Model Credentials API
The Model Credentials API manages API keys and authentication for AI providers. Credentials can be scoped to a single organization or shared system-wide.
Endpoints
| Operation | Method | Endpoint |
|---|---|---|
| List Credentials | GET | /api/model-credentials |
| Create Credential | POST | /api/model-credentials |
| Get Credential | GET | /api/model-credentials/{id} |
| Update Credential | PUT | /api/model-credentials/{id} |
| Delete Credential | DELETE | /api/model-credentials/{id} |
| Validate Credential | POST | /api/model-credentials/{id}/validate |
Security
Sensitive fields (apiKey, serviceAccountJson, customHeaders) are never returned in API responses. Only boolean flags (hasApiKey, hasServiceAccount, hasCustomHeaders) indicate whether credentials are configured.
List Credentials
GET /api/model-credentials?organizationId={id}&scope=organization
Query Parameters
| Parameter | Type | Description |
|---|---|---|
organizationId | UUID | Filter by organization (returns org + system credentials) |
scope | string | system or organization |
providerId | UUID | Filter by provider |
activeOnly | string | Default true — only active credentials |
Response
{
"data": [
{
"id": "cred-uuid-1",
"scope": "organization",
"organizationId": "org-uuid",
"providerId": "provider-uuid",
"name": "Production OpenAI Key",
"description": "Main API key for production workflows",
"authType": "api_key",
"hasApiKey": true,
"hasServiceAccount": false,
"hasCustomHeaders": false,
"awsRegion": null,
"requestsPerMinute": 60,
"tokensPerMinute": 150000,
"tokensPerDay": null,
"isActive": true,
"lastValidated": "2026-03-25T10:00:00Z",
"validationError": null,
"provider": {
"id": "provider-uuid",
"slug": "openai",
"name": "OpenAI"
},
"organization": {
"id": "org-uuid",
"name": "Acme Corp"
},
"_count": {
"modelConfigs": 3
},
"createdAt": "2026-01-15T10:00:00Z",
"updatedAt": "2026-03-25T10:00:00Z"
}
]
}
Create Credential
POST /api/model-credentials
Content-Type: application/json
{
"scope": "organization",
"organizationId": "org-uuid",
"providerId": "openai-provider-uuid",
"name": "Production OpenAI Key",
"description": "Main API key for production",
"apiKey": "sk-proj-xxxxxxxxxxxxx",
"requestsPerMinute": 60,
"tokensPerMinute": 150000
}
Required Fields
| Field | Type | Description |
|---|---|---|
scope | string | system or organization |
providerId | UUID | Provider to authenticate with |
name | string | Display name |
Optional Fields
| Field | Type | Description |
|---|---|---|
organizationId | UUID | Required if scope is organization |
description | string | Description |
apiKey | string | API key / bearer token |
awsRoleArn | string | AWS IAM role ARN (Bedrock) |
awsRegion | string | AWS region (Bedrock) |
serviceAccountJson | string | Google service account JSON |
customHeaders | object | Custom HTTP headers |
requestsPerMinute | integer | Rate limit |
tokensPerMinute | integer | Token rate limit |
tokensPerDay | integer | Daily token limit |
Validate Credential
Test that a credential can authenticate with its provider. Makes a minimal API call and records the result.
POST /api/model-credentials/{id}/validate
Response
{
"valid": true,
"error": null,
"lastValidated": "2026-03-26T10:00:00Z",
"provider": "openai"
}
Failed validation:
{
"valid": false,
"error": "API returned 401: Invalid API key",
"lastValidated": "2026-03-26T10:00:00Z",
"provider": "openai"
}
Validation by Provider
| Provider | Method | What It Tests |
|---|---|---|
| OpenAI | GET /models | Lists models (lightweight) |
| Anthropic | POST /messages | Minimal completion (1 token) |
GET /models | Lists models | |
| Bedrock | ListFoundationModels | Checks IAM permissions |
Delete Credential
Cannot delete a credential that is in use by model configurations.
DELETE /api/model-credentials/{id}
Success: { "success": true }
In use (400):
{
"error": "Cannot delete credential that is in use",
"details": "This credential is used by 3 model configuration(s)"
}
curl Examples
# List org + system credentials
curl -X GET "https://console.rocketwavelabs.io/api/model-credentials?organizationId=YOUR_ORG_ID" \
-H "Authorization: Bearer YOUR_SERVICE_TOKEN"
# Create an OpenAI credential
curl -X POST "https://console.rocketwavelabs.io/api/model-credentials" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_SERVICE_TOKEN" \
-d '{
"scope": "organization",
"organizationId": "YOUR_ORG_ID",
"providerId": "OPENAI_PROVIDER_ID",
"name": "My OpenAI Key",
"apiKey": "sk-proj-xxxxxxxxxxxxx"
}'
# Validate a credential
curl -X POST "https://console.rocketwavelabs.io/api/model-credentials/CRED_ID/validate" \
-H "Authorization: Bearer YOUR_SERVICE_TOKEN"
Related Topics
- Model Providers API — List available providers
- Model Configurations API — Use credentials in configurations
- Settings - Universal Model System — UI documentation