Terms of Service
Effective Date: February 10, 2026
1. Introduction and Acceptance of Terms
Welcome to Cred. These Terms of Service (“Terms”) govern your access to and use of the Cred platform, including the developer portal at cred.ninja, the API services at api.cred.ninja, the Cred MCP server (@credninja/mcp), the Cred TypeScript SDK (@credninja/sdk), and all related services, tools, and documentation (collectively, the “Service”).
Cred is operated by Cred (“Company,” “we,” “us,” or “our”). By creating an account, accessing, or using any part of the Service, you (“you” or “your”) agree to be bound by these Terms. If you are using the Service on behalf of an organization, you represent that you have authority to bind that organization to these Terms.
If you do not agree to these Terms, do not use the Service.
We may update these Terms from time to time. We will notify you of material changes by posting the updated Terms on the Service and updating the “Effective Date” above. Your continued use of the Service after changes take effect constitutes acceptance of the revised Terms.
2. Definitions
Throughout these Terms, the following definitions apply:
- “Developer” means any individual or entity that registers a developer account on the Cred platform to create and manage OAuth applications, configure service integrations, and access the developer portal.
- “End User” or “User” means any individual who creates a user account on Cred, authorizes OAuth connections to Third-Party Services, and grants or revokes delegation rights to Developer applications.
- “Agent” means any software application, AI agent, or automated system that authenticates via agent tokens (cred_at_*) and requests delegated access tokens through the Cred infrastructure on behalf of Users.
- “OAuth Application” or “App” means a software application registered by a Developer through the Cred developer portal that uses the Cred OAuth 2.0 authorization framework to request delegated credentials from User-authorized connections.
- “OAuth Token” means an access token or refresh token obtained through OAuth 2.0 authorization that Users authorize Cred to manage and delegate to Developer applications. Refresh tokens are stored encrypted and never leave the vault; only short-lived access tokens are issued to Agents.
- “Delegation Service” means Cred’s core infrastructure that brokers OAuth credentials between Users and Agents. When an Agent requests access, Cred validates the Agent, checks User consent, and returns a short-lived access token. The Agent then calls Third-Party Services directly. Cred does not proxy API calls.
- “Third-Party Service” means any external OAuth provider whose services are accessible through Cred’s delegation infrastructure, including but not limited to Google, GitHub, Slack, Notion, and Salesforce.
3. Account Registration and Eligibility
3.1 Eligibility
You must be at least 18 years old and have the legal capacity to enter into a binding agreement in your jurisdiction. If you are using the Service on behalf of a company or other legal entity, you represent that you have the authority to bind such entity.
3.2 Account Types
Cred supports two account types:
- Developer Accounts: Registered through the developer portal at /auth/register. Developers manage OAuth applications, configure service integrations, create Agents, and access analytics. Authentication is handled via session-based login.
- User Accounts: Registered through the user portal at /user/register. Users authorize OAuth connections to Third-Party Services, review authorized applications, manage their delegation grants, and control which Agents can access their credentials. Authentication is handled via session-based login.
3.3 Account Security
You are responsible for maintaining the confidentiality of your account credentials, including your password, client IDs, client secrets, and any tokens issued to you. You must immediately notify us at kieran@kierans.net if you become aware of any unauthorized use of your account. We are not liable for losses arising from unauthorized use of your credentials.
3.4 Accurate Information
You agree to provide accurate, current, and complete information during registration and to keep your account information up to date.
4. Description of the Service
4.1 Platform Overview
Cred provides OAuth credential delegation infrastructure that enables Developers to request delegated access tokens on behalf of Users without exposing long-lived credentials. The platform implements OAuth 2.0 with PKCE enforcement for authorization, AES-256-GCM encryption for refresh token storage, and a delegation pipeline that issues short-lived access tokens to authorized Agents.
4.2 Core Components
The Service consists of the following components:
- OAuth 2.0 Authorization Server: RFC 6749-compliant authorization server with PKCE enforcement (RFC 7636), supporting authorization code flow, token exchange, token refresh, and token revocation (RFC 7009).
