Issue Application Credential
const url = 'https://example.com/vault/v1/workspaces/example/engines/qibdo/applicationcredentials:issue';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"workspace":"example","application_credential":{},"location_id":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/vault/v1/workspaces/example/engines/qibdo/applicationcredentials:issue \ --header 'Content-Type: application/json' \ --data '{ "workspace": "example", "application_credential": {}, "location_id": "example" }'Creates a new credential with a freshly-minted RoleID + SecretID. The SecretID is returned exactly once in the response and is NEVER recoverable afterwards; only its SHA-512 hash is persisted server-side.
Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ”The workspace the credential belongs to.
Request Body required
Section titled “Request Body required ”Request payload for Issue Qibdo Application Credential
Carries the input fields required to issue qibdo application credential.
object
The workspace the credential belongs to.
The credential to create. Only name, principal_id, ttl, and
max_ttl are honoured — every other field is OUTPUT_ONLY.
object
The unique identifier of the application credential (UUID).
The workspace this credential belongs to (UUID, weak reference to taxonomy.workspaces).
The IAM principal this credential authenticates as on success.
Workspace-unique human-readable name for the credential.
The app-role RoleID (UUID). Stable for the lifetime of the credential — only the SecretID rotates.
Default time-to-live applied to access tokens minted via Authenticate.
Maximum total lifetime of any access token issued under this credential.
Timestamp of the last SecretID rotation (or initial issuance).
Whether the credential is revoked. Once true, Authenticate returns PERMISSION_DENIED and the row is logically tombstoned.
Timestamp when the row was created (server-managed).
Timestamp when the row was last modified (server-managed).
Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.
Optional weak reference to a topology Location where the credential resides. Defaults to the global location when omitted; immutable after creation. Only the global location is available in this release.
Example generated
{ "workspace": "example", "application_credential": {}, "location_id": "example"}Responses
Section titled “ Responses ”OK
Response payload from Issue Qibdo Application Credential
Carries the output produced by issue qibdo application credential.
object
The persisted credential metadata. SecretID is NOT included here.
object
The unique identifier of the application credential (UUID).
The workspace this credential belongs to (UUID, weak reference to taxonomy.workspaces).
The IAM principal this credential authenticates as on success.
Workspace-unique human-readable name for the credential.
The app-role RoleID (UUID). Stable for the lifetime of the credential — only the SecretID rotates.
Default time-to-live applied to access tokens minted via Authenticate.
Maximum total lifetime of any access token issued under this credential.
Timestamp of the last SecretID rotation (or initial issuance).
Whether the credential is revoked. Once true, Authenticate returns PERMISSION_DENIED and the row is logically tombstoned.
Timestamp when the row was created (server-managed).
Timestamp when the row was last modified (server-managed).
Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.
The freshly-minted SecretID. Returned exactly once — the server retains only its SHA-512 hash.
Example generated
{ "application_credential": {}, "secret_id": "example"}default
Section titled “default ”Default error response
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
object
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
A list of messages that carry the error details. There is a common set of message types for APIs to use.
Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
object
The type of the serialized message.
Example generated
{ "code": 1, "message": "example", "details": [ { "@type": "example" } ]}