Skip to main content
Manage Sessions

Vaults

Vaults securely store credentials for third-party services such as GitHub, Jira, databases, and custom MCP servers. Credentials are injected into Sessions on demand, so you never need to hard-code secrets in your code.

Core Concepts

ConceptDescription
VaultContainer that holds one or more Credentials
CredentialSingle credential record bound to a specific MCP server URL
protocolMCP transport: sse or streamable_http
typeCredential type, currently only static_bearer
vault_idsVault IDs referenced when creating a Session

Security

  • access_token is never returned in API responses.
  • Credentials are encrypted at rest.
  • Only the linked Sessions can read credential contents at runtime.

End-to-End Flow

1. Create a Vault

curl -X POST https://api.qoder.com.cn/api/v1/cloud/vaults \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "display_name": "My GitHub credentials",
    "credentials": [
      {
        "mcp_server_url": "https://mcp.github.com/sse",
        "protocol": "sse",
        "type": "static_bearer",
        "access_token": "ghp_xxxxxxxxxxxx"
      }
    ]
  }'
Example response:
{
  "id": "vault_019e5cdb9c3f71c3b6505eba937a40b4",
  "type": "vault",
  "display_name": "My GitHub credentials",
  "status": "active",
  "credentials": [
    {
      "id": "vcred_019e5cdb9c4f72a3b6505eba937a40c5",
      "vault_id": "vault_019e5cdb9c3f71c3b6505eba937a40b4",
      "status": "active",
      "mcp_server_url": "https://mcp.github.com/sse",
      "protocol": "sse",
      "type": "static_bearer",
      "created_at": "2026-05-18T08:00:00Z",
      "updated_at": "2026-05-18T08:00:00Z"
    }
  ],
  "metadata": {},
  "created_at": "2026-05-18T08:00:00Z",
  "updated_at": "2026-05-18T08:00:00Z"
}
The response does not include access_token.

2. Append a Credential

Add more credentials to an existing Vault at any time:
curl -X POST https://api.qoder.com.cn/api/v1/cloud/vaults/vault_019e5cdb9c3f71c3b6505eba937a40b4/credentials \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "mcp_server_url": "https://jira.example.com/mcp/sse",
    "protocol": "sse",
    "type": "static_bearer",
    "access_token": "jira_token_xxxxxxxx"
  }'

3. Use in a Session

Reference Vaults by passing vault_ids when you create a Session:
curl -X POST https://api.qoder.com.cn/api/v1/cloud/sessions \
  -H "Authorization: Bearer $QODER_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "agent": "agent_xxx",
    "vault_ids": ["vault_019e5cdb9c3f71c3b6505eba937a40b4"]
  }'
At runtime, the Agent uses every Credential in the referenced Vaults to authenticate to the corresponding MCP servers.

Parameters

ParameterTypeRequiredDescription
display_namestringYesDisplay name for the Vault
credentialsarrayNoInitial list of credentials; can be empty
credentials[].mcp_server_urlstringYesMCP server URL
credentials[].protocolstringYessse or streamable_http
credentials[].typestringYesCurrently only static_bearer
credentials[].access_tokenstringYesBearer token value

FAQ

Q: Can I update a Credential's token? A: Delete the old Credential and create a new one. Q: How many Vaults can a Session reference? A: No hard limit, but grouping by service improves clarity. Q: My token leaked. What now? A: Delete the Credential immediately, revoke the token on the third-party platform, and create a new Credential. Q: Can I read stored tokens? A: No. For security, access_token is write-only — you can only delete and recreate.
Use separate Vaults per environment (development vs. production) to avoid mixing credentials.
Tutorials
API Reference