List Credentials
Retrieves all cloud credentials configured for your organization. Credentials are used to authenticate EntryGuard with cloud providers (AWS, GCP, Azure, APISIX) for managing IP whitelisting rules.
Request
GET /credentials
Authentication
Requires Bearer JWT Token with ORG_ADMIN role.
Authorization: Bearer <access_token>
Query Parameters
None. All credentials for the authenticated organization are returned.
Response
Success Response
Status Code: 200 OK
Response Body:
[
{
"id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
"name": "AWS Production Account",
"provider": "AWS",
"credentialType": "ACCESS_KEY",
"isValid": true,
"lastVerifiedAt": "2026-02-18T10:00:00Z",
"verificationError": null,
"createdAt": "2026-01-10T09:00:00Z",
"updatedAt": "2026-02-18T10:00:00Z"
},
{
"id": "8d0f7780-8536-51f0-c958-f18ed2g01bf8",
"name": "GCP Production Project",
"provider": "GCP",
"credentialType": "SERVICE_ACCOUNT",
"isValid": false,
"lastVerifiedAt": "2026-02-17T14:30:00Z",
"verificationError": "AccessDenied: Service account lacks compute.firewalls.list permission",
"createdAt": "2026-01-12T11:00:00Z",
"updatedAt": "2026-02-17T14:30:00Z"
},
{
"id": "9e1f8891-9647-62g1-d069-g29ge3h12cg9",
"name": "Azure Subscription",
"provider": "AZURE",
"credentialType": "SERVICE_PRINCIPAL",
"isValid": true,
"lastVerifiedAt": "2026-02-18T08:45:00Z",
"verificationError": null,
"createdAt": "2026-01-15T10:30:00Z",
"updatedAt": "2026-02-18T08:45:00Z"
}
]
Response Fields
| Field | Type | Description |
|---|---|---|
id | UUID | Unique credential identifier |
name | string | Human-readable credential name |
provider | string | Cloud provider: AWS, GCP, AZURE, or APISIX |
credentialType | string | Type of credential (e.g., ACCESS_KEY, SERVICE_ACCOUNT, SERVICE_PRINCIPAL) |
isValid | boolean | Whether credential passed last verification |
lastVerifiedAt | string (ISO 8601) | Timestamp of last verification attempt (null if never verified) |
verificationError | string | Error message from last failed verification (null if valid) |
createdAt | string (ISO 8601) | Credential creation timestamp |
updatedAt | string (ISO 8601) | Last update timestamp |
Error Responses
| Status Code | Description |
|---|---|
401 Unauthorized | Missing or invalid authentication token |
403 Forbidden | User lacks ORG_ADMIN role |
429 Too Many Requests | Rate limit exceeded |
500 Internal Server Error | Server error occurred |
Example
Request
curl -X GET https://api.entryguard.io/api/v1/credentials \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "Content-Type: application/json"
Response
[
{
"id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
"name": "AWS Production Account",
"provider": "AWS",
"credentialType": "ACCESS_KEY",
"isValid": true,
"lastVerifiedAt": "2026-02-18T10:00:00Z",
"verificationError": null,
"createdAt": "2026-01-10T09:00:00Z",
"updatedAt": "2026-02-18T10:00:00Z"
},
{
"id": "8d0f7780-8536-51f0-c958-f18ed2g01bf8",
"name": "GCP Production Project",
"provider": "GCP",
"credentialType": "SERVICE_ACCOUNT",
"isValid": false,
"lastVerifiedAt": "2026-02-17T14:30:00Z",
"verificationError": "AccessDenied: Service account lacks compute.firewalls.list permission",
"createdAt": "2026-01-12T11:00:00Z",
"updatedAt": "2026-02-17T14:30:00Z"
}
]
Notes
- Credential secrets (API keys, access keys, service account JSON) are never returned in API responses
- Credentials are automatically verified asynchronously after creation
- The
isValidfield indicates whether the last verification succeeded - Invalid credentials will prevent resources linked to them from being used in sessions
- Check
verificationErrorfor details whenisValidisfalse - Credentials are encrypted at rest using AES-256-GCM