Delegated Grants

List delegated grants

client.zones.delegatedGrants.list(, ?, ?): DelegatedGrantListResponse { items, pagination }

GET/zones/{zoneId}/delegated-grants

Returns a list of delegated grants in the specified zone. Can be filtered by user, resource, or status. Use cursor pagination via after/before. Sort: comma-separated field list; prefix with - for descending. Use expand[]=total_count to include the matching row count.

ParametersExpand Collapse

zoneID: string

query: DelegatedGrantListParams { active, after, before, 6 more }

active?: "true"

after?: string

Cursor for forward pagination

minLength1

maxLength255

before?: string

Cursor for backward pagination

minLength1

maxLength255

expand?: "total_count" | Array<"total_count">

Accepts one of the following:

"total_count"

Array<"total_count">

"total_count"

limit?: number

Maximum number of items to return

minimum1

maximum100

resource_id?: string

Filter by resource ID

sort?: string

Comma-separated sort fields. Prefix with - for descending. Allowed: created_at

status?: "active" | "expired" | "revoked"

Accepts one of the following:

"active"

"expired"

"revoked"

user_id?: string

Filter by user ID

ReturnsExpand Collapse

DelegatedGrantListResponse { items, pagination }

items: Array<Grant { id, created_at, expires_at, 14 more } >

id: string

Unique identifier of the delegated grant

created_at: string

Entity creation timestamp

formatdate-time

expires_at: string

Date when grant expires

formatdate-time

organization_id: string

Organization that owns this grant

provider_id: string

ID of the provider that issued this grant

refresh_token_set: boolean

Indicates whether a refresh token is stored for this grant. Grants with refresh tokens can be refreshed even after access token expiration.

resource_id: string

ID of resource receiving grant

scopes: Array<string>

Granted OAuth scopes

status: "active" | "expired" | "revoked"

Accepts one of the following:

"active"

"expired"

"revoked"

updated_at: string

Entity update timestamp

formatdate-time

user_id: string

Reference to the user granting permission

zone_id: string

Zone this grant belongs to

Deprecatedactive?: boolean

Whether the grant is currently active (deprecated - use status instead)

Deprecatedprovider?: Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

formatdate-time

identifier: string

User specified identifier, unique within the zone

minLength1

maxLength2048

Human-readable name

minLength1

maxLength255

organization_id: string

Organization that owns this provider

owner_type: "platform" | "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

"platform"

"customer"

slug: string

URL-safe identifier, unique within the zone

minLength1

maxLength63

updated_at: string

Entity update timestamp

formatdate-time

zone_id: string

Zone this provider belongs to

client_id?: string | null

OAuth 2.0 client identifier

client_secret_set?: boolean

Indicates whether a client secret is configured

description?: string | null

Human-readable description

maxLength2048

metadata?: unknown

Provider metadata

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

formaturi

authorization_endpoint?: string | null

formaturi

authorization_parameters?: Record<string, string> | null

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled?: boolean | null

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter?: string | null

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported?: Array<string> | null

jwks_uri?: string | null

formaturi

registration_endpoint?: string | null

formaturi

scope_parameter?: string | null

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator?: string | null

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported?: Array<string> | null

token_endpoint?: string | null

formaturi

token_response_access_token_pointer?: string | null

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid?: Openid | null

OpenID Connect protocol configuration

scopes?: Array<string> | null

Additional OIDC scopes to request from this provider during authentication (e.g. "groups"). Merged with the default scopes (openid, profile, email).

user_identifier_claim?: string | null

Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

userinfo_endpoint?: string | null

formaturi

type?: "external" | "keycard-vault" | "keycard-sts"

Accepts one of the following:

"external"

"keycard-vault"

"keycard-sts"

refreshed_at?: string

Timestamp when this grant's tokens were last refreshed. Omitted if grant was never refreshed.

formatdate-time

Deprecatedresource?: Resource { id, application_type, created_at, 17 more }

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

id: string

Unique identifier of the resource

application_type: "native" | "web"

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:

"native"

