Agents often need to access third-party services — GitHub, Jira, databases, or custom MCP servers. Vaults provide secure credential storage so you can hand tokens to us and have them injected into Sessions on demand without hard-coding secrets in your code.
Core concepts Concept Description Vault A credential container that can hold multiple Credentials Credential A single credential bound to a specific MCP server URL protocolMCP transport. Only streamable_http is exposed typeCredential type, currently only static_bearer vault_idsThe list of Vault IDs referenced when creating a Session
Security
access_token is never returned in API responses.Credentials are encrypted at rest.
Only the linked Sessions can read credential contents at runtime.
End-to-end flow
Create a vault
curl -X POST https://api.qoder.com/api/v1/cloud/vaults \ -H "Authorization: Bearer $QODER_PAT " \ -H "Content-Type: application/json" \ -d '{ "display_name": "My GitHub credentials", "credentials": [ { "mcp_server_url": "https://mcp.github.com/mcp", "protocol": "streamable_http", "type": "static_bearer", "access_token": "ghp_xxxxxxxxxxxx" } ] }'
Example response: { "id" : "vault_019e5cdb9c3f71c3b6505eba937a40b4" , "type" : "vault" , "display_name" : "My GitHub credentials" , "status" : "active" , "credentials" : [ { "id" : "vcred_019e5cdb9c4f72a3b6505eba937a40c5" , "vault_id" : "vault_019e5cdb9c3f71c3b6505eba937a40b4" , "status" : "active" , "mcp_server_url" : "https://mcp.github.com/mcp" , "protocol" : "streamable_http" , "type" : "static_bearer" , "created_at" : "2026-05-18T08:00:00Z" , "updated_at" : "2026-05-18T08:00:00Z" } ], "metadata" : {}, "created_at" : "2026-05-18T08:00:00Z" , "updated_at" : "2026-05-18T08:00:00Z" }
The response does not include access_token.
Append a credential
You can add more credentials to a Vault at any time: curl -X POST https://api.qoder.com/api/v1/cloud/vaults/vault_019e5cdb9c3f71c3b6505eba937a40b4/credentials \ -H "Authorization: Bearer $QODER_PAT " \ -H "Content-Type: application/json" \ -d '{ "mcp_server_url": "https://jira.example.com/mcp", "protocol": "streamable_http", "type": "static_bearer", "access_token": "jira_token_xxxxxxxx" }'
Use in a Session
Reference Vaults via vault_ids when creating the Session: curl -X POST https://api.qoder.com/api/v1/cloud/sessions \ -H "Authorization: Bearer $QODER_PAT " \ -H "Content-Type: application/json" \ -d '{ "agent": "agent_xxx", "vault_ids": ["vault_019e5cdb9c3f71c3b6505eba937a40b4"] }'
At runtime, the Agent automatically gains access to every Credential in the Vault to authenticate to the corresponding MCP servers. Parameters Parameter Type Required Description display_namestring Yes Display name for the Vault credentialsarray Yes List of credentials; must contain at least one credential object credentials[].mcp_server_urlstring Yes MCP server URL credentials[].protocolstring Yes streamable_httpcredentials[].typestring Yes Currently only static_bearer credentials[].access_tokenstring Yes Bearer token value
FAQ Q: Can I update a Credential’s token? A: Rotate by deleting the old Credential and creating a new one.Q: How many Vaults can a Session reference? A: There’s no hard limit, but group by service for clarity.Q: My token leaked. What now? A: Delete the Credential immediately, revoke the token in the third-party platform, and create a new Credential.Q: Can I read stored tokens? A: No. For security, access_token is write-only — you can only delete and recreate.Use separate Vaults per environment (development vs. production) to avoid mixing credentials.
Next steps
Start a session Run an agent against an environment.
Agent setup Review Agent configuration.
Build persistent memory Give your agent persistent memory across sessions.
Cloud environment setup Customize the runtime.
