Documentation/docs/credential/sources

#Credential Sources

Credential sources store the secret material that later gets projected into outbound auth flows.

The API surface is:

Method	Path	Purpose
`GET`	`/api/v1/credential-sources`	List sources
`POST`	`/api/v1/credential-sources`	Create a source
`GET`	`/api/v1/credential-sources/{name}`	Get source metadata
`PUT`	`/api/v1/credential-sources/{name}`	Replace a source
`DELETE`	`/api/v1/credential-sources/{name}`	Delete a source

ℹ

Source specs are write-only. Read APIs return metadata such as name, resolverKind, currentVersion, and timestamps, but not the raw secret values.

ℹ

CLI examples assume you already ran s0 auth login and selected a current team with s0 team use <team-id>.

Resolver Kinds#

Resolver kind	Key spec fields	Typical use
`static_headers`	`spec.staticHeaders.values`	Bearer tokens and header fragments
`static_tls_client_certificate`	`spec.staticTLSClientCertificate.certificatePem`, `privateKeyPem`, optional `caPem`	mTLS client authentication
`static_username_password`	`spec.staticUsernamePassword.username`, `password`	Username/password based outbound auth

Create A Source#

POST/api/v1/credential-sources

go
source, err := client.CreateCredentialSource(ctx, apispec.CredentialSourceWriteRequest{
  Name: "github-source",
  ResolverKind: apispec.CredentialSourceResolverKindStaticHeaders,
  Spec: apispec.CredentialSourceWriteSpec{
      StaticHeaders: apispec.NewOptStaticHeadersSourceSpec(apispec.StaticHeadersSourceSpec{
          Values: apispec.NewOptStaticHeadersSourceSpecValues(
              apispec.StaticHeadersSourceSpecValues{
                  "token": os.Getenv("GITHUB_TOKEN"),
              },
          ),
      }),
  },
})
if err != nil {
  log.Fatal(err)
}
fmt.Println(source.Name)

List Sources#

GET/api/v1/credential-sources

Read APIs return metadata only. Use list to discover source names, resolver kinds, status, and current versions.

go
sources, err := client.ListCredentialSources(ctx)
if err != nil {
  log.Fatal(err)
}
for _, source := range sources {
  fmt.Printf("- %s (%s) version=%d\n", source.Name, source.ResolverKind, source.CurrentVersion)
}

Get Source Metadata#

GET/api/v1/credential-sources/{name}

Use get when you know the source name and want the current metadata record without listing everything.

go
source, err := client.GetCredentialSource(ctx, "github-source")
if err != nil {
  log.Fatal(err)
}
fmt.Printf("%s version=%d status=%s\n", source.Name, source.CurrentVersion, source.Status)

Update Or Rotate A Source#

Use PUT /api/v1/credential-sources/{name} to replace the source contents while keeping the same source name. Existing bindings continue to point at that source name.

Sources are reusable. Rotate the source once, then keep bindings and credential rules stable by continuing to reference the same sourceRef.

PUT/api/v1/credential-sources/{name}

go
source, err := client.UpdateCredentialSource(ctx, "github-source", apispec.CredentialSourceWriteRequest{
  ResolverKind: apispec.CredentialSourceResolverKindStaticHeaders,
  Spec: apispec.CredentialSourceWriteSpec{
      StaticHeaders: apispec.NewOptStaticHeadersSourceSpec(apispec.StaticHeadersSourceSpec{
          Values: apispec.NewOptStaticHeadersSourceSpecValues(
              apispec.StaticHeadersSourceSpecValues{
                  "token": os.Getenv("ROTATED_GITHUB_TOKEN"),
              },
          ),
      }),
  },
})
if err != nil {
  log.Fatal(err)
}
fmt.Println(source.Name, source.CurrentVersion)

Delete A Source#

DELETE/api/v1/credential-sources/{name}

Delete only succeeds after no sandbox credential binding still references the source.

go
_, err := client.DeleteCredentialSource(ctx, "github-source")
if err != nil {
  log.Fatal(err)
}
fmt.Println("deleted github-source")

Next Steps#

Egress Auth

Bind sources and apply outbound auth to matching traffic

Template Configuration

Set default credential bindings and egress auth at template level

Sandbox Network

Keep traffic allow and deny policy separate from outbound auth