Create resource

client.zones.resources.create(zoneID: string, body: ResourceCreateParams { identifier, name, application_id, 7 more }, options?: RequestOptions): Resource { id, application_type, created_at, 17 more }
POST /zones/{zoneId}/resources

Creates a new Resource: a system that exposes protected information or functionality and requires authentication.

Parameters
zoneID: string
body: ResourceCreateParams { identifier, name, application_id, 7 more }
identifier: string

User specified identifier, unique within the zone. Must not contain HTML tags (e.g. <script>, <div>) or control characters.

minLength: 1
maxLength: 2048
format: safe-text
name: string

Human-readable name. Must not contain HTML tags (e.g. <script>, <div>) or control characters.

minLength: 1
maxLength: 255
format: safe-text
application_id?: string

ID of the application that provides this resource

application_type?: "native" | "web"

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:
"native"
"web"
credential_lifetime_seconds?: number

Credential lifetime override in seconds. When set, overrides the default credential lifetime for this resource.

minimum: 60
maximum: 86400
credential_provider_id?: string

ID of the credential provider to associate with the resource

description?: string | null

Human-readable description. Must not contain HTML tags (e.g. <script>, <div>) or control characters.

maxLength: 2048
format: safe-text
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

format: uri
maxLength: 2048
prefix?: boolean

When true, the resource identifier is treated as a URI prefix and protects all URLs that share the identifier as a prefix. Defaults to false: resources only match by exact identifier unless explicitly enabled.

scopes?: Array<string>

Scopes supported by the resource
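
The application_type rule above can be checked against an application's redirect_uris before a resource is created. This is an added example, not part of the SDK or the original page; `checkRedirectUri`, `auditRedirectUris` and the loopback host list are assumptions, and the service's own validation may differ.

```javascript
// Added example, not SDK code. The page only says "localhost"; treating the
// loopback IP literals the same way is an assumption.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns null when `uri` is acceptable for `applicationType`, else a reason string.
function checkRedirectUri(applicationType, uri) {
  let url;
  try {
    url = new URL(uri); // WHATWG parser lowercases the scheme and http(s) hostnames
  } catch {
    return 'not an absolute URI';
  }
  const scheme = url.protocol.slice(0, -1); // drop the trailing ':'
  const isHttp = scheme === 'http' || scheme === 'https';
  // Exact hostname comparison, so "localhost.evil.example" is not loopback.
  const isLoopback = isHttp && LOOPBACK_HOSTS.has(url.hostname);

  if (applicationType === 'web') {
    if (scheme !== 'https') return 'web clients must use https';
    if (isLoopback) return 'web clients must not use localhost';
    return null;
  }
  if (applicationType === 'native') {
    if (isLoopback) return null;
    if (isHttp) return 'native clients may use http(s) only on localhost';
    return null; // any other scheme is treated as a custom scheme
  }
  return 'unknown application_type';
}

// Returns only the URIs that violate the rule, each with its reason.
function auditRedirectUris(applicationType, uris) {
  return uris
    .map((uri) => ({ uri, error: checkRedirectUri(applicationType, uri) }))
    .filter((finding) => finding.error !== null);
}

// Constructed sample input.
const SAMPLE_NATIVE_URIS = [
  'http://127.0.0.1:9000/cb',
  'myapp://cb',
  'https://login.example.com/cb',
];
console.log(auditRedirectUris('native', SAMPLE_NATIVE_URIS));
```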

Returns
Resource { id, application_type, created_at, 17 more }

A Resource is a system that exposes protected information or functionality. It requires authentication of the requesting actor, which may be a user or application, before allowing access.

id: string

Unique identifier of the resource

application_type: "native" | "web"

The expected type of client for this credential. Native clients must use localhost URLs for redirect_uris or URIs with custom schemes. Web clients must use https URLs and must not use localhost as the hostname.

Accepts one of the following:
"native"
"web"
created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this resource

owner_type: "platform" | "customer"

Who owns this resource. Platform-owned resources cannot be modified via API.

Accepts one of the following:
"platform"
"customer"
prefix: boolean

When true, the resource identifier is treated as a URI prefix, protecting all URLs that share the identifier as a prefix at path/query/fragment boundaries. Protocol and hostname must match exactly. When multiple prefix resources satisfy an identifier query, the resource with the longest prefix is matched.

slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this resource belongs to

application?: Application { id, consent, created_at, 10 more } (Deprecated)

An Application is a software system with an associated identity that can access Resources. It may act on its own behalf (machine-to-machine) or on behalf of a user (delegated access).

id: string

Unique identifier of the application

Accepts one of the following:
created_at: string

Entity creation timestamp

format: date-time
dependencies_count: number

Number of resource dependencies

identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this application

slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this application belongs to

description?: string | null

Human-readable description

maxLength: 2048
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

format: uri
maxLength: 2048
protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

post_logout_redirect_uris?: Array<string> | null

OAuth 2.0 post-logout redirect URIs for this application

redirect_uris?: Array<string> | null

OAuth 2.0 redirect URIs for this application

application_id?: string

ID of the application that provides this resource

credential_lifetime_seconds?: number | null

Credential lifetime override in seconds. When set, overrides the default credential lifetime for this resource. When absent, the default from the provider or zone is used.

minimum: 60
maximum: 86400
credential_provider?: Provider { id, created_at, identifier, 11 more } (Deprecated)

A Provider is a system that supplies access to Resources and allows actors (Users or Applications) to authenticate.

id: string

Unique identifier of the provider

created_at: string

Entity creation timestamp

format: date-time
identifier: string

User specified identifier, unique within the zone

minLength: 1
maxLength: 2048
name: string

Human-readable name

minLength: 1
maxLength: 255
organization_id: string

Organization that owns this provider

slug: string

URL-safe identifier, unique within the zone

minLength: 1
maxLength: 63
updated_at: string

Entity update timestamp

format: date-time
zone_id: string

Zone this provider belongs to

client_id?: string | null

OAuth 2.0 client identifier

client_secret_set?: boolean

Indicates whether a client secret is configured

description?: string | null

Human-readable description

maxLength: 2048
metadata?: unknown

Provider metadata

protocols?: Protocols | null

Protocol-specific configuration

oauth2?: Oauth2 | null

OAuth 2.0 protocol configuration

issuer: string

OIDC issuer URL used for discovery and token validation.

format: uri
authorization_endpoint?: string | null
format: uri
authorization_parameters?: Record<string, string> | null

Custom query parameters appended to authorization redirect URLs. Use for non-standard providers (e.g. Google prompt=consent, access_type=offline).

authorization_resource_enabled?: boolean | null

Whether to include the resource parameter in authorization requests.

authorization_resource_parameter?: string | null

The resource parameter value to include in authorization requests. Defaults to "resource" when authorization_resource_enabled is true.

code_challenge_methods_supported?: Array<string> | null
jwks_uri?: string | null
format: uri
registration_endpoint?: string | null
format: uri
scope_parameter?: string | null

The query parameter name for scopes in authorization requests. Defaults to "scope". Slack v2 uses "user_scope".

scope_separator?: string | null

The separator character for scope values. Defaults to " " (space). Slack v2 uses ",".

scopes_supported?: Array<string> | null
token_endpoint?: string | null
format: uri
token_response_access_token_pointer?: string | null

Dot-separated path to the access token in the token response body. Defaults to "access_token". Slack v2 uses "authed_user.access_token".

openid?: Openid | null

OpenID Connect protocol configuration

scopes?: Array<string> | null

Additional OIDC scopes to request from this provider during authentication (e.g. "groups"). Merged with the default scopes (openid, profile, email).

user_identifier_claim?: string | null

Name of a top-level string claim in this provider's ID Token to use as the user identifier on user creation. When not set, the user's Keycard ID is used.

userinfo_endpoint?: string | null
format: uri
type?: "external" | "keycard-vault" | "keycard-sts"
Accepts one of the following:
"external"
"keycard-vault"
"keycard-sts"
credential_provider_id?: string

ID of the credential provider for this resource

description?: string | null

Human-readable description

maxLength: 2048
metadata?: Metadata { docs_url }

Entity metadata

docs_url?: string

Documentation URL

format: uri
maxLength: 2048
scopes?: Array<string> | null

Scopes supported by the resource

when_accessing?: Array<string>

List of resource IDs that, when accessed, make this dependency available. Only present when this resource is returned as a dependency.
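
The `prefix` semantics described for the returned Resource (boundary matching, exact protocol and hostname, longest prefix wins) can be modelled locally to review which resource a URL would fall under. This is an added example, not the service's matcher; `prefixCovers` and `matchResource` are hypothetical names, and comparing WHATWG-normalized URLs and treating a trailing `/` in the identifier as a boundary are assumptions.

```javascript
// Added example, not SDK code. Models the documented prefix rule locally.
// Assumption: URLs are compared after WHATWG normalization, so dot-segments
// such as "/v1/../admin" are resolved before matching.
function prefixCovers(identifier, target) {
  let id, t;
  try {
    id = new URL(identifier);
    t = new URL(target);
  } catch {
    return false;
  }
  // Protocol and hostname must match exactly (host also includes the port).
  if (id.protocol !== t.protocol || id.host !== t.host) return false;
  if (!t.href.startsWith(id.href)) return false;
  if (t.href.length === id.href.length) return true;
  // Boundary rule: the prefix must end at a path, query or fragment
  // delimiter, so ".../v1" does not cover ".../v1evil".
  return id.href.endsWith('/') || '/?#'.includes(t.href[id.href.length]);
}

// Picks the matching resource with the longest identifier. Non-prefix
// resources match only on an identical identifier string.
function matchResource(resources, target) {
  let best = null;
  for (const r of resources) {
    const hit = r.prefix ? prefixCovers(r.identifier, target) : r.identifier === target;
    if (hit && (best === null || r.identifier.length > best.identifier.length)) best = r;
  }
  return best;
}

// Constructed sample resources; ids and hosts are placeholders.
const SAMPLE_RESOURCES = [
  { id: 'res_api', identifier: 'https://api.example.com', prefix: true },
  { id: 'res_v1', identifier: 'https://api.example.com/v1', prefix: true },
  { id: 'res_health', identifier: 'https://api.example.com/health', prefix: false },
];

for (const url of [
  'https://api.example.com/v1/users',
  'https://api.example.com/v1evil',
  'https://api.example.com.evil.test/v1',
]) {
  const hit = matchResource(SAMPLE_RESOURCES, url);
  console.log(url, '->', hit ? hit.id : 'no match');
}
```

A broad prefix such as the bare origin covers every path on that host, so `/v1evil` still resolves to the origin-wide resource even though the `/v1` prefix rejects it.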

Create resource

import KeycardAPI from '@keycardai/api';

const client = new KeycardAPI();

const resource = await client.zones.resources.create('zoneId', { identifier: 'x', name: 'x' });

console.log(resource.id);
Returns Examples
{
  "id": "id",
  "application_type": "native",
  "created_at": "2019-12-27T18:11:19.117Z",
  "identifier": "x",
  "name": "x",
  "organization_id": "organization_id",
  "owner_type": "platform",
  "prefix": true,
  "slug": "slug",
  "updated_at": "2019-12-27T18:11:19.117Z",
  "zone_id": "zone_id",
  "application": {
    "id": "id",
    "consent": "implicit",
    "created_at": "2019-12-27T18:11:19.117Z",
    "dependencies_count": 0,
    "identifier": "x",
    "name": "x",
    "organization_id": "organization_id",
    "slug": "slug",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "description": "description",
    "metadata": {
      "docs_url": "https://example.com"
    },
    "protocols": {
      "oauth2": {
        "post_logout_redirect_uris": [
          "https://example.com"
        ],
        "redirect_uris": [
          "https://example.com"
        ]
      }
    }
  },
  "application_id": "application_id",
  "credential_lifetime_seconds": 60,
  "credential_provider": {
    "id": "id",
    "created_at": "2019-12-27T18:11:19.117Z",
    "identifier": "x",
    "name": "x",
    "organization_id": "organization_id",
    "slug": "slug",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "zone_id": "zone_id",
    "client_id": "client_id",
    "client_secret_set": true,
    "description": "description",
    "metadata": {},
    "protocols": {
      "oauth2": {
        "issuer": "https://example.com",
        "authorization_endpoint": "https://example.com",
        "authorization_parameters": {
          "foo": "string"
        },
        "authorization_resource_enabled": true,
        "authorization_resource_parameter": "authorization_resource_parameter",
        "code_challenge_methods_supported": [
          "string"
        ],
        "jwks_uri": "https://example.com",
        "registration_endpoint": "https://example.com",
        "scope_parameter": "scope_parameter",
        "scope_separator": "scope_separator",
        "scopes_supported": [
          "string"
        ],
        "token_endpoint": "https://example.com",
        "token_response_access_token_pointer": "token_response_access_token_pointer"
      },
      "openid": {
        "scopes": [
          "string"
        ],
        "user_identifier_claim": "user_identifier_claim",
        "userinfo_endpoint": "https://example.com"
      }
    },
    "type": "external"
  },
  "credential_provider_id": "credential_provider_id",
  "description": "description",
  "metadata": {
    "docs_url": "https://example.com"
  },
  "scopes": [
    "string"
  ],
  "when_accessing": [
    "string"
  ]
}