GET | List a credential by [id]

Description

Retrieve the complete detail of a single credential in PAM Core, using the v2 canonical model CredentialV2. The response is the absolute superset of all non-sensitive credential attributes. Use the optional fields query parameter to request a projection of specific fields.

your title goes here

This endpoint is part of the A2A API v2 surface, introduced in version 4.2.2. The v1 equivalent is documented in GET | List a credential.

Prerequisites

Authorization with read permission to PAM Core granted by the administrator in A2A. For more information, access How to manage authorizations in A2A.

Request

GET /api/v2/pam/credentials/{id}

Path parameters

Field	Type	Required	Description
`id`	string	Yes	Unique identification code of the credential. This value is assigned by Segura® in POST \| Create credential.

Query parameters

Field	Type	Required	Description
`fields`	string	No	Comma-separated list of fields to return (projection). Fields not present in the model return `422`. Sensitive fields return `403`.

Supported `fields` values

The following fields are available for projection. Use dot notation as shown.

credential object

Field	Type	Condition
`credential.username`	string	Always present.
`credential.active`	boolean	Always present.
`credential.password_type`	string	Always present.
`credential.parent_credential`	object	Returns the parent credential object (including `id` and `username`) when a parent credential is configured; otherwise `null`.
`credential.tags`	array[string]	Returns an empty array when no tags are configured.
`credential.criticality`	string	Possible values: `low`, `medium`, `high`, `critical`. Returns `null` when not configured.
`credential.user_credential_owner`	object	Returns the owner object when configured; otherwise `null`.
`credential.last_used_at`	datetime string	ISO 8601 format. Returns `null` when no usage is recorded.
`credential.additional_information`	string	Returns `null` when not configured.
`credential.password_policy`	string	Returns `null` when no policy is associated.

device object

Field	Type	Condition
`device.id`	integer	Always present.
`device.name`	string	Always present.
`device.domain_name`	string	Returns `null` when not linked to a domain.
`device.management_ip`	string	Always present.
`device.vendor`	string	Always present.
`device.product`	string	Always present.
`device.site`	string	Always present.
`device.tags`	array[string]	Returns an empty array when no tags are configured.
`device.connectivity_types`	array[enum]	Returns an empty array when not configured.

execution object

Field	Type	Condition
`execution.automatic_change_enabled`	boolean	Always present.
`execution.change_plugin`	object	Returns `null` when not configured.
`execution.change_template`	object	Required when `change_plugin` is set; otherwise `null`.
`execution.agent_based_password_change`	boolean	Returns `false` when not configured as agent.
`execution.justification`	string	Returns `null` when not configured.

authentication object

Field	Type	Condition
`authentication.use_own_credential_to_connect`	boolean	Always present.
`authentication.credential`	object	Required when `use_own_credential_to_connect` is `false`; otherwise `null`.
`authentication.restrict_to_remote_application_only`	boolean	Returns `false` when not configured.
`authentication.notes`	string	Returns `null` when not configured.

reconciliation object

Field	Type	Condition
`reconciliation.credential_enabled`	boolean	Always present.
`reconciliation.autorun`	boolean	Returns when `credential_enabled` is `true`.
`reconciliation.credential`	object	Required when `credential_enabled` is `true`.
`reconciliation.plugin`	object	Required when `credential_enabled` is `true`.
`reconciliation.template`	object	Required when `plugin` is set; otherwise `null`.

automation object

Field	Type	Condition
`automation.restrict_access_to_applications_only`	boolean	Returns `false` when not configured.
`automation.macro_remote_apps`	array[object]	Returns an empty array when not configured.
`automation.use_own_credential_to_connect`	boolean	Returns `false` when automation isn't configured.
`automation.authentication_credential`	object	Required when `use_own_credential_to_connect` is `false`; otherwise `null`.
`automation.authentication_device`	object	Required when `use_own_credential_to_connect` is `false`; otherwise `null`.

certificate object

Field	Type	Condition
`certificate.file`	object	Returns `null` when no certificate file is associated.
`certificate.has_key_file`	boolean	Indicates whether a key file is present.
`certificate.has_key_password`	boolean	Indicates whether a key password is set.

