Agents often need to access third-party services — GitHub, Jira, databases, or custom MCP servers. Vaults provide secure credential storage so you can hand tokens to us and have them injected into Sessions on demand without hard-coding secrets in your code.
Core Concepts
| Concept | Description |
|---|---|
| Vault | A credential container that can hold multiple Credentials |
| Credential | A single credential bound to a specific MCP server URL |
| protocol | MCP transport: sse or streamable_http |
| type | Credential type, currently only static_bearer |
| vault_ids | The list of Vault IDs referenced when creating a Session |
Security
- access_token is never returned in API responses.
- Credentials are encrypted at rest.
- Only the linked Sessions can read credential contents at runtime.
End-to-End Flow
1. Create a Vault
```bash
curl -X POST https://api.qoder.com/api/v1/cloud/vaults \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "display_name": "My GitHub credentials",
    "credentials": [
      {
        "mcp_server_url": "https://mcp.github.com/sse",
        "protocol": "sse",
        "type": "static_bearer",
        "access_token": "ghp_xxxxxxxxxxxx"
      }
    ]
  }'
```
Example response:
```json
{
  "id": "vault_019e5cdb9c3f71c3b6505eba937a40b4",
  "type": "vault",
  "display_name": "My GitHub credentials",
  "status": "active",
  "credentials": [
    {
      "id": "vcred_019e5cdb9c4f72a3b6505eba937a40c5",
      "vault_id": "vault_019e5cdb9c3f71c3b6505eba937a40b4",
      "status": "active",
      "mcp_server_url": "https://mcp.github.com/sse",
      "protocol": "sse",
      "type": "static_bearer",
      "created_at": "2026-05-18T08:00:00Z",
      "updated_at": "2026-05-18T08:00:00Z"
    }
  ],
  "metadata": {},
  "created_at": "2026-05-18T08:00:00Z",
  "updated_at": "2026-05-18T08:00:00Z"
}
```
The response does not include access_token.
2. Append a Credential
You can add more credentials to a Vault at any time:
```bash
curl -X POST https://api.qoder.com/api/v1/cloud/vaults/vault_019e5cdb9c3f71c3b6505eba937a40b4/credentials \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "mcp_server_url": "https://jira.example.com/mcp/sse",
    "protocol": "sse",
    "type": "static_bearer",
    "access_token": "jira_token_xxxxxxxx"
  }'
```
3. Use in a Session
Reference Vaults via vault_ids when creating the Session:
```bash
curl -X POST https://api.qoder.com/api/v1/cloud/sessions \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "agent": "agent_xxx",
    "vault_ids": ["vault_019e5cdb9c3f71c3b6505eba937a40b4"]
  }'
```
At runtime, the Agent automatically gains access to every Credential in the Vault to authenticate to the corresponding MCP servers.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| display_name | string | Yes | Display name for the Vault |
| credentials | array | No | Initial list of credentials; can be empty |
| credentials[].mcp_server_url | string | Yes | MCP server URL |
| credentials[].protocol | string | Yes | sse or streamable_http |
| credentials[].type | string | Yes | Currently only static_bearer |
| credentials[].access_token | string | Yes | Bearer token value |
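
The following is an added example, not Qoder's own client code: it builds a credentials[] entry from the Parameters table with the token read from an environment variable (so it stays out of source, shell history and process arguments), masks it for logging, and checks that a response never echoes access_token. The helper names, the environment-variable argument and the https-only check are assumptions made for illustration.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

API = "https://api.qoder.com/api/v1/cloud/vaults"  # endpoint shown on the page
PROTOCOLS = {"sse", "streamable_http"}  # allowed values from the Parameters table

def credential(mcp_server_url, protocol, token_env):
    """Build one credentials[] entry; the token comes from the environment, not source."""
    parts = urlsplit(mcp_server_url)
    # Assumption (not on the page): refuse non-https URLs so the token never travels in cleartext.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"mcp_server_url must be https: {mcp_server_url!r}")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(PROTOCOLS)}")
    token = os.environ.get(token_env, "")
    if not token:
        raise ValueError(f"environment variable {token_env} is empty or unset")
    return {"mcp_server_url": mcp_server_url, "protocol": protocol,
            "type": "static_bearer", "access_token": token}

def redacted(obj):
    """Copy of obj that is safe to log: every access_token value is masked."""
    if isinstance(obj, dict):
        return {k: "***" if k == "access_token" else redacted(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redacted(v) for v in obj]
    return obj

def leaks_token(obj):
    """True if a response body carries an access_token key at any depth."""
    if isinstance(obj, dict):
        return "access_token" in obj or any(leaks_token(v) for v in obj.values())
    if isinstance(obj, list):
        return any(leaks_token(v) for v in obj)
    return False

def create_vault(display_name, credentials):
    """POST the Vault; the secret travels in the request body, never in argv."""
    payload = {"display_name": display_name, "credentials": list(credentials)}
    req = urllib.request.Request(
        API, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {os.environ['QODER_PAT']}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    if leaks_token(body):
        raise RuntimeError("response echoed access_token; treat the token as exposed")
    return body
```

Log `redacted(payload)` rather than the payload itself when recording what was submitted.
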
FAQ
Q: Can I update a Credential’s token?
A: Rotate by deleting the old Credential and creating a new one.

Q: How many Vaults can a Session reference?
A: There’s no hard limit, but group by service for clarity.

Q: My token leaked. What now?
A: Delete the Credential immediately, revoke the token in the third-party platform, and create a new Credential.

Q: Can I read stored tokens?
A: No. For security, access_token is write-only — you can only delete and recreate.

Use separate Vaults per environment (development vs. production) to avoid mixing credentials.