Create an OAuth provider credential

curl --request POST \
  --url https://api.example.com/credentials/oauth-provider \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "label": "<string>",
  "oauth_authorize_url": "<string>",
  "oauth_token_url": "<string>",
  "oauth_client_id": "<string>",
  "oauth_client_secret": "<string>",
  "upstream_base_url": "<string>",
  "oauth_default_scope": "<string>"
}
'

{
  "credential_id": "<string>"
}

Credentials

Create an OAuth provider credential

Creates a system.credential of kind: oauth_token carrying an upstream service’s OAuth client config — authorize URL, token URL, client_id, encrypted client_secret, upstream API base URL, and optional default scope. The resulting credential id is passed as credential_ref on subsequent POST /connections/install calls so multiple integrations of the same upstream (e.g. google.calendar + google.tasks) share one OAuth client and one stored secret instead of duplicating per-integration.

The client_secret is encrypted server-side under the connectionOauthToken HKDF domain (AES-256-GCM). Decryption only happens at the OAuth proxy + callback paths; the plaintext is never returned by any read path.

Tenant-scoped: the credential is created in the calling key’s tenant, and integrations within that tenant can reference it. Cross-tenant reuse is not supported — each tenant brings its own OAuth provider config.

POST

credentials

oauth-provider

Create an OAuth provider credential

curl --request POST \
  --url https://api.example.com/credentials/oauth-provider \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "label": "<string>",
  "oauth_authorize_url": "<string>",
  "oauth_token_url": "<string>",
  "oauth_client_id": "<string>",
  "oauth_client_secret": "<string>",
  "upstream_base_url": "<string>",
  "oauth_default_scope": "<string>"
}
'

{
  "credential_id": "<string>"
}

Authorizations

Authorization

string

header

required

Pass an API key (marfa_k1_...) or OAuth access token (marfa_at_...)

Body

application/json

label

string

required

Required string length: 1 - 200

oauth_authorize_url

string<uri>

required

Maximum string length: 2048

oauth_token_url

string<uri>

required

Maximum string length: 2048

oauth_client_id

string

required

Required string length: 1 - 512

oauth_client_secret

string

required

Required string length: 1 - 2048

upstream_base_url

string<uri>

required

Maximum string length: 2048

oauth_default_scope

string

Maximum string length: 2048

Response

Credential created. Returns the new credential's id for use as credential_ref on install.

credential_id

string

required

Update an API key Create a static API-token credential

Documentation Index

Authorizations

Body

Response