Warning: certificate.key_file and certificate.key_password are classified as sensitive and can never be requested or returned. Requesting them returns 403.

session object

Field	Type	Condition
`session.status`	string	Session state. Possible values: `in_progress`, `available`.
`session.connectivity`	array[string]	Returns an empty array when not configured.

web_service object

Field	Type	Condition
`web_service.identifiers`	array[string]	Returns `null` when no web service session is associated.
`web_service.server_path`	string	Returns `null` when not configured.

jit object

Field	Type	Condition
`jit.credential_enabled`	boolean	Always present.
`jit.type`	string	Required when `credential_enabled` is `true`; otherwise `null`. Example: `ephemeral`.
`jit.use_own_credential_to_connect`	boolean	Returns `false` when `credential_enabled` is `false`.
`jit.authentication_credential`	object	Required when `credential_enabled` is `true` and `use_own_credential_to_connect` is `false`; otherwise `null`.
`jit.credential_enable_plugin`	object	Returns `null` when not configured.
`jit.credential_enable_template`	object	Required when `credential_enable_plugin` is set; otherwise `null`.
`jit.credential_disable_plugin`	object	Returns `null` when not configured.
`jit.credential_disable_template`	object	Required when `credential_disable_plugin` is set; otherwise `null`.
`jit.credential_creation_plugin`	object	Returns `null` when not configured.
`jit.credential_creation_template`	object	Required when `credential_creation_plugin` is set; otherwise `null`.
`jit.credential_removal_plugin`	object	Returns `null` when not configured.
`jit.credential_removal_template`	object	Required when `credential_removal_plugin` is set; otherwise `null`.

Sensitive fields — never returned

The following fields are always excluded from the response regardless of the fields parameter. Requesting any of these returns 403:

credential.password
certificate.key_file
certificate.key_password
totp.secret_key

Example requests

Full canonical response (no projection):

GET {{url}}/api/v2/pam/credentials/101

Projected response — specific fields only:

GET {{url}}/api/v2/pam/credentials/101?fields=credential.username,device,execution.automatic_change_enabled,jit.credential_enabled

Response

HTTP/1.1 200 OK

Example response body — full canonical

{
    "data": {
        "id": "101",
        "credential": {
            "username": "svc-payments",
            "active": true,
            "password_type": "password",
            "tags": ["prod", "finance"],
            "criticality": "high",
            "user_credential_owner": {
                "name": "John Doe"
            },
            "parent_credential": {
                "id": "10",
                "username": "root"
            },
            "last_used_at": "2026-01-29T12:34:56Z",
            "additional_information": "Owned by Payments Team; used by CI/CD pipeline.",
            "password_policy": "medium-lowercase-only"
        },
        "device": {
            "id": 55,
            "name": "db-prod-01",
            "domain_name": "CORP",
            "management_ip": "10.10.10.10",
            "vendor": "Oracle",
            "product": "Oracle Linux VM",
            "site": "SP-DC1",
            "tags": ["prod", "database"],
            "connectivity_types": ["SSH", "SQL_Server"]
        },
        "secret": {
            "has_secret": true,
            "type": "password"
        },
        "execution": {
            "automatic_change_enabled": true,
            "change_plugin": {
                "name": "linux-passwd"
            },
            "change_template": {
                "name": "default-linux"
            },
            "agent_based_password_change": false,
            "justification": "Managed by PAM"
        },
        "authentication": {
            "use_own_credential_to_connect": false,
            "credential": {
                "id": "88",
                "username": "auth-user"
            },
            "restrict_to_remote_application_only": false,
            "notes": "Connection credential managed by infra team."
        },
        "reconciliation": {
            "credential_enabled": true,
            "autorun": true,
            "credential": {
                "id": "90",
                "username": "recon-user"
            },
            "plugin": {
                "name": "recon-linux"
            },
            "template": {
                "name": "default-recon"
            }
        },
        "automation": {
            "restrict_access_to_applications_only": true,
            "macro_remote_apps": [
                {
                    "id": "12",
                    "name": "ERP Access"
                }
            ],
            "use_own_credential_to_connect": true,
            "authentication_credential": null,
            "authentication_device": null
        },
        "certificate": {
            "file": {
                "name": "client.crt"
            },
            "has_key_file": true,
            "has_key_password": true
        },
        "session": {
            "status": "available",
            "connectivity": ["SSH", "SQL_Server"]
        },
        "web_service": {
            "identifiers": ["svc-payment-api"],
            "server_path": "/api/payments"
        },
        "jit": {
            "credential_enabled": true,
            "type": "ephemeral",
            "use_own_credential_to_connect": false,
            "authentication_credential": {
                "id": "77",
                "username": "jit-auth"
            },
            "credential_enable_plugin": {
                "name": "jit-enable"
            },
            "credential_enable_template": {
                "name": "enable-template"
            },
            "credential_disable_plugin": {
                "name": "jit-disable"
            },
            "credential_disable_template": {
                "name": "disable-template"
            },
            "credential_creation_plugin": null,
            "credential_creation_template": null,
            "credential_removal_plugin": null,
            "credential_removal_template": null
        }
    },
    "meta": {
        "links": {
            "self": "/api/v2/pam/credentials/101"
        },
        "actions": {
            "checkout": "/api/v2/pam/credentials/101/checkout",
            "rotate": "/api/v2/pam/credentials/101/rotate"
        }
    }
}

