Skip to content
qibdo qibdo
v1
API version
  • v1
Theme
Book a demo

Get Application Credential

GET
/vault/v1/workspaces/{workspace}/engines/qibdo/applicationcredentials/{id}
curl --request GET \
--url https://example.com/vault/v1/workspaces/example/engines/qibdo/applicationcredentials/example

Returns a credential’s metadata by ID. Never returns the SecretID.

workspace
required
string

The workspace the credential belongs to.

id
required
string

The unique identifier of the credential to retrieve.

OK

Media type application/json

QibdoApplicationCredential resource — a workspace-scoped, Qibdo-managed RoleID + SecretID pair used by CI pipelines and non-K8s workloads to authenticate to the Qibdo Vault. The SecretID itself is NEVER persisted nor returned by Get/List — it is returned exactly once by Issue and RotateSecretId, and the persisted credential row carries only its SHA-512 hash (hex) so the Authenticate RPC can verify replays without storing the cleartext.

object
id

The unique identifier of the application credential (UUID).

stringOutput only
workspace_id

The workspace this credential belongs to (UUID, weak reference to taxonomy.workspaces).

stringOutput only
principal_id

The IAM principal this credential authenticates as on success.

stringOutput only
name

Workspace-unique human-readable name for the credential.

stringOutput only
role_id

The app-role RoleID (UUID). Stable for the lifetime of the credential — only the SecretID rotates.

stringOutput only
ttl

Default time-to-live applied to access tokens minted via Authenticate.

stringOutput only
/^-?(?:0|[1-9][0-9]{0,11})(?:\.[0-9]{1,9})?s$/
max_ttl

Maximum total lifetime of any access token issued under this credential.

stringOutput only
/^-?(?:0|[1-9][0-9]{0,11})(?:\.[0-9]{1,9})?s$/
last_rotated_at

Timestamp of the last SecretID rotation (or initial issuance).

string format: date-time Output only
is_revoked

Whether the credential is revoked. Once true, Authenticate returns PERMISSION_DENIED and the row is logically tombstoned.

booleanOutput only
created

Timestamp when the row was created (server-managed).

string format: date-time Output only
updated

Timestamp when the row was last modified (server-managed).

string format: date-time Output only
location_id

Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.

stringOutput only
Example generated
{}

Default error response

Media type application/json

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

object
code

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

integer format: int32
message

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

string
details

A list of messages that carry the error details. There is a common set of message types for APIs to use.

Array<object>

Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.

object
@type

The type of the serialized message.

string
key
additional properties
any
Example generated
{
"code": 1,
"message": "example",
"details": [
{
"@type": "example"
}
]
}