First Delegation in 5 Minutes

Request your first delegated access token and call a third-party API. Choose your path:

🖥️ Self-Hosted Server Mode

Run your own Cred server and let agents request delegated tokens over HTTP. Handles token storage, encryption, consent flows, and OAuth provider management.

Requires: Node.js 18+, your own Cred server, at least one configured OAuth provider

🏠 Local Mode

Fully standalone with @credninja/oauth + @credninja/vault. No account needed, no cloud dependency.

Requires: Node.js 18+, OAuth client credentials from your provider

Prerequisites (Self-Hosted Server Mode)

Node.js 18 or later
A running self-hosted Cred server, for example via npx create-cred-app my-cred-server
A user who has authorized an OAuth connection (Google, GitHub, Slack, Notion, or Salesforce)

Install the SDK

Install the Cred SDK:

npm install @credninja/sdk

Or for Python: pip install cred-auth

Get your credentials

From your self-hosted Cred deployment, you need:

Base URL: The HTTPS URL of your Cred server
App Client ID: Usually local for the default self-hosted flow
Agent Token: The AGENT_TOKEN configured on the server

# Add to your .env file
CRED_BASE_URL=https://cred.example.com
CRED_APP_CLIENT_ID=your_app_client_id
CRED_AGENT_TOKEN=cred_at_...

Initialize the SDK

Initialize the client with your credentials:

import { Cred, ConsentRequiredError } from '@credninja/sdk';

const cred = new Cred({
  agentToken: process.env.CRED_AGENT_TOKEN,
  appClientId: process.env.CRED_APP_CLIENT_ID,
  baseUrl: process.env.CRED_BASE_URL,
});

Request a delegated token

Call delegate() with the user ID, service, and scopes:

async function getCalendarEvents(userId: string) {
  try {
    // Request delegated access to Google Calendar
    const { accessToken } = await cred.delegate({
      userId,
      service: 'google',
      appClientId: process.env.CRED_APP_CLIENT_ID,
      scopes: ['calendar.readonly'],
    });

    // Use the token directly with Google API
    const response = await fetch(
      'https://www.googleapis.com/calendar/v3/calendars/primary/events',
      {
        headers: {
          Authorization: `Bearer ${accessToken}`,
        },
      }
    );

    return response.json();
  } catch (error) {
    if (error instanceof ConsentRequiredError) {
      // User hasn't authorized yet
      // Redirect them to the consent URL
      console.log('Redirect user to:', error.consentUrl);
      return null;
    }
    throw error;
  }
}

Handle the consent flow

The first time you request delegation for a user, they need to authorize your app:

// In your web app
app.get('/connect/google', async (req, res) => {
  try {
    await cred.delegate({
      userId: req.user.id,
      service: 'google',
      appClientId: process.env.CRED_APP_CLIENT_ID,
      scopes: ['calendar.readonly'],
    });
    // Already authorized, proceed
    res.redirect('/dashboard');
  } catch (error) {
    if (error instanceof ConsentRequiredError) {
      // Redirect to your self-hosted Cred consent page
      res.redirect(error.consentUrl);
    }
  }
});

// After user approves, they're redirected back
app.get('/callback', async (req, res) => {
  // Now delegation will succeed
  const { accessToken } = await cred.delegate({
    userId: req.user.id,
    service: 'google',
    appClientId: process.env.CRED_APP_CLIENT_ID,
    scopes: ['calendar.readonly'],
  });
  // Use the token...
});

🏠 Local Mode Alternative

No remote server needed. Use standalone packages for fully local credential management:

npm install @credninja/oauth @credninja/vault

import { OAuthClient, GoogleAdapter } from '@credninja/oauth';
import { createVault } from '@credninja/vault';

// 1. Run OAuth flow
const google = new OAuthClient({
  adapter: new GoogleAdapter(),
  clientId: process.env.GOOGLE_CLIENT_ID!,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  redirectUri: 'http://localhost:3000/callback',
});
const { url, codeVerifier } = await google.getAuthorizationUrl({
  scopes: ['calendar.readonly'],
});

// 2. Store tokens in encrypted local vault
const vault = await createVault({
  passphrase: process.env.VAULT_PASSPHRASE!,
  storage: 'sqlite',
  path: './cred-vault.db',
});
await vault.store({
  provider: 'google',
  userId: 'user-123',
  accessToken: tokens.access_token,
  refreshToken: tokens.refresh_token,
  expiresAt: new Date(Date.now() + tokens.expires_in * 1000),
  scopes: ['calendar.readonly'],
});

// 3. Retrieve (auto-decrypts, auto-refreshes if adapter provided)
const creds = await vault.get({ provider: 'google', userId: 'user-123' });

See @credninja/oauth and @credninja/vault for full standalone documentation. When you want a separate broker process instead of local-only storage, deploy @credninja/server.

What Just Happened?

When you called cred.delegate(), Cred’s 7-step pipeline executed:

1Validated your agent token (cred_at_*)
2Found your application
3Verified user consent for your app + service
4Checked requested scopes against granted scopes
5Checked for cached valid access token
6Refreshed the token if expired (using encrypted refresh token)
7Returned short-lived access token to your agent

The refresh token never left the vault. Your agent received only a short-lived access token. That’s the point.

Using with Claude Desktop?

Install the Cred MCP server for interactive credential delegation:

{
  "mcpServers": {
    "cred": {
      "command": "npx",
      "args": ["-y", "@credninja/mcp"],
      "env": {
        "CRED_AGENT_TOKEN": "cred_at_...",
        "CRED_APP_CLIENT_ID": "your_app_client_id"
      }
    }
  }
}

The MCP server provides 4 tools: cred_delegate, cred_use, cred_status, and cred_revoke.

Next Steps

View Your Apps

Manage apps and agents in your dashboard.

Full Documentation

Learn about OAuth flows, API reference, and SDK methods.

Guard Policies

Add rate limits, scope restrictions, and time windows to control agent access.

Sandbox

Test the delegation pipeline without real credentials.

Questions? Email kieran@kierans.net

Documentation/Quickstart