"web"

created_at: string

Entity creation timestamp

formatdate-time

identifier: string

User specified identifier, unique within the zone

minLength1

maxLength2048

Human-readable name

minLength1

maxLength255

organization_id: string

Organization that owns this resource

owner_type: "platform" | "customer"

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:

"platform"

"customer"

prefix: boolean

When true, the resource identifier is treated as a URI prefix, protecting all URLs that share the identifier as a prefix at path/query/fragment boundaries. Protocol and hostname must match exactly. When multiple prefix resources satisfy an identifier query, the resource with the longest prefix is matched.

slug: string

URL-safe identifier, unique within the zone

minLength1

maxLength63

updated_at: string

Entity update timestamp

formatdate-time

zone_id: string

Zone this resource belongs to

Deprecatedapplication?: Application { id, consent, created_at, 11 more }

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: string

Unique identifier of the application

Accepts one of the following:

created_at: string

Entity creation timestamp

formatdate-time

dependencies_count: number

Number of resource dependencies

identifier: string

User specified identifier, unique within the zone

minLength1

maxLength2048

Human-readable name

minLength1

maxLength255

organization_id: string

Organization that owns this application

owner_type: "platform" | "customer"

Who owns this application. Platform-owned applications cannot be modified via API.

Accepts one of the following:

"platform"

"customer"

slug: string

URL-safe identifier, unique within the zone

minLength1

maxLength63

updated_at: string

Entity update timestamp

formatdate-time

zone_id: string

Zone this application belongs to

description?: string | null

Human-readable description

maxLength2048

metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

formaturi

maxLength2048

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

post_logout_redirect_uris?: Array<string> | null

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris?: Array<string> | null

OAuth 2.0 redirect URIs for this application

application_id?: string

ID of the application that provides this resource

credential_lifetime_seconds?: number | null

Credential lifetime override in seconds. When set, overrides the default credential lifetime for this resource. When absent, the default from the provider or zone is used.

minimum60

maximum86400

Deprecatedcredential_provider?: Provider { id, created_at, identifier, 12 more }

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

formatdate-time

identifier: string

User specified identifier, unique within the zone

minLength1

maxLength2048

Human-readable name

minLength1

maxLength255

organization_id: string

Organization that owns this provider

owner_type: "platform" | "customer"

Who owns this provider. Platform-owned providers cannot be modified via API.

Accepts one of the following:

"platform"

"customer"

slug: string

URL-safe identifier, unique within the zone

minLength1

maxLength63

updated_at: string

Entity update timestamp

formatdate-time

zone_id: string

Zone this provider belongs to

client_id?: string | null

OAuth 2.0 client identifier

client_secret_set?: boolean

Indicates whether a client secret is configured

description?: string | null

Human-readable description

maxLength2048

metadata?: unknown

Provider metadata

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

formaturi

authorization_endpoint?: string | null

formaturi

authorization_parameters?: Record<string, string> | null

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled?: boolean | null

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter?: string | null

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported?: Array<string> | null

jwks_uri?: string | null

formaturi

registration_endpoint?: string | null

formaturi

scope_parameter?: string | null

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator?: string | null

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported?: Array<string> | null

token_endpoint?: string | null

formaturi

token_response_access_token_pointer?: string | null

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid?: Openid | null

OpenID Connect protocol configuration

scopes?: Array<string> | null

Additional OIDC scopes to request from this provider during authentication (e.g. "groups"). Merged with the default scopes (openid, profile, email).

user_identifier_claim?: string | null

Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

userinfo_endpoint?: string | null

formaturi

type?: "external" | "keycard-vault" | "keycard-sts"

Accepts one of the following:

"external"

"keycard-vault"

"keycard-sts"

credential_provider_id?: string

ID of the credential provider for this resource

description?: string | null

Human-readable description

maxLength2048

metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

formaturi

maxLength2048

scopes?: Array<string> | null

Scopes supported by the resource

when_accessing?: Array<string>

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.

