# Delegated Grants

## List

`client.zones.delegatedGrants.list(zoneID: string, query?: DelegatedGrantListParams, options?: RequestOptions): DelegatedGrantListResponse`

**get** `/zones/{zoneId}/delegated-grants`

Returns a list of delegated grants in the specified zone. Can be filtered by user, resource, or status.

### Parameters

- `zoneID: string`

- `query: DelegatedGrantListParams`

  - `active?: "true"`

    - `"true"`

  - `after?: string`

    Cursor for forward pagination

  - `before?: string`

    Cursor for backward pagination

  - `expand?: "total_count" | Array<"total_count">`

    - `"total_count"`

      - `"total_count"`

    - `Array<"total_count">`

      - `"total_count"`

  - `limit?: number`

    Maximum number of items to return

  - `resource_id?: string`

    Filter by resource ID

  - `status?: "active" | "expired" | "revoked"`

    - `"active"`

    - `"expired"`

    - `"revoked"`

  - `user_id?: string`

    Filter by user ID

### Returns

- `DelegatedGrantListResponse`

  - `items: Array<Grant>`

    - `id: string`

      Unique identifier of the delegated grant

    - `created_at: string`

      Entity creation timestamp

    - `expires_at: string`

      Date when grant expires

    - `organization_id: string`

      Organization that owns this grant

    - `provider_id: string`

      ID of the provider that issued this grant

    - `refresh_token_set: boolean`

      Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

    - `resource_id: string`

      ID of resource receiving grant

    - `scopes: Array<string>`

      Granted OAuth scopes

    - `status: "active" | "expired" | "revoked"`

      - `"active"`

      - `"expired"`

      - `"revoked"`

    - `updated_at: string`

      Entity update timestamp

    - `user_id: string`

      Reference to the user granting permission

    - `zone_id: string`

      Zone this grant belongs to

    - `active?: boolean`

      Whether the grant is currently active (deprecated - use status instead)

    - `provider?: Provider`

      A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

      - `id: string`

        Unique identifier of the provider

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this provider

      - `owner_type: "platform" | "customer"`

        Who owns this provider. Platform-owned providers cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this provider belongs to

      - `client_id?: string | null`

        OAuth 2.0 client identifier

      - `client_secret_set?: boolean`

        Indicates whether a client secret is configured

      - `description?: string | null`

        Human-readable description

      - `metadata?: unknown`

        Provider metadata

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `issuer: string`

            OIDC issuer URL used for discovery and token validation.

          - `authorization_endpoint?: string | null`

          - `authorization_parameters?: Record<string, string> | null`

            Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

          - `authorization_resource_enabled?: boolean | null`

            Whether to include the resource parameter in authorization requests.

          - `authorization_resource_parameter?: string | null`

            The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

          - `code_challenge_methods_supported?: Array<string> | null`

          - `jwks_uri?: string | null`

          - `registration_endpoint?: string | null`

          - `scope_parameter?: string | null`

            The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

          - `scope_separator?: string | null`

            The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

          - `scopes_supported?: Array<string> | null`

          - `token_endpoint?: string | null`

          - `token_response_access_token_pointer?: string | null`

            Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

        - `openid?: Openid | null`

          OpenID Connect protocol configuration

          - `user_identifier_claim?: string | null`

            Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

          - `userinfo_endpoint?: string | null`

      - `type?: "external" | "keycard-vault" | "keycard-sts"`

        - `"external"`

        - `"keycard-vault"`

        - `"keycard-sts"`

    - `refreshed_at?: string`

      Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

    - `resource?: Resource`

      A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

      - `id: string`

        Unique identifier of the resource

      - `application_type: "native" | "web"`

        The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

        - `"native"`

        - `"web"`

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this resource

      - `owner_type: "platform" | "customer"`

        Who owns this resource. Platform-owned resources cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `prefix: boolean`

        When true, the resource identifier is treated as a URI prefix, protecting all URLs that share the identifier as a prefix at path/query/fragment boundaries. Protocol and hostname must match exactly. When multiple prefix resources satisfy an identifier query, the resource with the longest prefix is matched.

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this resource belongs to

      - `application?: Application`

        An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

        - `id: string`

          Unique identifier of the application

        - `consent: "implicit" | "required"`

          Consent mode for the application. 'implicit' means consent is automatically granted, 'required' means explicit user consent is needed.

          - `"implicit"`

          - `"required"`

        - `created_at: string`

          Entity creation timestamp

        - `dependencies_count: number`

          Number of resource dependencies

        - `identifier: string`

          User specified identifier, unique within the zone

        - `name: string`

          Human-readable name

        - `organization_id: string`

          Organization that owns this application

        - `owner_type: "platform" | "customer"`

          Who owns this application. Platform-owned applications cannot be modified via API.

          - `"platform"`

          - `"customer"`

        - `slug: string`

          URL-safe identifier, unique within the zone

        - `updated_at: string`

          Entity update timestamp

        - `zone_id: string`

          Zone this application belongs to

        - `description?: string | null`

          Human-readable description

        - `metadata?: Metadata`

          Entity metadata

          - `docs_url?: string`

            Documentation URL

        - `protocols?: Protocols | null`

          Protocol-specific configuration

          - `oauth2?: Oauth2 | null`

            OAuth 2.0 protocol configuration

            - `post_logout_redirect_uris?: Array<string> | null`

              OAuth 2.0 post-logout redirect URIs for this application

            - `redirect_uris?: Array<string> | null`

              OAuth 2.0 redirect URIs for this application

      - `application_id?: string`

        ID of the application that provides this resource

      - `credential_provider?: Provider`

        A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

        - `id: string`

          Unique identifier of the provider

        - `created_at: string`

          Entity creation timestamp

        - `identifier: string`

          User specified identifier, unique within the zone

        - `name: string`

          Human-readable name

        - `organization_id: string`

          Organization that owns this provider

        - `owner_type: "platform" | "customer"`

          Who owns this provider. Platform-owned providers cannot be modified via API.

          - `"platform"`

          - `"customer"`

        - `slug: string`

          URL-safe identifier, unique within the zone

        - `updated_at: string`

          Entity update timestamp

        - `zone_id: string`

          Zone this provider belongs to

        - `client_id?: string | null`

          OAuth 2.0 client identifier

        - `client_secret_set?: boolean`

          Indicates whether a client secret is configured

        - `description?: string | null`

          Human-readable description

        - `metadata?: unknown`

          Provider metadata

        - `protocols?: Protocols | null`

          Protocol-specific configuration

          - `oauth2?: Oauth2 | null`

            OAuth 2.0 protocol configuration

            - `issuer: string`

              OIDC issuer URL used for discovery and token validation.

            - `authorization_endpoint?: string | null`

            - `authorization_parameters?: Record<string, string> | null`

              Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

            - `authorization_resource_enabled?: boolean | null`

              Whether to include the resource parameter in authorization requests.

            - `authorization_resource_parameter?: string | null`

              The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

            - `code_challenge_methods_supported?: Array<string> | null`

            - `jwks_uri?: string | null`

            - `registration_endpoint?: string | null`

            - `scope_parameter?: string | null`

              The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

            - `scope_separator?: string | null`

              The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

            - `scopes_supported?: Array<string> | null`

            - `token_endpoint?: string | null`

            - `token_response_access_token_pointer?: string | null`

              Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

          - `openid?: Openid | null`

            OpenID Connect protocol configuration

            - `user_identifier_claim?: string | null`

              Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

            - `userinfo_endpoint?: string | null`

        - `type?: "external" | "keycard-vault" | "keycard-sts"`

          - `"external"`

          - `"keycard-vault"`

          - `"keycard-sts"`

      - `credential_provider_id?: string`

        ID of the credential provider for this resource

      - `description?: string | null`

        Human-readable description

      - `metadata?: Metadata`

        Entity metadata

        - `docs_url?: string`

          Documentation URL

      - `scopes?: Array<string> | null`

        Scopes supported by the resource

      - `when_accessing?: Array<string>`

        List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

    - `user?: User`

      An authenticated user entity

      - `id: string`

        Unique identifier of the user

      - `created_at: string`

        Entity creation timestamp

      - `email: string`

        Email address of the user

      - `email_verified: boolean`

        Whether the email address has been verified

      - `identifier: string`

        Zone-scoped user identifier. Defaults to the user's Keycard ID. When the provider has user_identifier_claim configured, the value is set from that claim at user creation time.

      - `organization_id: string`

        Organization that owns this user

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this user belongs to

      - `authenticated_at?: string`

        Date when the user was last authenticated

      - `issuer?: string`

        Issuer identifier of the identity provider

      - `provider_id?: string`

        Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

      - `subject?: string`

        Subject identifier from the identity provider

  - `pagination: Pagination`

    Cursor-based pagination metadata

    - `after_cursor: string | null`

      An opaque cursor used for paginating through a list of results

    - `before_cursor: string | null`

      An opaque cursor used for paginating through a list of results

    - `total_count?: number`

      Total number of items matching the query. Only included when expand[]=total_count is requested.

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

const delegatedGrants = await client.zones.delegatedGrants.list('zoneId');

console.log(delegatedGrants.items);
```
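An added example (not part of the Keycard SDK or this reference) that uses the `status`, `limit` and `after` query parameters above to walk every page of active grants, flags grants whose `scopes` exceed a per-resource allowlist, and revokes the flagged ones through the `status: "revoked"` update documented under Update. It assumes `after_cursor` is `null` on the last page and that the SDK methods return Promises, as the `await` in the page's examples implies; the `FakeDelegatedGrants` client, the policy and the grants are constructed stand-ins.

```typescript
// Added example, not part of the Keycard SDK or its docs: an access review over
// delegated grants. It pages through active grants with the `after` cursor
// documented above, flags grants whose scopes exceed a per-resource allowlist,
// and revokes them via the PATCH documented under "Update" (body status
// "revoked"). Assumed: `after_cursor` is null on the last page, and the SDK
// methods return Promises (this page's examples use `await`).

type GrantStatus = 'active' | 'expired' | 'revoked';

// Subset of the documented Grant schema used by the review.
interface GrantLike { id: string; user_id: string; resource_id: string; scopes: string[]; status: GrantStatus }
interface ListQuery { status?: GrantStatus; limit?: number; after?: string }
interface ListPage { items: GrantLike[]; pagination: { after_cursor: string | null } }
interface Finding { grantId: string; userId: string; resourceId: string; excessScopes: string[] }

// Structural type shaped like client.zones.delegatedGrants, so the real client
// member can stand in for the in-memory fake below.
interface DelegatedGrantsApi {
  list(zoneID: string, query?: ListQuery): Promise<ListPage>;
  update(id: string, params: { zoneId: string; status: 'revoked' }): Promise<GrantLike>;
}

// Scopes the grant holds that the policy does not allow for its resource.
function excessScopes(granted: string[], allowed: string[]): string[] {
  const ok = new Set(allowed);
  return granted.filter((s) => !ok.has(s));
}

// Walk every page of active grants with forward cursor pagination. Stops on a
// null cursor, an empty page, or a repeated cursor (defence against a loop).
async function* iterateActiveGrants(api: DelegatedGrantsApi, zoneID: string, pageSize: number): AsyncGenerator<GrantLike> {
  let after: string | undefined;
  const seen = new Set<string>();
  for (;;) {
    const page = await api.list(zoneID, { status: 'active', limit: pageSize, after });
    for (const g of page.items) yield g;
    const next = page.pagination.after_cursor;
    if (!next || page.items.length === 0 || seen.has(next)) break;
    seen.add(next);
    after = next;
  }
}

// Resources absent from the policy are treated as allowing no delegated scopes.
async function findOverScopedGrants(api: DelegatedGrantsApi, zoneID: string, policy: Record<string, string[]>, pageSize = 100): Promise<Finding[]> {
  const findings: Finding[] = [];
  for await (const g of iterateActiveGrants(api, zoneID, pageSize)) {
    const excess = excessScopes(g.scopes, policy[g.resource_id] ?? []);
    if (excess.length > 0) findings.push({ grantId: g.id, userId: g.user_id, resourceId: g.resource_id, excessScopes: excess });
  }
  return findings;
}

// Revoke each flagged grant; return the ids the API confirms as revoked.
async function revokeGrants(api: DelegatedGrantsApi, zoneID: string, findings: Finding[]): Promise<string[]> {
  const revoked: string[] = [];
  for (const f of findings) {
    const updated = await api.update(f.grantId, { zoneId: zoneID, status: 'revoked' });
    if (updated.status === 'revoked') revoked.push(updated.id);
  }
  return revoked;
}

// Constructed in-memory stand-in for client.zones.delegatedGrants holding sample
// (not real) grants. Pages are cut at `limit`; the cursor is the next offset.
class FakeDelegatedGrants implements DelegatedGrantsApi {
  private grants: GrantLike[];
  constructor(grants: GrantLike[]) { this.grants = grants.map((g) => ({ ...g })); }
  async list(_zoneID: string, query: ListQuery = {}): Promise<ListPage> {
    const matching = this.grants.filter((g) => !query.status || g.status === query.status);
    const start = query.after ? Number(query.after) : 0;
    const items = matching.slice(start, start + (query.limit ?? 100));
    const end = start + items.length;
    return { items, pagination: { after_cursor: end < matching.length ? String(end) : null } };
  }
  async update(id: string, params: { zoneId: string; status: 'revoked' }): Promise<GrantLike> {
    const g = this.grants.find((x) => x.id === id);
    if (!g) throw new Error(`grant ${id} not found`);
    g.status = params.status;
    return { ...g };
  }
}

const SAMPLE_GRANTS: GrantLike[] = [
  { id: 'g1', user_id: 'u1', resource_id: 'res_crm',  scopes: ['contacts.read'],                   status: 'active' },
  { id: 'g2', user_id: 'u2', resource_id: 'res_crm',  scopes: ['contacts.read', 'contacts.write'], status: 'active' },
  { id: 'g3', user_id: 'u3', resource_id: 'res_mail', scopes: ['mail.send'],                       status: 'active' },
  { id: 'g4', user_id: 'u4', resource_id: 'res_crm',  scopes: ['contacts.write'],                  status: 'revoked' },
  { id: 'g5', user_id: 'u5', resource_id: 'res_mail', scopes: ['mail.read'],                       status: 'active' },
];
const POLICY: Record<string, string[]> = { res_crm: ['contacts.read'], res_mail: ['mail.read'] };

async function runReview(api: DelegatedGrantsApi = new FakeDelegatedGrants(SAMPLE_GRANTS)): Promise<{ findings: Finding[]; revoked: string[] }> {
  const findings = await findOverScopedGrants(api, 'zone_demo', POLICY, 2); // page size 2 exercises paging
  const revoked = await revokeGrants(api, 'zone_demo', findings);
  return { findings, revoked };
}

runReview().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Pass `client.zones.delegatedGrants` in place of the fake to run the same review against a real zone; review the findings before calling `revokeGrants`, since revocation is not reversible through this API.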

## Retrieve

`client.zones.delegatedGrants.retrieve(id: string, params: DelegatedGrantRetrieveParams, options?: RequestOptions): Grant`

**get** `/zones/{zoneId}/delegated-grants/{id}`

Returns details of a specific delegated grant by grant ID

### Parameters

- `id: string`

- `params: DelegatedGrantRetrieveParams`

  - `zoneId: string`

    Zone ID

### Returns

- `Grant`

  User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.

  - `id: string`

    Unique identifier of the delegated grant

  - `created_at: string`

    Entity creation timestamp

  - `expires_at: string`

    Date when grant expires

  - `organization_id: string`

    Organization that owns this grant

  - `provider_id: string`

    ID of the provider that issued this grant

  - `refresh_token_set: boolean`

    Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

  - `resource_id: string`

    ID of resource receiving grant

  - `scopes: Array<string>`

    Granted OAuth scopes

  - `status: "active" | "expired" | "revoked"`

    - `"active"`

    - `"expired"`

    - `"revoked"`

  - `updated_at: string`

    Entity update timestamp

  - `user_id: string`

    Reference to the user granting permission

  - `zone_id: string`

    Zone this grant belongs to

  - `active?: boolean`

    Whether the grant is currently active (deprecated - use status instead)

  - `provider?: Provider`

    A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

    - `id: string`

      Unique identifier of the provider

    - `created_at: string`

      Entity creation timestamp

    - `identifier: string`

      User specified identifier, unique within the zone

    - `name: string`

      Human-readable name

    - `organization_id: string`

      Organization that owns this provider

    - `owner_type: "platform" | "customer"`

      Who owns this provider. Platform-owned providers cannot be modified via API.

      - `"platform"`

      - `"customer"`

    - `slug: string`

      URL-safe identifier, unique within the zone

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this provider belongs to

    - `client_id?: string | null`

      OAuth 2.0 client identifier

    - `client_secret_set?: boolean`

      Indicates whether a client secret is configured

    - `description?: string | null`

      Human-readable description

    - `metadata?: unknown`

      Provider metadata

    - `protocols?: Protocols | null`

      Protocol-specific configuration

      - `oauth2?: Oauth2 | null`

        OAuth 2.0 protocol configuration

        - `issuer: string`

          OIDC issuer URL used for discovery and token validation.

        - `authorization_endpoint?: string | null`

        - `authorization_parameters?: Record<string, string> | null`

          Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

        - `authorization_resource_enabled?: boolean | null`

          Whether to include the resource parameter in authorization requests.

        - `authorization_resource_parameter?: string | null`

          The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

        - `code_challenge_methods_supported?: Array<string> | null`

        - `jwks_uri?: string | null`

        - `registration_endpoint?: string | null`

        - `scope_parameter?: string | null`

          The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

        - `scope_separator?: string | null`

          The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

        - `scopes_supported?: Array<string> | null`

        - `token_endpoint?: string | null`

        - `token_response_access_token_pointer?: string | null`

          Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

      - `openid?: Openid | null`

        OpenID Connect protocol configuration

        - `user_identifier_claim?: string | null`

          Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

        - `userinfo_endpoint?: string | null`

    - `type?: "external" | "keycard-vault" | "keycard-sts"`

      - `"external"`

      - `"keycard-vault"`

      - `"keycard-sts"`

  - `refreshed_at?: string`

    Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

  - `resource?: Resource`

    A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

    - `id: string`

      Unique identifier of the resource

    - `application_type: "native" | "web"`

      The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

      - `"native"`

      - `"web"`

    - `created_at: string`

      Entity creation timestamp

    - `identifier: string`

      User specified identifier, unique within the zone

    - `name: string`

      Human-readable name

    - `organization_id: string`

      Organization that owns this resource

    - `owner_type: "platform" | "customer"`

      Who owns this resource. Platform-owned resources cannot be modified via API.

      - `"platform"`

      - `"customer"`

    - `prefix: boolean`

      When true, the resource identifier is treated as a URI prefix, protecting all URLs that share the identifier as a prefix at path/query/fragment boundaries. Protocol and hostname must match exactly. When multiple prefix resources satisfy an identifier query, the resource with the longest prefix is matched.

    - `slug: string`

      URL-safe identifier, unique within the zone

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this resource belongs to

    - `application?: Application`

      An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

      - `id: string`

        Unique identifier of the application

      - `consent: "implicit" | "required"`

        Consent mode for the application. 'implicit' means consent is automatically granted, 'required' means explicit user consent is needed.

        - `"implicit"`

        - `"required"`

      - `created_at: string`

        Entity creation timestamp

      - `dependencies_count: number`

        Number of resource dependencies

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this application

      - `owner_type: "platform" | "customer"`

        Who owns this application. Platform-owned applications cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this application belongs to

      - `description?: string | null`

        Human-readable description

      - `metadata?: Metadata`

        Entity metadata

        - `docs_url?: string`

          Documentation URL

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `post_logout_redirect_uris?: Array<string> | null`

            OAuth 2.0 post-logout redirect URIs for this application

          - `redirect_uris?: Array<string> | null`

            OAuth 2.0 redirect URIs for this application

    - `application_id?: string`

      ID of the application that provides this resource

    - `credential_provider?: Provider`

      A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

      - `id: string`

        Unique identifier of the provider

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this provider

      - `owner_type: "platform" | "customer"`

        Who owns this provider. Platform-owned providers cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this provider belongs to

      - `client_id?: string | null`

        OAuth 2.0 client identifier

      - `client_secret_set?: boolean`

        Indicates whether a client secret is configured

      - `description?: string | null`

        Human-readable description

      - `metadata?: unknown`

        Provider metadata

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `issuer: string`

            OIDC issuer URL used for discovery and token validation.

          - `authorization_endpoint?: string | null`

          - `authorization_parameters?: Record<string, string> | null`

            Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

          - `authorization_resource_enabled?: boolean | null`

            Whether to include the resource parameter in authorization requests.

          - `authorization_resource_parameter?: string | null`

            The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

          - `code_challenge_methods_supported?: Array<string> | null`

          - `jwks_uri?: string | null`

          - `registration_endpoint?: string | null`

          - `scope_parameter?: string | null`

            The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

          - `scope_separator?: string | null`

            The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

          - `scopes_supported?: Array<string> | null`

          - `token_endpoint?: string | null`

          - `token_response_access_token_pointer?: string | null`

            Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

        - `openid?: Openid | null`

          OpenID Connect protocol configuration

          - `user_identifier_claim?: string | null`

            Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

          - `userinfo_endpoint?: string | null`

      - `type?: "external" | "keycard-vault" | "keycard-sts"`

        - `"external"`

        - `"keycard-vault"`

        - `"keycard-sts"`

    - `credential_provider_id?: string`

      ID of the credential provider for this resource

    - `description?: string | null`

      Human-readable description

    - `metadata?: Metadata`

      Entity metadata

      - `docs_url?: string`

        Documentation URL

    - `scopes?: Array<string> | null`

      Scopes supported by the resource

    - `when_accessing?: Array<string>`

      List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

  - `user?: User`

    An authenticated user entity

    - `id: string`

      Unique identifier of the user

    - `created_at: string`

      Entity creation timestamp

    - `email: string`

      Email address of the user

    - `email_verified: boolean`

      Whether the email address has been verified

    - `identifier: string`

      Zone-scoped user identifier. Defaults to the user's Keycard ID. When the provider has user_identifier_claim configured, the value is set from that claim at user creation time.

    - `organization_id: string`

      Organization that owns this user

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this user belongs to

    - `authenticated_at?: string`

      Date when the user was last authenticated

    - `issuer?: string`

      Issuer identifier of the identity provider

    - `provider_id?: string`

      Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

    - `subject?: string`

      Subject identifier from the identity provider

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

const grant = await client.zones.delegatedGrants.retrieve('id', { zoneId: 'zoneId' });

console.log(grant.id);
```
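The `prefix` field of the Resource schema above describes how a URL is resolved to a protected resource: a prefix match at a path, query or fragment boundary, exact scheme and host, longest prefix wins. The following is an added illustration of that rule, not Keycard's own matching code; it assumes that non-prefix resources require an exact identifier match, that scheme and host compare case-insensitively, and that a different port is a different host, and the `SAMPLE_RESOURCES` are constructed.

```typescript
// Added example, not Keycard's own matching code: resolves a URL against
// Resource records using the `prefix` rule documented above. A prefix resource
// covers every URL that shares its identifier as a prefix at a path/query/
// fragment boundary, scheme and host must match exactly, and when several prefix
// resources match the longest identifier wins. Assumed here: non-prefix resources
// need an exact identifier match, scheme/host compare case-insensitively, and a
// differing port counts as a different host.

// Subset of the documented Resource schema that matching needs.
interface ResourceLike { id: string; identifier: string; prefix: boolean }

// Split "scheme://host[:port]<rest>"; the path/query/fragment stay byte-exact.
function splitUrl(raw: string): { origin: string; rest: string } | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)([\s\S]*)$/i.exec(raw);
  if (!m) return null;
  return { origin: `${m[1].toLowerCase()}://${m[2].toLowerCase()}`, rest: m[3] };
}

const BOUNDARY = new Set(['/', '?', '#']);

// True when `target` equals `identifier` or extends it at a boundary:
// "https://h/v1" covers "https://h/v1/users" and "https://h/v1?x=1", not "https://h/v1beta".
function coveredByPrefix(identifier: string, target: string): boolean {
  const id = splitUrl(identifier);
  const t = splitUrl(target);
  if (!id || !t || id.origin !== t.origin || !t.rest.startsWith(id.rest)) return false;
  if (t.rest.length === id.rest.length) return true;
  return BOUNDARY.has(id.rest.slice(-1)) || BOUNDARY.has(t.rest[id.rest.length]);
}

// Exact match for non-prefix resources, normalised on scheme/host only.
function coveredExactly(identifier: string, target: string): boolean {
  const id = splitUrl(identifier);
  const t = splitUrl(target);
  return !!id && !!t && id.origin === t.origin && id.rest === t.rest;
}

// Return the resource protecting `target`, preferring the longest identifier.
function matchResource(resources: ResourceLike[], target: string): ResourceLike | null {
  let best: ResourceLike | null = null;
  for (const r of resources) {
    const hit = r.prefix ? coveredByPrefix(r.identifier, target) : coveredExactly(r.identifier, target);
    if (hit && (!best || r.identifier.length > best.identifier.length)) best = r;
  }
  return best;
}

// Constructed sample resources (not real zone data).
const SAMPLE_RESOURCES: ResourceLike[] = [
  { id: 'res_api',   identifier: 'https://api.example.com',          prefix: true },
  { id: 'res_v1',    identifier: 'https://api.example.com/v1',       prefix: true },
  { id: 'res_admin', identifier: 'https://api.example.com/v1/admin', prefix: true },
  { id: 'res_beta',  identifier: 'https://api.example.com/v1beta',   prefix: false },
];

function resolveResourceId(target: string): string | null {
  return matchResource(SAMPLE_RESOURCES, target)?.id ?? null;
}

for (const url of [
  'https://api.example.com/v1/users?id=7',   // res_v1 (longer than res_api)
  'https://api.example.com/v1/admin/keys',   // res_admin
  'https://api.example.com/v1beta/x',        // res_api: "/v1" does not end at a boundary of "/v1beta"
  'https://api.example.com/v1beta',          // res_beta (exact match, longer than res_api)
  'http://api.example.com/v1/users',         // null: scheme differs
]) {
  console.log(url, '->', resolveResourceId(url));
}
```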

## Update

`client.zones.delegatedGrants.update(id: string, params: DelegatedGrantUpdateParams, options?: RequestOptions): Grant`

**patch** `/zones/{zoneId}/delegated-grants/{id}`

Revokes an active delegated grant

### Parameters

- `id: string`

- `params: DelegatedGrantUpdateParams`

  - `zoneId: string`

    Path param: Zone ID

  - `status: "revoked"`

    Body param

    - `"revoked"`

### Returns

- `Grant`

  User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.

  - `id: string`

    Unique identifier of the delegated grant

  - `created_at: string`

    Entity creation timestamp

  - `expires_at: string`

    Date when grant expires

  - `organization_id: string`

    Organization that owns this grant

  - `provider_id: string`

    ID of the provider that issued this grant

  - `refresh_token_set: boolean`

    Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

  - `resource_id: string`

    ID of resource receiving grant

  - `scopes: Array<string>`

    Granted OAuth scopes

  - `status: "active" | "expired" | "revoked"`

    - `"active"`

    - `"expired"`

    - `"revoked"`

  - `updated_at: string`

    Entity update timestamp

  - `user_id: string`

    Reference to the user granting permission

  - `zone_id: string`

    Zone this grant belongs to

  - `active?: boolean`

    Whether the grant is currently active (deprecated - use status instead)

  - `provider?: Provider`

    A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

    - `id: string`

      Unique identifier of the provider

    - `created_at: string`

      Entity creation timestamp

    - `identifier: string`

      User specified identifier, unique within the zone

    - `name: string`

      Human-readable name

    - `organization_id: string`

      Organization that owns this provider

    - `owner_type: "platform" | "customer"`

      Who owns this provider. Platform-owned providers cannot be modified via API.

      - `"platform"`

      - `"customer"`

    - `slug: string`

      URL-safe identifier, unique within the zone

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this provider belongs to

    - `client_id?: string | null`

      OAuth 2.0 client identifier

    - `client_secret_set?: boolean`

      Indicates whether a client secret is configured

    - `description?: string | null`

      Human-readable description

    - `metadata?: unknown`

      Provider metadata

    - `protocols?: Protocols | null`

      Protocol-specific configuration

      - `oauth2?: Oauth2 | null`

        OAuth 2.0 protocol configuration

        - `issuer: string`

          OIDC issuer URL used for discovery and token validation.

        - `authorization_endpoint?: string | null`

        - `authorization_parameters?: Record<string, string> | null`

          Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

        - `authorization_resource_enabled?: boolean | null`

          Whether to include the resource parameter in authorization requests.

        - `authorization_resource_parameter?: string | null`

          The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

        - `code_challenge_methods_supported?: Array<string> | null`

          PKCE code challenge methods the provider accepts, e.g. "S256"

        - `jwks_uri?: string | null`

          URL of the provider's JSON Web Key Set, used to verify token signatures

        - `registration_endpoint?: string | null`

          OAuth 2.0 dynamic client registration endpoint URL

        - `scope_parameter?: string | null`

          The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

        - `scope_separator?: string | null`

          The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

        - `scopes_supported?: Array<string> | null`

          Scopes the provider advertises as supported

        - `token_endpoint?: string | null`

          OAuth 2.0 token endpoint URL

        - `token_response_access_token_pointer?: string | null`

          Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

      - `openid?: Openid | null`

        OpenID Connect protocol configuration

        - `user_identifier_claim?: string | null`

          Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

        - `userinfo_endpoint?: string | null`

          OpenID Connect UserInfo endpoint URL

    - `type?: "external" | "keycard-vault" | "keycard-sts"`

      - `"external"`

      - `"keycard-vault"`

      - `"keycard-sts"`

  - `refreshed_at?: string`

    Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

  - `resource?: Resource`

    A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

    - `id: string`

      Unique identifier of the resource

    - `application_type: "native" | "web"`

      The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

      - `"native"`

      - `"web"`

    - `created_at: string`

      Entity creation timestamp

    - `identifier: string`

      User specified identifier, unique within the zone

    - `name: string`

      Human-readable name

    - `organization_id: string`

      Organization that owns this resource

    - `owner_type: "platform" | "customer"`

      Who owns this resource. Platform-owned resources cannot be modified via API.

      - `"platform"`

      - `"customer"`

    - `prefix: boolean`

      When true, the resource identifier is treated as a URI prefix, protecting all URLs that share the identifier as a prefix at path/query/fragment boundaries. Protocol and hostname must match exactly. When multiple prefix resources satisfy an identifier query, the resource with the longest prefix is matched.

    - `slug: string`

      URL-safe identifier, unique within the zone

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this resource belongs to

    - `application?: Application`

      An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

      - `id: string`

        Unique identifier of the application

      - `consent: "implicit" | "required"`

        Consent mode for the application. 'implicit' means consent is automatically granted, 'required' means explicit user consent is needed.

        - `"implicit"`

        - `"required"`

      - `created_at: string`

        Entity creation timestamp

      - `dependencies_count: number`

        Number of resource dependencies

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this application

      - `owner_type: "platform" | "customer"`

        Who owns this application. Platform-owned applications cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this application belongs to

      - `description?: string | null`

        Human-readable description

      - `metadata?: Metadata`

        Entity metadata

        - `docs_url?: string`

          Documentation URL

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `post_logout_redirect_uris?: Array<string> | null`

            OAuth 2.0 post-logout redirect URIs for this application

          - `redirect_uris?: Array<string> | null`

            OAuth 2.0 redirect URIs for this application

    - `application_id?: string`

      ID of the application that provides this resource

    - `credential_provider?: Provider`

      A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

      - `id: string`

        Unique identifier of the provider

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this provider

      - `owner_type: "platform" | "customer"`

        Who owns this provider. Platform-owned providers cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this provider belongs to

      - `client_id?: string | null`

        OAuth 2.0 client identifier

      - `client_secret_set?: boolean`

        Indicates whether a client secret is configured

      - `description?: string | null`

        Human-readable description

      - `metadata?: unknown`

        Provider metadata

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `issuer: string`

            OIDC issuer URL used for discovery and token validation.

          - `authorization_endpoint?: string | null`

            OAuth 2.0 authorization endpoint URL

          - `authorization_parameters?: Record<string, string> | null`

            Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

          - `authorization_resource_enabled?: boolean | null`

            Whether to include the resource parameter in authorization requests.

          - `authorization_resource_parameter?: string | null`

            The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

          - `code_challenge_methods_supported?: Array<string> | null`

            PKCE code challenge methods the provider accepts, e.g. "S256"

          - `jwks_uri?: string | null`

            URL of the provider's JSON Web Key Set, used to verify token signatures

          - `registration_endpoint?: string | null`

            OAuth 2.0 dynamic client registration endpoint URL

          - `scope_parameter?: string | null`

            The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

          - `scope_separator?: string | null`

            The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

          - `scopes_supported?: Array<string> | null`

            Scopes the provider advertises as supported

          - `token_endpoint?: string | null`

            OAuth 2.0 token endpoint URL

          - `token_response_access_token_pointer?: string | null`

            Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

        - `openid?: Openid | null`

          OpenID Connect protocol configuration

          - `user_identifier_claim?: string | null`

            Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

          - `userinfo_endpoint?: string | null`

            OpenID Connect UserInfo endpoint URL

      - `type?: "external" | "keycard-vault" | "keycard-sts"`

        - `"external"`

        - `"keycard-vault"`

        - `"keycard-sts"`

    - `credential_provider_id?: string`

      ID of the credential provider for this resource

    - `description?: string | null`

      Human-readable description

    - `metadata?: Metadata`

      Entity metadata

      - `docs_url?: string`

        Documentation URL

    - `scopes?: Array<string> | null`

      Scopes supported by the resource

    - `when_accessing?: Array<string>`

      List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

  - `user?: User`

    An authenticated user entity

    - `id: string`

      Unique identifier of the user

    - `created_at: string`

      Entity creation timestamp

    - `email: string`

      Email address of the user

    - `email_verified: boolean`

      Whether the email address has been verified

    - `identifier: string`

      Zone-scoped user identifier. Defaults to the user's Keycard ID. When the provider has user_identifier_claim configured, the value is set from that claim at user creation time.

    - `organization_id: string`

      Organization that owns this user

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this user belongs to

    - `authenticated_at?: string`

      Date when the user was last authenticated

    - `issuer?: string`

      Issuer identifier of the identity provider

    - `provider_id?: string`

      Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

    - `subject?: string`

      Subject identifier from the identity provider

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

// Mark the grant revoked; the response is the updated Grant with status "revoked".
const grant = await client.zones.delegatedGrants.update('id', {
  zoneId: 'zoneId',
  status: 'revoked',
});

console.log(grant.id);
```
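Added example, not part of the Keycard SDK or of this reference: triaging a page of Grant objects (as returned by the list endpoint) using only the documented fields `status`, `expires_at`, `refresh_token_set` and the deprecated `active`. The `GrantSummary` type is trimmed to those fields, the sample grants and timestamps are constructed for the example, and the decision to treat an unparsable `expires_at` as expired is this example's choice.

```typescript
// Added example: not SDK code. Decide what to do with each grant in a list page.

type GrantStatus = 'active' | 'expired' | 'revoked';

type GrantSummary = {
  id: string;
  status: GrantStatus;
  expires_at: string;        // timestamp string as returned by the API
  refresh_token_set: boolean;
  refreshed_at?: string;
  active?: boolean;          // deprecated; kept only to detect stale clients
};

type GrantAction = 'usable' | 'refresh' | 'reconsent' | 'ignore';

/**
 * `status` is authoritative, but `expires_at` is checked as well so a grant
 * that has lapsed but has not yet been marked "expired" is still treated as
 * expired. An unparsable `expires_at` is treated as expired (fail closed).
 */
function triageGrant(g: GrantSummary, asOf: Date): GrantAction {
  if (g.status === 'revoked') return 'ignore';
  const exp = Date.parse(g.expires_at);
  const expired = g.status === 'expired' || Number.isNaN(exp) || exp <= asOf.getTime();
  if (!expired) return 'usable';
  // Per the field docs, a stored refresh token allows refresh after access-token
  // expiry; without one the user has to authorize again.
  return g.refresh_token_set ? 'refresh' : 'reconsent';
}

/** Group a page of grants by action, e.g. to feed a refresh job or a re-consent prompt. */
function triageGrants(grants: GrantSummary[], asOf: Date): Record<GrantAction, string[]> {
  const out: Record<GrantAction, string[]> = { usable: [], refresh: [], reconsent: [], ignore: [] };
  for (const g of grants) out[triageGrant(g, asOf)].push(g.id);
  return out;
}

/** IDs of grants whose deprecated `active` flag disagrees with `status`. */
function inconsistentActiveFlag(grants: GrantSummary[]): string[] {
  return grants
    .filter((g) => g.active !== undefined && g.active !== (g.status === 'active'))
    .map((g) => g.id);
}

// Constructed sample page; IDs and timestamps are made up for this example.
const sampleAsOf = new Date('2025-01-15T12:00:00Z');
const sampleGrants: GrantSummary[] = [
  { id: 'g-1', status: 'active', expires_at: '2025-02-01T00:00:00Z', refresh_token_set: true, active: true },
  { id: 'g-2', status: 'active', expires_at: '2025-01-01T00:00:00Z', refresh_token_set: true, active: true },
  { id: 'g-3', status: 'expired', expires_at: '2024-12-01T00:00:00Z', refresh_token_set: false },
  { id: 'g-4', status: 'revoked', expires_at: '2025-02-01T00:00:00Z', refresh_token_set: true, active: true },
  { id: 'g-5', status: 'active', expires_at: 'not-a-date', refresh_token_set: false },
];

console.log(triageGrants(sampleGrants, sampleAsOf));
console.log('status/active mismatch:', inconsistentActiveFlag(sampleGrants));
```

The `refresh` bucket is the set a refresh job can act on; the `reconsent` bucket needs a new authorization round-trip with the user, and `ignore` covers grants already revoked (whether via Update with `status: 'revoked'` or because they are about to be deleted).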

## Delete

`client.zones.delegatedGrants.delete(stringid, DelegatedGrantDeleteParamsparams, RequestOptionsoptions?): void`

**delete** `/zones/{zoneId}/delegated-grants/{id}`

Permanently revokes a delegated grant, removing the delegated access the resource held on the user's behalf.

### Parameters

- `id: string`

- `params: DelegatedGrantDeleteParams`

  - `zoneId: string`

    Zone ID

### Example

```typescript
import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

await client.zones.delegatedGrants.delete('id', { zoneId: 'zoneId' });
```

## Domain Types

### Grant

- `Grant`

  User authorization for a resource to be accessed on their behalf. The grant links the user, resource, and the provider that issued the grant.

  - `id: string`

    Unique identifier of the delegated grant

  - `created_at: string`

    Entity creation timestamp

  - `expires_at: string`

    Date when grant expires

  - `organization_id: string`

    Organization that owns this grant

  - `provider_id: string`

    ID of the provider that issued this grant

  - `refresh_token_set: boolean`

    Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

  - `resource_id: string`

    ID of resource receiving grant

  - `scopes: Array<string>`

    Granted OAuth scopes

  - `status: "active" | "expired" | "revoked"`

    - `"active"`

    - `"expired"`

    - `"revoked"`

  - `updated_at: string`

    Entity update timestamp

  - `user_id: string`

    Reference to the user granting permission

  - `zone_id: string`

    Zone this grant belongs to

  - `active?: boolean`

    Whether the grant is currently active. Deprecated; use `status` instead.

  - `provider?: Provider`

    A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

    - `id: string`

      Unique identifier of the provider

    - `created_at: string`

      Entity creation timestamp

    - `identifier: string`

      User specified identifier, unique within the zone

    - `name: string`

      Human-readable name

    - `organization_id: string`

      Organization that owns this provider

    - `owner_type: "platform" | "customer"`

      Who owns this provider. Platform-owned providers cannot be modified via API.

      - `"platform"`

      - `"customer"`

    - `slug: string`

      URL-safe identifier, unique within the zone

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this provider belongs to

    - `client_id?: string | null`

      OAuth 2.0 client identifier

    - `client_secret_set?: boolean`

      Indicates whether a client secret is configured

    - `description?: string | null`

      Human-readable description

    - `metadata?: unknown`

      Provider metadata

    - `protocols?: Protocols | null`

      Protocol-specific configuration

      - `oauth2?: Oauth2 | null`

        OAuth 2.0 protocol configuration

        - `issuer: string`

          OIDC issuer URL used for discovery and token validation.

        - `authorization_endpoint?: string | null`

          OAuth 2.0 authorization endpoint URL

        - `authorization_parameters?: Record<string, string> | null`

          Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

        - `authorization_resource_enabled?: boolean | null`

          Whether to include the resource parameter in authorization requests.

        - `authorization_resource_parameter?: string | null`

          The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

        - `code_challenge_methods_supported?: Array<string> | null`

          PKCE code challenge methods the provider accepts, e.g. "S256"

        - `jwks_uri?: string | null`

          URL of the provider's JSON Web Key Set, used to verify token signatures

        - `registration_endpoint?: string | null`

          OAuth 2.0 dynamic client registration endpoint URL

        - `scope_parameter?: string | null`

          The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

        - `scope_separator?: string | null`

          The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

        - `scopes_supported?: Array<string> | null`

          Scopes the provider advertises as supported

        - `token_endpoint?: string | null`

          OAuth 2.0 token endpoint URL

        - `token_response_access_token_pointer?: string | null`

          Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

      - `openid?: Openid | null`

        OpenID Connect protocol configuration

        - `user_identifier_claim?: string | null`

          Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

        - `userinfo_endpoint?: string | null`

          OpenID Connect UserInfo endpoint URL

    - `type?: "external" | "keycard-vault" | "keycard-sts"`

      - `"external"`

      - `"keycard-vault"`

      - `"keycard-sts"`

  - `refreshed_at?: string`

    Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

  - `resource?: Resource`

    A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

    - `id: string`

      Unique identifier of the resource

    - `application_type: "native" | "web"`

      The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

      - `"native"`

      - `"web"`

    - `created_at: string`

      Entity creation timestamp

    - `identifier: string`

      User specified identifier, unique within the zone

    - `name: string`

      Human-readable name

    - `organization_id: string`

      Organization that owns this resource

    - `owner_type: "platform" | "customer"`

      Who owns this resource. Platform-owned resources cannot be modified via API.

      - `"platform"`

      - `"customer"`

    - `prefix: boolean`

      When true, the resource identifier is treated as a URI prefix, protecting all URLs that share the identifier as a prefix at path/query/fragment boundaries. Protocol and hostname must match exactly. When multiple prefix resources satisfy an identifier query, the resource with the longest prefix is matched.

    - `slug: string`

      URL-safe identifier, unique within the zone

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this resource belongs to

    - `application?: Application`

      An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

      - `id: string`

        Unique identifier of the application

      - `consent: "implicit" | "required"`

        Consent mode for the application. 'implicit' means consent is automatically granted, 'required' means explicit user consent is needed.

        - `"implicit"`

        - `"required"`

      - `created_at: string`

        Entity creation timestamp

      - `dependencies_count: number`

        Number of resource dependencies

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this application

      - `owner_type: "platform" | "customer"`

        Who owns this application. Platform-owned applications cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this application belongs to

      - `description?: string | null`

        Human-readable description

      - `metadata?: Metadata`

        Entity metadata

        - `docs_url?: string`

          Documentation URL

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `post_logout_redirect_uris?: Array<string> | null`

            OAuth 2.0 post-logout redirect URIs for this application

          - `redirect_uris?: Array<string> | null`

            OAuth 2.0 redirect URIs for this application

    - `application_id?: string`

      ID of the application that provides this resource

    - `credential_provider?: Provider`

      A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

      - `id: string`

        Unique identifier of the provider

      - `created_at: string`

        Entity creation timestamp

      - `identifier: string`

        User specified identifier, unique within the zone

      - `name: string`

        Human-readable name

      - `organization_id: string`

        Organization that owns this provider

      - `owner_type: "platform" | "customer"`

        Who owns this provider. Platform-owned providers cannot be modified via API.

        - `"platform"`

        - `"customer"`

      - `slug: string`

        URL-safe identifier, unique within the zone

      - `updated_at: string`

        Entity update timestamp

      - `zone_id: string`

        Zone this provider belongs to

      - `client_id?: string | null`

        OAuth 2.0 client identifier

      - `client_secret_set?: boolean`

        Indicates whether a client secret is configured

      - `description?: string | null`

        Human-readable description

      - `metadata?: unknown`

        Provider metadata

      - `protocols?: Protocols | null`

        Protocol-specific configuration

        - `oauth2?: Oauth2 | null`

          OAuth 2.0 protocol configuration

          - `issuer: string`

            OIDC issuer URL used for discovery and token validation.

          - `authorization_endpoint?: string | null`

            OAuth 2.0 authorization endpoint URL

          - `authorization_parameters?: Record<string, string> | null`

            Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

          - `authorization_resource_enabled?: boolean | null`

            Whether to include the resource parameter in authorization requests.

          - `authorization_resource_parameter?: string | null`

            The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

          - `code_challenge_methods_supported?: Array<string> | null`

            PKCE code challenge methods the provider accepts, e.g. "S256"

          - `jwks_uri?: string | null`

            URL of the provider's JSON Web Key Set, used to verify token signatures

          - `registration_endpoint?: string | null`

            OAuth 2.0 dynamic client registration endpoint URL

          - `scope_parameter?: string | null`

            The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

          - `scope_separator?: string | null`

            The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

          - `scopes_supported?: Array<string> | null`

            Scopes the provider advertises as supported

          - `token_endpoint?: string | null`

            OAuth 2.0 token endpoint URL

          - `token_response_access_token_pointer?: string | null`

            Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

        - `openid?: Openid | null`

          OpenID Connect protocol configuration

          - `user_identifier_claim?: string | null`

            Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

          - `userinfo_endpoint?: string | null`

            OpenID Connect UserInfo endpoint URL

      - `type?: "external" | "keycard-vault" | "keycard-sts"`

        - `"external"`

        - `"keycard-vault"`

        - `"keycard-sts"`

    - `credential_provider_id?: string`

      ID of the credential provider for this resource

    - `description?: string | null`

      Human-readable description

    - `metadata?: Metadata`

      Entity metadata

      - `docs_url?: string`

        Documentation URL

    - `scopes?: Array<string> | null`

      Scopes supported by the resource

    - `when_accessing?: Array<string>`

      List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

  - `user?: User`

    An authenticated user entity

    - `id: string`

      Unique identifier of the user

    - `created_at: string`

      Entity creation timestamp

    - `email: string`

      Email address of the user

    - `email_verified: boolean`

      Whether the email address has been verified

    - `identifier: string`

      Zone-scoped user identifier. Defaults to the user's Keycard ID. When the provider has user_identifier_claim configured, the value is set from that claim at user creation time.

    - `organization_id: string`

      Organization that owns this user

    - `updated_at: string`

      Entity update timestamp

    - `zone_id: string`

      Zone this user belongs to

    - `authenticated_at?: string`

      Date when the user was last authenticated

    - `issuer?: string`

      Issuer identifier of the identity provider

    - `provider_id?: string`

      Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

    - `subject?: string`

      Subject identifier from the identity provider
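Added example, not part of the Keycard SDK or of this reference: how the `protocols.oauth2` fields documented above (under the Update response's `provider` and again under the `Grant` domain type) shape an authorization request and the extraction of the access token from a provider's token response. It covers `scope_parameter`, `scope_separator`, `authorization_parameters` and `token_response_access_token_pointer` with the default and Slack v2 shapes the field descriptions mention. The two provider configurations and the token responses are constructed for the example; refusing to guess a missing `authorization_endpoint` and never letting `authorization_parameters` override the protocol parameters are this example's choices, not documented behaviour.

```typescript
// Added example: not SDK code. Apply the documented oauth2 provider fields.

type Oauth2Config = {
  issuer: string;
  authorization_endpoint?: string | null;
  token_endpoint?: string | null;
  authorization_parameters?: Record<string, string> | null;
  scope_parameter?: string | null;
  scope_separator?: string | null;
  token_response_access_token_pointer?: string | null;
};

type AuthorizationRequest = {
  clientId: string;
  redirectUri: string;
  scopes: string[];
  state: string;
};

/**
 * Build the authorization redirect URL. The scope parameter name and separator
 * default to "scope" and " " as documented; authorization_parameters are
 * appended, but (this example's choice) may not replace response_type,
 * client_id, redirect_uri, state or the scope parameter.
 */
function buildAuthorizationUrl(cfg: Oauth2Config, req: AuthorizationRequest): string {
  if (!cfg.authorization_endpoint) {
    // Assumption: offline example, so a missing endpoint is an error rather than
    // something to resolve from the issuer's discovery document.
    throw new Error(`no authorization_endpoint configured for issuer ${cfg.issuer}`);
  }
  const url = new URL(cfg.authorization_endpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', req.clientId);
  url.searchParams.set('redirect_uri', req.redirectUri);
  url.searchParams.set('state', req.state);
  url.searchParams.set(cfg.scope_parameter ?? 'scope', req.scopes.join(cfg.scope_separator ?? ' '));
  for (const [key, value] of Object.entries(cfg.authorization_parameters ?? {})) {
    if (!url.searchParams.has(key)) url.searchParams.set(key, value);
  }
  return url.toString();
}

/**
 * Follow the dot-separated pointer (default "access_token") into the parsed
 * token response. Throws when the path is absent or does not hold a non-empty
 * string, so an error response never yields an empty credential.
 */
function extractAccessToken(tokenResponse: unknown, pointer?: string | null): string {
  const path = (pointer ?? 'access_token').split('.');
  let node: unknown = tokenResponse;
  for (const key of path) {
    if (typeof node !== 'object' || node === null || !(key in node)) {
      throw new Error(`token response has no "${path.join('.')}"`);
    }
    node = (node as Record<string, unknown>)[key];
  }
  if (typeof node !== 'string' || node.length === 0) {
    throw new Error(`"${path.join('.')}" is not a non-empty string`);
  }
  return node;
}

// Constructed sample configurations for this example; verify endpoints against
// each provider's current discovery document before relying on them.
const googleLike: Oauth2Config = {
  issuer: 'https://accounts.google.com',
  authorization_endpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
  token_endpoint: 'https://oauth2.googleapis.com/token',
  authorization_parameters: { prompt: 'consent', access_type: 'offline' },
};

const slackV2Like: Oauth2Config = {
  issuer: 'https://slack.com',
  authorization_endpoint: 'https://slack.com/oauth/v2/authorize',
  token_endpoint: 'https://slack.com/api/oauth.v2.access',
  scope_parameter: 'user_scope',
  scope_separator: ',',
  token_response_access_token_pointer: 'authed_user.access_token',
};

const sampleRequest: AuthorizationRequest = {
  clientId: 'example-client-id',
  redirectUri: 'https://app.example/cb',
  scopes: ['chat:write', 'channels:read'],
  state: 'opaque-state-value',
};

console.log(buildAuthorizationUrl(googleLike, { ...sampleRequest, scopes: ['openid', 'email'] }));
console.log(buildAuthorizationUrl(slackV2Like, sampleRequest));
// Constructed Slack-style token response: the token sits under authed_user.
console.log(extractAccessToken(
  { ok: true, authed_user: { id: 'U0EXAMPLE', access_token: 'xoxp-example-token' } },
  slackV2Like.token_response_access_token_pointer,
));
```

The pointer walk fails closed on purpose: a Slack-style `{ ok: false, error: "invalid_code" }` body has no `authed_user.access_token` path and raises instead of returning `undefined`, which is the failure mode a lax `response.access_token` lookup would hide.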
