Skip to main content
Each client can have one or more credentials — the actual authentication materials KnoxCall checks when a request arrives. Two credential kinds are available in v1:

List Credentials

Returns all credentials attached to a client.

Path Parameters

Response

Errors


Add Credential

Attaches a new credential to a client.

Path Parameters

Request Body

For kind: "ip":
value must be a valid IPv4/IPv6 address or CIDR range. The stored data object also carries a notes string (empty unless set via the client’s ip_address dual-write path), so credential responses for kind: "ip" return data as { "value": ..., "notes": ... }. For kind: "mtls_thumbprint" — issue a new certificate:
KnoxCall mints a certificate from your tenant CA, stores only the thumbprint, and returns the PEM bundle once in the reveal field. The private key is never stored. For kind: "mtls_thumbprint" — register an existing certificate:
sha256_thumbprint must be a SHA-256 hex digest. Non-hex characters are stripped before validation, and the remaining string must be exactly 64 hex characters or the request fails with 400 validation_error (data.sha256_thumbprint must be a SHA-256 hex digest (64 hex chars).).

Response

For mtls_thumbprint with mode: "issue", the response also includes a one-time reveal field:
The reveal.private_key_pem is returned only once. Store it immediately — it is not retrievable again.

Errors


Update Credential

Enables/disables a credential or updates its label.

Path Parameters

Request Body

At least one field is required.

Response

Returns the updated credential object.

Errors


Delete Credential

Removes a credential from a client. For mTLS thumbprint credentials, the underlying certificate is also revoked in the tenant CA’s CRL.

Path Parameters

Response

Errors