# Credential Sources
Credential sources store the secret material that later gets projected into outbound auth flows.
The API surface is:
| Method | Path | Purpose |
|---|---|---|
| GET | `/api/v1/credential-sources` | List sources |
| POST | `/api/v1/credential-sources` | Create a source |
| GET | `/api/v1/credential-sources/{name}` | Get source metadata |
| PUT | `/api/v1/credential-sources/{name}` | Replace a source |
| DELETE | `/api/v1/credential-sources/{name}` | Delete a source |
Source specs are write-only. Read APIs return metadata such as name, resolverKind, currentVersion, and timestamps, but not the raw secret values.
## Resolver Kinds
| Resolver kind | Key spec fields | Typical use |
|---|---|---|
| `static_headers` | `spec.staticHeaders.values` | Bearer tokens and header fragments |
| `static_tls_client_certificate` | `spec.staticTLSClientCertificate.certificatePem`, `privateKeyPem`, optional `caPem` | mTLS client authentication |
| `static_username_password` | `spec.staticUsernamePassword.username`, `password` | Username/password based outbound auth |
## Create A Source
`POST /api/v1/credential-sources`

```go
// Create a static_headers source. The token is read from the environment
// rather than hard-coded in the program.
source, err := client.CreateCredentialSource(ctx, apispec.CredentialSourceWriteRequest{
	Name:         "github-source",
	ResolverKind: apispec.CredentialSourceResolverKindStaticHeaders,
	Spec: apispec.CredentialSourceWriteSpec{
		StaticHeaders: apispec.NewOptStaticHeadersSourceSpec(apispec.StaticHeadersSourceSpec{
			Values: apispec.NewOptStaticHeadersSourceSpecValues(
				apispec.StaticHeadersSourceSpecValues{
					"token": os.Getenv("GITHUB_TOKEN"),
				},
			),
		}),
	},
})
if err != nil {
	log.Fatal(err)
}
// The returned object carries metadata only, not the secret value.
fmt.Println(source.Name)
```
## Update Or Rotate A Source
Use PUT /api/v1/credential-sources/{name} to replace the source contents while keeping the same source name. Existing bindings continue to point at that source name.
Sources are reusable. Rotate the source once, then keep bindings and credential rules stable by continuing to reference the same sourceRef.
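
A rotation sketch using only the Go standard library, added here as an example and not taken from the project's SDK. It builds the `PUT` that replaces `github-source` in place, then checks that a metadata response does not repeat the secret, as the write-only rule requires. The JSON body shape, the base URL, and the sample metadata response are assumptions; API authentication and sending the request are omitted because the page does not describe them.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// rotateRequest builds the PUT that replaces a static_headers source in place.
// Assumption: the JSON body mirrors the spec field paths listed on this page.
func rotateRequest(baseURL, name string, values map[string]string) (*http.Request, error) {
	body, err := json.Marshal(map[string]any{
		"name":         name,
		"resolverKind": "static_headers",
		"spec":         map[string]any{"staticHeaders": map[string]any{"values": values}},
	})
	if err != nil {
		return nil, err
	}
	u := strings.TrimRight(baseURL, "/") + "/api/v1/credential-sources/" + url.PathEscape(name)
	req, err := http.NewRequest(http.MethodPut, u, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

// echoesSecret reports whether a read response repeats any secret value (expect false).
func echoesSecret(respBody []byte, values map[string]string) bool {
	for _, v := range values {
		if v != "" && bytes.Contains(respBody, []byte(v)) {
			return true
		}
	}
	return false
}

func main() {
	vals := map[string]string{"token": "constructed-example-token"}
	req, err := rotateRequest("https://gateway.example.invalid", "github-source", vals)
	if err != nil {
		panic(err)
	}
	meta := []byte(`{"name":"github-source","resolverKind":"static_headers","currentVersion":2}`) // constructed
	fmt.Println(req.Method, req.URL.Path, "echoes secret:", echoesSecret(meta, vals))
}
```

Because the source name in the path stays the same, bindings that reference it need no change after the rotation.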
## Next Steps
- Egress Auth: Bind sources and apply outbound auth to matching traffic
- Template Configuration: Set default credential bindings and egress auth at template level
- Sandbox Network: Keep traffic allow and deny policy separate from outbound auth