Example response body — with field projection

{
    "data": {
        "id": "101",
        "credential": {
            "username": "svc-payments"
        },
        "device": {
            "id": 55,
            "name": "db-prod-01"
        },
        "execution": {
            "automatic_change_enabled": true
        },
        "jit": {
            "credential_enabled": true
        }
    },
    "meta": {
        "links": {
            "self": "/api/v2/pam/credentials/101?fields=credential.username,device,execution.automatic_change_enabled,jit.credential_enabled"
        }
    }
}

Note: When fields is omitted, all public fields of the canonical model are returned, with null for fields that aren't applicable. When fields is provided, only the requested fields are returned.

Response body fields

Field	Type	Description
`data`	object	Full `CredentialV2` canonical model for the requested credential.
`data.id`	string	Unique identification code of the credential.
`data.credential`	object	Core credential identity and policy attributes.
`data.credential.username`	string	Username assigned to the credential.
`data.credential.active`	boolean	Indicates whether the credential is active.
`data.credential.password_type`	string	Type of the credential secret. Example: `password`.
`data.credential.parent_credential`	object	Parent credential object. Returns `null` when not configured.
`data.credential.parent_credential.id`	string	Unique identification code of the parent credential.
`data.credential.parent_credential.username`	string	Username of the parent credential.
`data.credential.tags`	array[string]	Tags associated with the credential. Returns an empty array when none are configured.
`data.credential.criticality`	string	Criticality level. Possible values: `low`, `medium`, `high`, `critical`. Returns `null` when not configured.
`data.credential.user_credential_owner`	object	Owner of the credential. Returns `null` when not configured.
`data.credential.user_credential_owner.name`	string	Name of the credential owner.
`data.credential.last_used_at`	string	ISO 8601 datetime of the last credential use. Returns `null` when no usage is recorded. Example: `2026-01-29T12:34:56Z`.
`data.credential.additional_information`	string	Free-text notes about the credential. Returns `null` when not configured.
`data.credential.password_policy`	string	Name of the associated password policy. Returns `null` when not configured.
`data.device`	object	Device associated with the credential.
`data.device.id`	integer	Unique identification code of the device.
`data.device.name`	string	Name of the device.
`data.device.domain_name`	string	Domain associated with the device. Returns `null` when not linked to a domain.
`data.device.management_ip`	string	IP address used to manage the device. Example: `10.10.10.10`.
`data.device.vendor`	string	Device vendor. Example: `Oracle`.
`data.device.product`	string	Device product name. Example: `Oracle Linux VM`.
`data.device.site`	string	Site where the device is located. Example: `SP-DC1`.
`data.device.tags`	array[string]	Tags associated with the device. Returns an empty array when none are configured.
`data.device.connectivity_types`	array[enum]	Connectivity protocols available for the device. Example: `["SSH", "SQL_Server"]`. Returns an empty array when not configured.
`data.secret`	object	Secret presence and type indicator.
`data.secret.has_secret`	boolean	Indicates whether the credential has an associated secret.
`data.secret.type`	string	Secret type. Example: `password`.
`data.execution`	object	Automatic password change configuration.
`data.execution.automatic_change_enabled`	boolean	Indicates whether automatic credential rotation is enabled.
`data.execution.change_plugin`	object	Plugin used for automatic password change. Returns `null` when not configured.
`data.execution.change_plugin.name`	string	Name of the change plugin.
`data.execution.change_template`	object	Template used for automatic password change. Returns `null` when not configured.
`data.execution.change_template.name`	string	Name of the change template.
`data.execution.agent_based_password_change`	boolean	Indicates whether agent-based password change is configured. Returns `false` when not configured.
`data.execution.justification`	string	Justification for the change configuration. Returns `null` when not configured.
`data.authentication`	object	Authentication settings for connecting to the device.
`data.authentication.use_own_credential_to_connect`	boolean	Indicates whether the credential uses itself to connect to the device.
`data.authentication.credential`	object	Authentication credential used to connect. Required when `use_own_credential_to_connect` is `false`; otherwise `null`.
`data.authentication.credential.id`	string	Unique identification code of the authentication credential.
`data.authentication.credential.username`	string	Username of the authentication credential.
`data.authentication.restrict_to_remote_application_only`	boolean	Indicates whether access is restricted to remote applications only. Returns `false` when not configured.
`data.authentication.notes`	string	Notes about the authentication configuration. Returns `null` when not configured.
`data.reconciliation`	object	Reconciliation configuration for the credential.
`data.reconciliation.credential_enabled`	boolean	Indicates whether reconciliation is enabled for this credential.
`data.reconciliation.autorun`	boolean	Indicates whether reconciliation runs automatically. Present when `credential_enabled` is `true`.
`data.reconciliation.credential`	object	Credential used for reconciliation. Present when `credential_enabled` is `true`.
`data.reconciliation.credential.id`	string	Unique identification code of the reconciliation credential.
