# Authenticate with vaults Register per-user credentials when creating sessions. --- Vaults and credentials are authentication primitives that let you register credentials for third-party services once and reference them by ID at session creation. This means you don't need to run your own secret store, transmit tokens on every call, or lose track of which end user an agent acted on behalf of. The vault reference is a per-session parameter, so you can manage your product at the agent level and your users at the session level. All Managed Agents API requests require the `managed-agents-2026-04-01` beta header. The SDK sets the beta header automatically. ## Create a vault Vaults and credentials are workspace-scoped, meaning anyone with API key access can use them for authorizing an agent to complete a task. To revoke access, delete the vault or credential. A vault is the collection of `credentials` associated with an end user. Give it a `display_name` and optionally tag it with `metadata` so you can map it back to your own user records. ````bash vault_id=$(curl --fail-with-body -sS https://api.anthropic.com/v1/vaults \ -H "x-api-key: $ANTHROPIC_API_KEY" \ -H "anthropic-version: 2023-06-01" \ -H "anthropic-beta: managed-agents-2026-04-01" \ -H "content-type: application/json" \ --data @- <<'EOF' | jq -r '.id' { "display_name": "Alice", "metadata": {"external_user_id": "usr_abc123"} } EOF ) echo "$vault_id" # "vlt_01ABC..." ```` ````bash VAULT_ID=$(ant beta:vaults create \ --display-name "Alice" \ --metadata '{external_user_id: usr_abc123}' \ --transform id --raw-output) ```` ````python vault = client.beta.vaults.create( display_name="Alice", metadata={"external_user_id": "usr_abc123"}, ) print(vault.id) # "vlt_01ABC..." ```` ````typescript const vault = await client.beta.vaults.create({ display_name: "Alice", metadata: { external_user_id: "usr_abc123" }, }); console.log(vault.id); // "vlt_01ABC..." ```` ````csharp var vault = await client.Beta.Vaults.Create(new() { DisplayName = "Alice", Metadata = new Dictionary { ["external_user_id"] = "usr_abc123" }, }); Console.WriteLine(vault.ID); // "vlt_01ABC..." ```` ````go vault, err := client.Beta.Vaults.New(ctx, anthropic.BetaVaultNewParams{ DisplayName: "Alice", Metadata: map[string]string{"external_user_id": "usr_abc123"}, }) if err != nil { panic(err) } fmt.Println(vault.ID) // "vlt_01ABC..." ```` ````java var vault = client.beta().vaults().create(VaultCreateParams.builder() .displayName("Alice") .metadata(VaultCreateParams.Metadata.builder() .putAdditionalProperty("external_user_id", JsonValue.from("usr_abc123")) .build()) .build()); IO.println(vault.id()); // "vlt_01ABC..." ```` ````php $vault = $client->beta->vaults->create( displayName: 'Alice', metadata: ['external_user_id' => 'usr_abc123'], ); echo $vault->id . "\n"; // "vlt_01ABC..." ```` ````ruby vault = client.beta.vaults.create( display_name: "Alice", metadata: {external_user_id: "usr_abc123"} ) puts vault.id # "vlt_01ABC..." ```` The response is the full vault record: ```json { "type": "vault", "id": "vlt_01ABC...", "display_name": "Alice", "metadata": { "external_user_id": "usr_abc123" }, "created_at": "2026-03-18T10:00:00Z", "updated_at": "2026-03-18T10:00:00Z", "archived_at": null } ``` ## Add a credential Each credential binds to a single `mcp_server_url`. When the agent connects to an MCP server at session runtime, the API matches the server URL against active credentials on the referenced vault and injects the token. Use `mcp_oauth` when