- Delegation Service: Seven-step credential delegation pipeline that validates Agent identity, checks User consent, validates requested scopes, and returns short-lived access tokens. Refresh tokens remain encrypted in the vault and are never exposed to Agents.
- Developer Portal: Web-based dashboard at cred.ninja for managing OAuth applications, configuring service integrations, viewing analytics, and managing Agent credentials.
- User Portal: Web-based interface for authorizing OAuth connections to Third-Party Services, reviewing authorized applications, monitoring delegation activity, and controlling which Agents can access credentials.
- MCP Server (@credninja/mcp): Model Context Protocol server for Claude Desktop integration, enabling interactive credential delegation with four tools: delegate, use, status, and revoke.
- TypeScript SDK (@credninja/sdk): Client library with OAuth 2.0 PKCE support, delegation helpers, DID agent identity, and framework integrations for LangChain, CrewAI, and OpenAI Agents SDK.
4.3 Supported Third-Party Services
The Delegation Service currently supports OAuth connections to Google, GitHub, Slack, Notion, and Salesforce. We may add or remove supported services at our discretion with reasonable notice.
4.4 Service Availability
We strive to maintain high availability of the Service but do not guarantee uninterrupted access. The Service may be temporarily unavailable due to maintenance, updates, infrastructure issues, or circumstances beyond our control. We will make reasonable efforts to provide advance notice of planned maintenance.
5. Developer Terms and Responsibilities
5.1 Application Registration
Developers may register OAuth applications through the developer portal. Each application is assigned a unique client ID and client secret. You are solely responsible for the security of your client credentials and must not share them publicly or embed them in client-side code.
5.2 Agent Management
Developers may create Agents that authenticate via agent tokens (cred_at_*) and request delegated access tokens. Developers are responsible for all activity conducted by their Agents, including how they use delegated tokens with Third-Party Services and compliance with Third-Party Service terms.
5.3 Token Security Obligations
While Cred encrypts refresh tokens at rest using AES-256-GCM and only issues short-lived access tokens to Agents, Developers must:
- Never attempt to extract, intercept, or persist refresh tokens. Cred never exposes them.
- Implement reasonable security measures in their own applications to protect access tokens issued by Cred.
- Not store, log, or cache access tokens beyond their intended use.
- Immediately report any suspected security breach to Cred.
5.4 User Authorization
Developers must obtain explicit User authorization through the Cred OAuth flow before accessing any User’s delegated credentials. Developers must respect User revocation of authorization and immediately cease using the affected credentials upon revocation.
5.5 Webhook Security
If Developers configure webhook endpoints, they must validate incoming webhook signatures using HMAC SHA-256 verification. Developers are responsible for the security of their webhook endpoints and must use HTTPS URLs in production environments.
5.6 Third-Party Service Compliance
Developers are independently responsible for complying with the terms of service, acceptable use policies, and usage guidelines of any Third-Party Service accessed using delegated credentials. Cred does not assume any obligation to monitor or enforce third-party terms on your behalf.
6. User Terms and Responsibilities
6.1 OAuth Connection Authorization
Users may authorize OAuth connections to supported Third-Party Services through Cred. When you complete an OAuth flow, your refresh token is encrypted using AES-256-GCM with a unique initialization vector and stored in Cred’s vault. Refresh tokens never leave the vault. Only short-lived access tokens are issued to authorized Agents. Users are responsible for the validity and authorized use of the OAuth connections they establish.
6.2 Delegation Grants
When you authorize a Developer’s application, you grant that application permission to request short-lived access tokens for the specified Third-Party Services on your behalf. The Agent then uses these tokens to call Third-Party Services directly. You can review and revoke any authorization at any time through the User portal at /user/authorizations.
6.3 Revocation Rights
You have the right to revoke any delegation grant at any time. Revocation takes effect immediately and cascades to invalidate all associated access tokens. Developers and their Agents will no longer be able to request delegated credentials on your behalf once authorization is revoked.
6.4 Credential Ownership
You retain full ownership and responsibility for your OAuth connections. Cred acts solely as a credential delegation broker. Any charges incurred on your Third-Party Service accounts through use of delegated tokens are your responsibility, whether or not such usage was authorized by you.
