Attach a credential to a principal.
const url = 'https://example.com/iam/principals/example/credentials';const options = { method: 'POST', headers: {Authorization: 'Bearer <token>', 'Content-Type': 'application/json'}, body: '{"publicKey":"example","type":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/iam/principals/example/credentials \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data '{ "publicKey": "example", "type": "example" }'Authorizations
Section titled “Authorizations”Parameters
Section titled “Parameters”Path Parameters
Section titled “Path Parameters”Principal id.
Request Bodyrequired
Section titled “Request Bodyrequired”Request body for POST /iam/principals/:id/credentials.
credential_type is kept as a raw String so that Axum’s JSON extractor
never rejects the request before the handler runs. An unknown value produces
the project’s {"error":{"code":"INVALID_VALUE",...}} envelope rather than
Axum’s default 422 body. The handler parses the string into [CredentialType]
explicitly and returns the structured error on failure.
Request body for POST /iam/principals/:id/credentials.
credential_type is kept as a raw String so that Axum’s JSON extractor
never rejects the request before the handler runs. An unknown value produces
the project’s {"error":{"code":"INVALID_VALUE",...}} envelope rather than
Axum’s default 422 body. The handler parses the string into [CredentialType]
explicitly and returns the structured error on failure.
object
SSH public key in OpenSSH format (for type "ssh").
Credential type string as received on the wire, e.g. "ssh".
Kept as String (not CredentialType) so that unknown values are
rejected with the project error envelope, not Axum’s default 422 body.
Examplegenerated
{ "publicKey": "example", "type": "example"}Responses
Section titled “Responses”Credential details returned to the API caller.
Sensitive fields (credential_data, secret_hash) are never included;
only public metadata is surfaced (fingerprint for SSH, username for password).
Credential details returned to the API caller.
Sensitive fields (credential_data, secret_hash) are never included;
only public metadata is surfaced (fingerprint for SSH, username for password).
object
ISO 8601 creation timestamp.
Credential UUID.
Non-sensitive metadata from the credential (e.g., username, fingerprint).
Credential kind.
A credential type this server version understands.
Password credential (username + hashed secret).
SSH public key credential.
One-time setup/password-reset token.
A credential type string from the DB that this server version does not recognise. Preserved as-is so the API response reflects reality.
ISO 8601 last-modified timestamp.
Example
{ "type": "password"}default
Section titled “default”Structured error envelope (SPEC-DATA-0006): {"errors": [{"scope", "target", "code", "message"}, ...]}.
The top-level response body. Wraps a non-empty list of [ErrorEntry].
object
The error entries making up the envelope. Always non-empty.
One entry in the error envelope.
Carries an anchoring [ErrorScope], an optional target that
disambiguates within the scope, a stable SCREAMING_SNAKE_CASE code, and
a human-readable English message. See SPEC-DATA-0006 for the full
envelope contract.
object
Machine-readable, stable, SCREAMING_SNAKE_CASE identifier.
HFX source location for a [DataError::HfxCompileError] entry.
Emitted as the extra location field on the entry JSON when present,
per SPEC-UI-0043. The line/column are 1-based. The frame is the
offending source line extracted verbatim from the input.
object
1-based column within the line, measured in UTF-16 code units of the prefix so browser-side editors can consume it directly.
The offending source line text, when available.
1-based line number within the source text.
Server-authored English message. Not part of the API contract; may change across releases without notice.
The key of the ValidationRule that
failed, when the code is RULE_FAILED. None for all other codes.
Skipped during serialization when absent so it does not appear on
unrelated entries (same pattern as location).
Documented here as a plain string (#[schemars(with = "...")])
rather than a $ref to ValidationRuleKey’s own schema: that type
lives in metadata-types, which does not derive JsonSchema yet
(tracked by #812). ValidationRuleKey serializes transparently as
its inner string (serde’s default newtype-struct behavior), so this
is an accurate wire-shape description, not a placeholder.
Field key for field scope, record id for record scope, null
otherwise. Always serialized, even when null.
Example
{ "errors": [ { "scope": "field" } ]}