the MCP server uses OAuth 2.0. If you supply a `refresh` block, Anthropic refreshes the access token on your behalf when it expires. The `refresh.token_endpoint_auth.type` field indicates how to authenticate the refresh call: - `none`: public client - `client_secret_basic`: HTTP Basic authentication with the client secret - `client_secret_post`: client secret in the POST body ````bash credential_id=$(curl --fail-with-body -sS "https://api.anthropic.com/v1/vaults/$vault_id/credentials" \ -H "x-api-key: $ANTHROPIC_API_KEY" \ -H "anthropic-version: 2023-06-01" \ -H "anthropic-beta: managed-agents-2026-04-01" \ -H "content-type: application/json" \ --data @- <<'EOF' | jq -r '.id' { "display_name": "Alice's Slack", "auth": { "type": "mcp_oauth", "mcp_server_url": "https://mcp.slack.com/mcp", "access_token": "xoxp-...", "expires_at": "2099-12-31T23:59:59Z", "refresh": { "token_endpoint": "https://slack.com/api/oauth.v2.access", "client_id": "1234567890.0987654321", "scope": "channels:read chat:write", "refresh_token": "xoxe-1-...", "token_endpoint_auth": {"type": "client_secret_post", "client_secret": "abc123..."} } } } EOF ) ```` ````bash CREDENTIAL_ID=$(ant beta:vaults:credentials create \ --vault-id "$VAULT_ID" \ --display-name "Alice's Slack" \ --transform id --raw-output <<'EOF' auth: type: mcp_oauth mcp_server_url: https://mcp.slack.com/mcp access_token: xoxp-... expires_at: "2099-12-31T23:59:59Z" refresh: token_endpoint: https://slack.com/api/oauth.v2.access client_id: "1234567890.0987654321" scope: channels:read chat:write refresh_token: xoxe-1-... token_endpoint_auth: type: client_secret_post client_secret: abc123... EOF ) ```` ````python credential = client.beta.vaults.credentials.create( vault_id=vault.id, display_name="Alice's Slack", auth={ "type": "mcp_oauth", "mcp_server_url": "https://mcp.slack.com/mcp", "access_token": "xoxp-...", "expires_at": "2099-12-31T23:59:59Z", "refresh": { "token_endpoint": "https://slack.com/api/oauth.v2.access", "client_id": "1234567890.0987654321", "scope": "channels:read chat:write", "refresh_token": "xoxe-1-...", "token_endpoint_auth": {"type": "client_secret_post", "client_secret": "abc123..."}, }, }, ) ```` ````typescript const credential = await client.beta.vaults.credentials.create(vault.id, { display_name: "Alice's Slack", auth: { type: "mcp_oauth", mcp_server_url: "https://mcp.slack.com/mcp", access_token: "xoxp-...", expires_at: "2099-12-31T23:59:59Z", refresh: { token_endpoint: "https://slack.com/api/oauth.v2.access", client_id: "1234567890.0987654321", scope: "channels:read chat:write", refresh_token: "xoxe-1-...", token_endpoint_auth: { type: "client_secret_post", client_secret: "abc123...", }, }, }, }); ```` ````csharp var credential = await client.Beta.Vaults.Credentials.Create(vault.ID, new() { DisplayName = "Alice's Slack", Auth = new BetaManagedAgentsMcpOAuthCreateParams { Type = "mcp_oauth", McpServerUrl = "https://mcp.slack.com/mcp", AccessToken = "xoxp-...", ExpiresAt = DateTimeOffset.Parse("2099-12-31T23:59:59Z"), Refresh = new() { TokenEndpoint = "https://slack.com/api/oauth.v2.access", ClientID = "1234567890.0987654321", Scope = "channels:read chat:write", RefreshToken = "xoxe-1-...", TokenEndpointAuth = new BetaManagedAgentsTokenEndpointAuthPostParam { Type = "client_secret_post", ClientSecret = "abc123...", }, }, }, }); ```` ````go credential, err := client.Beta.Vaults.Credentials.New(ctx, vault.ID, anthropic.BetaVaultCredentialNewParams{ DisplayName: anthropic.String("Alice's Slack"), Auth: