Skip to main content
POST
cURL

Authorizations

Authorization
string
header
required

JWT Bearer token obtained from authentication. Pass as: Authorization: Bearer

Body

application/json

Input for creating a human-in-the-loop credential request — the secret is never passed as a tool argument; a human supplies it out-of-band.

type
enum<string>
required

Type of credential the human is asked to provide

Available options:
login,
secure_note,
card,
identity,
oauth_token,
api_key,
certificate
name
string
required

Display name for the credential to be created

Minimum string length: 1
reason
string
required

Human-readable explanation of why the credential is needed, shown to the owner

Minimum string length: 1
agentId

Agent identifier. Optional when using an agent API key (resolved automatically); required when using a master key.

Pattern: ^[0-9a-z]+$
ttlSeconds
integer
default:900

Request TTL in seconds (60-3600, default 900 = 15 minutes)

Required range: 60 <= x <= 3600
notifyOwner
boolean
default:false

The MCP layer sets this true ONLY on the no-elicitation fallback path; the api emails the fillUrl to the org owner iff true.

Response

200 - application/json

OK

Created credential request — carries the fill URL and pending status, or a synchronously resolved reference

requestId
string
required

Unique credential request identifier

fillUrl
string
required

Token-gated URL where the human submits the secret (fallback / URL-mode path)

status
enum<string>
required

Current request status

Available options:
PENDING,
FULFILLED,
EXPIRED,
DECLINED,
CANCELLED
expiresAt
string<date-time>
required

When the request expires and the fill URL stops working

emailSent
boolean
required

Whether the fill URL was emailed to the agent owner (false if no humanEmail is set)

credentialId
string | null

Resolved vault credential ID when the inline path fulfills synchronously; null otherwise