Deprecateduser?: User { id, created_at, email, 13 more }

An authenticated user entity

id: string

Unique identifier of the user

created_at: string

Entity creation timestamp

formatdate-time

email: string

Email address of the user

formatemail

email_verified: boolean

Whether the email address has been verified

identifier: string

Zone-scoped user identifier. Defaults to the user's Keycard ID. When the provider has user_identifier_claim configured, the value is set from that claim at user creation time.

organization_id: string

Organization that owns this user

status: "active" | "disabled"

Status of the user. Disabled users cannot authenticate.

Accepts one of the following:

"active"

"disabled"

updated_at: string

Entity update timestamp

formatdate-time

zone_id: string

Zone this user belongs to

authenticated_at?: string

Date when the user was last authenticated

grant_count?: number

Delegated-grant count for this user. Populated only when expand[]=grant_count is set on the listing endpoint.

minimum0

issuer?: string

Issuer identifier of the identity provider

provider_id?: string

Reference to the identity provider. This field is undefined when the source identity provider is deleted but the user is not deleted.

role_assignments?: Array<RoleAssignment>

Role grants for this user within the zone. Populated only when expand[]=role-assignments is set on the listing endpoint.

role_id: string

ID of the assigned role

role_identifier: string

Opaque role identifier. Treated as an opaque identifier by the API and unique within a zone.

minLength1

maxLength255

scope: Scope | null

The resource this grant is scoped to, or null when the grant is unscoped (applies to the owning zone itself).

id: string

The ID of the scoped resource.

type: string

The kind of resource this grant is scoped to (e.g. zone).

session_count?: number

Session count for this user. Populated only when expand[]=session_count is set on the listing endpoint.

minimum0

subject?: string

Subject identifier from the identity provider

pagination: Pagination { after_cursor, before_cursor, total_count }

Cursor-based pagination metadata

after_cursor: string | null

An opaque cursor used for paginating through a list of results

minLength1

maxLength255

before_cursor: string | null

An opaque cursor used for paginating through a list of results

minLength1

maxLength255

total_count?: number

Total number of items matching the query. Only included when expand[]=total_count is requested.

List delegated grants

import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

const delegatedGrants = await client.zones.delegatedGrants.list('zoneId');

console.log(delegatedGrants.items);