anthropic.BetaVaultCredentialNewParamsAuthUnion{ OfMCPOAuth: &anthropic.BetaManagedAgentsMCPOAuthCreateParams{ Type: anthropic.BetaManagedAgentsMCPOAuthCreateParamsTypeMCPOAuth, MCPServerURL: "https://mcp.slack.com/mcp", AccessToken: "xoxp-...", ExpiresAt: anthropic.Time(time.Date(2099, time.December, 31, 23, 59, 59, 0, time.UTC)), Refresh: anthropic.BetaManagedAgentsMCPOAuthRefreshParams{ TokenEndpoint: "https://slack.com/api/oauth.v2.access", ClientID: "1234567890.0987654321", Scope: anthropic.String("channels:read chat:write"), RefreshToken: "xoxe-1-...", TokenEndpointAuth: anthropic.BetaManagedAgentsMCPOAuthRefreshParamsTokenEndpointAuthUnion{ OfClientSecretPost: &anthropic.BetaManagedAgentsTokenEndpointAuthPostParam{ Type: anthropic.BetaManagedAgentsTokenEndpointAuthPostParamTypeClientSecretPost, ClientSecret: "abc123...", }, }, }, }, }, }) if err != nil { panic(err) } ```` ````java var credential = client.beta().vaults().credentials().create(vault.id(), CredentialCreateParams.builder() .displayName("Alice's Slack") .auth(BetaManagedAgentsMcpOAuthCreateParams.builder() .type(BetaManagedAgentsMcpOAuthCreateParams.Type.MCP_OAUTH) .mcpServerUrl("https://mcp.slack.com/mcp") .accessToken("xoxp-...") .expiresAt(OffsetDateTime.parse("2099-12-31T23:59:59Z")) .refresh(BetaManagedAgentsMcpOAuthRefreshParams.builder() .tokenEndpoint("https://slack.com/api/oauth.v2.access") .clientId("1234567890.0987654321") .scope("channels:read chat:write") .refreshToken("xoxe-1-...") .clientSecretPostTokenEndpointAuth("abc123...") .build()) .build()) .build()); ```` ````php $credential = $client->beta->vaults->credentials->create( vaultID: $vault->id, displayName: "Alice's Slack", auth: [ 'type' => 'mcp_oauth', 'mcp_server_url' => 'https://mcp.slack.com/mcp', 'access_token' => 'xoxp-...', 'expires_at' => '2099-12-31T23:59:59Z', 'refresh' => [ 'token_endpoint' => 'https://slack.com/api/oauth.v2.access', 'client_id' => '1234567890.0987654321', 'scope' => 'channels:read chat:write', 'refresh_token' => 'xoxe-1-...', 'token_endpoint_auth' => [ 'type' => 'client_secret_post', 'client_secret' => 'abc123...', ], ], ], ); ```` ````ruby credential = client.beta.vaults.credentials.create( vault.id, display_name: "Alice's Slack", auth: { type: "mcp_oauth", mcp_server_url: "https://mcp.slack.com/mcp", access_token: "xoxp-...", expires_at: "2099-12-31T23:59:59Z", refresh: { token_endpoint: "https://slack.com/api/oauth.v2.access", client_id: "1234567890.0987654321", scope: "channels:read chat:write", refresh_token: "xoxe-1-...", token_endpoint_auth: { type: "client_secret_post", client_secret: "abc123..." } } } ) ```` Use `static_bearer` when the MCP server accepts a fixed bearer token (API key, personal access token, or similar). No refresh flow is needed. ````bash curl --fail-with-body -sS "https://api.anthropic.com/v1/vaults/$vault_id/credentials" \ -H "x-api-key: $ANTHROPIC_API_KEY" \ -H "anthropic-version: 2023-06-01" \ -H "anthropic-beta: managed-agents-2026-04-01" \ -H "content-type: application/json" \ -d '{ "display_name": "Linear API key", "auth": { "type": "static_bearer", "mcp_server_url": "https://mcp.linear.app/mcp", "token": "lin_api_your_linear_key" } }' ```` ````bash ant beta:vaults:credentials create --vault-id "$VAULT_ID" <<'YAML' display_name: Linear API key auth: type: static_bearer mcp_server_url: https://mcp.linear.app/mcp token: lin_api_your_linear_key YAML ```` ````python bearer_credential = client.beta.vaults.credentials.create( vault_id=vault.id, display_name="Linear