parameter?: string | null

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator?: string | null

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported?: Array<string> | null
token_endpoint?: string | null
format: uri
token_response_access_token_pointer?: string | null

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid?: Openid | null

OpenID Connect protocol configuration

userinfo_endpoint?: string | null
format: uri
type?: "external" | "keycard-vault" | "keycard-sts"
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
credential_provider_id?: string

ID of the credential provider for this resource

description?: string | null

Human-readable description

maxLength: 2048
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

format: uri
maxLength: 2048
scopes?: Array<string> | null

Scopes supported by the resource

when_accessing?: Array<string>

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

Zones / Application Credentials

List application credentials
client.zones.applicationCredentials.list(zoneID: string, query?: ApplicationCredentialListParams { after, applicationId, before, 4 more }, options?: RequestOptions): ApplicationCredentialListResponse { items, page_info, pagination }
GET /zones/{zoneId}/application-credentials
Create application credential
client.zones.applicationCredentials.create(zoneID: string, body: ApplicationCredentialCreateParams, options?: RequestOptions): ApplicationCredentialCreateResponse
POST /zones/{zoneId}/application-credentials
Get application credential
client.zones.applicationCredentials.retrieve(id: string, params: ApplicationCredentialRetrieveParams { zoneId }, options?: RequestOptions): Credential
GET /zones/{zoneId}/application-credentials/{id}
Update application credential
client.zones.applicationCredentials.update(id: string, params: ApplicationCredentialUpdateParams, options?: RequestOptions): Credential
PATCH /zones/{zoneId}/application-credentials/{id}
Delete application credential
client.zones.applicationCredentials.delete(id: string, params: ApplicationCredentialDeleteParams { zoneId }, options?: RequestOptions): void
DELETE /zones/{zoneId}/application-credentials/{id}
Models
BaseFields { id, application_id, created_at, 5 more }

Common fields shared by all application credential types

id: string

Unique identifier of the credential

application_id: string

ID of the application this credential belongs to

created_at: string

Entity creation timestamp

format: date-time
organization_id: string

Organization that owns this credential

slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this credential belongs to

application? (deprecated): Application { id, created_at, dependencies_count, 10 more }

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: string

Unique identifier of the application

created_at: string

Entity creation timestamp

format: date-time
dependencies_count: number

Number of resource dependencies

identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this application

owner_type: "platform" | "customer"

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this application belongs to

description?: string | null

Human-readable description

maxLength: 2048
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

format: uri
maxLength: 2048
protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

post_logout_redirect_uris?: Array<string> | null

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris?: Array<string> | null

OAuth 2.0 redirect URIs for this application

Credential = Token { identifier, provider_id, type, 2 more } | Password { identifier, type, password } | PublicKey { identifier, jwks_uri, type } | 2 more

Credentials for accessing external services from applications

Accepts one of the following:
Token extends BaseFields { id, application_id, created_at, 5 more } { identifier, provider_id, type, 2 more }

Token-based application credential

identifier: string

Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

provider_id: string

ID of the provider issuing tokens verified by this credential

type: "token"
provider? (deprecated): Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this provider

owner_type: "platform" | "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this provider belongs to

client_id?: string | null

OAuth 2.0 client identifier

client_secret_set?: boolean

Indicates whether a client secret is configured

description?: string | null

Human-readable description

maxLength: 2048
metadata?: unknown

Provider metadata

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

format: uri
authorization_endpoint?: string | null
format: uri
authorization_parameters?: Record<string, string> | null

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled?: boolean | null

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter?: string | null

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported?: Array<string> | null
jwks_uri?: string | null
format: uri
registration_endpoint?: string | null
format: uri
scope_parameter?: string | null

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator?: string | null

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported?: Array<string> | null
token_endpoint?: string | null
format: uri
token_response_access_token_pointer?: string | null

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid?: Openid | null

OpenID Connect protocol configuration

userinfo_endpoint?: string | null
format: uri
type?: "external" | "keycard-vault" | "keycard-sts"
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
subject?: string | null

Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

Password extends BaseFields { id, application_id, created_at, 5 more } { identifier, type, password }

Password-based application credential

identifier: string

Username for password credential, also used as OAuth 2.0 client ID

type: "password"
password?: string

Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

PublicKey extends BaseFields { id, application_id, created_at, 5 more } { identifier, jwks_uri, type }

Public key-based application credential

identifier: string

Client ID for public key credential, also used as OAuth 2.0 client ID

jwks_uri: string

JWKS URI to retrieve public keys from

format: uri
type: "public-key"
URL extends BaseFields { id, application_id, created_at, 5 more } { identifier, type }

URL-based application credential

identifier: string

URL of the credential (must be a valid URL)

format: uri
type: "url"
Public extends BaseFields { id, application_id, created_at, 5 more } { identifier, type }

Public credential (no secret storage)

identifier: string

Identifier for public credential, also used as OAuth 2.0 client ID

type: "public"
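The Credential union above is discriminated by type, and two of its descriptions carry a security consequence worth checking in bulk: a Token credential with a null or omitted subject (identifier '*') accepts any token from the provider without checking application-specific claims, and a Password credential's password is only returned on creation. The audit below is an added example, not Keycard SDK code; its Credential type is a reconstruction of only the documented fields it uses, the sample data is constructed, and the https check on jwks_uri is this example's own rule rather than one from the reference.

```typescript
// Added example (not Keycard SDK code): audit listed application credentials for the
// weak-binding cases the field descriptions call out. Types are a documented-field subset.

export interface CredentialBase {
  id: string;
  application_id: string;
  zone_id: string;
}

export type Credential =
  | (CredentialBase & { type: "token"; identifier: string; provider_id: string; subject?: string | null })
  | (CredentialBase & { type: "password"; identifier: string; password?: string })
  | (CredentialBase & { type: "public-key"; identifier: string; jwks_uri: string })
  | (CredentialBase & { type: "url"; identifier: string })
  | (CredentialBase & { type: "public"; identifier: string });

export interface Finding {
  credential_id: string;
  severity: "info" | "warn";
  message: string;
}

export function auditCredential(c: Credential): Finding[] {
  const findings: Finding[] = [];
  switch (c.type) {
    case "token":
      // Documented behaviour: null/omitted subject (identifier '*') accepts any token
      // from the provider without checking application-specific claims.
      if (c.subject === null || c.subject === undefined || c.identifier === "*") {
        findings.push({
          credential_id: c.id,
          severity: "warn",
          message: `accepts any token from provider ${c.provider_id}: no subject binding`,
        });
      }
      break;
    case "password":
      // The password is only returned on creation. If it is present on a listed or stored
      // object, something persisted the creation response. This check is the example's own.
      if (c.password !== undefined) {
        findings.push({
          credential_id: c.id,
          severity: "warn",
          message: "password material present outside the creation response",
        });
      }
      break;
    case "public-key":
      // Assumption (not from the reference): keys should be fetched over https so the
      // JWKS cannot be replaced in transit.
      if (!/^https:\/\//i.test(c.jwks_uri)) {
        findings.push({
          credential_id: c.id,
          severity: "warn",
          message: `jwks_uri is not https: ${c.jwks_uri}`,
        });
      }
      break;
    case "public":
      findings.push({
        credential_id: c.id,
        severity: "info",
        message: "public credential: no secret storage",
      });
      break;
    case "url":
      // Nothing to check from the documented fields.
      break;
  }
  return findings;
}

export function auditCredentials(creds: Credential[]): Finding[] {
  const out: Finding[] = [];
  for (const c of creds) {
    out.push(...auditCredential(c));
  }
  return out;
}

// Constructed sample data; these are not real Keycard identifiers.
export const SAMPLE_CREDENTIALS: Credential[] = [
  { id: "cred_1", application_id: "app_1", zone_id: "zone_1", type: "token", identifier: "*", provider_id: "prov_1", subject: null },
  { id: "cred_2", application_id: "app_1", zone_id: "zone_1", type: "token", identifier: "svc-worker", provider_id: "prov_1", subject: "svc-worker" },
  { id: "cred_3", application_id: "app_2", zone_id: "zone_1", type: "public-key", identifier: "app-2-client", jwks_uri: "http://keys.example.test/jwks.json" },
  { id: "cred_4", application_id: "app_3", zone_id: "zone_1", type: "public", identifier: "spa-client" },
  { id: "cred_5", application_id: "app_3", zone_id: "zone_1", type: "password", identifier: "batch-user" },
];
```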
Password extends BaseFields { id, application_id, created_at, 5 more } { identifier, type, password }

Password-based application credential

identifier: string

Username for password credential, also used as OAuth 2.0 client ID

type: "password"
password?: string

Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

Public extends BaseFields { id, application_id, created_at, 5 more } { identifier, type }

Public credential (no secret storage)

identifier: string

Identifier for public credential, also used as OAuth 2.0 client ID

type: "public"
PublicKey extends BaseFields { id, application_id, created_at, 5 more } { identifier, jwks_uri, type }

Public key-based application credential

identifier: string

Client ID for public key credential, also used as OAuth 2.0 client ID

jwks_uri: string

JWKS URI to retrieve public keys from

format: uri
type: "public-key"
Token extends BaseFields { id, application_id, created_at, 5 more } { identifier, provider_id, type, 2 more }

Token-based application credential

identifier: string

Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

provider_id: string

ID of the provider issuing tokens verified by this credential

type: "token"
provider? (deprecated): Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this provider

owner_type: "platform" | "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this provider belongs to

client_id?: string | null

OAuth 2.0 client identifier

client_secret_set?: boolean

Indicates whether a client secret is configured

description?: string | null

Human-readable description

maxLength: 2048
metadata?: unknown

Provider metadata

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

format: uri
authorization_endpoint?: string | null
format: uri
authorization_parameters?: Record<string, string> | null

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled?: boolean | null

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter?: string | null

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported?: Array<string> | null
jwks_uri?: string | null
format: uri
registration_endpoint?: string | null
format: uri
scope_parameter?: string | null

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator?: string | null

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported?: Array<string> | null
token_endpoint?: string | null
format: uri
token_response_access_token_pointer?: string | null

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid?: Openid | null

OpenID Connect protocol configuration

userinfo_endpoint?: string | null
format: uri
type?: "external" | "keycard-vault" | "keycard-sts"
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
subject?: string | null

Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

URL extends BaseFields { id, application_id, created_at, 5 more } { identifier, type }

URL-based application credential

identifier: string

URL of the credential (must be a valid URL)

format: uri
type: "url"

Zones / Delegated Grants

List delegated grants
client.zones.delegatedGrants.list(zoneID: string, query?: DelegatedGrantListParams { active, after, before, 5 more }, options?: RequestOptions): DelegatedGrantListResponse { items, pagination }
GET /zones/{zoneId}/delegated-grants
Get delegated grant
client.zones.delegatedGrants.retrieve(id: string, params: DelegatedGrantRetrieveParams { zoneId }, options?: RequestOptions): Grant { id, created_at, expires_at, 14 more }
GET /zones/{zoneId}/delegated-grants/{id}
Update delegated grant
client.zones.delegatedGrants.update(id: string, params: DelegatedGrantUpdateParams { zoneId, status }, options?: RequestOptions): Grant { id, created_at, expires_at, 14 more }
PATCH /zones/{zoneId}/delegated-grants/{id}
Delete delegated grant
client.zones.delegatedGrants.delete(id: string, params: DelegatedGrantDeleteParams { zoneId }, options?: RequestOptions): void
DELETE /zones/{zoneId}/delegated-grants/{id}
Models
Grant { id, created_at, expires_at, 14 more }

User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.

id: string

Unique identifier of the delegated grant

created_at: string

Entity creation timestamp

format: date-time
expires_at: string

Date when grant expires

format: date-time
organization_id: string

Organization that owns this grant

provider_id: string

ID of the provider that issued this grant

refresh_token_set: boolean

Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

resource_id: string

ID of resource receiving grant

scopes: Array<string>

Granted OAuth scopes

status: "active" | "expired" | "revoked"
Accepts one of the following:
"active"
"expired"
"revoked"
updated_at: string

Entity update timestamp

format: date-time
user_id: string

Reference to the user granting permission

zone_id: string

Zone this grant belongs to

active? (deprecated): boolean

Whether the grant is currently active (deprecated - use status instead)

provider? (deprecated): Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this provider

owner_type: "platform" | "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this provider belongs to

client_id?: string | null

OAuth 2.0 client identifier

client_secret_set?: boolean

Indicates whether a client secret is configured

description?: string | null

Human-readable description

maxLength: 2048
metadata?: unknown

Provider metadata

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

format: uri
authorization_endpoint?: string | null
format: uri
authorization_parameters?: Record<string, string> | null

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled?: boolean | null

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter?: string | null

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported?: Array<string> | null
jwks_uri?: string | null
formaturi
registration_endpoint?: string | null
formaturi
scope_parameter?: string | null

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator?: string | null

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported?: Array<string> | null
token_endpoint?: string | null
formaturi
token_response_access_token_pointer?: string | null

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid?: Openid | null

OpenID Connect protocol configuration

userinfo_endpoint?: string | null
formaturi
type?: "external" | "keycard-vault" | "keycard-sts"
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
refreshed_at?: string

Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

formatdate-time
Deprecatedresource?: Resource { id, application_type, created_at, 15 more }

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

id: string

Unique identifier of the resource

application_type: "native" | "web"

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:
"native"
"web"
created_at: string

Entity creation timestamp

formatdate-time
identifier: string

User specified identifier, unique within the zone

minLength1
maxLength2048
name: string

Human-readable name

minLength1
maxLength255
organization_id: string

Organization that owns this resource

owner_type: "platform" | "customer"

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength1
maxLength63
updated_at: string

Entity update timestamp

formatdate-time
zone_id: string

Zone this resource belongs to

Deprecatedapplication?: Application { id, created_at, dependencies_count, 10 more }

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: string

Unique identifier of the application

created_at: string

Entity creation timestamp

formatdate-time
dependencies_count: number

Number of resource dependencies

identifier: string

User specified identifier, unique within the zone

minLength1
maxLength2048
name: string

Human-readable name

minLength1
maxLength255
organization_id: string

Organization that owns this application

owner_type: "platform" | "customer"

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength1
maxLength63
updated_at: string

Entity update timestamp

formatdate-time
zone_id: string

Zone this application belongs to

description?: string | null

Human-readable description

maxLength2048
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

formaturi
maxLength2048
protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

post_logout_redirect_uris?: Array<string> | null

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris?: Array<string> | null

OAuth 2.0 redirect URIs for this application

application_id?: string

ID of the application that provides this resource

Deprecatedcredential_provider?: Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

formatdate-time
identifier: string

User specified identifier, unique within the zone

minLength1
maxLength2048
name: string

Human-readable name

minLength1
maxLength255
organization_id: string

Organization that owns this provider

owner_type: "platform" | "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
slug: string

URL-safe identifier, unique within the zone

minLength1
maxLength63
updated_at: string

Entity update timestamp

formatdate-time
zone_id: string

Zone this provider belongs to

client_id?: string | null

OAuth 2.0 client identifier

client_secret_set?: boolean

Indicates whether a client secret is configured

description?: string | null

Human-readable description

maxLength2048
metadata?: unknown

Provider metadata

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

formaturi
authorization_endpoint?: string | null
formaturi
authorization_parameters?: Record<string, string> | null

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled?: boolean | null

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter?: string | null

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported?: Array<string> | null
jwks_uri?: string | null
formaturi
registration_endpoint?: string | null
formaturi
scope_parameter?: string | null

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator?: string | null

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported?: Array<string> | null
token_endpoint?: string | null
formaturi
token_response_access_token_pointer?: string | null

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid?: Openid | null

OpenID Connect protocol configuration

userinfo_endpoint?: string | null
formaturi
type?: "external" | "keycard-vault" | "keycard-sts"
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
credential_provider_id?: string

ID of the credential provider for this resource

description?: string | null

Human-readable description

maxLength2048
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

formaturi
maxLength2048
scopes?: Array<string> | null

Scopes supported by the resource

when_accessing?: Array<string>

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

Deprecateduser?: User { id, created_at, email, 8 more }

An authenticated user entity

id: string

Unique identifier of the user

created_at: string

Entity creation timestamp

formatdate-time
email: string

Email address of the user

formatemail
email_verified: boolean

Whether the email address has been verified

organization_id: string

Organization that owns this user

updated_at: string

Entity update timestamp

formatdate-time
zone_id: string

Zone this user belongs to

authenticated_at?: string

Date when the user was last authenticated

issuer?: string

Issuer identifier of the identity provider

provider_id?: string

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

subject?: string

Subject identifier from the identity provider

Zones / Providers

List providers
client.zones.providers.list(zoneID: string, query?: ProviderListParams { after, before, cursor, 5 more }, options?: RequestOptions): ProviderListResponse { items, page_info, pagination }
GET /zones/{zoneId}/providers
Create provider
client.zones.providers.create(zoneID: string, body: ProviderCreateParams { identifier, name, client_id, 4 more }, options?: RequestOptions): Provider { id, created_at, identifier, 12 more }
POST /zones/{zoneId}/providers
Get provider
client.zones.providers.retrieve(id: string, params: ProviderRetrieveParams { zoneId }, options?: RequestOptions): Provider { id, created_at, identifier, 12 more }
GET /zones/{zoneId}/providers/{id}
Update provider
client.zones.providers.update(id: string, params: ProviderUpdateParams { zoneId, client_id, client_secret, 5 more }, options?: RequestOptions): Provider { id, created_at, identifier, 12 more }
PATCH /zones/{zoneId}/providers/{id}
Delete provider
client.zones.providers.delete(id: string, params: ProviderDeleteParams { zoneId }, options?: RequestOptions): void
DELETE /zones/{zoneId}/providers/{id}

Models

Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string
  Unique identifier of the provider
created_at: string
  Entity creation timestamp
  format: date-time
identifier: string
  User specified identifier, unique within the zone
  minLength: 1, maxLength: 2048
name: string
  Human-readable name
  minLength: 1, maxLength: 255
organization_id: string
  Organization that owns this provider
owner_type: "platform" | "customer"
  Who owns this provider. Platform-owned providers cannot be modified via API.
  Accepts one of the following: "platform", "customer"
slug: string
  URL-safe identifier, unique within the zone
  minLength: 1, maxLength: 63
updated_at: string
  Entity update timestamp
  format: date-time
zone_id: string
  Zone this provider belongs to
client_id?: string | null
  OAuth 2.0 client identifier
client_secret_set?: boolean
  Indicates whether a client secret is configured
description?: string | null
  Human-readable description
  maxLength: 2048
metadata?: unknown
  Provider metadata
protocols?: Protocols | null
  Protocol-specific configuration
  oauth2?: Oauth2 | null
    OAuth 2.0 protocol configuration
    issuer: string
      OIDC issuer URL used for discovery and token validation.
      format: uri
    authorization_endpoint?: string | null
      format: uri
    authorization_parameters?: Record<string, string> | null
      Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).
    authorization_resource_enabled?: boolean | null
      Whether to include the resource parameter in authorization requests.
    authorization_resource_parameter?: string | null
      The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.
    code_challenge_methods_supported?: Array<string> | null
    jwks_uri?: string | null
      format: uri
    registration_endpoint?: string | null
      format: uri
    scope_parameter?: string | null
      The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".
    scope_separator?: string | null
      The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".
    scopes_supported?: Array<string> | null
    token_endpoint?: string | null
      format: uri
    token_response_access_token_pointer?: string | null
      Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".
  openid?: Openid | null
    OpenID Connect protocol configuration
    userinfo_endpoint?: string | null
      format: uri
type?: "external" | "keycard-vault" | "keycard-sts"
  Accepts one of the following: "external", "keycard-vault", "keycard-sts"
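
The Oauth2 settings above (scope_parameter, scope_separator, authorization_parameters, authorization_resource_enabled and token_response_access_token_pointer) describe how a provider's authorization redirect and token response deviate from the OAuth 2.0 defaults. The block below is an added example written for this page, not Keycard's own code: it builds the redirect URL and reads the access token back for a default OIDC provider and for a Slack v2 style provider. The field names follow the Provider.protocols.oauth2 model; the helper names, the request shape and the sample values (placeholder hostnames, constructed token responses) are assumptions made for the example.

```typescript
// Added example for this page (not Keycard's code): how the Oauth2 provider
// settings change the authorization redirect and token-response parsing.
// Field names mirror Provider.protocols.oauth2; everything else is assumed.

interface Oauth2Config {
  issuer: string;
  authorization_endpoint?: string | null;
  authorization_parameters?: Record<string, string> | null;
  authorization_resource_enabled?: boolean | null;
  authorization_resource_parameter?: string | null;
  scope_parameter?: string | null;
  scope_separator?: string | null;
  token_endpoint?: string | null;
  token_response_access_token_pointer?: string | null;
}

// What the caller contributes to one authorization request (assumed shape).
interface AuthorizeRequest {
  client_id: string;
  redirect_uri: string;
  state: string;           // per-request CSRF binding
  code_challenge: string;  // PKCE S256 challenge
  scopes: string[];
  resource?: string;       // RFC 8707 resource indicator, when the provider supports it
}

function buildAuthorizationUrl(cfg: Oauth2Config, req: AuthorizeRequest): string {
  if (!cfg.authorization_endpoint) {
    throw new Error("provider has no authorization_endpoint configured");
  }
  const url = new URL(cfg.authorization_endpoint);
  const q = url.searchParams;
  q.set("response_type", "code");
  q.set("client_id", req.client_id);
  q.set("redirect_uri", req.redirect_uri);
  q.set("state", req.state);
  q.set("code_challenge", req.code_challenge);
  q.set("code_challenge_method", "S256");
  // scope_parameter / scope_separator default to "scope" and " ";
  // Slack v2 uses "user_scope" and ",".
  q.set(cfg.scope_parameter ?? "scope", req.scopes.join(cfg.scope_separator ?? " "));
  // authorization_resource_enabled gates the resource indicator; the
  // parameter name falls back to "resource".
  if (cfg.authorization_resource_enabled && req.resource) {
    q.set(cfg.authorization_resource_parameter ?? "resource", req.resource);
  }
  // authorization_parameters are appended last. Design choice for this
  // example: they are not allowed to override the protocol parameters above.
  const extra = cfg.authorization_parameters ?? ({} as Record<string, string>);
  for (const [k, v] of Object.entries(extra)) {
    if (!q.has(k)) q.set(k, v);
  }
  return url.toString();
}

// Resolve token_response_access_token_pointer ("a.b.c") against the parsed
// token response. Own-property lookups only, so keys such as "__proto__"
// in a hostile response cannot redirect the walk.
function extractAccessToken(body: unknown, pointer?: string | null): string {
  const path = pointer ?? "access_token";
  let cur: unknown = body;
  for (const key of path.split(".")) {
    if (typeof cur !== "object" || cur === null || !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new Error(`token response has no value at "${path}"`);
    }
    cur = (cur as Record<string, unknown>)[key];
  }
  if (typeof cur !== "string" || cur.length === 0) {
    throw new Error(`value at "${path}" is not a non-empty string`);
  }
  return cur;
}

// Constructed sample configurations; the hostnames are placeholders.
const SLACK_V2_STYLE: Oauth2Config = {
  issuer: "https://slack.example",
  authorization_endpoint: "https://slack.example/oauth/v2/authorize",
  token_endpoint: "https://slack.example/api/oauth.v2.access",
  scope_parameter: "user_scope",
  scope_separator: ",",
  token_response_access_token_pointer: "authed_user.access_token",
};

const GENERIC_OIDC: Oauth2Config = {
  issuer: "https://idp.example",
  authorization_endpoint: "https://idp.example/authorize",
  token_endpoint: "https://idp.example/token",
  authorization_parameters: { prompt: "consent", access_type: "offline" },
  authorization_resource_enabled: true,
};
```

With SLACK_V2_STYLE the redirect carries user_scope=chat:write,users:read and no resource parameter (authorization_resource_enabled is unset); with GENERIC_OIDC it carries scope=chat:write users:read, resource=..., prompt=consent and access_type=offline. The pointer walk is the part to get right on the receiving side: a response that lacks the configured path is rejected rather than silently yielding an empty credential.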

Zones / Resources

List resources
client.zones.resources.list(zoneID: string, query?: ResourceListParams { after, before, credentialProviderId, 4 more }, options?: RequestOptions): ResourceListResponse { items, pagination }
GET /zones/{zoneId}/resources
Create resource
client.zones.resources.create(zoneID: string, body: ResourceCreateParams { identifier, name, application_id, 5 more }, options?: RequestOptions): Resource { id, application_type, created_at, 15 more }
POST /zones/{zoneId}/resources
Get resource
client.zones.resources.retrieve(id: string, params: ResourceRetrieveParams { zoneId }, options?: RequestOptions): Resource { id, application_type, created_at, 15 more }
GET /zones/{zoneId}/resources/{id}
Update resource
client.zones.resources.update(id: string, params: ResourceUpdateParams { zoneId, application_id, application_type, 6 more }, options?: RequestOptions): Resource { id, application_type, created_at, 15 more }
PATCH /zones/{zoneId}/resources/{id}
Delete resource
client.zones.resources.delete(id: string, params: ResourceDeleteParams { zoneId }, options?: RequestOptions): void
DELETE /zones/{zoneId}/resources/{id}

Zones / Sessions

List sessions
client.zones.sessions.list(zoneID: string, query?: SessionListParams { active, after, before, 6 more }, options?: RequestOptions): SessionListResponse { items, pagination }
GET /zones/{zoneId}/sessions
Get session
client.zones.sessions.retrieve(id: string, params: SessionRetrieveParams { zoneId }, options?: RequestOptions): Session
GET /zones/{zoneId}/sessions/{id}
Update session
client.zones.sessions.update(id: string, params: SessionUpdateParams { zoneId, status }, options?: RequestOptions): Session
PATCH /zones/{zoneId}/sessions/{id}
Delete session
client.zones.sessions.delete(id: string, params: SessionDeleteParams { zoneId }, options?: RequestOptions): void
DELETE /zones/{zoneId}/sessions/{id}

Models

Session = IamUserSessionType { session_type, user_id, id, 19 more } | IamApplicationSessionType { application_id, issuer, provider_id, 14 more }

An authenticated identity session. Sessions can be user sessions (representing end-user authentication) or application sessions (representing service-to-service authentication). User sessions support hierarchical relationships via parent_id, while application sessions are always standalone.

Accepts one of the following:

IamUserSessionType { session_type, user_id, id, 19 more }
  User session type-specific fields
  session_type: "user"
  user_id: string
    User ID
  id?: string
    Session ID
  Deprecated active?: boolean
    Whether the session is currently active (deprecated - use status instead)
  Deprecated application?: Application { id, created_at, dependencies_count, 10 more }
    An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
    id: string
      Unique identifier of the application
    created_at: string
      Entity creation timestamp
      format: date-time
    dependencies_count: number
      Number of resource dependencies
    identifier: string
      User specified identifier, unique within the zone
      minLength: 1, maxLength: 2048
    name: string
      Human-readable name
      minLength: 1, maxLength: 255
    organization_id: string
      Organization that owns this application
    owner_type: "platform" | "customer"
      Who owns this application. Platform-owned applications cannot be modified via API.
      Accepts one of the following: "platform", "customer"
    slug: string
      URL-safe identifier, unique within the zone
      minLength: 1, maxLength: 63
    updated_at: string
      Entity update timestamp
      format: date-time
    zone_id: string
      Zone this application belongs to
    description?: string | null
      Human-readable description
      maxLength: 2048
    metadata?: Metadata { docs_url }
      Entity metadata
      docs_url?: string
        Documentation URL
        format: uri, maxLength: 2048
    protocols?: Protocols | null
      Protocol-specific configuration
      oauth2?: Oauth2 | null
        OAuth 2.0 protocol configuration
        post_logout_redirect_uris?: Array<string> | null
          OAuth 2.0 post-logout redirect URIs for this application
        redirect_uris?: Array<string> | null
          OAuth 2.0 redirect URIs for this application
  application_id?: string
    Application ID that initiated this session
  authenticated_at?: string
    Date when the session was authenticated
    format: date-time
  created_at?: string
    Entity creation timestamp
    format: date-time
  expires_at?: string
    Date when session expires
    format: date-time
  issuer?: string
    Issuer URL from IdP
    format: uri
  metadata?: Metadata { name }
    Session metadata
    name: string
      Name of the initiating application or user agent
  organization_id?: string
    Organization that owns this session
  parent_id?: string
    Parent session ID for hierarchical sessions (user sessions only). When null, this is a web session - a top-level session initiated directly by a user. When set, this is a child session derived from the parent, used for token refresh or delegation. Application sessions cannot have parents.
  provider_id?: string
    Provider ID
  session_data?: Record<string, unknown>
    Session claims data (ID token claims for users, application claims for applications)
  status?: "active" | "expired" | "revoked"
    Accepts one of the following: "active", "expired", "revoked"
  subject?: string
    Subject claim from IdP
  updated_at?: string
    Entity update timestamp
    format: date-time
  Deprecated user?: User { id, created_at, email, 8 more }
    An authenticated user entity
    id: string
      Unique identifier of the user
    created_at: string
      Entity creation timestamp
      format: date-time
    email: string
      Email address of the user
      format: email
    email_verified: boolean
      Whether the email address has been verified
    organization_id: string
      Organization that owns this user
    updated_at: string
      Entity update timestamp
      format: date-time
    zone_id: string
      Zone this user belongs to
    authenticated_at?: string
      Date when the user was last authenticated
    issuer?: string
      Issuer identifier of the identity provider
    provider_id?: string
      Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.
    subject?: string
      Subject identifier from the identity provider
  Deprecated user_agent?: UserAgent { id, created_at, identifier, 5 more }
    A User Agent represents a user agent (browser, desktop app, CLI tool) that can initiate user sessions via OAuth 2.0 Dynamic Client Registration.
    id: string
      Unique identifier of the user agent
    created_at: string
      Entity creation timestamp
      format: date-time
    identifier: string
      User agent identifier (serves as OAuth client_id). Format: ua:{sha256_hash}
    name: string
      Human-readable name
      minLength: 1, maxLength: 255
    organization_id: string
      Organization that owns this user agent
    slug: string
      URL-safe identifier, unique within the zone
      minLength: 1, maxLength: 63
    updated_at: string
      Entity update timestamp
      format: date-time
    zone_id: string
      Zone this user agent belongs to
  user_agent_id?: string
    User agent ID (browser/client) that initiated this session
  zone_id?: string
    Zone this session belongs to

IamApplicationSessionType { application_id, issuer, provider_id, 14 more }
  Application session type-specific fields
  application_id: string
    Application ID that initiated this session
  issuer: string
    Issuer URL from IdP
    format: uri
  provider_id: string
    Provider ID
  session_type: "application"
  subject: string
    Subject claim from IdP
  id?: string
    Session ID
  Deprecated active?: boolean
    Whether the session is currently active (deprecated - use status instead)
  Deprecated application?: Application { id, created_at, dependencies_count, 10 more }
    An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).
    id: string
      Unique identifier of the application
    created_at: string
      Entity creation timestamp
      format: date-time
    dependencies_count: number
      Number of resource dependencies
    identifier: string
      User specified identifier, unique within the zone
      minLength: 1, maxLength: 2048
    name: string
      Human-readable name
      minLength: 1, maxLength: 255
    organization_id: string
      Organization that owns this application
    owner_type: "platform" | "customer"
      Who owns this application. Platform-owned applications cannot be modified via API.
      Accepts one of the following: "platform", "customer"
    slug: string
      URL-safe identifier, unique within the zone
      minLength: 1, maxLength: 63
    updated_at: string
      Entity update timestamp
      format: date-time
    zone_id: string
      Zone this application belongs to
    description?: string | null
      Human-readable description
      maxLength: 2048
    metadata?: Metadata { docs_url }
      Entity metadata
      docs_url?: string
        Documentation URL
        format: uri, maxLength: 2048
    protocols?: Protocols | null
      Protocol-specific configuration
      oauth2?: Oauth2 | null
        OAuth 2.0 protocol configuration
        post_logout_redirect_uris?: Array<string> | null
          OAuth 2.0 post-logout redirect URIs for this application
        redirect_uris?: Array<string> | null
          OAuth 2.0 redirect URIs for this application
  authenticated_at?: string
    Date when the session was authenticated
    format: date-time
  created_at?: string
    Entity creation timestamp
    format: date-time
  expires_at?: string
    Date when session expires
    format: date-time
  metadata?: Metadata { name }
    Session metadata
    name: string
      Name of the initiating application or user agent
  organization_id?: string
    Organization that owns this session
  session_data?: Record<string, unknown>
    Session claims data (ID token claims for users, application claims for applications)
  status?: "active" | "expired" | "revoked"
    Accepts one of the following: "active", "expired", "revoked"
  updated_at?: string
    Entity update timestamp
    format: date-time
  zone_id?: string
    Zone this session belongs to
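
The Session union above encodes two rules a consumer has to respect: liveness is carried by status (the active flag is deprecated), and only user sessions form a tree through parent_id, with the top-level web session having none and application sessions never having one. The block below is an added example written for this page, not Keycard's own code: it narrows on session_type, walks parent_id up to the web session while rejecting the shapes the model forbids (an application session with a parent, a non-user parent, a dangling parent, a cycle), and lists the child sessions derived from a root, which is what a caller needs when a web session is revoked and the sessions derived from it should go with it. Only the fields used are modelled; the helper names and the sample sessions are constructed for the example.

```typescript
// Added example for this page (not Keycard's code): applying the Session
// model. Only the fields used here are modelled; helper names and sample
// data are constructed for illustration.

type SessionStatus = "active" | "expired" | "revoked";

interface SessionBase {
  id: string;
  zone_id: string;
  status: SessionStatus;
  expires_at?: string; // date-time
}

// User sessions may form a tree via parent_id (absent on the top-level web session).
interface UserSession extends SessionBase {
  session_type: "user";
  user_id: string;
  parent_id?: string;
}

// Application sessions are always standalone: no parent_id.
interface ApplicationSession extends SessionBase {
  session_type: "application";
  application_id: string;
}

type Session = UserSession | ApplicationSession;

// Use status (and expiry) rather than the deprecated `active` flag.
function isLive(s: Session, now: Date = new Date()): boolean {
  if (s.status !== "active") return false;
  if (s.expires_at !== undefined && Date.parse(s.expires_at) <= now.getTime()) return false;
  return true;
}

function indexById(sessions: Session[]): Map<string, Session> {
  return new Map(sessions.map((s) => [s.id, s]));
}

function mustGet(byId: Map<string, Session>, id: string): Session {
  const s = byId.get(id);
  if (s === undefined) throw new Error(`unknown session ${id}`);
  return s;
}

// Walk parent_id up to the web session that started the chain. Rejects what
// the model forbids: an application session carrying a parent, a parent that
// is not a user session, a parent that does not exist, or a cycle.
function rootOf(byId: Map<string, Session>, id: string): Session {
  const seen = new Set<string>();
  let cur: Session = mustGet(byId, id);
  for (;;) {
    if (seen.has(cur.id)) throw new Error(`parent_id cycle at ${cur.id}`);
    seen.add(cur.id);
    if (cur.session_type === "application") {
      if ("parent_id" in cur) throw new Error(`application session ${cur.id} must not have a parent`);
      return cur; // standalone by definition
    }
    if (cur.parent_id === undefined) return cur; // web session: top of the tree
    const parent = mustGet(byId, cur.parent_id);
    if (parent.session_type !== "user") {
      throw new Error(`session ${cur.id} has a non-user parent ${parent.id}`);
    }
    cur = parent;
  }
}

// Every session derived from rootId, root first, in breadth-first order.
// A caller revoking a web session can use this to find the child sessions
// (refresh or delegation sessions) that were derived from it.
function subtree(sessions: Session[], rootId: string): string[] {
  const children = new Map<string, string[]>();
  for (const s of sessions) {
    if (s.session_type === "user" && s.parent_id !== undefined) {
      const list = children.get(s.parent_id) ?? [];
      list.push(s.id);
      children.set(s.parent_id, list);
    }
  }
  const out: string[] = [];
  const seen = new Set<string>([rootId]);
  const queue: string[] = [rootId];
  while (queue.length > 0) {
    const id = queue.shift() as string;
    out.push(id);
    for (const c of children.get(id) ?? []) {
      if (!seen.has(c)) {
        seen.add(c);
        queue.push(c);
      }
    }
  }
  return out;
}

// Constructed sample: one web session, two derived sessions, one application session.
const SAMPLE_SESSIONS: Session[] = [
  { id: "w1", zone_id: "z1", status: "active", session_type: "user", user_id: "u1", expires_at: "2099-01-01T00:00:00Z" },
  { id: "c1", zone_id: "z1", status: "active", session_type: "user", user_id: "u1", parent_id: "w1" },
  { id: "c2", zone_id: "z1", status: "expired", session_type: "user", user_id: "u1", parent_id: "c1", expires_at: "2000-01-01T00:00:00Z" },
  { id: "a1", zone_id: "z1", status: "active", session_type: "application", application_id: "app1" },
];
```

On the sample data rootOf resolves c2 to w1 and a1 to itself, subtree(w1) yields w1, c1, c2, and isLive is false for c2 both because of its status and because its expires_at has passed.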

Zones / User Agents

List user agents
client.zones.userAgents.list(zoneID: string, query?: UserAgentListParams { after, before, expand, limit }, options?: RequestOptions): UserAgentListResponse { items, pagination }
GET /zones/{zoneId}/user-agents
Get user agent
client.zones.userAgents.retrieve(id: string, params: UserAgentRetrieveParams { zoneId }, options?: RequestOptions): UserAgent { id, created_at, identifier, 5 more }
GET /zones/{zoneId}/user-agents/{id}

Models

UserAgent { id, created_at, identifier, 5 more }

A User Agent represents a user agent (browser, desktop app, CLI tool) that can initiate user sessions via OAuth 2.0 Dynamic Client Registration.

id: string
  Unique identifier of the user agent
created_at: string
  Entity creation timestamp
  format: date-time
identifier: string
  User agent identifier (serves as OAuth client_id). Format: ua:{sha256_hash}
name: string
  Human-readable name
  minLength: 1, maxLength: 255
organization_id: string
  Organization that owns this user agent
slug: string
  URL-safe identifier, unique within the zone
  minLength: 1, maxLength: 63
updated_at: string
  Entity update timestamp
  format: date-time
zone_id: string
  Zone this user agent belongs to

Zones / Users

List users
client.zones.users.list(zoneID: string, query?: UserListParams { after, before, expand, limit }, options?: RequestOptions): UserListResponse { items, pagination }
GET /zones/{zoneId}/users
Get user
client.zones.users.retrieve(id: string, params: UserRetrieveParams { zoneId }, options?: RequestOptions): User { id, created_at, email, 8 more }
GET /zones/{zoneId}/users/{id}

Models

User { id, created_at, email, 8 more }

An authenticated user entity

id: string
  Unique identifier of the user
created_at: string
  Entity creation timestamp
  format: date-time
email: string
  Email address of the user
  format: email
email_verified: boolean
  Whether the email address has been verified
organization_id: string
  Organization that owns this user
updated_at: string
  Entity update timestamp
  format: date-time
zone_id: string
  Zone this user belongs to
authenticated_at?: string
  Date when the user was last authenticated
issuer?: string
  Issuer identifier of the identity provider
provider_id?: string
  Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.
subject?: string
  Subject identifier from the identity provider

Zones / Members

Add organization user to zone
client.zones.members.add(zoneID: string, body: MemberAddParams { organization_user_id, role }, options?: RequestOptions): ZoneMember { id, _links, created_at, 5 more }
POST /zones/{zoneId}/members
List organization users in a zone
client.zones.members.list(zoneID: string, query?: MemberListParams { after, before, expand, 2 more }, options?: RequestOptions): MemberListResponse { items, page_info, pagination }
GET /zones/{zoneId}/members
Get organization user in a zone
client.zones.members.retrieve(organizationUserID: string, params: MemberRetrieveParams { zoneId }, options?: RequestOptions): ZoneMember { id, _links, created_at, 5 more }
GET /zones/{zoneId}/members/{organizationUserId}
Update organization user role in a zone
client.zones.members.update(organizationUserID: string, params: MemberUpdateParams { zoneId, role }, options?: RequestOptions): ZoneMember { id, _links, created_at, 5 more }
PATCH /zones/{zoneId}/members/{organizationUserId}
Remove member from zone
client.zones.members.delete(organizationUserID: string, params: MemberDeleteParams { zoneId }, options?: RequestOptions): void
DELETE /zones/{zoneId}/members/{organizationUserId}

Models

ZoneMember { id, _links, created_at, 5 more }

Represents an organization user's membership in a zone with an assigned role

id: string
  Unique identifier of the zone member
created_at: string
  Entity creation timestamp
  format: date-time
organization_id: string
  Organization ID that owns the zone
organization_user_id: string
  Organization user ID of the zone member
role: ZoneRole
  Zone role type. zone_manager has full management access, zone_viewer has read-only access.
  Accepts one of the following: "zone_manager", "zone_viewer"
updated_at: string
  Entity update timestamp
  format: date-time
zone_id: string
  Zone ID the organization user is a member of

ZoneRole = "zone_manager" | "zone_viewer"

Zone role type. zone_manager has full management access, zone_viewer has read-only access.

Accepts one of the following: "zone_manager", "zone_viewer"

Zones / Secrets

Create
client.zones.secrets.create(zoneID: string, params: SecretCreateParams { data, entity_id, name, 4 more }, options?: RequestOptions): Secret { id, created_at, entity_id, 7 more }
POST /zones/{zone_id}/secrets
List
client.zones.secrets.list(zoneID: string, params?: SecretListParams { entity_id, type, xClientRequestID }, options?: RequestOptions): SecretListResponse { id, created_at, entity_id, 7 more }
GET /zones/{zone_id}/secrets
Delete
client.zones.secrets.delete(id: string, params: SecretDeleteParams { zone_id, xClientRequestID }, options?: RequestOptions): void
DELETE /zones/{zone_id}/secrets/{id}
Update
client.zones.secrets.update(id: string, params: SecretUpdateParams { zone_id, data, description, 3 more }, options?: RequestOptions): Secret { id, created_at, entity_id, 7 more }
PATCH /zones/{zone_id}/secrets/{id}
Retrieve
client.zones.secrets.retrieve(id: string, params: SecretRetrieveParams { zone_id, xClientRequestID }, options?: RequestOptions): SecretRetrieveResponse { id, created_at, data, 7 more }
GET /zones/{zone_id}/secrets/{id}

Models

Secret { id, created_at, entity_id, 7 more }

id: string
  A globally unique opaque identifier
  minLength: 1
created_at: string
  format: date-time
entity_id: string
  A globally unique opaque identifier
  minLength: 1
name: string
  A name for the entity to be displayed in UI
type: "token" | "password"
  Accepts one of the following: "token", "password"
updated_at: string
  format: date-time
version: number
  minimum: 1
zone_id: string
  A globally unique opaque identifier
  minLength: 1
description?: string
  A description of the entity
  maxLength: 128
metadata?: unknown
  A JSON object containing arbitrary metadata. Metadata will not be encrypted.

SecretPasswordFields { password, type, username }

password: string
type: "password"
username: string

SecretTokenFields { token, type }

token: string
type: "token"

Zones / Policy Schemas

List policy schemas
client.zones.policySchemas.list(zoneID: string, params?: PolicySchemaListParams { after, before, expand, 7 more }, options?: RequestOptions): PolicySchemaListResponse { items, pagination }
GET /zones/{zone_id}/policy-schemas
Get a policy schema by version
client.zones.policySchemas.retrieve(version: string, params: PolicySchemaRetrieveParams { zone_id, format, xAPIVersion, xClientRequestID }, options?: RequestOptions): SchemaVersionWithZoneInfo { is_default }
GET /zones/{zone_id}/policy-schemas/{version}
Set the default policy schema for a zone
client.zones.policySchemas.setDefault(version: string, params: PolicySchemaSetDefaultParams { zone_id, body, xAPIVersion, xClientRequestID }, options?: RequestOptions): SchemaVersionWithZoneInfo { is_default }
PATCH /zones/{zone_id}/policy-schemas/{version}

Models

SchemaVersion { created_at, status, updated_at, 5 more }

A versioned Cedar schema that defines the entity model, actions, and context shape used for policy evaluation. The schema contains the valid entity types (User, Application, Resource), their attributes, and the allowed attribute values. See the Credentials API spec for a full reference of entity attributes and valid values.

created_at: string
  format: date-time
status: "active" | "deprecated" | "archived"
  Controls what can be done with this schema version:
  • "active" - new policy versions can be created and validated against it.
  • "deprecated" - superseded by a newer version but still accepts new policy versions.
  • "archived" - closed to new policy versions. Existing policy set versions pinned to this schema still evaluate normally.
  Accepts one of the following: "active", "deprecated", "archived"
updated_at: string
  format: date-time
version: string
archived_at?: string | null
  format: date-time
cedar_schema?: string | null
  Cedar schema in human-readable syntax. Populated when format=cedar.
cedar_schema_json?: unknown
  Cedar schema as JSON object. Populated when format=json (default).
deprecated_at?: string | null
  format: date-time

SchemaVersionWithZoneInfo extends SchemaVersion { created_at, status, updated_at, 5 more } { is_default }

A versioned Cedar schema that defines the entity model, actions, and context shape used for policy evaluation. The schema contains the valid entity types (User, Application, Resource), their attributes, and the allowed attribute values. See the Credentials API spec for a full reference of entity attributes and valid values.

is_default: boolean
  Whether this is the zone's default schema. Clients use this to pre-select which schema to write policies against. Has no effect on evaluation.

ZonesPolicies

List policies in a zone
client.zones.policies.list(stringzoneID, PolicyListParams { after, before, expand, 5 more } params?, RequestOptionsoptions?): PolicyListResponse { items, pagination }
GET/zones/{zone_id}/policies
Create a new policy
client.zones.policies.create(stringzoneID, PolicyCreateParams { name, description, xAPIVersion, xClientRequestID } params, RequestOptionsoptions?): Policy { id, created_at, created_by, 9 more }
POST/zones/{zone_id}/policies
Get a policy by ID
client.zones.policies.retrieve(stringpolicyID, PolicyRetrieveParams { zone_id, xAPIVersion, xClientRequestID } params, RequestOptionsoptions?): Policy { id, created_at, created_by, 9 more }
GET/zones/{zone_id}/policies/{policy_id}
Update a policy
client.zones.policies.update(stringpolicyID, PolicyUpdateParams { zone_id, description, name, 3 more } params, RequestOptionsoptions?): Policy { id, created_at, created_by, 9 more }
PATCH/zones/{zone_id}/policies/{policy_id}
Archive a policy
client.zones.policies.archive(stringpolicyID, PolicyArchiveParams { zone_id, xAPIVersion, xClientRequestID } params, RequestOptionsoptions?): Policy { id, created_at, created_by, 9 more }
DELETE/zones/{zone_id}/policies/{policy_id}
ModelsExpand Collapse
Policy { id, created_at, created_by, 9 more }
id: string
created_at: string
formatdate-time
created_by: string
name: string
owner_type: "platform" | "customer"

Who manages this policy:

  • "platform" — managed by the Keycard platform (system policies).
  • "customer" — managed by the tenant (custom policies).
Accepts one of the following:
"platform"
"customer"
updated_at: string
format: date-time
zone_id: string
archived_at?: string | null
format: date-time
description?: string | null
latest_version?: number | null

Human-readable version number of the latest version (e.g., 1, 2, 3)

latest_version_id?: string | null
updated_by?: string | null
PolicyDraft { cedar_json, created_at, policy_id, 3 more }
cedar_json: unknown

Cedar policy in JSON representation

created_at: string
format: date-time
policy_id: string
schema_version: string
updated_at: string
format: date-time
updated_by: string

Zones > Policies > Versions

List versions of a policy
client.zones.policies.versions.list(string policyID, VersionListParams { zone_id, after, before, 7 more } params, RequestOptions options?): VersionListResponse { items, pagination }
GET /zones/{zone_id}/policies/{policy_id}/versions
Create a new immutable policy version
client.zones.policies.versions.create(string policyID, VersionCreateParams { zone_id, schema_version, cedar_json, 3 more } params, RequestOptions options?): PolicyVersion { id, created_at, created_by, 9 more }
POST /zones/{zone_id}/policies/{policy_id}/versions
Get a specific policy version
client.zones.policies.versions.retrieve(string versionID, VersionRetrieveParams { zone_id, policy_id, format, 2 more } params, RequestOptions options?): PolicyVersion { id, created_at, created_by, 9 more }
GET /zones/{zone_id}/policies/{policy_id}/versions/{version_id}
Archive a policy version
client.zones.policies.versions.archive(string versionID, VersionArchiveParams { zone_id, policy_id, xAPIVersion, xClientRequestID } params, RequestOptions options?): PolicyVersion { id, created_at, created_by, 9 more }
DELETE /zones/{zone_id}/policies/{policy_id}/versions/{version_id}
Models
PolicyVersion { id, created_at, created_by, 9 more }
id: string
created_at: string
format: date-time
created_by: string
policy_id: string
schema_version: string

Schema version this policy was validated against when created.

sha: string

Hex-encoded content hash

version: number
zone_id: string
archived_at?: string | null
format: date-time
archived_by?: string | null
cedar_json?: unknown

Cedar policy in JSON representation. Populated when format=json (default).

cedar_raw?: string | null

Cedar policy in human-readable syntax. Populated when format=cedar.

Zones > Policy Sets

List policy sets in a zone
client.zones.policySets.list(string zoneID, PolicySetListParams { after, before, expand, 5 more } params?, RequestOptions options?): PolicySetListResponse { items, pagination }
GET /zones/{zone_id}/policy-sets
Create a new policy set
client.zones.policySets.create(string zoneID, PolicySetCreateParams { name, scope_type, xAPIVersion, xClientRequestID } params, RequestOptions options?): PolicySetWithBinding { active, active_version, active_version_id, 2 more }
POST /zones/{zone_id}/policy-sets
Get a policy set by ID
client.zones.policySets.retrieve(string policySetID, PolicySetRetrieveParams { zone_id, xAPIVersion, xClientRequestID } params, RequestOptions options?): PolicySetWithBinding { active, active_version, active_version_id, 2 more }
GET /zones/{zone_id}/policy-sets/{policy_set_id}
Update a policy set
client.zones.policySets.update(string policySetID, PolicySetUpdateParams { zone_id, name, ifMatch, 2 more } params, RequestOptions options?): PolicySetWithBinding { active, active_version, active_version_id, 2 more }
PATCH /zones/{zone_id}/policy-sets/{policy_set_id}
Archive a policy set
client.zones.policySets.archive(string policySetID, PolicySetArchiveParams { zone_id, ifMatch, xAPIVersion, xClientRequestID } params, RequestOptions options?): PolicySetWithBinding { active, active_version, active_version_id, 2 more }
DELETE /zones/{zone_id}/policy-sets/{policy_set_id}
Models
Attestation { payload, protected, signature }

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

payload: string

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The payload is the base64url encoding of the RFC 8785 canonical form of the decoded JSON; together with the protected header it forms the JWS Signing Input.

protected: string

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

signature: string

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.

AttestationStatement { attested_at, attested_by, manifest, 7 more }

Decoded content of an Attestation JWS payload. Describes the exact policy set version composition at attestation time. This schema defines what consumers see after base64url-decoding the Attestation.payload field.

attested_at: string
format: date-time
attested_by: string
manifest: Array<PolicySetManifestEntry { policy_id, policy_version_id, sha } >

Snapshot of the policy set manifest at attestation time. Each entry pins a policy version by ID and content SHA.

policy_id: string
policy_version_id: string
sha?: string

SHA-256 of the policy version content, populated by the server

manifest_sha: string

SHA-256 of the policy set version manifest. Verifiers MUST check this matches the policy_set_version.manifest_sha to detect attestation/version mismatches.

policy_set_id: string
policy_set_version: number
status: "committed" | "re_signed"

Event that produced this attestation. "committed" is the initial attestation at version creation; "re_signed" is a re-attestation after key rotation (same content, new signature).

Accepts one of the following:
"committed"
"re_signed"
type: "policy_set_attestation"

Statement type discriminator

v: 1

Statement schema version

zone_id: string
PolicySet { id, created_at, created_by, 9 more }
id: string
created_at: string
format: date-time
created_by: string
name: string
owner_type: "platform" | "customer"

Who manages this policy set:

  • "platform" — managed by the Keycard platform (system policies).
  • "customer" — managed by the tenant (custom policies).
Accepts one of the following:
"platform"
"customer"
scope_type: "zone" | "resource" | "user" | "session"

The scope at which this policy set applies:

  • "zone" — applies to all requests in the zone.
  • "resource" — scoped to a specific resource.
  • "user" — scoped to a specific user.
  • "session" — scoped to a specific session.
Accepts one of the following:
"zone"
"resource"
"user"
"session"
updated_at: string
format: date-time
zone_id: string
archived_at?: string | null
format: date-time
latest_version?: number | null

Human-readable version number of the latest version (e.g., 1, 2, 3)

latest_version_id?: string | null
updated_by?: string | null
PolicySetDraft { created_at, manifest, policy_set_id, 3 more }
created_at: string
format: date-time
manifest: PolicySetManifest { entries }
entries: Array<PolicySetManifestEntry { policy_id, policy_version_id, sha } >
policy_id: string
policy_version_id: string
sha?: string

SHA-256 of the policy version content, populated by the server

policy_set_id: string
schema_version: string
updated_at: string
format: date-time
updated_by: string
PolicySetManifest { entries }
entries: Array<PolicySetManifestEntry { policy_id, policy_version_id, sha } >
policy_id: string
policy_version_id: string
sha?: string

SHA-256 of the policy version content, populated by the server

PolicySetManifestEntry { policy_id, policy_version_id, sha }
policy_id: string
policy_version_id: string
sha?: string

SHA-256 of the policy version content, populated by the server

PolicySetWithBinding extends PolicySet { id, created_at, created_by, 9 more } { active, active_version, active_version_id, 2 more }
active?: boolean

Whether this policy set is currently bound to a scope

active_version?: number | null

Human-readable version number of the active version (e.g., 1, 2, 3)

active_version_id?: string | null

Public ID of the currently active (bound) version

mode?: "active" | "shadow" | null
Accepts one of the following:
"active"
"shadow"
scope_target_id?: string | null

Zones > Policy Sets > Versions

List versions of a policy set
client.zones.policySets.versions.list(string policySetID, VersionListParams { zone_id, after, before, 6 more } params, RequestOptions options?): VersionListResponse { items, pagination }
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions
Create a new immutable policy set version
client.zones.policySets.versions.create(string policySetID, VersionCreateParams { zone_id, manifest, schema_version, 2 more } params, RequestOptions options?): PolicySetVersion { id, created_at, created_by, 9 more }
POST /zones/{zone_id}/policy-sets/{policy_set_id}/versions
Get a specific policy set version
client.zones.policySets.versions.retrieve(string versionID, VersionRetrieveParams { zone_id, policy_set_id, xAPIVersion, xClientRequestID } params, RequestOptions options?): PolicySetVersion { id, created_at, created_by, 9 more }
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Activate a policy set version
client.zones.policySets.versions.update(string versionID, VersionUpdateParams { zone_id, policy_set_id, active, 2 more } params, RequestOptions options?): PolicySetVersion { id, created_at, created_by, 9 more }
PATCH /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
Archive a policy set version
client.zones.policySets.versions.archive(string versionID, VersionArchiveParams { zone_id, policy_set_id, xAPIVersion, xClientRequestID } params, RequestOptions options?): PolicySetVersion { id, created_at, created_by, 9 more }
DELETE /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}
List policy versions in a policy set version
client.zones.policySets.versions.listPolicies(string versionID, VersionListPoliciesParams { zone_id, policy_set_id, after, 8 more } params, RequestOptions options?): VersionListPoliciesResponse { items, pagination }
GET /zones/{zone_id}/policy-sets/{policy_set_id}/versions/{version_id}/policies
Models
PolicySetVersion { id, created_at, created_by, 9 more }
id: string
created_at: string
format: date-time
created_by: string
manifest: PolicySetManifest { entries }
entries: Array<PolicySetManifestEntry { policy_id, policy_version_id, sha } >
policy_id: string
policy_version_id: string
sha?: string

SHA-256 of the policy version content, populated by the server

manifest_sha: string

Hex-encoded SHA-256 of the canonicalized manifest

policy_set_id: string
schema_version: string

Schema version pinned to this policy set version. Determines the Cedar schema used for evaluation when activated.

version: number
active?: boolean

Whether this policy set version is currently bound with mode='active'

archived_at?: string | null
format: date-time
archived_by?: string | null
attestation?: Attestation { payload, protected, signature } | null

JWS Flattened JSON Serialization (RFC 7515 §7.2.2) of a policy set attestation. The protected header carries the signing algorithm and key identifier; the payload is a base64url-encoded AttestationStatement canonicalized per RFC 8785 (JCS). Verify using the zone JWKS endpoint (RFC 7517). Currently signed with RS256; future zone key types (e.g. EdDSA) will be indicated by the "alg" header — no envelope changes required.

payload: string

Base64url-encoded AttestationStatement (RFC 7515 §3). Decode to inspect attestation content. The payload is the base64url encoding of the RFC 8785 canonical form of the decoded JSON; together with the protected header it forms the JWS Signing Input.

protected: string

Base64url-encoded JWS protected header (RFC 7515 §4). Contains at minimum "alg" (signing algorithm — currently RS256, will migrate to EdDSA) and "kid" (signing key identifier resolvable via the zone JWKS endpoint).

signature: string

Base64url-encoded digital signature computed over the JWS Signing Input (ASCII(protected) || '.' || payload) per RFC 7515 §5.1.