Get a credential by id

GET

/credentials/{id}

const url = 'https://your-org.evershell.ai/v1/credentials/example';
const options = {method: 'GET', headers: {Authorization: 'Bearer <token>'}};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request GET \
  --url https://your-org.evershell.ai/v1/credentials/example \
  --header 'Authorization: Bearer <token>'

Permissions: any signed-in caller. Same per-user narrowing as GET /credentials — fetching another member’s personal credential by id returns 404, not 403, so the existence of the row isn’t leaked across users.

Authorizations

bearerAuth

Parameters

Path Parameters

required

string

Responses

200

application/json

object

required

string

org_id

string

user_id

Non-null for personal (per-user) credentials

string

name

required

string

provider

required

string

kind

required

oauth2_jwt_bearer_with_subject is Google domain-wide delegation — same SA JSON key as the durable credential, but mint requests carry a sub claim that impersonates the email in provider_config.subject.

string

Allowed values: oauth2_authorization_code oauth2_client_credentials oauth2_jwt_bearer oauth2_jwt_bearer_with_subject oauth2_client_assertion api_key basic_auth query_api_key

scopes

Array<string>

durable_ref

Vault path to the durable secret. Reference only — the secret value is never returned.

string

provider_config

Provider-specific structured config. Common shapes: {client_id, tenant_id} for Microsoft client_credentials, {subject} for Google domain-wide delegation, {username} for basic_auth. Never carries the secret.

object

key

additional properties

any

last_minted_at

Timestamp of the most recent successful mint by the proxy’s broker.

string format: date-time

last_minted_status

Short status code from the most recent mint attempt — populated alongside status=needs_reauth to surface the broker’s terminal-error reason.

string

allow_user_override

AC-kind only — lets members create personal overrides

boolean

status

required

string

Allowed values: active needs_reauth failed revoked

created_at

string format: date-time

updated_at

string format: date-time

Example

{
  "provider": "google",
  "kind": "oauth2_authorization_code",
  "status": "active"
}

404

Resource not found in the caller’s org

application/json

object

error

required

object

code

required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string

message

required

Human-readable summary

string

request_id

required

Server-generated request id for correlating logs

string

details

Optional structured context. Validation errors land at details.fields as a per-field map.

object

key

additional properties

any

Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}

503

Credentials subsystem isn’t configured on this CP (auth_disabled).

application/json

object

error

required

object

code

required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string

message

required

Human-readable summary

string

request_id

required

Server-generated request id for correlating logs

string

details

Optional structured context. Validation errors land at details.fields as a per-field map.

object

key

additional properties

any

Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}