API key", auth={ "type": "static_bearer", "mcp_server_url": "https://mcp.linear.app/mcp", "token": "lin_api_your_linear_key", }, ) ```` ````typescript const bearerCredential = await client.beta.vaults.credentials.create(vault.id, { display_name: "Linear API key", auth: { type: "static_bearer", mcp_server_url: "https://mcp.linear.app/mcp", token: "lin_api_your_linear_key" } }); ```` ````csharp var bearerCredential = await client.Beta.Vaults.Credentials.Create(vault.ID, new() { DisplayName = "Linear API key", Auth = new BetaManagedAgentsStaticBearerCreateParams { Type = "static_bearer", McpServerUrl = "https://mcp.linear.app/mcp", Token = "lin_api_your_linear_key", }, }); ```` ````go bearerCredential, err := client.Beta.Vaults.Credentials.New(ctx, vault.ID, anthropic.BetaVaultCredentialNewParams{ DisplayName: anthropic.String("Linear API key"), Auth: anthropic.BetaVaultCredentialNewParamsAuthUnion{ OfStaticBearer: &anthropic.BetaManagedAgentsStaticBearerCreateParams{ Type: anthropic.BetaManagedAgentsStaticBearerCreateParamsTypeStaticBearer, MCPServerURL: "https://mcp.linear.app/mcp", Token: "lin_api_your_linear_key", }, }, }) if err != nil { panic(err) } _ = bearerCredential ```` ````java var bearerCredential = client.beta().vaults().credentials().create(vault.id(), CredentialCreateParams.builder() .displayName("Linear API key") .auth(BetaManagedAgentsStaticBearerCreateParams.builder() .type(BetaManagedAgentsStaticBearerCreateParams.Type.STATIC_BEARER) .mcpServerUrl("https://mcp.linear.app/mcp") .token("lin_api_your_linear_key") .build()) .build()); ```` ````php $bearerCredential = $client->beta->vaults->credentials->create( vaultID: $vault->id, displayName: 'Linear API key', auth: [ 'type' => 'static_bearer', 'mcp_server_url' => 'https://mcp.linear.app/mcp', 'token' => 'lin_api_your_linear_key', ], ); ```` ````ruby bearer_credential = client.beta.vaults.credentials.create( vault.id, display_name: "Linear API key", auth: { type: "static_bearer", mcp_server_url: "https://mcp.linear.app/mcp", token: "lin_api_your_linear_key" } ) ```` Secret fields (`token`, `access_token`, `refresh_token`, `client_secret`) are write-only. They are never returned in API responses. Credentials are stored as provided and are not validated until session runtime. A bad token surfaces as an MCP authentication error during the session, which is emitted but does not block the session from continuing. Constraints: - **One active credential per `mcp_server_url` per vault.** Creating a second credential for the same URL returns a 409. - **`mcp_server_url` is immutable.** To point at a different server, archive this credential and create a new one. - **Maximum 20 credentials per vault.** This matches the maximum number of MCP servers per agent. ## Reference the vault at session creation Pass `vault_ids` when creating a session: ````bash session_id=$(curl --fail-with-body -sS https://api.anthropic.com/v1/sessions \ -H "x-api-key: $ANTHROPIC_API_KEY" \ -H "anthropic-version: 2023-06-01" \ -H "anthropic-beta: managed-agents-2026-04-01" \ -H "content-type: application/json" \ --data @- <beta->sessions->create( agent: $agent->id, environmentID: $environment->id, vaultIDs: [$vault->id], title: "Alice's Slack digest", ); ```` ````ruby session = client.beta.sessions.create( agent: agent.id, environment_id: environment.id, vault_ids: [vault.id], title: "Alice's Slack digest" ) ```` Runtime behavior: - When a vault has no credential for the MCP server, the connection is attempted