`data.reconciliation.credential.username`	string	Username of the reconciliation credential.
`data.reconciliation.plugin`	object	Plugin used for reconciliation. Present when `credential_enabled` is `true`.
`data.reconciliation.plugin.name`	string	Name of the reconciliation plugin.
`data.reconciliation.template`	object	Template used for reconciliation. Present when `plugin` is set; otherwise `null`.
`data.reconciliation.template.name`	string	Name of the reconciliation template.
`data.automation`	object	RemoteApp and automation access settings.
`data.automation.restrict_access_to_applications_only`	boolean	Indicates whether access is restricted to registered applications only. Returns `false` when not configured.
`data.automation.macro_remote_apps`	array[object]	List of RemoteApp macros associated with the credential. Returns an empty array when not configured.
`data.automation.macro_remote_apps[].id`	string	Unique identification code of the RemoteApp macro.
`data.automation.macro_remote_apps[].name`	string	Name of the RemoteApp macro.
`data.automation.use_own_credential_to_connect`	boolean	Indicates whether automation uses the credential itself to connect. Returns `false` when automation isn't configured.
`data.automation.authentication_credential`	object	Credential used for automation authentication. Present when `use_own_credential_to_connect` is `false`; otherwise `null`.
`data.automation.authentication_credential.id`	string	Unique identification code of the automation authentication credential.
`data.automation.authentication_credential.username`	string	Username of the automation authentication credential.
`data.automation.authentication_device`	object	Device used for automation authentication. Present when `use_own_credential_to_connect` is `false`; otherwise `null`.
`data.certificate`	object	Certificate file association.
`data.certificate.file`	object	Certificate file metadata. Returns `null` when no certificate file is associated.
`data.certificate.file.name`	string	Name of the certificate file.
`data.certificate.has_key_file`	boolean	Indicates whether a key file is present.
`data.certificate.has_key_password`	boolean	Indicates whether a key password is set.
`data.session`	object	Session status and connectivity protocols.
`data.session.status`	string	Session state. Possible values: `in_progress`, `available`.
`data.session.connectivity`	array[string]	Connectivity protocols available for the session. Returns an empty array when not configured.
`data.web_service`	object	Web service session identifiers and path.
`data.web_service.identifiers`	array[string]	Identifiers for the associated web service session. Returns `null` when not configured.
`data.web_service.server_path`	string	Server path for the web service. Returns `null` when not configured.
`data.jit`	object	Just-in-Time (JIT) provisioning configuration.
`data.jit.credential_enabled`	boolean	Indicates whether Just-in-Time (JIT) provisioning is enabled.
`data.jit.type`	string	JIT provisioning type. Example: `ephemeral`. Required when `credential_enabled` is `true`; otherwise `null`.
`data.jit.use_own_credential_to_connect`	boolean	Indicates whether JIT uses the credential itself to connect. Returns `false` when `credential_enabled` is `false`.
`data.jit.authentication_credential`	object	Credential used for JIT authentication. Present when `credential_enabled` is `true` and `use_own_credential_to_connect` is `false`; otherwise `null`.
`data.jit.authentication_credential.id`	string	Unique identification code of the JIT authentication credential.
`data.jit.authentication_credential.username`	string	Username of the JIT authentication credential.
`data.jit.credential_enable_plugin`	object	Plugin used to enable the credential. Returns `null` when not configured.
`data.jit.credential_enable_plugin.name`	string	Name of the enable plugin.
`data.jit.credential_enable_template`	object	Template used to enable the credential. Present when `credential_enable_plugin` is set; otherwise `null`.
`data.jit.credential_enable_template.name`	string	Name of the enable template.
`data.jit.credential_disable_plugin`	object	Plugin used to disable the credential. Returns `null` when not configured.
`data.jit.credential_disable_plugin.name`	string	Name of the disable plugin.
`data.jit.credential_disable_template`	object	Template used to disable the credential. Present when `credential_disable_plugin` is set; otherwise `null`.
`data.jit.credential_disable_template.name`	string	Name of the disable template.
`data.jit.credential_creation_plugin`	object	Plugin used to create the credential. Returns `null` when not configured.
`data.jit.credential_creation_plugin.name`	string	Name of the creation plugin.
`data.jit.credential_creation_template`	object	Template used to create the credential. Present when `credential_creation_plugin` is set; otherwise `null`.
`data.jit.credential_creation_template.name`	string	Name of the creation template.
`data.jit.credential_removal_plugin`	object	Plugin used to remove the credential. Returns `null` when not configured.
`data.jit.credential_removal_plugin.name`	string	Name of the removal plugin.
`data.jit.credential_removal_template`	object	Template used to remove the credential. Present when `credential_removal_plugin` is set; otherwise `null`.
`data.jit.credential_removal_template.name`	string	Name of the removal template.
`meta`	object	Navigation links and available actions for the credential.
`meta.links`	object	Navigation links for the current resource.
`meta.links.self`	string	URL of the current request.
`meta.actions`	object	Available actions for the credential. Present in full responses; may be absent in projected responses.
`meta.actions.checkout`	string	Endpoint to check out this credential.
`meta.actions.rotate`	string	Endpoint to rotate the credential password.