{
  "items": [
    {
      "id": "id",
      "created_at": "2019-12-27T18:11:19.117Z",
      "expires_at": "2019-12-27T18:11:19.117Z",
      "organization_id": "organization_id",
      "provider_id": "provider_id",
      "refresh_token_set": true,
      "resource_id": "resource_id",
      "scopes": [
        "string"
      ],
      "status": "active",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "user_id": "user_id",
      "zone_id": "zone_id",
      "active": true,
      "provider": {
        "id": "id",
        "created_at": "2019-12-27T18:11:19.117Z",
        "identifier": "x",
        "name": "x",
        "organization_id": "organization_id",
        "owner_type": "platform",
        "slug": "slug",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "zone_id": "zone_id",
        "client_id": "client_id",
        "client_secret_set": true,
        "description": "description",
        "metadata": {},
        "protocols": {
          "oauth2": {
            "issuer": "https://example.com",
            "authorization_endpoint": "https://example.com",
            "authorization_parameters": {
              "foo": "string"
            },
            "authorization_resource_enabled": true,
            "authorization_resource_parameter": "authorization_resource_parameter",
            "code_challenge_methods_supported": [
              "string"
            ],
            "jwks_uri": "https://example.com",
            "registration_endpoint": "https://example.com",
            "scope_parameter": "scope_parameter",
            "scope_separator": "scope_separator",
            "scopes_supported": [
              "string"
            ],
            "token_endpoint": "https://example.com",
            "token_response_access_token_pointer": "token_response_access_token_pointer"
          },
          "openid": {
            "scopes": [
              "string"
            ],
            "user_identifier_claim": "user_identifier_claim",
            "userinfo_endpoint": "https://example.com"
          }
        },
        "type": "external"
      },
      "refreshed_at": "2019-12-27T18:11:19.117Z",
      "resource": {
        "id": "id",
        "application_type": "native",
        "created_at": "2019-12-27T18:11:19.117Z",
        "identifier": "x",
        "name": "x",
        "organization_id": "organization_id",
        "owner_type": "platform",
        "prefix": true,
        "slug": "slug",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "zone_id": "zone_id",
        "application": {
          "id": "id",
          "consent": "implicit",
          "created_at": "2019-12-27T18:11:19.117Z",
          "dependencies_count": 0,
          "identifier": "x",
          "name": "x",
          "organization_id": "organization_id",
          "owner_type": "platform",
          "slug": "slug",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "zone_id": "zone_id",
          "description": "description",
          "metadata": {
            "docs_url": "https://example.com"
          },
          "protocols": {
            "oauth2": {
              "post_logout_redirect_uris": [
                "https://example.com"
              ],
              "redirect_uris": [
                "https://example.com"
              ]
            }
          }
        },
        "application_id": "application_id",
        "credential_lifetime_seconds": 60,
        "credential_provider": {
          "id": "id",
          "created_at": "2019-12-27T18:11:19.117Z",
          "identifier": "x",
          "name": "x",
          "organization_id": "organization_id",
          "owner_type": "platform",
          "slug": "slug",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "zone_id": "zone_id",
          "client_id": "client_id",
          "client_secret_set": true,
          "description": "description",
          "metadata": {},
          "protocols": {
            "oauth2": {
              "issuer": "https://example.com",
              "authorization_endpoint": "https://example.com",
              "authorization_parameters": {
                "foo": "string"
              },
              "authorization_resource_enabled": true,
              "authorization_resource_parameter": "authorization_resource_parameter",
              "code_challenge_methods_supported": [
                "string"
              ],
              "jwks_uri": "https://example.com",
              "registration_endpoint": "https://example.com",
              "scope_parameter": "scope_parameter",
              "scope_separator": "scope_separator",
              "scopes_supported": [
                "string"
              ],
              "token_endpoint": "https://example.com",
              "token_response_access_token_pointer": "token_response_access_token_pointer"
            },
            "openid": {
              "scopes": [
                "string"
              ],
              "user_identifier_claim": "user_identifier_claim",
              "userinfo_endpoint": "https://example.com"
            }
          },
          "type": "external"
        },
        "credential_provider_id": "credential_provider_id",
        "description": "description",
        "metadata": {
          "docs_url": "https://example.com"
        },
        "scopes": [
          "string"
        ],
        "when_accessing": [
          "string"
        ]
      },
      "user": {
        "id": "id",
        "created_at": "2019-12-27T18:11:19.117Z",
        "email": "dev@stainless.com",
        "email_verified": true,
        "identifier": "identifier",
        "organization_id": "organization_id",
        "status": "active",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "zone_id": "zone_id",
        "authenticated_at": "authenticated_at",
        "grant_count": 0,
        "issuer": "issuer",
        "provider_id": "provider_id",
        "role_assignments": [
          {
            "role_id": "role_id",
            "role_identifier": "x",
            "scope": {
              "id": "id",
              "type": "type"
            }
          }
        ],
        "session_count": 0,
        "subject": "subject"
      }
    }
  ],
  "pagination": {
    "after_cursor": "x",
    "before_cursor": "x",
    "total_count": 0
  }
}