unauthenticated and produces an error if the server requires authentication. - When multiple vaults cover the MCP server, the first vault with a match wins. - In [multiagent sessions](/docs/en/managed-agents/multi-agent), vault credentials apply to every thread. An agent whose own definition declares the matching MCP server authenticates with these credentials. See [Connect agents to MCP servers](/docs/en/managed-agents/multi-agent#connect-agents-to-mcp-servers). ## Credential refresh Credentials are re-resolved periodically, both during a session and during the vault lifecycle. This ensures that credential rotation, archival, or deletion propagates to running sessions without a restart. To be notified if a credential is archived, deleted, or fails to refresh, you can subscribe to the vault and credential [webhooks](/docs/en/managed-agents/webhooks) associated with those lifecycle changes. | Event | Trigger | | ----- | ------- | | `vault.archived` | Vault archived. A `vault_credential.archived` event is also emitted for each underlying credential. | | `vault.deleted` | Vault deleted. A `vault_credential.deleted` event is also emitted for each underlying credential. | | `vault_credential.archived` | Credential archived, either directly or as a result of vault archival. | | `vault_credential.deleted` | Credential deleted, either directly or as a result of vault deletion. | | `vault_credential.refresh_failed` | An `mcp_oauth` credential cannot be refreshed (invalid refresh token, or irrecoverable error from the OAuth server). | This is a non-exhaustive list of webhooks; see [Subscribe to webhooks](/docs/en/managed-agents/webhooks) for the complete list. ### Diagnose an OAuth refresh failure To diagnose why a refresh failed, use the `/mcp_oauth_validate` endpoint. This allows you to determine how to handle the failure, which is distinct by error type. The top-level `status` tells you what to do next: - `valid`: the token works; no action needed. - `invalid`: the grant is gone or the OAuth server rejected the refresh with a 4xx. Prompt the end user to re-authorize. - `unknown`: a transient error (5xx, 429, or network failure). Wait and retry. ````bash curl --fail-with-body -sS -X POST \ "https://api.anthropic.com/v1/vaults/$vault_id/credentials/$credential_id/mcp_oauth_validate?beta=true" \ -H "x-api-key: $ANTHROPIC_API_KEY" \ -H "anthropic-version: 2023-06-01" \ -H "anthropic-beta: managed-agents-2026-04-01" ```` The response is a `vault_credential_validation` object. `mcp_probe` includes the failed MCP handshake step; `refresh` includes the outcome of the attempted refresh. ```json { "type": "vault_credential_validation", "credential_id": "vcrd_01ABC...", "vault_id": "vlt_01XYZ...", "validated_at": "2026-04-29T17:12:00Z", "has_refresh_token": false, "status": "invalid", "mcp_probe": { "method": "initialize", "http_response": { "status_code": 401, "content_type": "application/json", "body": "{\"error\":\"invalid_token\"}", "body_truncated": false } }, "refresh": { "status": "no_refresh_token", "http_response": null } } ``` ## Rotate a credential Only the secret payload and a handful of metadata fields are mutable. `mcp_server_url`, `token_endpoint`, and `client_id` are locked after creation. ````bash curl --fail-with-body -sS \ "https://api.anthropic.com/v1/vaults/$vault_id/credentials/$credential_id" \ -H "x-api-key: $ANTHROPIC_API_KEY" \ -H "anthropic-version: 2023-06-01" \ -H "anthropic-beta: managed-agents-2026-04-01" \ -H "content-type: application/json" \ --data @- <<'EOF' > /dev/null { "auth": { "type": "mcp_oauth", "access_token": "xoxp-new-...", "expires_at": "2099-12-31T23:59:59Z", "refresh": {"refresh_token": "xoxe-1-new-..."