Errors

HTTP code	Message	Possible cause	Solution
`401`	`Unauthorized`	Missing or invalid authentication token.	Check the access token and request a new one if expired.
`403`	`api.fields.sensitive.not.allowed`	A sensitive field was requested via `fields`.	Remove sensitive fields (`credential.password`, `certificate.key_file`, `certificate.key_password`, `totp.secret_key`) from the `fields` parameter.
`403`	`Forbidden`	The authorization doesn't have read permission to PAM Core resources, or the requested `fields` aren't permitted by the current authorization.	Ask the administrator to check the authorization permissions in A2A.
`404`	`Resource not found`	The credential `id` doesn't exist or isn't accessible to the authorization.	Verify the `id` value and confirm the credential exists in GET \| List all credentials (v2).
`422`	`api.fields.invalid`	One or more `fields` values don't exist in the `CredentialV2` canonical model.	Review the `fields` parameter against the supported fields list in this document.
`500`	`Unexpected error.`	Internal server error.	Contact the Segura® support team.

Authentication errors

Message	Possible cause	Solution
`Client authentication failed.`	Application authentication failure with the Segura® server.	Check the authentication parameters (`Access Token URL`, `Client ID`, and `Client secret`) and request a new access token.
`Invalid signature`	Failure in recognizing the client application URL.	Check the URL of the client application and resend the request.
`No route matched with those values.`	Missing authorization header in the API request.	Request a new access token.
`Request timed out.`	The request exceeded the timeout limit.	Check the connectivity between the source of the request and the Segura® server.