Credentials

Credentials represent OAuth client credentials or API keys used to authenticate your applications against the cPod platform. Each credential is scoped to an organization and optionally to a specific workspace, and can carry one or more permission scopes.

⚠️

Secret shown once. The plaintext secret is returned only in the create() response. The platform does not store it. Save it immediately to a secrets manager or CI/CD secret store — it cannot be retrieved again. To rotate a secret, revoke the existing credential and create a new one.

Credential Schema

Field	Type	Required	Description
`id`	`string`	auto	UUID
`name`	`string`	yes	Human-readable label (e.g. `"GitHub Actions Deploy Key"`)
`type`	`enum`	yes	`api_key` \| `oauth_client`
`clientId`	`string`	auto	Public identifier used in OAuth flows
`secret`	`string`	create only	Plaintext secret — returned once at creation only
`keyPrefix`	`string`	auto	First 8 chars of the secret for display (e.g. `cpod_abc1…`)
`scopes`	`string[]`	no	Permission scopes (e.g. `["pods:read", "pods:write"]`)
`status`	`enum`	auto	`active` \| `revoked` \| `expired`
`expiresAt`	`string`	no	ISO 8601 UTC — omit for non-expiring keys
`organizationId`	`string`	yes	Organization this credential belongs to
`workspaceId`	`string`	no	Restrict credential to a single workspace
`createdAt`	`string`	auto	ISO 8601 UTC
`updatedAt`	`string`	auto	ISO 8601 UTC

List Credentials

import { CpodClient } from '@cpod/sdk'
const sdk = CpodClient.fromEnv()
 
const result = await sdk.credentials.list({
  organizationId: 'b2c3d4e5-...',
  status: 'active',
  limit: 50,
})
 
for (const cred of result.data) {
  console.log(cred.id, cred.name, cred.keyPrefix, cred.status)
}

from cpod import CpodClient
sdk = CpodClient.from_env()
 
result = await sdk.credentials.list(
    organization_id="b2c3d4e5-...",
    status="active",
    limit=50,
)
 
for cred in result.data:
    print(cred.id, cred.name, cred.key_prefix, cred.status)

import "github.com/cpod-ai/cpod-sdk-go/credentials"
 
client := cpod.New(os.Getenv("CPOD_API_KEY"))
 
result, err := client.Credentials.List(ctx, credentials.ListOptions{
    OrganizationID: "b2c3d4e5-...",
    Status:         "active",
    Limit:          50,
})
for _, cred := range result.Data {
    fmt.Println(cred.ID, cred.Name, cred.KeyPrefix, cred.Status)
}

Create a Credential

Store the secret field from the response immediately. It will not appear in any subsequent API call.

const { secret, ...credential } = await sdk.credentials.create({
  organizationId: 'b2c3d4e5-...',
  workspaceId: 'c3d4e5f6-...',
  name: 'GitHub Actions Deploy Key',
  type: 'api_key',
  scopes: ['pods:read', 'pods:write'],
  expiresAt: '2027-01-01T00:00:00Z',
})
 
// Save secret NOW — it will not be shown again
await secretsManager.put('cpod/deploy-key', secret)
 
console.log(credential.id, credential.keyPrefix) // → cpod_abc1…

result = await sdk.credentials.create(
    organization_id="b2c3d4e5-...",
    workspace_id="c3d4e5f6-...",
    name="GitHub Actions Deploy Key",
    type="api_key",
    scopes=["pods:read", "pods:write"],
    expires_at="2027-01-01T00:00:00Z",
)
 
# Save secret NOW — it will not be shown again
secret = result.secret
await secrets_manager.put("cpod/deploy-key", secret)
 
print(result.id, result.key_prefix)

result, err := client.Credentials.Create(ctx, credentials.CreateInput{
    OrganizationID: "b2c3d4e5-...",
    WorkspaceID:    "c3d4e5f6-...",
    Name:           "GitHub Actions Deploy Key",
    Type:           "api_key",
    Scopes:         []string{"pods:read", "pods:write"},
    ExpiresAt:      "2027-01-01T00:00:00Z",
})
 
// Save secret NOW — it will not be shown again
secretsManager.Put("cpod/deploy-key", result.Secret)
 
fmt.Println(result.ID, result.KeyPrefix)

Get a Credential

Fetches metadata for a credential. The secret is never returned — only the keyPrefix is shown.

const cred = await sdk.credentials.get('cred-uuid')
console.log(cred.name, cred.scopes, cred.status)

cred = await sdk.credentials.get("cred-uuid")
print(cred.name, cred.scopes, cred.status)

cred, err := client.Credentials.Get(ctx, "cred-uuid")
fmt.Println(cred.Name, cred.Scopes, cred.Status)

Revoke a Credential

Permanently deactivates a credential. Revoked credentials cannot be reactivated. Create a new credential to replace it.

🚫

Revocation is immediate and irreversible. Any service using the credential will start receiving 401 Unauthorized responses.

const revoked = await sdk.credentials.revoke('cred-uuid')
console.log(revoked.status) // → "revoked"

revoked = await sdk.credentials.revoke("cred-uuid")
print(revoked.status)  # → "revoked"

revoked, err := client.Credentials.Revoke(ctx, "cred-uuid")
fmt.Println(revoked.Status) // → "revoked"

User Profiles Pods