First Delegation in 5 Minutes

Request your first delegated access token and call a third-party API.

Prerequisites

Node.js 18 or later (or Python 3.8+)
A Cred developer account with an app created
A user who has authorized an OAuth connection (Google, GitHub, Slack, Notion, or Salesforce)

Install the SDK

Install the Cred SDK:

npm install @credninja/sdk

Or for Python: pip install cred-auth

Get your credentials

From your Cred developer dashboard, you need:

App Client ID: Found in your app settings
Agent Token: Generate one from the Agents tab in your app

# Add to your .env file
CRED_APP_CLIENT_ID=your_app_client_id
CRED_AGENT_TOKEN=cred_at_...

Initialize the SDK

Initialize the client with your credentials:

import { Cred, ConsentRequiredError } from '@credninja/sdk';

const cred = new Cred({
  agentToken: process.env.CRED_AGENT_TOKEN,
  appClientId: process.env.CRED_APP_CLIENT_ID,
  baseUrl: 'https://api.cred.ninja',
});

Request a delegated token

Call delegate() with the user ID, service, and scopes:

async function getCalendarEvents(userId: string) {
  try {
    // Request delegated access to Google Calendar
    const { accessToken } = await cred.delegate({
      userId,
      service: 'google',
      scopes: ['calendar.readonly'],
    });

    // Use the token directly with Google API
    const response = await fetch(
      'https://www.googleapis.com/calendar/v3/calendars/primary/events',
      {
        headers: {
          Authorization: `Bearer ${accessToken}`,
        },
      }
    );

    return response.json();
  } catch (error) {
    if (error instanceof ConsentRequiredError) {
      // User hasn't authorized yet
      // Redirect them to the consent URL
      console.log('Redirect user to:', error.consentUrl);
      return null;
    }
    throw error;
  }
}

Handle the consent flow

The first time you request delegation for a user, they need to authorize your app:

// In your web app
app.get('/connect/google', async (req, res) => {
  try {
    await cred.delegate({
      userId: req.user.id,
      service: 'google',
      scopes: ['calendar.readonly'],
    });
    // Already authorized, proceed
    res.redirect('/dashboard');
  } catch (error) {
    if (error instanceof ConsentRequiredError) {
      // Redirect to Cred consent page
      res.redirect(error.consentUrl);
    }
  }
});

// After user approves, they're redirected back
app.get('/callback', async (req, res) => {
  // Now delegation will succeed
  const { accessToken } = await cred.delegate({
    userId: req.user.id,
    service: 'google',
    scopes: ['calendar.readonly'],
  });
  // Use the token...
});

What Just Happened?

When you called cred.delegate(), Cred’s 7-step pipeline executed:

1Validated your agent token (cred_at_*)
2Found your application
3Verified user consent for your app + service
4Checked requested scopes against granted scopes
5Checked for cached valid access token
6Refreshed the token if expired (using encrypted refresh token)
7Returned short-lived access token to your agent

The refresh token never left the vault. Your agent received only a short-lived access token. That’s the point.

Using with Claude Desktop?

Install the Cred MCP server for interactive credential delegation:

{
  "mcpServers": {
    "cred": {
      "command": "npx",
      "args": ["-y", "@credninja/mcp"],
      "env": {
        "CRED_AGENT_TOKEN": "cred_at_...",
        "CRED_APP_CLIENT_ID": "your_app_client_id"
      }
    }
  }
}

The MCP server provides 4 tools: cred_delegate, cred_use, cred_status, and cred_revoke.

Next Steps

View Your Apps

Manage apps and agents in your dashboard.

Full Documentation

Learn about OAuth flows, API reference, and SDK methods.

Sandbox

Test the delegation pipeline without real credentials.

SDK on GitHub

View source code and contribute.

Questions? Email kieran@kierans.net

Documentation/Quickstart