Create Credential

Creates a new cloud credential for your organization. Credentials are encrypted with AES-256-GCM and automatically verified asynchronously after creation.

Request

POST /credentials

Authentication

Requires Bearer JWT Token with ORG_ADMIN role.

Authorization: Bearer <access_token>

Request Body

{
  "name": "AWS Production Account",
  "provider": "AWS",
  "credentialType": "ACCESS_KEY",
  "credentialData": {
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  }
}

Body Parameters

Field	Type	Required	Description
`name`	string	Yes	Human-readable credential name
`provider`	string	Yes	Cloud provider: `AWS`, `GCP`, `AZURE`, or `APISIX`
`credentialType`	string	Yes	Type of credential (see provider-specific types below)
`credentialData`	object	Yes	Provider-specific credential data (see examples below)

Provider-Specific Credential Data

AWS - Access Key

{
  "name": "AWS Production Account",
  "provider": "AWS",
  "credentialType": "ACCESS_KEY",
  "credentialData": {
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  }
}

Required Permissions:

ec2:DescribeSecurityGroups
ec2:AuthorizeSecurityGroupIngress
ec2:RevokeSecurityGroupIngress

GCP - Service Account

{
  "name": "GCP Production Project",
  "provider": "GCP",
  "credentialType": "SERVICE_ACCOUNT",
  "credentialData": {
    "type": "service_account",
    "project_id": "my-project-12345",
    "private_key_id": "abc123...",
    "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
    "client_email": "[email protected]",
    "client_id": "123456789",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/..."
  }
}

Required Roles:

roles/compute.securityAdmin (or custom role with compute.firewalls.* permissions)

Azure - Service Principal

{
  "name": "Azure Production Subscription",
  "provider": "AZURE",
  "credentialType": "SERVICE_PRINCIPAL",
  "credentialData": {
    "subscriptionId": "12345678-1234-1234-1234-123456789012",
    "tenantId": "87654321-4321-4321-4321-210987654321",
    "clientId": "abcdef12-3456-7890-abcd-ef1234567890",
    "clientSecret": "your-client-secret-here"
  }
}

Required Roles:

Network Contributor (on subscription or resource group)

APISIX - API Key

{
  "name": "APISIX Gateway",
  "provider": "APISIX",
  "credentialType": "API_KEY",
  "credentialData": {
    "apiUrl": "https://apisix.example.com",
    "apiKey": "your-apisix-admin-api-key"
  }
}

Response

Success Response

Status Code: 201 Created

Response Body:

{
  "id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
  "name": "AWS Production Account",
  "provider": "AWS",
  "credentialType": "ACCESS_KEY",
  "isValid": null,
  "lastVerifiedAt": null,
  "verificationError": null,
  "createdAt": "2026-02-18T12:30:00Z",
  "updatedAt": "2026-02-18T12:30:00Z"
}

Response Fields

Field	Type	Description
`id`	UUID	Unique credential identifier (generated)
`name`	string	Human-readable credential name
`provider`	string	Cloud provider
`credentialType`	string	Type of credential
`isValid`	boolean	Initially `null` until first verification completes
`lastVerifiedAt`	string (ISO 8601)	`null` for new credentials
`verificationError`	string	`null` for new credentials
`createdAt`	string (ISO 8601)	Credential creation timestamp
`updatedAt`	string (ISO 8601)	Last update timestamp

Error Responses

Status Code	Error	Description
`400 Bad Request`	`VALIDATION_ERROR`	Invalid request body or missing required fields
`401 Unauthorized`	`UNAUTHORIZED`	Missing or invalid authentication token
`403 Forbidden`	`FORBIDDEN`	User lacks `ORG_ADMIN` role
`429 Too Many Requests`	`RATE_LIMIT_EXCEEDED`	Rate limit exceeded
`500 Internal Server Error`	`INTERNAL_ERROR`	Server error occurred

Error Response Example

{
  "error": "VALIDATION_ERROR",
  "message": "credentialData.accessKeyId is required for AWS ACCESS_KEY credentials",
  "timestamp": "2026-02-18T12:30:00Z"
}

Example

Request - AWS

curl -X POST https://api.entryguard.io/api/v1/credentials \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "AWS Production Account",
    "provider": "AWS",
    "credentialType": "ACCESS_KEY",
    "credentialData": {
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
  }'

Request - GCP

curl -X POST https://api.entryguard.io/api/v1/credentials \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "GCP Production Project",
    "provider": "GCP",
    "credentialType": "SERVICE_ACCOUNT",
    "credentialData": {
      "type": "service_account",
      "project_id": "my-project-12345",
      "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
      "client_email": "[email protected]"
    }
  }'

Response

{
  "id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
  "name": "AWS Production Account",
  "provider": "AWS",
  "credentialType": "ACCESS_KEY",
  "isValid": null,
  "lastVerifiedAt": null,
  "verificationError": null,
  "createdAt": "2026-02-18T12:30:00Z",
  "updatedAt": "2026-02-18T12:30:00Z"
}

Notes

Credentials are encrypted at rest using AES-256-GCM encryption
Credential secrets (API keys, access keys, etc.) are never returned in API responses
Automatic verification starts asynchronously after creation
Check the Get Credential endpoint a few seconds after creation to see verification status
Store the credential ID returned in the response - you'll need it to link resources
Ensure your cloud provider credentials have the minimum required permissions listed above
Invalid credentials will prevent resources from being used in sessions
This operation is logged in the audit trail

After Creating

After creating a credential, you can:

Check verification status (wait a few seconds for async verification):

curl -X GET https://api.entryguard.io/api/v1/credentials/7c9e6679-7425-40de-944b-e07fc1f90ae7 \
  -H "Authorization: Bearer ..."

Create resources using this credential:

curl -X POST https://api.entryguard.io/api/v1/resources \
  -H "Authorization: Bearer ..." \
  -d '{"name": "My Resource", "credentialId": "7c9e6679-7425-40de-944b-e07fc1f90ae7", ...}'

Request​

Authentication​

Request Body​

Body Parameters​

Provider-Specific Credential Data​

AWS - Access Key​

GCP - Service Account​

Azure - Service Principal​

APISIX - API Key​

Response​

Success Response​

Response Fields​

Error Responses​

Error Response Example​

Example​

Request - AWS​

Request - GCP​

Response​

Notes​

After Creating​

Request

Authentication

Request Body

Body Parameters

Provider-Specific Credential Data

AWS - Access Key

GCP - Service Account

Azure - Service Principal

APISIX - API Key

Response

Success Response

Response Fields

Error Responses

Error Response Example

Example

Request - AWS

Request - GCP

Response

Notes

After Creating