Skip to main content
POST /api/v1/cloud/vaults/{vault_id}/credentials Adds a new MCP server credential to the specified vault.

Path parameters

ParameterTypeRequiredDescription
vault_idstringYesVault unique identifier

Headers

HeaderRequiredDescription
AuthorizationYesBearer $QODER_PAT
Content-TypeYesapplication/json

Request body

FieldTypeRequiredDescription
authobjectYesCredential authentication details. See Credential auth object
display_namestringNoAccepted for compatibility; currently returned as null and not persisted
metadataobjectNoCustom metadata stored with the credential; defaults to {}

Example request

curl -X POST https://api.qoder.com/api/v1/cloud/vaults/vault_019e3bb940277f0db05ab74291acf6ef/credentials \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "auth": {
      "type": "static_bearer",
      "mcp_server_url": "https://example.com/mcp-stream",
      "token": "your-access-token"
    },
    "metadata": {"team":"docs"}
  }'

Example response

HTTP 200 OK
{
  "id": "vcred_019e3bb98877759e862750b495c1fce8",
  "type": "vault_credential",
  "vault_id": "vault_019e3bb940277f0db05ab74291acf6ef",
  "auth": {
    "type": "static_bearer",
    "mcp_server_url": "https://example.com/mcp-stream"
  },
  "display_name": null,
  "metadata": {
    "team": "docs"
  },
  "archived_at": null,
  "created_at": "2026-05-18T15:34:35.387093Z",
  "updated_at": "2026-05-18T15:34:35.387093Z"
}

Response fields

FieldTypeDescription
idstringCredential unique identifier with the vcred_ prefix
typestringAlways "vault_credential"
vault_idstringOwning Vault ID
authobjectSanitized authentication details; secrets are never returned
display_namenullCurrently always null
metadataobjectCustom metadata object stored with the credential; defaults to {}
archived_atstring | nullArchive time, or null when active
created_atstringCreation time (ISO 8601)
updated_atstringLast update time (ISO 8601)

Errors

HTTPTypeTrigger
400invalid_request_errorMissing auth, invalid credential type, missing required auth fields, or invalid metadata
401TOKEN_INVALIDMissing or invalid authentication token
404not_found_errorVault does not exist or is not accessible
409conflict_errorVault is archived, vault reached the active credential limit, or a duplicate active MCP credential exists

Notes

  • The response does not return credential secrets, including token, access_token, refresh_token, client_secret, or secret_value.
  • A vault can hold up to 20 active credentials.
  • Credentials are active immediately after creation.
See Errors for the full error envelope.

Authenticate with vaults

Store and inject secrets safely into agent sessions.