} } } EOF ```` ````bash ant beta:vaults:credentials update \ --vault-id "$VAULT_ID" \ --credential-id "$CREDENTIAL_ID" <<'EOF' auth: type: mcp_oauth access_token: xoxp-new-... expires_at: "2099-12-31T23:59:59Z" refresh: refresh_token: xoxe-1-new-... EOF ```` ````python client.beta.vaults.credentials.update( credential.id, vault_id=vault.id, auth={ "type": "mcp_oauth", "access_token": "xoxp-new-...", "expires_at": "2099-12-31T23:59:59Z", "refresh": {"refresh_token": "xoxe-1-new-..."}, }, ) ```` ````typescript await client.beta.vaults.credentials.update(credential.id, { vault_id: vault.id, auth: { type: "mcp_oauth", access_token: "xoxp-new-...", expires_at: "2099-12-31T23:59:59Z", refresh: { refresh_token: "xoxe-1-new-...", }, }, }); ```` ````csharp await client.Beta.Vaults.Credentials.Update(credential.ID, new() { VaultID = vault.ID, Auth = new BetaManagedAgentsMcpOAuthUpdateParams { Type = "mcp_oauth", AccessToken = "xoxp-new-...", ExpiresAt = DateTimeOffset.Parse("2099-12-31T23:59:59Z"), Refresh = new() { RefreshToken = "xoxe-1-new-..." }, }, }); ```` ````go _, err = client.Beta.Vaults.Credentials.Update(ctx, credential.ID, anthropic.BetaVaultCredentialUpdateParams{ VaultID: vault.ID, Auth: anthropic.BetaVaultCredentialUpdateParamsAuthUnion{ OfMCPOAuth: &anthropic.BetaManagedAgentsMCPOAuthUpdateParams{ Type: anthropic.BetaManagedAgentsMCPOAuthUpdateParamsTypeMCPOAuth, AccessToken: anthropic.String("xoxp-new-..."), ExpiresAt: anthropic.Time(time.Date(2099, time.December, 31, 23, 59, 59, 0, time.UTC)), Refresh: anthropic.BetaManagedAgentsMCPOAuthRefreshUpdateParams{ RefreshToken: anthropic.String("xoxe-1-new-..."), }, }, }, }) if err != nil { panic(err) } ```` ````java client.beta().vaults().credentials().update(credential.id(), CredentialUpdateParams.builder() .vaultId(vault.id()) .auth(BetaManagedAgentsMcpOAuthUpdateParams.builder() .type(BetaManagedAgentsMcpOAuthUpdateParams.Type.MCP_OAUTH) .accessToken("xoxp-new-...") .expiresAt(OffsetDateTime.parse("2099-12-31T23:59:59Z")) .refresh(BetaManagedAgentsMcpOAuthRefreshUpdateParams.builder() .refreshToken("xoxe-1-new-...") .build()) .build()) .build()); ```` ````php $client->beta->vaults->credentials->update( $credential->id, vaultID: $vault->id, auth: [ 'type' => 'mcp_oauth', 'access_token' => 'xoxp-new-...', 'expires_at' => '2099-12-31T23:59:59Z', 'refresh' => ['refresh_token' => 'xoxe-1-new-...'], ], ); ```` ````ruby client.beta.vaults.credentials.update( credential.id, vault_id: vault.id, auth: { type: "mcp_oauth", access_token: "xoxp-new-...", expires_at: "2099-12-31T23:59:59Z", refresh: {refresh_token: "xoxe-1-new-..."} } ) ```` ## Other operations - **List vaults or credentials:** Paginated, newest first. Archived records are excluded by default (pass `include_archived=true` to include them). - **Archive a vault:** `POST /v1/vaults/{id}/archive`. Cascades to all credentials. Secrets are purged; records are retained for auditing. Future sessions referencing this vault fail; running sessions continue. - **Archive a credential:** `POST /v1/vaults/{id}/credentials/{cred_id}/archive`. Purges the secret payload; `mcp_server_url` remains visible. Frees the `mcp_server_url` for a replacement credential. - **Delete a vault or credential:** Hard delete. The record is not retained. Use archive if you need an audit trail.