Returns Examples

{
  "items": [
    {
      "id": "id",
      "created_at": "2019-12-27T18:11:19.117Z",
      "expires_at": "2019-12-27T18:11:19.117Z",
      "organization_id": "organization_id",
      "provider_id": "provider_id",
      "refresh_token_set": true,
      "resource_id": "resource_id",
      "scopes": [
        "string"
      ],
      "status": "active",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "user_id": "user_id",
      "zone_id": "zone_id",
      "active": true,
      "provider": {
        "id": "id",
        "created_at": "2019-12-27T18:11:19.117Z",
        "identifier": "x",
        "name": "x",
        "organization_id": "organization_id",
        "owner_type": "platform",
        "slug": "slug",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "zone_id": "zone_id",
        "client_id": "client_id",
        "client_secret_set": true,
        "description": "description",
        "metadata": {},
        "protocols": {
          "oauth2": {
            "issuer": "https://example.com",
            "authorization_endpoint": "https://example.com",
            "authorization_parameters": {
              "foo": "string"
            },
            "authorization_resource_enabled": true,
            "authorization_resource_parameter": "authorization_resource_parameter",
            "code_challenge_methods_supported": [
              "string"
            ],
            "jwks_uri": "https://example.com",
            "registration_endpoint": "https://example.com",
            "scope_parameter": "scope_parameter",
            "scope_separator": "scope_separator",
            "scopes_supported": [
              "string"
            ],
            "token_endpoint": "https://example.com",
            "token_response_access_token_pointer": "token_response_access_token_pointer"
          },
          "openid": {
            "scopes": [
              "string"
            ],
            "user_identifier_claim": "user_identifier_claim",
            "userinfo_endpoint": "https://example.com"
          }
        },
        "type": "external"
      },
      "refreshed_at": "2019-12-27T18:11:19.117Z",
      "resource": {
        "id": "id",
        "application_type": "native",
        "created_at": "2019-12-27T18:11:19.117Z",
        "identifier": "x",
        "name": "x",
        "organization_id": "organization_id",
        "owner_type": "platform",
        "prefix": true,
        "slug": "slug",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "zone_id": "zone_id",
        "application": {
          "id": "id",
          "consent": "implicit",
          "created_at": "2019-12-27T18:11:19.117Z",
          "dependencies_count": 0,
          "identifier": "x",
          "name": "x",
          "organization_id": "organization_id",
          "owner_type": "platform",
          "slug": "slug",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "zone_id": "zone_id",
          "description": "description",
          "metadata": {
            "docs_url": "https://example.com"
          },
          "protocols": {
            "oauth2": {
              "post_logout_redirect_uris": [
                "https://example.com"
              ],
              "redirect_uris": [
                "https://example.com"
              ]
            }
          }
        },
        "application_id": "application_id",
        "credential_lifetime_seconds": 60,
        "credential_provider": {
          "id": "id",
          "created_at": "2019-12-27T18:11:19.117Z",
          "identifier": "x",
          "name": "x",
          "organization_id": "organization_id",
          "owner_type": "platform",
          "slug": "slug",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "zone_id": "zone_id",
          "client_id": "client_id",
          "client_secret_set": true,
          "description": "description",
          "metadata": {},
          "protocols": {
            "oauth2": {
              "issuer": "https://example.com",
              "authorization_endpoint": "https://example.com",
              "authorization_parameters": {
                "foo": "string"
              },
              "authorization_resource_enabled": true,
              "authorization_resource_parameter": "authorization_resource_parameter",
              "code_challenge_methods_supported": [
                "string"
              ],
              "jwks_uri": "https://example.com",
              "registration_endpoint": "https://example.com",
              "scope_parameter": "scope_parameter",
              "scope_separator": "scope_separator",
              "scopes_supported": [
                "string"
              ],
              "token_endpoint": "https://example.com",
              "token_response_access_token_pointer": "token_response_access_token_pointer"
            },
            "openid": {
              "scopes": [
                "string"
              ],
              "user_identifier_claim": "user_identifier_claim",
              "userinfo_endpoint": "https://example.com"
            }
          },
          "type": "external"
        },
        "credential_provider_id": "credential_provider_id",
        "description": "description",
        "metadata": {
          "docs_url": "https://example.com"
        },
        "scopes": [
          "string"
        ],
        "when_accessing": [
          "string"
        ]
      },
      "user": {
        "id": "id",
        "created_at": "2019-12-27T18:11:19.117Z",
        "email": "dev@stainless.com",
        "email_verified": true,
        "identifier": "identifier",
        "organization_id": "organization_id",
        "status": "active",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "zone_id": "zone_id",
        "authenticated_at": "authenticated_at",
        "grant_count": 0,
        "issuer": "issuer",
        "provider_id": "provider_id",
        "role_assignments": [
          {
            "role_id": "role_id",
            "role_identifier": "x",
            "scope": {
              "id": "id",
              "type": "type"
            }
          }
        ],
        "session_count": 0,
        "subject": "subject"
      }
    }
  ],
  "pagination": {
    "after_cursor": "x",
    "before_cursor": "x",
    "total_count": 0
  }
}