Vaults securely store credentials for third-party services such as GitHub, Jira, databases, and custom MCP servers. Credentials are injected into Sessions on demand, so you never need to hard-code secrets in your code.
Core Concepts
| Concept | Description |
|---|
| Vault | Container that holds one or more Credentials |
| Credential | Single credential record bound to a specific MCP server URL |
protocol | MCP transport: sse or streamable_http |
type | Credential type, currently only static_bearer |
vault_ids | Vault IDs referenced when creating a Session |
Security
access_token is never returned in API responses.
- Credentials are encrypted at rest.
- Only the linked Sessions can read credential contents at runtime.
End-to-End Flow
1. Create a Vault
curl -X POST https://api.qoder.com.cn/api/v1/cloud/vaults \
-H "Authorization: Bearer $QODER_PAT" \
-H "Content-Type: application/json" \
-d '{
"display_name": "My GitHub credentials",
"credentials": [
{
"mcp_server_url": "https://mcp.github.com/sse",
"protocol": "sse",
"type": "static_bearer",
"access_token": "ghp_xxxxxxxxxxxx"
}
]
}'
Example response:
{
"id": "vault_019e5cdb9c3f71c3b6505eba937a40b4",
"type": "vault",
"display_name": "My GitHub credentials",
"status": "active",
"credentials": [
{
"id": "vcred_019e5cdb9c4f72a3b6505eba937a40c5",
"vault_id": "vault_019e5cdb9c3f71c3b6505eba937a40b4",
"status": "active",
"mcp_server_url": "https://mcp.github.com/sse",
"protocol": "sse",
"type": "static_bearer",
"created_at": "2026-05-18T08:00:00Z",
"updated_at": "2026-05-18T08:00:00Z"
}
],
"metadata": {},
"created_at": "2026-05-18T08:00:00Z",
"updated_at": "2026-05-18T08:00:00Z"
}
The response does not include access_token.
2. Append a Credential
Add more credentials to an existing Vault at any time:
curl -X POST https://api.qoder.com.cn/api/v1/cloud/vaults/vault_019e5cdb9c3f71c3b6505eba937a40b4/credentials \
-H "Authorization: Bearer $QODER_PAT" \
-H "Content-Type: application/json" \
-d '{
"mcp_server_url": "https://jira.example.com/mcp/sse",
"protocol": "sse",
"type": "static_bearer",
"access_token": "jira_token_xxxxxxxx"
}'
3. Use in a Session
Reference Vaults by passing vault_ids when you create a Session:
curl -X POST https://api.qoder.com.cn/api/v1/cloud/sessions \
-H "Authorization: Bearer $QODER_PAT" \
-H "Content-Type: application/json" \
-d '{
"agent": "agent_xxx",
"vault_ids": ["vault_019e5cdb9c3f71c3b6505eba937a40b4"]
}'
At runtime, the Agent uses every Credential in the referenced Vaults to authenticate to the corresponding MCP servers.
Parameters
| Parameter | Type | Required | Description |
|---|
display_name | string | Yes | Display name for the Vault |
credentials | array | No | Initial list of credentials; can be empty |
credentials[].mcp_server_url | string | Yes | MCP server URL |
credentials[].protocol | string | Yes | sse or streamable_http |
credentials[].type | string | Yes | Currently only static_bearer |
credentials[].access_token | string | Yes | Bearer token value |
FAQ
Q: Can I update a Credential's token? A: Delete the old Credential and create a new one.
Q: How many Vaults can a Session reference? A: No hard limit, but grouping by service improves clarity.
Q: My token leaked. What now? A: Delete the Credential immediately, revoke the token on the third-party platform, and create a new Credential.
Q: Can I read stored tokens? A: No. For security, access_token is write-only — you can only delete and recreate.
Use separate Vaults per environment (development vs. production) to avoid mixing credentials.