Create a credential binding

A credential binding ties a secret (referenced in your secret manager, never inlined) to an upstream under one of the credential modes. The broker resolves it at the edge — the secret never reaches the agent or audit.

Requires credential_admin

Creating and managing bindings requires credential_binding permissions in the target environment.

1. Validate the binding (mode, secret reference, scope).
2. Create it — it enters approval.
3. Rotate / disable / revoke over its lifetime as needed.

Create the binding

Create a credential binding

UIAPICLI

1. Open Access → Credential bindings → New.
2. Choose the credential mode, point at the secret reference, and set the scope, then Create.

POST/v1/credential-bindings

Copy

curl -X POST "$GATEWAY/v1/credential-bindings" \
-H "authorization: Bearer $TOKEN" \
-H "content-type: application/json" \
--data '{
  "mode": "service_account",
  "server_id": "legal-contract-review",
  "secret_ref": "vault://kv/data/mcp/legal-sa"
}'

View createCredentialBinding in the API reference →

Copy

gatewayctl validate-credential-binding binding.yaml --format json

Validate with validate-credential-binding; create/update via the API or `gatewayctl credential-binding update`.

Rotate, disable, or revoke

Rotate or revoke a binding

UIAPICLI

1. Open the binding under Access → Credential bindings.
2. Use Rotate, Disable, or Revoke — each is recorded as an auditable transition.

POST/v1/credential-bindings/{credential_binding_id}/rotate

Copy

curl -X POST \
"$GATEWAY/v1/credential-bindings/cb_123/rotate" \
-H "authorization: Bearer $TOKEN"

View rotateCredentialBinding in the API reference →

Copy

gatewayctl credential-binding rotate cb_123 --format json

credential-binding supports list / get / update / rotate / disable / revoke / status.

Caution

Revoking a binding stops new resolutions immediately. Calls that require it will fail closed with a stable reason — exactly the intended governance behavior.