Skip to content
MCP Gateway

Revoke a credential binding, emit revocation fanout, and terminate affected sessions.

POST
/v1/credential-bindings/{credential_binding_id}/revoke

Authorizations

Section titled “Authorizations ”

Parameters

Section titled “ Parameters ”

Path Parameters

Section titled “Path Parameters ”
credential_binding_id
required
string

Query Parameters

Section titled “Query Parameters ”
tenant_id
string
environment_id
string

Request Body required

Section titled “Request Body required ”
object
reasonCode
required
string
/^[a-z0-9_]+$/
reason
required
string
>= 1 characters
correlationId
string
>= 1 characters

Responses

Section titled “ Responses ”

202

Section titled “202 ”

Credential binding revoked and audited.

object
schemaVersion
required
accepted
required
boolean
reasonCode
required
string
/^[a-z0-9_]+$/
binding
required
object
schemaVersion
required
credentialBindingId
required
string
>= 1 characters
tenantId
required
string
>= 1 characters
environmentId
required
string
>= 1 characters
allowedEnvironmentIds
required
Array<string>
owner
required
object
team
required
string
>= 1 characters
userId
required
string
>= 1 characters
escalationContact
required
string
>= 1 characters
oncallRotation
required
string
>= 1 characters
source
required
object
sourceType
required
Allowed values: customer_secret_store oauth_app workload_identity_provider
sourceId
required
string
>= 1 characters
secretStoreType
required
Allowed values: vault aws azure gcp kubernetes
secretRefSummary
required
string
>= 1 characters
secretRefFingerprint
required
string
>= 64 characters <= 64 characters
credentialMode
required
Allowed values: service_account user_delegated agent_scoped workload_mapped
approvalStatus
required
string
Allowed values: submitted under_review approved rejected disabled archived
lifecycleState
required
Allowed values: submitted under_review approved disabled revoked archived
allowedTargets
required
Array<object>
object
targetType
required
Allowed values: mcp_server api_operation
serverId
string
>= 1 characters
apiSourceId
string
>= 1 characters
operationId
string
>= 1 characters
toolId
required
string
>= 1 characters
credentialMode
required
Allowed values: service_account user_delegated agent_scoped workload_mapped
policyRefs
required
Array<string>
rotation
required
object
versionRef
required
string
>= 1 characters
lastRotatedAt
required
string format: date-time
nextRotationDueAt
required
string format: date-time
rotationWithoutServerChange
required
boolean
rotationProofRef
string
>= 1 characters
safeStatus
required
object
state
required
Allowed values: safe unsafe rotation_due disabled revoked
reasonCode
required
string
/^[a-z0-9_]+$/
checkedAt
required
string format: date-time
secretMaterialStored
required
boolean
redaction
required
object
payloadLogging
required
Allowed values: disabled redacted
auditMaterial
required
materialReturn
required
submittedBy
required
string
>= 1 characters
submittedAt
required
string format: date-time
reviewedBy
string
>= 1 characters
reviewedAt
string format: date-time
reviewReasonCode
string
/^[a-z0-9_]+$/
reviewReason
string
>= 1 characters
disabledAt
string format: date-time
revokedAt
string format: date-time
revocationId
string
>= 1 characters
runtimeProjectionVersionRef
string
>= 1 characters
createdAt
required
string format: date-time
updatedAt
required
string format: date-time
permissions
required
object
resource_type
required
Allowed values: mcp_server agent credential_binding client_session
resource_id
required
string
>= 1 characters
allowed_actions
required
Array
Allowed values: mcp_server.read mcp_server.register mcp_server.submit_revision mcp_server.resubmit mcp_server.edit_owner mcp_server.validate_manifest mcp_server.reprobe mcp_server.approve_submission mcp_server.reject_submission mcp_server.disable mcp_server.deprecate mcp_server.archive mcp_server.compare_versions agent.read agent.submit agent.edit agent.approve agent.reject agent.disable agent.archive agent.revoke api_source.read api_source.import api_source.review api_source.approve api_source.reject api_source.disable api_source.archive credential_binding.read credential_binding.create credential_binding.update credential_binding.rotate credential_binding.disable credential_binding.revoke credential_binding.approve credential_binding.audit_read identity_provider.read identity_provider.diagnose role_binding.read role_binding.manage local_identity.read local_identity.manage reason_code.read reason_code.manage approval_queue.read approval_queue.batch_approve
auditEventIds
required
Array<string>
revocationId
string
>= 1 characters
affectedClientSessionIds
required
Array<string>

403

Section titled “403 ”

Missing credential_binding.revoke.

Type set in Geist, Source Serif 4, and Departure Mono.