GET | List all credentials


Description

List all credentials associated with your authorization in PAM Core, using the v2 canonical model. Returns a paginated, filterable projection of the CredentialV2 entity.

Note: This endpoint is part of the A2A API v2 surface, introduced in version 4.2.2. The v1 equivalent is documented in GET | List all credentials.


Prerequisites


Request

GET /api/v2/pam/credentials

Query parameters

All query parameters are optional. When no parameters are provided, the endpoint returns all credentials accessible to the authorization, using the minimum contract fields defined in the response schema.

Filters

| Field | Type | Description |
| --- | --- | --- |
| credential.username | string | Filters by credential username. Accepts any non-empty string. |
| credential.active | boolean | Filters by active status. Accepted values: true, false. Values 0 and 1 are not accepted. |
| device_id | integer | Filters by device ID. Accepted range: 1 to 2147483647. |
| device.name | string | Filters by device name. Accepts any non-empty string. |
| device.domain_name | string | Filters by domain name. Omit this parameter to return credentials regardless of domain association. |
| credential.tags | array[string] | Filters by one or more tags. Repeat the parameter for AND logic; use comma-separated values for OR logic. See the following section for examples. |
| credential.criticality | string | Filters by criticality level. Accepted values: low, medium, high, critical. Any other value returns 422. |
| credential.user_credential_owner | string | Filters by owner name or ID. Omit to return credentials regardless of owner. |
| jit.credential_enabled | boolean | Filters by Just-in-Time (JIT) feature status. Accepted values: true, false. |
| reconciliation.credential_enabled | boolean | Filters by reconciliation feature status. Accepted values: true, false. |

Note: Filtering on sensitive or non-existent fields returns 422. Invalid boolean values also return 422. For full filter validation rules, AND/OR logic, and examples, see API v2 - Conventions and shared behaviors.

Sorting

sort_by accepts one or more fields in the format field:asc or field:desc. Multiple fields are comma-separated and processed left to right. Default direction is asc. Invalid fields or directions return 422. Example: sort_by=criticality:desc,credential.username.

For full sorting rules, see API v2 - Conventions and shared behaviors.

Pagination

Supports offset pagination (page, limit) and cursor-based pagination (cursor). The two strategies are mutually exclusive — sending both returns 422. Cursor-based pagination is recommended for datasets exceeding 100,000 records.

| Field | Type | Description |
| --- | --- | --- |
| page | integer | Page number. Default: 1. |
| limit | integer | Results per page. Default: 50. |
| cursor | string | Opaque cursor token. Do not decode. Expires after 24 hours. |

For full pagination rules and response field descriptions, see API v2 - Conventions and shared behaviors.
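A client-side pre-check for the query rules above, as an added Python example that is not part of the Segura® documentation or product code: it refuses input the page says returns 422 before the request is sent, and builds the AND and OR forms of credential.tags. The name build_query and its parameters are hypothetical; refusing empty strings for every string filter and refusing a comma inside a tag are assumptions of this example.

```python
from urllib.parse import urlencode

# Filter names and accepted values come from the tables above.
BOOL_FILTERS = {"credential.active", "jit.credential_enabled",
                "reconciliation.credential_enabled"}
STRING_FILTERS = {"credential.username", "device.name", "device.domain_name",
                  "credential.user_credential_owner"}
CRITICALITY = ("low", "medium", "high", "critical")

def build_query(filters=None, tags=(), any_tag=False, sort_by=(),
                page=None, limit=None, cursor=None):
    """Return a query string; raise ValueError for input documented as 422."""
    if cursor is not None and (page is not None or limit is not None):
        raise ValueError("page/limit and cursor are mutually exclusive")
    if any("," in t for t in tags):  # assumption: ',' is reserved as OR separator
        raise ValueError("tags: a tag must not contain ','")
    pairs = []
    for name, value in (filters or {}).items():
        if name in BOOL_FILTERS:
            if not isinstance(value, bool):  # 0 and 1 are not accepted
                raise ValueError(f"{name}: only true or false is accepted")
            value = "true" if value else "false"
        elif name == "device_id":
            if type(value) is not int or not 1 <= value <= 2147483647:
                raise ValueError("device_id: integer in 1..2147483647 required")
        elif name == "credential.criticality":
            if value not in CRITICALITY:
                raise ValueError(f"criticality: {value!r} is not accepted")
        elif name in STRING_FILTERS:
            if not isinstance(value, str) or not value:
                raise ValueError(f"{name}: non-empty string required")
        else:  # unknown or sensitive field names are refused outright
            raise ValueError(f"{name}: not a documented filter")
        pairs.append((name, value))
    if any_tag and tags:  # one comma-separated value = OR
        pairs.append(("credential.tags", ",".join(tags)))
    else:  # repeated parameter = AND
        pairs += [("credential.tags", t) for t in tags]
    for spec in sort_by:
        field, sep, direction = spec.partition(":")  # no ':' means default asc
        if not field or (sep and direction not in ("asc", "desc")):
            raise ValueError(f"sort_by: bad entry {spec!r}")
    if sort_by:
        pairs.append(("sort_by", ",".join(sort_by)))
    pairs += [(k, v) for k, v in (("page", page), ("limit", limit),
                                  ("cursor", cursor)) if v is not None]
    return urlencode(pairs, safe=":,")  # keep ':' and ',' literal, as in the page
```

The list of sortable fields is not given on this page, so only the direction of each sort_by entry is checked.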


Example request

GET {{url}}/api/v2/pam/credentials


Response

HTTP/1.1 200 OK

Example response body

{
    "data": [
        {
            "id": "101",
            "credential": {
                "username": "svc-payments",
                "active": true,
                "tags": ["prod"],
                "criticality": "high",
                "user_credential_owner": {
                    "name": "John Doe"
                }
            },
            "device": {
                "id": 123,
                "name": "db-prod-01",
                "domain_name": "CORP"
            },
            "secret": {
                "has_secret": true,
                "type": "password"
            },
            "execution": {
                "automatic_change_enabled": true
            },
            "reconciliation": {
                "credential_enabled": true
            },
            "jit": {
                "credential_enabled": false
            }
        },
        {
            "id": "102",
            "credential": {
                "username": "db-monitor",
                "active": false,
                "tags": [],
                "criticality": null,
                "user_credential_owner": null
            },
            "device": {
                "id": 124,
                "name": "db-dev-01",
                "domain_name": null
            },
            "secret": {
                "has_secret": false,
                "type": "password"
            },
            "execution": {
                "automatic_change_enabled": false
            },
            "reconciliation": {
                "credential_enabled": false
            },
            "jit": {
                "credential_enabled": false
            }
        }
    ],
    "meta": {
        "pagination": {
            "page": 1,
            "limit": 50,
            "total_items": 1320,
            "total_pages": 27,
            "count": 50
        },
        "links": {
            "self": "/api/v2/pam/credentials?page=1&limit=50",
            "first": "/api/v2/pam/credentials?page=1&limit=50",
            "prev": null,
            "next": "/api/v2/pam/credentials?page=2&limit=50",
            "last": "/api/v2/pam/credentials?page=27&limit=50"
        }
    }
}

Note: For large datasets (>100,000 records), total_items may be null or an estimate. Use has_more as the continuation signal in those scenarios. See API v2 - Conventions and shared behaviors.


Response body fields

| Field | Type | Description |
| --- | --- | --- |
| data | array of objects | List of credentials matching the request filters. |
| data[].id | string | Unique identification code of the credential. This value is assigned by Segura® in POST \| Create credential. |
| data[].credential | object | Core credential attributes. |
| data[].credential.username | string | Username assigned to the credential. |
| data[].credential.active | boolean | Indicates whether the credential is active. |
| data[].credential.tags | array[string] | Tags associated with the credential. Returns an empty array when no tags are configured. |
| data[].credential.criticality | string | Criticality level of the credential. Possible values: low, medium, high, critical. Returns null when not configured. |
| data[].credential.user_credential_owner | object | Owner associated with the credential. Returns null when no owner is configured. |
| data[].credential.user_credential_owner.name | string | Name of the credential owner. |
| data[].device | object | Device associated with the credential. |
| data[].device.id | integer | Unique identification code of the device. |
| data[].device.name | string | Name of the device. |
| data[].device.domain_name | string | Domain associated with the device. Returns null when the credential isn't linked to a domain. |
| data[].secret | object | Secret presence and type indicator. |
| data[].secret.has_secret | boolean | Indicates whether the credential has an associated secret. |
| data[].secret.type | string | Secret type. Example: password. |
| data[].execution | object | Automatic change configuration summary. |
| data[].execution.automatic_change_enabled | boolean | Indicates whether automatic credential rotation is enabled. |
| data[].reconciliation | object | Reconciliation feature configuration summary. |
| data[].reconciliation.credential_enabled | boolean | Indicates whether reconciliation is enabled for this credential. |
| data[].jit | object | Just-in-Time (JIT) feature configuration summary. |
| data[].jit.credential_enabled | boolean | Indicates whether Just-in-Time (JIT) provisioning is enabled for this credential. |
| meta | object | Pagination metadata and navigation links. |
| meta.pagination | object | Pagination details for the current result set. |
| meta.pagination.page | integer | Current page number. |
| meta.pagination.limit | integer | Maximum number of results per page. |
| meta.pagination.total_items | integer | Total number of credentials matching the filters. May be null or an estimate for large datasets. |
| meta.pagination.total_pages | integer | Total number of pages. |
| meta.pagination.count | integer | Number of items returned in the current page. |
| meta.links | object | Navigation links for paginating through results. |
| meta.links.self | string | URL of the current page. |
| meta.links.first | string | URL of the first page. |
| meta.links.prev | string | URL of the previous page. Returns null on the first page. |
| meta.links.next | string | URL of the next page. Returns null on the last page. |
| meta.links.last | string | URL of the last page. |
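One way to put these response fields to work in a credential hygiene review, as an added Python example that is not Segura® code: it follows meta.links.next until it is null and flags records by the nullable and boolean fields described above. The finding rules and the names iter_credentials, review, audit and make_item are assumptions of this example, fetch is any callable that returns the parsed JSON body for a URL, and the two pages in SAMPLE are constructed.

```python
def iter_credentials(fetch, first="/api/v2/pam/credentials?page=1&limit=50"):
    """Yield every credential, following meta.links.next until it is null."""
    url, seen = first, set()
    while url:
        if url in seen:  # stop on a link loop instead of paging forever
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        body = fetch(url)
        yield from body["data"]
        url = body["meta"]["links"]["next"]

def review(item):
    """Return findings for one record (assumed review policy, not the vendor's)."""
    cred, findings = item["credential"], []
    if cred["criticality"] is None:
        findings.append("criticality-not-set")
    if cred["user_credential_owner"] is None:
        findings.append("no-owner")
    if item["secret"]["has_secret"] and not cred["active"]:
        findings.append("inactive-with-secret")
    if cred["criticality"] in ("high", "critical"):
        if not item["execution"]["automatic_change_enabled"]:
            findings.append("no-automatic-change")
        if not item["reconciliation"]["credential_enabled"]:
            findings.append("no-reconciliation")
    return findings

def audit(fetch):
    """Map credential id -> findings, leaving out records with none."""
    return {i["id"]: f for i in iter_credentials(fetch) if (f := review(i))}

def make_item(cid, active, crit, owner, has_secret, auto, recon):
    """Build a constructed record carrying the fields review() reads."""
    return {"id": cid,
            "credential": {"active": active, "criticality": crit,
                           "user_credential_owner": owner},
            "secret": {"has_secret": has_secret},
            "execution": {"automatic_change_enabled": auto},
            "reconciliation": {"credential_enabled": recon}}

# Constructed two-page sample standing in for the live endpoint.
P1, P2 = (f"/api/v2/pam/credentials?page={n}&limit=50" for n in (1, 2))
SAMPLE = {
    P1: {"data": [make_item("101", True, "high", {"name": "John Doe"}, True, True, True),
                  make_item("102", False, None, None, False, False, False)],
         "meta": {"links": {"next": P2}}},
    P2: {"data": [make_item("103", False, "critical", {"name": "A. Owner"}, True, False, True)],
         "meta": {"links": {"next": None}}},
}
```

Calling audit(SAMPLE.__getitem__) runs the review over the constructed pages; against a live deployment, fetch would wrap an authenticated GET to the same paths.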

Errors

| HTTP code | Message | Possible cause | Solution |
| --- | --- | --- | --- |
| 401 | Unauthorized | Missing or invalid authentication token. | Check the access token and request a new one if expired. |
| 403 | Forbidden | The authorization doesn't have read permission to PAM Core resources. | Ask the administrator to check the authorization permissions in A2A. |
| 422 | Unprocessable Content | Invalid filter field, sensitive field used as filter, invalid boolean value, or page/limit mixed with cursor. | Review the query parameters. |
| 500 | Unexpected error. | Internal server error. | Contact the Segura® support team. |

For authentication error messages and the 403 vs 404 policy, see API v2 - Conventions and shared behaviors.


Related documents