List credentials visible to the caller

GET /credentials

curl --request GET \
  --url https://your-org.evershell.ai/v1/credentials \
  --header 'Authorization: Bearer <token>'

Permissions: any signed-in caller. Per-user narrowing runs inside the handler: callers without auth:write (so Members holding only auth:write:own, or callers with no auth scope at all) see only org-scoped credentials plus their own personal override rows; Operators+ see every credential including other members’ personal overrides.

OK

Media type application/json

object
  credentials (required): Array<object>
    id (required): string
    org_id: string
    user_id: string
      Non-null for personal (per-user) credentials
    name (required): string
    provider (required): string
    kind (required): string
      oauth2_jwt_bearer_with_subject is Google domain-wide delegation — same SA JSON key as the durable credential, but mint requests carry a sub claim that impersonates the email in provider_config.subject.
      Allowed values: oauth2_authorization_code, oauth2_client_credentials, oauth2_jwt_bearer, oauth2_jwt_bearer_with_subject, oauth2_client_assertion, api_key, basic_auth, query_api_key
    scopes: Array<string>
    durable_ref: string
      Vault path to the durable secret. Reference only — the secret value is never returned.
    provider_config: object
      Provider-specific structured config. Common shapes: {client_id, tenant_id} for Microsoft client_credentials, {subject} for Google domain-wide delegation, {username} for basic_auth. Never carries the secret.
      key (additional properties): any
    last_minted_at: string, format: date-time
      Timestamp of the most recent successful mint by the proxy’s broker.
    last_minted_status: string
      Short status code from the most recent mint attempt — populated alongside status=needs_reauth to surface the broker’s terminal-error reason.
    allow_user_override: boolean
      AC-kind only — lets members create personal overrides
    status (required): string
      Allowed values: active, needs_reauth, failed, revoked
    created_at: string, format: date-time
    updated_at: string, format: date-time
Example

{
  "credentials": [
    {
      "provider": "google",
      "kind": "oauth2_authorization_code",
      "status": "active"
    }
  ]
}
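
Added example (not part of the original reference and not Evershell's own code): a Python audit of a GET /v1/credentials response body that reports credentials needing attention, domain-wide delegation credentials that impersonate a subject, personal overrides, and provider_config keys that look like secret material despite the documented guarantee. The SECRET_HINTS fragments and the SAMPLE payload (ids, names, the invalid_grant status code) are constructed assumptions.

```python
ALLOWED_KINDS = {
    "oauth2_authorization_code", "oauth2_client_credentials", "oauth2_jwt_bearer",
    "oauth2_jwt_bearer_with_subject", "oauth2_client_assertion", "api_key",
    "basic_auth", "query_api_key",
}
ALLOWED_STATUS = {"active", "needs_reauth", "failed", "revoked"}
# Assumption: key-name fragments that suggest secret material; tune for your providers.
SECRET_HINTS = ("secret", "password", "private_key", "token")


def audit_credentials(payload):
    """Return a list of (credential id, finding) tuples for one response body."""
    findings = []
    for cred in payload.get("credentials", []):
        cid = cred.get("id", "<no id>")
        kind, status = cred.get("kind"), cred.get("status")
        config = cred.get("provider_config") or {}
        if kind not in ALLOWED_KINDS:
            findings.append((cid, f"unknown kind {kind!r}"))
        if status not in ALLOWED_STATUS:
            findings.append((cid, f"unknown status {status!r}"))
        elif status != "active":
            reason = cred.get("last_minted_status") or "no reason recorded"
            findings.append((cid, f"status {status}: {reason}"))
        if kind == "oauth2_jwt_bearer_with_subject":
            # Domain-wide delegation: mints impersonate provider_config.subject.
            findings.append((cid, f"impersonates {config.get('subject', '<unset>')}"))
        if cred.get("user_id"):
            findings.append((cid, f"personal override owned by {cred['user_id']}"))
        for key in config:
            if any(hint in key.lower() for hint in SECRET_HINTS):
                findings.append((cid, f"provider_config key {key!r} looks like a secret"))
    return findings


# Constructed sample response; ids, names and values are invented for illustration.
SAMPLE = {"credentials": [
    {"id": "cred_1", "name": "gmail", "provider": "google",
     "kind": "oauth2_authorization_code", "status": "active"},
    {"id": "cred_2", "name": "gws-admin", "provider": "google",
     "kind": "oauth2_jwt_bearer_with_subject", "status": "needs_reauth",
     "last_minted_status": "invalid_grant",
     "provider_config": {"subject": "admin@example.com"}},
    {"id": "cred_3", "name": "crm", "provider": "example", "kind": "basic_auth",
     "status": "active", "user_id": "user_42",
     "provider_config": {"username": "svc", "password": "x"}},
]}

if __name__ == "__main__":
    for cid, finding in audit_credentials(SAMPLE):
        print(cid, "-", finding)
```

Because the list is narrowed per caller, run the audit with an Operator-level token if other members' personal overrides should be included.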

Credentials subsystem isn’t configured on this CP (auth_disabled).

Media type application/json

object
  error (required): object
    code (required): string
      Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)
    message (required): string
      Human-readable summary
    request_id (required): string
      Server-generated request id for correlating logs
    details: object
      Optional structured context. Validation errors land at details.fields as a per-field map.
      key (additional properties): any
Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}