Delete Credential
Permanently deletes a cloud credential from your organization. This operation cannot be undone.
Request
DELETE /credentials/{id}
Authentication
Requires Bearer JWT Token with ORG_ADMIN role.
Authorization: Bearer <access_token>
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | UUID | Yes | Credential unique identifier |
Response
Success Response
Status Code: 204 No Content
No response body is returned on successful deletion.
Error Responses
| Status Code | Error | Description |
|---|---|---|
| 400 Bad Request | CREDENTIAL_IN_USE | Cannot delete credential that is linked to active resources |
| 401 Unauthorized | UNAUTHORIZED | Missing or invalid authentication token |
| 403 Forbidden | FORBIDDEN | User lacks ORG_ADMIN role |
| 404 Not Found | CREDENTIAL_NOT_FOUND | Credential with specified ID does not exist or does not belong to your organization |
| 429 Too Many Requests | RATE_LIMIT_EXCEEDED | Rate limit exceeded |
| 500 Internal Server Error | INTERNAL_ERROR | Server error occurred |
Error Response Example - Credential In Use
{
"error": "CREDENTIAL_IN_USE",
"message": "Cannot delete credential linked to 3 active resources. Delete or reassign resources first.",
"timestamp": "2026-02-18T13:00:00Z"
}
Error Response Example - Not Found
{
"error": "CREDENTIAL_NOT_FOUND",
"message": "Credential with ID 7c9e6679-7425-40de-944b-e07fc1f90ae7 not found",
"timestamp": "2026-02-18T13:00:00Z"
}
Example
Request
curl -X DELETE https://api.entryguard.io/api/v1/credentials/7c9e6679-7425-40de-944b-e07fc1f90ae7 \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "Content-Type: application/json"
Response
HTTP/1.1 204 No Content
Notes
- Deletion is permanent and cannot be undone
- You cannot delete a credential that is linked to active resources
- To delete a credential with linked resources, you must first:
  - Delete all resources using this credential, OR
  - Update resources to use a different credential
- Historical audit logs referencing this credential will be preserved
- This operation is logged in the audit trail
Before Deleting
To check which resources are using a credential, list all resources and filter by credentialId:
# List all resources
curl -X GET https://api.entryguard.io/api/v1/resources \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
| jq '.[] | select(.credentialId == "7c9e6679-7425-40de-944b-e07fc1f90ae7")'
Or attempt deletion - the API will return an error listing how many resources are linked:
# Attempt deletion
curl -X DELETE https://api.entryguard.io/api/v1/credentials/7c9e6679-7425-40de-944b-e07fc1f90ae7 \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
# Response if in use:
# {
# "error": "CREDENTIAL_IN_USE",
# "message": "Cannot delete credential linked to 3 active resources. Delete or reassign resources first.",
# "timestamp": "2026-02-18T13:00:00Z"
# }
Migrating Resources to New Credentials
If you need to replace a credential (e.g., rotating keys), follow this workflow:
- Create new credential:
  curl -X POST https://api.entryguard.io/api/v1/credentials \
  -H "Authorization: Bearer ..." \
  -H "Content-Type: application/json" \
  -d '{"name": "AWS Production (New Keys)", "provider": "AWS", ...}'
  # Save the new credential ID from response
- Update each resource to use new credential:
  curl -X PATCH https://api.entryguard.io/api/v1/resources/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer ..." \
  -H "Content-Type: application/json" \
  -d '{"credentialId": "NEW_CREDENTIAL_ID"}'
- Verify resources still work:
  curl -X POST https://api.entryguard.io/api/v1/resources/550e8400-e29b-41d4-a716-446655440000/verify \
  -H "Authorization: Bearer ..."
- Delete old credential:
  curl -X DELETE https://api.entryguard.io/api/v1/credentials/OLD_CREDENTIAL_ID \
  -H "Authorization: Bearer ..."
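The workflow above as one guarded routine: it deletes the old credential only after every resource that referenced it has been repointed and verified. This is an added example, not EntryGuard's own client code. It assumes `GET /resources` returns a JSON array of objects with `id` and `credentialId` fields and that a 2xx reply from `/verify` means success; `http_send` and `rotate_and_delete` are hypothetical names.

```python
import json
import urllib.error
import urllib.request

BASE = "https://api.entryguard.io/api/v1"  # base URL from the page's curl examples


def http_send(method, path, token, body=None):
    """Send one API call and return (status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # error replies carry a JSON body
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else None)


def rotate_and_delete(old_id, new_id, token, send=http_send):
    """Move resources off old_id, verify each one, then delete old_id.

    Returns {"migrated": [...], "failed": [...], "deleted": bool}; the old
    credential is deleted only when nothing failed.
    """
    status, resources = send("GET", "/resources", token)
    if status != 200:
        raise RuntimeError(f"listing resources failed: HTTP {status}")
    result = {"migrated": [], "failed": [], "deleted": False}
    for res in resources:
        if res.get("credentialId") != old_id:
            continue
        rid = res["id"]  # assumption: each resource object has an "id" field
        status, _ = send("PATCH", f"/resources/{rid}", token, {"credentialId": new_id})
        if 200 <= status < 300:
            # assumption: a 2xx reply from /verify means the resource works
            status, _ = send("POST", f"/resources/{rid}/verify", token)
        (result["migrated"] if 200 <= status < 300 else result["failed"]).append(rid)
    if result["failed"]:
        return result  # keep the old credential so failed resources can be rolled back
    status, body = send("DELETE", f"/credentials/{old_id}", token)
    if status == 204:
        result["deleted"] = True
    elif status == 400 and (body or {}).get("error") == "CREDENTIAL_IN_USE":
        result["error"] = body["message"]  # something still references old_id
    else:
        raise RuntimeError(f"delete failed: HTTP {status}")
    return result
```

Passing a stub as `send` exercises the routine without network access; with the default it calls the live API using the supplied token.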
Security Considerations
- After deleting a credential, EntryGuard no longer has access to the cloud provider keys
- Consider also revoking the keys on the cloud provider side (AWS IAM, GCP, Azure AD)
- If the credential was compromised, rotate immediately:
  - Create new credential with fresh keys
  - Update all resources
  - Delete old credential
  - Revoke old keys on cloud provider