> ## Documentation Index
> Fetch the complete documentation index at: https://docs.deck.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Update a credential

> Updates a credential's authentication details or external ID. Only the fields you include in the request body are updated.



## OpenAPI

````yaml /api-reference/v2.json patch /credentials/{credential_id}
openapi: 3.1.1
info:
  title: Deck API
  version: 2.0.0
servers:
  - url: https://api.deck.co/v2
    description: Production
security:
  - BearerAuth: []
tags:
  - name: Agents
  - name: Components
  - name: Credentials
  - name: Event Destinations
  - name: Events
  - name: Sessions
  - name: Sources
  - name: Storage
  - name: Task Runs
  - name: Tasks
  - name: Test
paths:
  /credentials/{credential_id}:
    patch:
      tags:
        - Credentials
      summary: Update a credential
      description: >-
        Updates a credential's authentication details or external ID. Only the
        fields you include in the request body are updated.
      operationId: updateCredential
      parameters:
        - name: credential_id
          in: path
          required: true
          schema:
            type: string
          description: Unique identifier for the credential (prefixed with `cred_`).
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateCredentialRequest'
          text/json:
            schema:
              $ref: '#/components/schemas/UpdateCredentialRequest'
          application/*+json:
            schema:
              $ref: '#/components/schemas/UpdateCredentialRequest'
        required: true
      responses:
        '200':
          description: OK
          content:
            text/plain:
              schema:
                $ref: '#/components/schemas/UpdateCredentialResponse'
            application/json:
              schema:
                $ref: '#/components/schemas/UpdateCredentialResponse'
            text/json:
              schema:
                $ref: '#/components/schemas/UpdateCredentialResponse'
        '400':
          description: Bad request — validation error or malformed input.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationErrorResponse'
        '401':
          description: Unauthorized.
        '403':
          description: Forbidden.
        '404':
          description: Not found — the requested resource does not exist.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '409':
          description: >-
            Conflict — the request is valid but cannot be completed in the
            current state.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '422':
          description: >-
            Unprocessable content — the request body is understood but contains
            invalid values.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal server error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
components:
  schemas:
    UpdateCredentialRequest:
      type: object
      properties:
        auth_credentials:
          $ref: '#/components/schemas/AuthCredentialsInput'
        external_id:
          type:
            - 'null'
            - string
          description: Updated external identifier. Set to `null` to remove the mapping.
      description: >-
        Request body for updating a credential. Only include fields you want to
        change.
    UpdateCredentialResponse:
      required:
        - id
        - object
        - status
        - source_id
        - auth_method
        - auth_credentials
        - external_id
        - created_at
        - updated_at
        - request_id
      type: object
      properties:
        id:
          type: string
          description: Unique identifier for the credential, prefixed with `cred_`.
        object:
          type: string
          description: Always `credential`.
        status:
          type: string
          description: >-
            Credential status: `unverified`, `verified`, `invalid`, or
            `deleted`.
        source_id:
          type: string
          description: >-
            The source this credential authenticates against. Prefixed with
            `src_`.
        auth_method:
          type: string
          description: 'Authentication method: `username_password` or `none`.'
        auth_credentials:
          oneOf:
            - type: 'null'
            - $ref: '#/components/schemas/AuthCredentialsSummary'
          description: Summary of stored credentials. Sensitive values are not returned.
        external_id:
          type:
            - 'null'
            - string
          description: External identifier from your system, if set.
        created_at:
          type: string
          format: date-time
          description: ISO 8601 timestamp of when the resource was created.
        updated_at:
          type: string
          format: date-time
          description: ISO 8601 timestamp of when the resource was last updated.
        request_id:
          type: string
          description: >-
            Unique identifier for the API request. Include this when contacting
            support.
    ValidationErrorResponse:
      required:
        - errors
      type: object
      properties:
        type:
          type:
            - 'null'
            - string
          description: RFC 9110 problem type URI.
        title:
          type:
            - 'null'
            - string
          description: Short summary of the validation failure.
        status:
          type:
            - 'null'
            - integer
          description: HTTP status code.
          format: int32
        errors:
          type: object
          additionalProperties:
            type: array
            items:
              type: string
          description: Validation errors grouped by field name.
        traceId:
          type:
            - 'null'
            - string
          description: Request trace identifier.
      description: Validation error returned for malformed requests (HTTP 400).
    ErrorResponse:
      required:
        - errors
        - request_id
      type: object
      properties:
        errors:
          type: array
          items:
            $ref: '#/components/schemas/TaskRunError'
          description: One or more errors that describe what went wrong.
        request_id:
          type: string
          description: Unique identifier for this request, useful for tracing.
      description: Standard error response.
    AuthCredentialsInput:
      type: object
      properties:
        username:
          type: string
          description: Username for `username_password`.
        password:
          type: string
          description: >-
            Password for `username_password`. Encrypted at rest and never
            returned.
        source_fields:
          type: object
          additionalProperties:
            type: string
          description: >-
            Additional values the source requires at login, beyond what the
            `auth_method` covers (for example, `{ "company_id": "ACME-4412" }`).
            Values must be strings. Keys must match `^[a-z][a-z0-9_]{0,63}$`,
            must not collide with reserved keys on the `auth_method` (such as
            `username` or `password`), and are capped at 10 entries per
            credential. Values are returned in the clear on read unless named in
            `tokenized`.
        tokenized:
          type: array
          items:
            type: string
          description: >-
            Names of `source_fields` keys to vault. Each entry must name a key
            present in `source_fields`. Tokenized values are stored in a secure
            vault, removed from API responses, and listed by name in the
            response `tokenized` array; they cannot be read back. On update, may
            only name keys supplied in the same request. Auth secrets such as
            `password` are always vaulted regardless of this array.
      description: >-
        Credentials payload. Structure depends on `auth_method`. For
        `username_password`, pass `username` and `password`. Any `auth_method`
        may include `source_fields`, and `tokenized` to vault selected
        source-field values.
    AuthCredentialsSummary:
      type: object
      properties:
        username:
          type:
            - 'null'
            - string
          description: The username associated with this credential, if applicable.
        source_fields:
          type: object
          additionalProperties:
            type: string
          description: >-
            Non-tokenized `source_fields` returned as key/value pairs in the
            clear (for example, `{ "company_id": "ACME-4412" }`). Tokenized
            source fields are dropped from this map and named in `tokenized`
            instead. Omitted when empty.
        tokenized:
          type: array
          items:
            type: string
          description: >-
            Names of the source fields whose values were vaulted. Their values
            never appear in `source_fields` and cannot be read back through the
            API. Omitted when nothing was tokenized.
      description: >-
        Summary of stored authentication credentials. Secret values such as
        `password` are encrypted at rest and never returned. Non-tokenized
        `source_fields` are returned in the clear; fields named in `tokenized`
        are vaulted and omitted from the map.
    TaskRunError:
      required:
        - type
        - code
        - message
      type: object
      properties:
        type:
          type: string
          description: >-
            Error category (e.g. `source`, `auth`, `task`, `rate_limit`).
            Determines the class of failure.
        code:
          type: string
          description: Machine-readable error code. Use this for programmatic handling.
        message:
          type: string
          description: >-
            Human-readable explanation. Do not rely on this for logic — it may
            change.
        field:
          type:
            - 'null'
            - string
          description: The input field that caused the error, when applicable.
      description: Error details for a failed task run. Same structure as API-level errors.
  securitySchemes:
    BearerAuth:
      type: http
      description: Secret key (sk_live_...)
      scheme: bearer
      bearerFormat: JWT

````