Tillered Arctic
ReferenceHTTP API Reference

Credentials API

Credential management endpoints

Credentials API

Manage API credentials for authentication.

GET /v1/credentials

List all credentials.

Authentication

Required. Scope: credentials.read

Response

[
  {
    "client_id": "cl_01HXYZ...",
    "scopes": ["urn:tillered:arctic:admin"],
    "license_id": "lic_...",
    "created_at": "2024-01-15T10:30:00Z",
    "last_used_at": "2024-01-16T14:22:00Z"
  }
]

Note: client_secret is never returned in list responses.

POST /v1/credentials

Create new credentials.

Authentication

Required. Scope: credentials.write

Request Body

{
  "scopes": [
    "urn:tillered:arctic:peers.read",
    "urn:tillered:arctic:services.read"
  ]
}
FieldTypeRequiredDescription
scopesarrayNoScopes. Empty = admin access.

Response

{
  "client_id": "cl_01HXYZ...",
  "client_secret": "sec_abc123...",
  "scopes": ["urn:tillered:arctic:peers.read"],
  "created_at": "2024-01-15T10:30:00Z"
}

Important: The client_secret is only returned once at creation time.

Available Scopes

ScopeDescription
urn:tillered:arctic:adminFull access
urn:tillered:arctic:peers.readRead peers
urn:tillered:arctic:peers.writeModify peers
urn:tillered:arctic:services.readRead services
urn:tillered:arctic:services.writeModify services
urn:tillered:arctic:credentials.readRead credentials
urn:tillered:arctic:credentials.writeModify credentials

Errors

StatusCodeDescription
400INVALID_REQUESTInvalid scope format

DELETE /v1/credentials/{client_id}

Revoke credentials.

Authentication

Required. Scope: credentials.write

Path Parameters

ParameterDescription
client_idClient ID to revoke

Response

{
  "deleted": true
}

Errors

StatusCodeDescription
404NOT_FOUNDCredential not found
422CANNOT_REVOKE_CURRENTWould lock out user

POST /v1/cluster/credentials/rotate

Rotate the shared cluster credential.

Authentication

Required. Scope: credentials.write

Response

{
  "client_id": "cl_01HXYZ...",
  "client_secret": "sec_NEW...",
  "version": 2,
  "rotated_by": "01HXYZ...",
  "rotated_at": "2024-01-15T10:30:00Z"
}

Notes

  • Generates new client secret
  • Old secret valid for 24-hour grace period
  • New secret propagates via gossip

Routes API

Route management endpoints

Cluster API

Cluster operation endpoints

On this page

Credentials APIGET /v1/credentialsAuthenticationResponsePOST /v1/credentialsAuthenticationRequest BodyResponseAvailable ScopesErrorsDELETE /v1/credentials/{client_id}AuthenticationPath ParametersResponseErrorsPOST /v1/cluster/credentials/rotateAuthenticationResponseNotes