Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.qoder.com/llms.txt

Use this file to discover all available pages before exploring further.

Agents often need to access third-party services — GitHub, Jira, databases, or custom MCP servers. Vaults provide secure credential storage so you can hand tokens to us and have them injected into Sessions on demand without hard-coding secrets in your code.

Core Concepts

ConceptDescription
VaultA credential container that can hold multiple Credentials
CredentialA single credential bound to a specific MCP server URL
protocolMCP transport: sse or streamable_http
typeCredential type, currently only static_bearer
vault_idsThe list of Vault IDs referenced when creating a Session

Security

  • access_token is never returned in API responses.
  • Credentials are encrypted at rest.
  • Only the linked Sessions can read credential contents at runtime.

End-to-End Flow

1. Create a Vault

curl -X POST https://api.qoder.com/api/v1/cloud/vaults \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "display_name": "My GitHub credentials",
    "credentials": [
      {
        "mcp_server_url": "https://mcp.github.com/sse",
        "protocol": "sse",
        "type": "static_bearer",
        "access_token": "ghp_xxxxxxxxxxxx"
      }
    ]
  }'
Example response: 
{
  "id": "vault_abc123",
  "display_name": "My GitHub credentials",
  "credentials": [
    {
      "id": "cred_def456",
      "mcp_server_url": "https://mcp.github.com/sse",
      "protocol": "sse",
      "type": "static_bearer"
    }
  ],
  "created_at": "2026-05-18T08:00:00Z",
  "updated_at": "2026-05-18T08:00:00Z"
}
The response does not include access_token.

2. Append a Credential

You can add more credentials to a Vault at any time: 
curl -X POST https://api.qoder.com/api/v1/cloud/vaults/vault_abc123/credentials \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "mcp_server_url": "https://jira.example.com/mcp/sse",
    "protocol": "sse",
    "type": "static_bearer",
    "access_token": "jira_token_xxxxxxxx"
  }'

3. Use in a Session

Reference Vaults via vault_ids when creating the Session: 
curl -X POST https://api.qoder.com/api/v1/cloud/sessions \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "agent": "agent_xxx",
    "vault_ids": ["vault_abc123"]
  }'
At runtime, the Agent automatically gains access to every Credential in the Vault to authenticate to the corresponding MCP servers.

Parameters

ParameterTypeRequiredDescription
display_namestringYesDisplay name for the Vault
credentialsarrayNoInitial list of credentials; can be empty
credentials[].mcp_server_urlstringYesMCP server URL
credentials[].protocolstringYessse or streamable_http
credentials[].typestringYesCurrently only static_bearer
credentials[].access_tokenstringYesBearer token value

FAQ

Q: Can I update a Credential’s token? A: Rotate by deleting the old Credential and creating a new one. Q: How many Vaults can a Session reference? A: There’s no hard limit, but group by service for clarity. Q: My token leaked. What now? A: Delete the Credential immediately, revoke the token in the third-party platform, and create a new Credential. Q: Can I read stored tokens? A: No. For security, access_token is write-only — you can only delete and recreate.
Use separate Vaults per environment (development vs. production) to avoid mixing credentials.