Credentials API

The Credentials API allows you to manage account-level credentials in Quave ONE. Credentials store sensitive material your apps and environments need at runtime — Docker registry logins, HTTP basic-auth users, TLS certificates and ACME wildcard configurations.

Make sure to read the Get Started document to understand how the API works.

Note: Mutating endpoints (create, update, delete, set-default, sync) require the Manage Credentials or Admin role on the account. Read endpoints (list, get, references) are available to any account member but strip sensitive fields for non-managers.

Create Credential

To create a new credential, send a POST request to /api/public/v1/credential.

Field	Type	Description	Required
`accountId`	String	The account ID to create the credential in.	Yes
`type`	String	One of: `CONTAINER_REGISTRY`, `BASIC_AUTH`, `TLS_CERTIFICATE`, `ACME_WILDCARD`.	Yes
`name`	String	A short name for the credential.	Yes
`description`	String	Optional description.	No
`isDefault`	Boolean	For Container Registry only — promote as account-wide default.	No
`provider`	String	For ACME Wildcard only — one of: `AWS_ROUTE53`, `AZURE`, `CLOUDFLARE`, `GCP`, `WEBHOOK`.	Conditional
`data`	Object	Type-specific payload (see examples below).	Yes

Container Registry example

curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "ACC_ID",
    "type": "CONTAINER_REGISTRY",
    "name": "Docker Hub",
    "isDefault": true,
    "data": {
      "server": "https://index.docker.io/v1/",
      "email": "me@example.com",
      "username": "myuser",
      "password": "mypassword"
    }
  }' \
  https://api.quave.cloud/api/public/v1/credential

Basic Auth example

curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "ACC_ID",
    "type": "BASIC_AUTH",
    "name": "Staging gate",
    "data": {
      "username": "stageuser",
      "password": "stagepass"
    }
  }' \
  https://api.quave.cloud/api/public/v1/credential

TLS Certificate example

curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "ACC_ID",
    "type": "TLS_CERTIFICATE",
    "name": "example.com cert",
    "data": {
      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
      "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
      "ca": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
    }
  }' \
  https://api.quave.cloud/api/public/v1/credential

ACME Wildcard example

curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "accountId": "ACC_ID",
    "type": "ACME_WILDCARD",
    "name": "*.example.com",
    "provider": "CLOUDFLARE",
    "data": {
      "commonName": "*.example.com",
      "altNames": ["example.com"],
      "providerConfig": "{\"apiToken\":\"cf-token-here\"}"
    }
  }' \
  https://api.quave.cloud/api/public/v1/credential

Response (all types):

{
  "credentialId": "CREDENTIAL_ID",
  "message": "Credential created successfully"
}

List Credentials

List all credentials for an account. Optionally filter by type.

curl -X GET \
  -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/credentials?accountId=ACC_ID'

With type filter:

curl -X GET \
  -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/credentials?accountId=ACC_ID&type=CONTAINER_REGISTRY'

Response:

{
  "credentials": [
    {
      "credentialId": "CREDENTIAL_ID",
      "accountId": "ACC_ID",
      "type": "CONTAINER_REGISTRY",
      "name": "Docker Hub",
      "description": "",
      "isDefault": true,
      "revision": 1,
      "createdAt": "2025-01-01T00:00:00.000Z",
      "updatedAt": "2025-01-01T00:00:00.000Z",
      "regionSyncStatuses": { "us-east-1": "SYNCED" },
      "data": { "server": "https://index.docker.io/v1/" }
    }
  ]
}

note

Sensitive values (passwords, private keys, provider configs) are never returned in list or get responses. Only non-sensitive metadata like server, commonName, and altNames appear in the data field.

Get Credential

curl -X GET \
  -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/credential?credentialId=CREDENTIAL_ID'

Returns the same shape as a single item from the list response.

Update Credential

Send a PATCH request with the fields to update. The type cannot be changed after creation. Omit sensitive data fields to keep their stored values.

curl -X PATCH \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "credentialId": "CREDENTIAL_ID",
    "name": "Docker Hub (updated)",
    "data": {
      "server": "https://index.docker.io/v1/",
      "email": "new@example.com",
      "username": "newuser"
    }
  }' \
  https://api.quave.cloud/api/public/v1/credential

Response:

{
  "credentialId": "CREDENTIAL_ID",
  "message": "Credential updated successfully"
}

Set Default Credential

Promotes a Container Registry credential to the account-wide default. Apps without an explicit registry selection will use this one.

curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{ "credentialId": "CREDENTIAL_ID" }' \
  https://api.quave.cloud/api/public/v1/credential/set-default

Delete Credential

Deletes a credential. Returns 409 Conflict if the credential is still referenced by apps, hosts, or environments — use List References to check first.

curl -X DELETE \
  -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/credential?credentialId=CREDENTIAL_ID'

409 response example:

{
  "error": "Credential is still in use",
  "references": {
    "apps": [{ "appId": "...", "name": "my-app", "field": "imagePullAccountSecretId" }],
    "envs": [],
    "hosts": []
  }
}

Sync Credential

Re-pushes a credential to every active region the account uses. Useful after editing a credential or when a previous sync shows an Error status.

curl -X POST \
  -H 'Authorization: YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{ "credentialId": "CREDENTIAL_ID" }' \
  https://api.quave.cloud/api/public/v1/credential/sync

Response:

{
  "attempted": 3,
  "ok": 3,
  "failed": 0
}

List Credential References

Lists all apps, environments, and hosts that reference a specific credential.

curl -X GET \
  -H 'Authorization: YOUR_TOKEN' \
  'https://api.quave.cloud/api/public/v1/credential/references?credentialId=CREDENTIAL_ID'

Response:

{
  "references": {
    "apps": [{ "appId": "...", "name": "my-app", "field": "imagePullAccountSecretId" }],
    "envs": [{ "appEnvId": "...", "envName": "production", "field": "basicAuthAccountSecretId" }],
    "hosts": [{ "hostname": "example.com", "field": "certificateAccountSecretId" }]
  }
}

Create Credential​

Container Registry example​

Basic Auth example​

TLS Certificate example​

ACME Wildcard example​

List Credentials​

Get Credential​

Update Credential​

Set Default Credential​

Delete Credential​

Sync Credential​

List Credential References​

Create Credential

Container Registry example

Basic Auth example

TLS Certificate example

ACME Wildcard example

List Credentials

Get Credential

Update Credential

Set Default Credential

Delete Credential

Sync Credential

List Credential References