# Application Credentials

## List

`client.zones.applicationCredentials.list(zoneID: string, query?: ApplicationCredentialListParams, options?: RequestOptions): ApplicationCredentialListResponse`

**get** `/zones/{zoneId}/application-credentials`

Returns a list of application credentials in the specified zone

### Parameters

- `zoneID: string`

- `query: ApplicationCredentialListParams`

  - `after?: string`

    Cursor for forward pagination

  - `applicationId?: string`

  - `before?: string`

    Cursor for backward pagination

  - `cursor?: string`

  - `expand?: "total_count" | Array<"total_count">`

    Include `total_count` in the `pagination` metadata of the response

    - `"total_count"`

  - `limit?: number`

    Maximum number of items to return

  - `slug?: string`

### Returns

- `ApplicationCredentialListResponse`

  - `items: Array<Credential>`

    - `Token extends BaseFields`

      Token-based application credential

      - `identifier: string`

        Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

      - `provider_id: string`

        ID of the provider issuing tokens verified by this credential

      - `type: "token"`

        - `"token"`

      - `provider?: Provider`

        A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

        - `id: string`

          Unique identifier of the provider

        - `created_at: string`

          Entity creation timestamp

        - `identifier: string`

          User specified identifier, unique within the zone

        - `name: string`

          Human-readable name

        - `organization_id: string`

          Organization that owns this provider

        - `owner_type: "platform" | "customer"`

          Who owns this provider. Platform-owned providers cannot be modified via API.

          - `"platform"`

          - `"customer"`

        - `slug: string`

          URL-safe identifier, unique within the zone

        - `updated_at: string`

          Entity update timestamp

        - `zone_id: string`

          Zone this provider belongs to

        - `client_id?: string | null`

          OAuth 2.0 client identifier

        - `client_secret_set?: boolean`

          Indicates whether a client secret is configured

        - `description?: string | null`

          Human-readable description

        - `metadata?: unknown`

          Provider metadata

        - `protocols?: Protocols | null`

          Protocol-specific configuration

          - `oauth2?: Oauth2 | null`

            OAuth 2.0 protocol configuration

            - `issuer: string`

              OIDC issuer URL used for discovery and token validation.

            - `authorization_endpoint?: string | null`

            - `authorization_parameters?: Record<string, string> | null`

              Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

            - `authorization_resource_enabled?: boolean | null`

              Whether to include the resource parameter in authorization requests.

            - `authorization_resource_parameter?: string | null`

              The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

            - `code_challenge_methods_supported?: Array<string> | null`

            - `jwks_uri?: string | null`

            - `registration_endpoint?: string | null`

            - `scope_parameter?: string | null`

              The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

            - `scope_separator?: string | null`

              The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

            - `scopes_supported?: Array<string> | null`

            - `token_endpoint?: string | null`

            - `token_response_access_token_pointer?: string | null`

              Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

          - `openid?: Openid | null`

            OpenID Connect protocol configuration

            - `user_identifier_claim?: string | null`

              Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

            - `userinfo_endpoint?: string | null`

        - `type?: "external" | "keycard-vault" | "keycard-sts"`

          - `"external"`

          - `"keycard-vault"`

          - `"keycard-sts"`

      - `subject?: string | null`

        Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

    - `Password extends BaseFields`

      Password-based application credential

      - `identifier: string`

        Username for password credential, also used as OAuth 2.0 client ID

      - `type: "password"`

        - `"password"`

      - `password?: string`

        Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

    - `PublicKey extends BaseFields`

      Public key-based application credential

      - `identifier: string`

        Client ID for public key credential, also used as OAuth 2.0 client ID

      - `jwks_uri: string`

        JWKS URI to retrieve public keys from

      - `type: "public-key"`

        - `"public-key"`

    - `URL extends BaseFields`

      URL-based application credential

      - `identifier: string`

        URL of the credential (must be a valid URL)

      - `type: "url"`

        - `"url"`

    - `Public extends BaseFields`

      Public credential (no secret storage)

      - `identifier: string`

        Identifier for public credential, also used as OAuth 2.0 client ID

      - `type: "public"`

        - `"public"`

  - `page_info: PageInfoPagination`

    Pagination information

    - `has_next_page: boolean`

      Whether there are more items after the current page

    - `has_previous_page: boolean`

      Whether there are items before the current page

    - `end_cursor?: string | null`

      Cursor pointing to the last item in the current page

    - `start_cursor?: string | null`

      Cursor pointing to the first item in the current page

  - `pagination: Pagination`

    Cursor-based pagination metadata

    - `after_cursor: string | null`

      An opaque cursor used for paginating through a list of results

    - `before_cursor: string | null`

      An opaque cursor used for paginating through a list of results

    - `total_count?: number`

      Total number of items matching the query. Only included when expand[]=total_count is requested.

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

const applicationCredentials = await client.zones.applicationCredentials.list('zoneId');

console.log(applicationCredentials.items);
```
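The list endpoint is cursor-paginated, and the one field on a token credential that decides how much it accepts is `subject`: when it is unset the credential's `identifier` is `'*'` and any token from the provider is honoured. The following is an added example, not code from the SDK or from Keycard: it walks every page with `page_info.has_next_page` / `end_cursor`, then reports the token credentials that are wildcards. The types are trimmed to the fields the audit needs, and the page fetcher is an in-memory stand-in built over constructed sample data; with the real client you would substitute `(after) => client.zones.applicationCredentials.list(zoneId, { after, limit })`.

```typescript
// Minimal shapes mirroring this page's Credential union and list response.
// Only the fields the audit needs are modelled; the SDK's types are wider.
type TokenCredential = {
  id: string;
  type: 'token';
  identifier: string;
  provider_id: string;
  subject?: string | null;
};
type OtherCredential = {
  id: string;
  type: 'password' | 'public-key' | 'url' | 'public';
  identifier: string;
};
type Credential = TokenCredential | OtherCredential;

type ListPage = {
  items: Credential[];
  page_info: { has_next_page: boolean; end_cursor?: string | null };
};

// One page fetch. With the SDK this is
//   (after) => client.zones.applicationCredentials.list(zoneId, { after, limit })
type FetchPage = (after?: string) => Promise<ListPage>;

// Walk forward through every page using end_cursor / has_next_page.
export async function listAllCredentials(fetchPage: FetchPage): Promise<Credential[]> {
  const all: Credential[] = [];
  const seen = new Set<string>(); // refuse to loop if a cursor is handed back twice
  let after: string | undefined;
  for (;;) {
    const page = await fetchPage(after);
    all.push(...page.items);
    if (!page.page_info.has_next_page) break;
    const next = page.page_info.end_cursor;
    if (!next || seen.has(next)) throw new Error('pagination did not advance');
    seen.add(next);
    after = next;
  }
  return all;
}

// A token credential with no subject accepts any token from its provider;
// the page documents identifier '*' for that case, so check both signals.
export function findWildcardTokenCredentials(items: Credential[]): TokenCredential[] {
  return items.filter(
    (c): c is TokenCredential =>
      c.type === 'token' && (c.subject == null || c.identifier === '*'),
  );
}

// Constructed sample data standing in for a zone's credentials (IDs are made up).
export const SAMPLE_CREDENTIALS: Credential[] = [
  { id: 'cred_1', type: 'token', identifier: 'ci-runner', provider_id: 'prov_a', subject: 'ci-runner' },
  { id: 'cred_2', type: 'token', identifier: '*', provider_id: 'prov_a', subject: null },
  { id: 'cred_3', type: 'password', identifier: 'svc-user' },
  { id: 'cred_4', type: 'token', identifier: '*', provider_id: 'prov_b' },
  { id: 'cred_5', type: 'public-key', identifier: 'app-client' },
];

// In-memory fetcher that pages like the endpoint; the cursor is just an offset here.
export function makeFakeFetcher(data: Credential[], limit = 2): FetchPage {
  return async (after?: string) => {
    const start = after ? Number(after) : 0;
    const items = data.slice(start, start + limit);
    const end = start + items.length;
    const more = end < data.length;
    return { items, page_info: { has_next_page: more, end_cursor: more ? String(end) : null } };
  };
}

// Full audit: fetch everything, return the IDs of wildcard token credentials.
export async function auditZone(fetchPage: FetchPage): Promise<string[]> {
  const all = await listAllCredentials(fetchPage);
  return findWildcardTokenCredentials(all).map((c) => c.id);
}
```

Run `auditZone` against the real fetcher on a schedule and treat any returned ID as a finding to review: either pin the credential with `update(id, { zoneId, subject })` or record why a wildcard is intended.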

## Create

`client.zones.applicationCredentials.create(zoneID: string, body: ApplicationCredentialCreateParams, options?: RequestOptions): ApplicationCredentialCreateResponse`

**post** `/zones/{zoneId}/application-credentials`

Creates a new application credential

### Parameters

- `zoneID: string`

- `ApplicationCredentialCreateParams = IamApplicationCredentialCreateToken | IamApplicationCredentialCreatePassword | IamApplicationCredentialCreatePublicKey | IamApplicationCredentialCreateURL | IamApplicationCredentialCreatePublic`

  - `ApplicationCredentialCreateParamsBase`

    - `application_id: string`

      ID of the application this credential belongs to

    - `provider_id: string`

      ID of the provider issuing tokens this credential verifies

    - `type: "token"`

      - `"token"`

    - `subject?: string`

      Subject identifier for the token. When omitted, the credential is created with identifier '*' and any token from the provider is accepted without checking application-specific claims; set a specific subject unless a wildcard is intended.

  - `IamApplicationCredentialCreateToken extends ApplicationCredentialCreateParamsBase`

  - `IamApplicationCredentialCreatePassword extends ApplicationCredentialCreateParamsBase`

  - `IamApplicationCredentialCreatePublicKey extends ApplicationCredentialCreateParamsBase`

  - `IamApplicationCredentialCreateURL extends ApplicationCredentialCreateParamsBase`

  - `IamApplicationCredentialCreatePublic extends ApplicationCredentialCreateParamsBase`

### Returns

- `ApplicationCredentialCreateResponse = Token | Password | PublicKey | URL | Public`

  Response for creating a new application credential

  - `Token extends BaseFields`

    Token-based application credential

    - `identifier: string`

      Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

    - `provider_id: string`

      ID of the provider issuing tokens verified by this credential

    - `type: "token"`

      - `"token"`

    - `provider?: Provider`

      A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

      - `id: string`

        Unique identifier of the provider

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this provider

      - `owner_type: "platform" | "customer"`

        Who owns this provider. Platform-owned providers cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this provider belongs to

      - `client_id?: string | null`

        OAuth 2.0 client identifier

      - `client_secret_set?: boolean`

        Indicates whether a client secret is configured

      - `description?: string | null`

        Human-readable description

      - `metadata?: unknown`

        Provider metadata

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `issuer: string`

            OIDC issuer URL used for discovery and token validation.

          - `authorization_endpoint?: string | null`

          - `authorization_parameters?: Record<string, string> | null`

            Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

          - `authorization_resource_enabled?: boolean | null`

            Whether to include the resource parameter in authorization requests.

          - `authorization_resource_parameter?: string | null`

            The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

          - `code_challenge_methods_supported?: Array<string> | null`

          - `jwks_uri?: string | null`

          - `registration_endpoint?: string | null`

          - `scope_parameter?: string | null`

            The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

          - `scope_separator?: string | null`

            The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

          - `scopes_supported?: Array<string> | null`

          - `token_endpoint?: string | null`

          - `token_response_access_token_pointer?: string | null`

            Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

        - `openid?: Openid | null`

          OpenID Connect protocol configuration

          - `user_identifier_claim?: string | null`

            Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

          - `userinfo_endpoint?: string | null`

      - `type?: "external" | "keycard-vault" | "keycard-sts"`

        - `"external"`

        - `"keycard-vault"`

        - `"keycard-sts"`

    - `subject?: string | null`

      Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

  - `Password extends BaseFields`

    Password-based application credential

    - `identifier: string`

      Username for password credential, also used as OAuth 2.0 client ID

    - `type: "password"`

      - `"password"`

    - `password?: string`

      Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

  - `PublicKey extends BaseFields`

    Public key-based application credential

    - `identifier: string`

      Client ID for public key credential, also used as OAuth 2.0 client ID

    - `jwks_uri: string`

      JWKS URI to retrieve public keys from

    - `type: "public-key"`

      - `"public-key"`

  - `URL extends BaseFields`

    URL-based application credential

    - `identifier: string`

      URL of the credential (must be a valid URL)

    - `type: "url"`

      - `"url"`

  - `Public extends BaseFields`

    Public credential (no secret storage)

    - `identifier: string`

      Identifier for public credential, also used as OAuth 2.0 client ID

    - `type: "public"`

      - `"public"`

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

const applicationCredential = await client.zones.applicationCredentials.create('zoneId', {
  application_id: 'application_id',
  provider_id: 'provider_id',
  type: 'token',
  // Omitting `subject` creates a wildcard credential (identifier '*') that
  // accepts any token issued by the provider; pin it to the expected subject.
  subject: 'subject',
});

console.log(applicationCredential);
```

## Retrieve

`client.zones.applicationCredentials.retrieve(id: string, params: ApplicationCredentialRetrieveParams, options?: RequestOptions): Credential`

**get** `/zones/{zoneId}/application-credentials/{id}`

Returns details of a specific application credential by ID

### Parameters

- `id: string`

- `params: ApplicationCredentialRetrieveParams`

  - `zoneId: string`

### Returns

- `Credential = Token | Password | PublicKey | URL | Public`

  Credentials for accessing external services from applications

  - `Token extends BaseFields`

    Token-based application credential

    - `identifier: string`

      Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

    - `provider_id: string`

      ID of the provider issuing tokens verified by this credential

    - `type: "token"`

      - `"token"`

    - `provider?: Provider`

      A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

      - `id: string`

        Unique identifier of the provider

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this provider

      - `owner_type: "platform" | "customer"`

        Who owns this provider. Platform-owned providers cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this provider belongs to

      - `client_id?: string | null`

        OAuth 2.0 client identifier

      - `client_secret_set?: boolean`

        Indicates whether a client secret is configured

      - `description?: string | null`

        Human-readable description

      - `metadata?: unknown`

        Provider metadata

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `issuer: string`

            OIDC issuer URL used for discovery and token validation.

          - `authorization_endpoint?: string | null`

          - `authorization_parameters?: Record<string, string> | null`

            Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

          - `authorization_resource_enabled?: boolean | null`

            Whether to include the resource parameter in authorization requests.

          - `authorization_resource_parameter?: string | null`

            The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

          - `code_challenge_methods_supported?: Array<string> | null`

          - `jwks_uri?: string | null`

          - `registration_endpoint?: string | null`

          - `scope_parameter?: string | null`

            The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

          - `scope_separator?: string | null`

            The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

          - `scopes_supported?: Array<string> | null`

          - `token_endpoint?: string | null`

          - `token_response_access_token_pointer?: string | null`

            Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

        - `openid?: Openid | null`

          OpenID Connect protocol configuration

          - `user_identifier_claim?: string | null`

            Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

          - `userinfo_endpoint?: string | null`

      - `type?: "external" | "keycard-vault" | "keycard-sts"`

        - `"external"`

        - `"keycard-vault"`

        - `"keycard-sts"`

    - `subject?: string | null`

      Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

  - `Password extends BaseFields`

    Password-based application credential

    - `identifier: string`

      Username for password credential, also used as OAuth 2.0 client ID

    - `type: "password"`

      - `"password"`

    - `password?: string`

      Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

  - `PublicKey extends BaseFields`

    Public key-based application credential

    - `identifier: string`

      Client ID for public key credential, also used as OAuth 2.0 client ID

    - `jwks_uri: string`

      JWKS URI to retrieve public keys from

    - `type: "public-key"`

      - `"public-key"`

  - `URL extends BaseFields`

    URL-based application credential

    - `identifier: string`

      URL of the credential (must be a valid URL)

    - `type: "url"`

      - `"url"`

  - `Public extends BaseFields`

    Public credential (no secret storage)

    - `identifier: string`

      Identifier for public credential, also used as OAuth 2.0 client ID

    - `type: "public"`

      - `"public"`

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

const credential = await client.zones.applicationCredentials.retrieve('id', { zoneId: 'zoneId' });

console.log(credential);
```

## Update

`client.zones.applicationCredentials.update(id: string, params: ApplicationCredentialUpdateParams, options?: RequestOptions): Credential`

**patch** `/zones/{zoneId}/application-credentials/{id}`

Updates an application credential's configuration

### Parameters

- `id: string`

- `ApplicationCredentialUpdateParams = IamTokenCredentialUpdate | IamPasswordCredentialUpdate | IamPublicKeyCredentialUpdate | IamURLCredentialUpdate | IamPublicCredentialUpdate`

  - `ApplicationCredentialUpdateParamsBase`

    - `zoneId: string`

      Path param

    - `subject?: string | null`

      Body param: Subject identifier for the token. Set to null to unset, which allows any token from the provider to be accepted without checking application-specific claims. Omit the key to leave the current subject unchanged.

    - `type?: "token"`

      Body param

      - `"token"`

  - `IamTokenCredentialUpdate extends ApplicationCredentialUpdateParamsBase`

  - `IamPasswordCredentialUpdate extends ApplicationCredentialUpdateParamsBase`

  - `IamPublicKeyCredentialUpdate extends ApplicationCredentialUpdateParamsBase`

  - `IamURLCredentialUpdate extends ApplicationCredentialUpdateParamsBase`

  - `IamPublicCredentialUpdate extends ApplicationCredentialUpdateParamsBase`

### Returns

- `Credential = Token | Password | PublicKey | URL | Public`

  Credentials for accessing external services from applications

  - `Token extends BaseFields`

    Token-based application credential

    - `identifier: string`

      Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

    - `provider_id: string`

      ID of the provider issuing tokens verified by this credential

    - `type: "token"`

      - `"token"`

    - `provider?: Provider`

      A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

      - `id: string`

        Unique identifier of the provider

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this provider

      - `owner_type: "platform" | "customer"`

        Who owns this provider. Platform-owned providers cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this provider belongs to

      - `client_id?: string | null`

        OAuth 2.0 client identifier

      - `client_secret_set?: boolean`

        Indicates whether a client secret is configured

      - `description?: string | null`

        Human-readable description

      - `metadata?: unknown`

        Provider metadata

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `issuer: string`

            OIDC issuer URL used for discovery and token validation.

          - `authorization_endpoint?: string | null`

          - `authorization_parameters?: Record<string, string> | null`

            Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

          - `authorization_resource_enabled?: boolean | null`

            Whether to include the resource parameter in authorization requests.

          - `authorization_resource_parameter?: string | null`

            The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

          - `code_challenge_methods_supported?: Array<string> | null`

          - `jwks_uri?: string | null`

          - `registration_endpoint?: string | null`

          - `scope_parameter?: string | null`

            The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

          - `scope_separator?: string | null`

            The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

          - `scopes_supported?: Array<string> | null`

          - `token_endpoint?: string | null`

          - `token_response_access_token_pointer?: string | null`

            Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

        - `openid?: Openid | null`

          OpenID Connect protocol configuration

          - `user_identifier_claim?: string | null`

            Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

          - `userinfo_endpoint?: string | null`

      - `type?: "external" | "keycard-vault" | "keycard-sts"`

        - `"external"`

        - `"keycard-vault"`

        - `"keycard-sts"`

    - `subject?: string | null`

      Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

  - `Password extends BaseFields`

    Password-based application credential

    - `identifier: string`

      Username for password credential, also used as OAuth 2.0 client ID

    - `type: "password"`

      - `"password"`

    - `password?: string`

      Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

  - `PublicKey extends BaseFields`

    Public key-based application credential

    - `identifier: string`

      Client ID for public key credential, also used as OAuth 2.0 client ID

    - `jwks_uri: string`

      JWKS URI to retrieve public keys from

    - `type: "public-key"`

      - `"public-key"`

  - `URL extends BaseFields`

    URL-based application credential

    - `identifier: string`

      URL of the credential (must be a valid URL)

    - `type: "url"`

      - `"url"`

  - `Public extends BaseFields`

    Public credential (no secret storage)

    - `identifier: string`

      Identifier for public credential, also used as OAuth 2.0 client ID

    - `type: "public"`

      - `"public"`

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

const credential = await client.zones.applicationCredentials.update('id', { zoneId: 'zoneId' });

console.log(credential);
```
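Both Create and Update can leave a token credential accepting any token from its provider: Create by omitting `subject`, Update by sending `subject: null` (an omitted key on PATCH leaves the subject as it is). The guard below is an added example, not part of the SDK or of Keycard; it is a hypothetical pre-flight check you run on the request body before handing it to `client.zones.applicationCredentials.create` or `.update`, refusing a widening write unless the caller sets an explicit `allowWildcard: true`. The body types are trimmed to the token-credential fields this page documents; the `WildcardSubjectError` class and `Policy` option are this example's own names.

```typescript
// Request shapes trimmed to the token-credential fields documented on this page.
type TokenCreateBody = {
  application_id: string;
  provider_id: string;
  type: 'token';
  subject?: string;
};

type TokenUpdateBody = {
  zoneId: string;
  type?: 'token';
  subject?: string | null; // null unsets, undefined leaves unchanged
};

// Hypothetical policy switch for this example; default is "no wildcards".
type Policy = { allowWildcard?: boolean };

export class WildcardSubjectError extends Error {}

function assertSpecificSubject(
  subject: string | null | undefined,
  policy: Policy,
  what: string,
): void {
  if (subject === undefined || subject === null) {
    if (policy.allowWildcard) return;
    throw new WildcardSubjectError(
      `${what}: token credential without a subject accepts any token from the provider; pass allowWildcard: true to override`,
    );
  }
  // Refuse empty or literal '*' subjects so the audit signal (identifier '*')
  // stays unambiguous. Rejecting '*' is this example's choice, not an API rule.
  if (subject.trim() === '' || subject === '*') {
    throw new WildcardSubjectError(`${what}: '${subject}' is not a specific subject`);
  }
}

// Create: an omitted subject yields identifier '*' (see Returns above).
export function guardTokenCreate(body: TokenCreateBody, policy: Policy = {}): TokenCreateBody {
  assertSpecificSubject(body.subject, policy, 'create');
  return body;
}

// Update: only a present `subject` key touches the stored value, so a PATCH
// that does not mention it cannot widen the credential and passes through.
export function guardTokenUpdate(body: TokenUpdateBody, policy: Policy = {}): TokenUpdateBody {
  if (body.subject === undefined) return body;
  assertSpecificSubject(body.subject, policy, 'update');
  return body;
}
```

The distinction that matters is `null` versus absent on Update: the SDK type is `subject?: string | null`, and only the explicit `null` unsets the subject, so the guard must not treat a missing key as a wildcard.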

## Delete

`client.zones.applicationCredentials.delete(id: string, params: ApplicationCredentialDeleteParams, options?: RequestOptions): void`

**delete** `/zones/{zoneId}/application-credentials/{id}`

Permanently deletes an application credential

### Parameters

- `id: string`

- `params: ApplicationCredentialDeleteParams`

  - `zoneId: string`

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

await client.zones.applicationCredentials.delete('id', { zoneId: 'zoneId' });
```

## Domain Types

### Base Fields

- `BaseFields`

  Common fields shared by all application credential types

  - `id: string`

    Unique identifier of the credential

  - `application_id: string`

    ID of the application this credential belongs to

  - `created_at: string`

    Entity creation timestamp

  - `organization_id: string`

    Organization that owns this credential

  - `slug: string`

    URL-safe identifier, unique within the zone

  - `updated_at: string`

    Entity update timestamp

  - `zone_id: string`

    Zone this credential belongs to

  - `application?: Application`

    An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

    - `id: string`

      Unique identifier of the application

    - `consent: "implicit" | "required"`

      Consent mode for the application. 'implicit' means consent is automatically granted, 'required' means explicit user consent is needed.

      - `"implicit"`

      - `"required"`

    - `created_at: string`

      Entity creation timestamp

    - `dependencies_count: number`

      Number of resource dependencies

    - `identifier: string`

      User specified identifier, unique within the zone

    - `name: string`

      Human-readable name

    - `organization_id: string`

      Organization that owns this application

    - `owner_type: "platform" | "customer"`

      Who owns this application. Platform-owned applications cannot be modified via API.

      - `"platform"`

      - `"customer"`

    - `slug: string`

      URL-safe identifier, unique within the zone

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this application belongs to

    - `description?: string | null`

      Human-readable description

    - `metadata?: Metadata`

      Entity metadata

      - `docs_url?: string`

        Documentation URL

    - `protocols?: Protocols | null`

      Protocol-specific configuration

      - `oauth2?: Oauth2 | null`

        OAuth 2.0 protocol configuration

        - `post_logout_redirect_uris?: Array<string> | null`

          OAuth 2.0 post-logout redirect URIs for this application

        - `redirect_uris?: Array<string> | null`

          OAuth 2.0 redirect URIs for this application

### Credential

- `Credential = Token | Password | PublicKey | URL | Public`

  Credentials for accessing external services from applications

  - `Token extends BaseFields`

    Token-based application credential

    - `identifier: string`

      Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

    - `provider_id: string`

      ID of the provider issuing tokens verified by this credential

    - `type: "token"`

      - `"token"`

    - `provider?: Provider`

      A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

      - `id: string`

        Unique identifier of the provider

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this provider

      - `owner_type: "platform" | "customer"`

        Who owns this provider. Platform-owned providers cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this provider belongs to

      - `client_id?: string | null`

        OAuth 2.0 client identifier

      - `client_secret_set?: boolean`

        Indicates whether a client secret is configured

      - `description?: string | null`

        Human-readable description

      - `metadata?: unknown`

        Provider metadata

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `issuer: string`

            OIDC issuer URL used for discovery and token validation.

          - `authorization_endpoint?: string | null`

          - `authorization_parameters?: Record<string, string> | null`

            Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

          - `authorization_resource_enabled?: boolean | null`

            Whether to include the resource parameter in authorization requests.

          - `authorization_resource_parameter?: string | null`

            The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

          - `code_challenge_methods_supported?: Array<string> | null`

          - `jwks_uri?: string | null`

          - `registration_endpoint?: string | null`

          - `scope_parameter?: string | null`

            The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

          - `scope_separator?: string | null`

            The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

          - `scopes_supported?: Array<string> | null`

          - `token_endpoint?: string | null`

          - `token_response_access_token_pointer?: string | null`

            Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

        - `openid?: Openid | null`

          OpenID Connect protocol configuration

          - `user_identifier_claim?: string | null`

            Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

          - `userinfo_endpoint?: string | null`

      - `type?: "external" | "keycard-vault" | "keycard-sts"`

        - `"external"`

        - `"keycard-vault"`

        - `"keycard-sts"`

    - `subject?: string | null`

      Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.

  - `Password extends BaseFields`

    Password-based application credential

    - `identifier: string`

      Username for password credential, also used as OAuth 2.0 client ID

    - `type: "password"`

      - `"password"`

    - `password?: string`

      Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

  - `PublicKey extends BaseFields`

    Public key-based application credential

    - `identifier: string`

      Client ID for public key credential, also used as OAuth 2.0 client ID

    - `jwks_uri: string`

      JWKS URI to retrieve public keys from

    - `type: "public-key"`

      - `"public-key"`

  - `URL extends BaseFields`

    URL-based application credential

    - `identifier: string`

      URL of the credential (must be a valid URL)

    - `type: "url"`

      - `"url"`

  - `Public extends BaseFields`

    Public credential (no secret storage)

    - `identifier: string`

      Identifier for public credential, also used as OAuth 2.0 client ID

    - `type: "public"`

      - `"public"`

### Password

- `Password extends BaseFields`

  Password-based application credential

  - `identifier: string`

    Username for password credential, also used as OAuth 2.0 client ID

  - `type: "password"`

    - `"password"`

  - `password?: string`

    Password for credential (only returned on creation, store securely), also used as OAuth 2.0 client secret

### Public

- `Public extends BaseFields`

  Public credential (no secret storage)

  - `identifier: string`

    Identifier for public credential, also used as OAuth 2.0 client ID

  - `type: "public"`

    - `"public"`

### Public Key

- `PublicKey extends BaseFields`

  Public key-based application credential

  - `identifier: string`

    Client ID for public key credential, also used as OAuth 2.0 client ID

  - `jwks_uri: string`

    JWKS URI to retrieve public keys from

  - `type: "public-key"`

    - `"public-key"`

### Token

- `Token extends BaseFields`

  Token-based application credential

  - `identifier: string`

    Identifier for this credential. For token type, this equals the subject value, or '*' when subject is not specified.

  - `provider_id: string`

    ID of the provider issuing tokens verified by this credential

  - `type: "token"`

    - `"token"`

  - `provider?: Provider`

    A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

    - `id: string`

      Unique identifier of the provider

    - `created_at: string`

      Entity creation timestamp

    - `identifier: string`

      User-specified identifier, unique within the zone

    - `name: string`

      Human-readable name

    - `organization_id: string`

      Organization that owns this provider

    - `owner_type: "platform" | "customer"`

      Who owns this provider. Platform-owned providers cannot be modified via API.

      - `"platform"`

      - `"customer"`

    - `slug: string`

      URL-safe identifier, unique within the zone

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this provider belongs to

    - `client_id?: string | null`

      OAuth 2.0 client identifier

    - `client_secret_set?: boolean`

      Indicates whether a client secret is configured

    - `description?: string | null`

      Human-readable description

    - `metadata?: unknown`

      Provider metadata

    - `protocols?: Protocols | null`

      Protocol-specific configuration

      - `oauth2?: Oauth2 | null`

        OAuth 2.0 protocol configuration

        - `issuer: string`

          OIDC issuer URL used for discovery and token validation.

        - `authorization_endpoint?: string | null`

        - `authorization_parameters?: Record<string, string> | null`

          Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

        - `authorization_resource_enabled?: boolean | null`

          Whether to include the resource parameter in authorization requests.

        - `authorization_resource_parameter?: string | null`

          The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

        - `code_challenge_methods_supported?: Array<string> | null`

        - `jwks_uri?: string | null`

        - `registration_endpoint?: string | null`

        - `scope_parameter?: string | null`

          The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

        - `scope_separator?: string | null`

          The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

        - `scopes_supported?: Array<string> | null`

        - `token_endpoint?: string | null`

        - `token_response_access_token_pointer?: string | null`

          Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

      - `openid?: Openid | null`

        OpenID Connect protocol configuration

        - `user_identifier_claim?: string | null`

          Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

        - `userinfo_endpoint?: string | null`

    - `type?: "external" | "keycard-vault" | "keycard-sts"`

      - `"external"`

      - `"keycard-vault"`

      - `"keycard-sts"`

  - `subject?: string | null`

    Subject identifier for the token. When null or omitted, any token from the provider is accepted without checking application-specific claims.
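The Oauth2 fields above carry provider-specific defaults (scope parameter name, scope separator, resource parameter, access-token pointer). As an added example that is not code from the Keycard SDK or this page, the helpers below apply those documented defaults; `Oauth2Config` is a hand-written subset of the `protocols.oauth2` shape, the function names are assumptions, and the Slack v2 style configuration is constructed sample data.

```typescript
// Added example, not from the Keycard SDK. Oauth2Config is a hand-written
// subset of the page's `protocols.oauth2` fields; helper names are assumptions.
type Oauth2Config = {
  issuer: string;
  authorization_resource_enabled?: boolean | null;
  authorization_resource_parameter?: string | null;
  authorization_parameters?: Record<string, string> | null;
  scope_parameter?: string | null;
  scope_separator?: string | null;
  token_response_access_token_pointer?: string | null;
};

// Build the query parameters for an authorization request, applying the
// documented defaults: "scope", " " (space) and "resource".
function buildAuthorizationQuery(
  cfg: Oauth2Config,
  scopes: string[],
  resource?: string,
): Record<string, string> {
  const query: Record<string, string> = { ...(cfg.authorization_parameters ?? {}) };
  const scopeParam = cfg.scope_parameter ?? "scope";
  const separator = cfg.scope_separator ?? " ";
  query[scopeParam] = scopes.join(separator);
  if (cfg.authorization_resource_enabled && resource !== undefined) {
    query[cfg.authorization_resource_parameter ?? "resource"] = resource;
  }
  return query;
}

// Resolve the dot-separated pointer (default "access_token") into a token
// response body. Returns null instead of throwing when the path is missing
// or not a non-empty string, so an unexpected response is never taken as a token.
function extractAccessToken(cfg: Oauth2Config, body: unknown): string | null {
  const pointer = cfg.token_response_access_token_pointer ?? "access_token";
  let cur: unknown = body;
  for (const key of pointer.split(".")) {
    if (typeof cur !== "object" || cur === null) return null;
    if (!(key in cur)) return null;
    cur = (cur as Record<string, unknown>)[key];
  }
  return typeof cur === "string" && cur.length > 0 ? cur : null;
}

// Constructed sample: a Slack v2 style configuration as described on the page.
const slackV2: Oauth2Config = {
  issuer: "https://idp.example/", // placeholder issuer, constructed
  scope_parameter: "user_scope",
  scope_separator: ",",
  token_response_access_token_pointer: "authed_user.access_token",
};
```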

### URL

- `URL extends BaseFields`

  URL-based application credential

  - `identifier: string`

    URL of the credential (must be a valid URL)

  - `type: "url"`

    - `"url"`