6.5 Account Activity
You can monitor all delegation requests and token issuances made on your behalf through the User activity dashboard. You are responsible for reviewing your activity regularly and reporting any unauthorized usage to Cred promptly.
7. Acceptable Use Policy
7.1 General Conduct
You agree not to use the Service in any manner that:
- Violates any applicable law, regulation, or third-party rights.
- Infringes intellectual property rights of any party.
- Transmits malware, viruses, or any code designed to harm systems or data.
- Attempts to gain unauthorized access to any part of the Service, other users’ accounts, or Cred’s infrastructure.
- Interferes with or disrupts the Service or servers and networks connected to the Service.
- Uses the Service for any form of spam, phishing, or social engineering.
7.2 Rate Limits
The Service enforces rate limits to ensure fair usage and platform stability. Current rate limits include:
- Authentication endpoints: 10 requests per 15 minutes.
- General API endpoints: 100 requests per 15 minutes.
- Delegation endpoints: 60 requests per minute.
- Token endpoints: 20 requests per 15 minutes.
We reserve the right to adjust rate limits at any time. Systematically exceeding rate limits or attempting to circumvent them may result in temporary or permanent suspension of your account.
7.3 Prohibited Uses
You may not use the Service to:
- Build competing credential delegation services using Cred’s infrastructure.
- Resell, redistribute, or sublicense access to the Delegation Service without written authorization from Cred.
- Use automated means to create accounts, generate excessive delegation traffic, or abuse the Service.
- Attempt to decrypt, intercept, or access refresh tokens or credentials belonging to other users.
- Use the Service in any way that violates the terms of the Third-Party Services being accessed.
8. Data Processing, Privacy, and Security
8.1 Data We Collect
In the course of providing the Service, we collect and process the following categories of data:
- Account Information: Email addresses, hashed passwords (bcrypt, cost factor 10), and account preferences for both Developer and User accounts.
- OAuth Refresh Tokens: Encrypted at rest using AES-256-GCM with a unique random initialization vector per token. Authentication tags verify data integrity. Refresh tokens are decrypted only in-memory during token refresh operations and are never exposed to Agents or Developers.
- Delegation Records: Authorization codes (10-minute expiration), delegated access tokens (1-hour expiration), and consent grants linking Users to Applications and Services.
- Audit Logs: Delegation requests, token issuances, and consent changes, including timing data and status. Retained for 30 days.
- Delegation Receipts: JWS/Ed25519 signed receipts for each delegation event, providing a cryptographically verifiable audit trail.
- Session Data: Browser session information managed through express-session with secure configuration.
8.2 How We Use Your Data
We use the data we collect to operate and maintain the Service, provide analytics dashboards, monitor and enforce rate limits, detect fraudulent activity, communicate with you about your account, and improve the Service.
8.3 Security Measures
We implement the following security measures to protect your data:
- Encryption: AES-256-GCM for refresh tokens at rest with AWS KMS for key management, bcrypt for password hashing, HTTPS for all data in transit.
- Authentication: OAuth 2.0 with mandatory PKCE (S256 code challenge), session-based developer authentication, and agent token (cred_at_*) validation with SHA-256 hashing at rest.
- Infrastructure: Helmet security headers, CORS whitelisting, CSRF origin validation, PII redaction in logs, per-account cryptographic isolation, and tiered rate limiting.
- Monitoring: Sentry integration for real-time error tracking and performance monitoring.
8.4 Data Retention
- Account Data: Retained for the lifetime of your account and deleted upon account termination.
- Audit Logs: Retained for 30 days, then automatically purged.
- OAuth Tokens: Access tokens expire after 1 hour. Refresh tokens are retained until revoked or account termination.
- Delegation Grants: Persistent until the User revokes them or either party’s account is terminated.
8.5 Data Sharing
We do not sell your personal data. We may share data when exchanging tokens with Third-Party Services during OAuth flows, when required by law, or in the event of a security incident. Agents receive only short-lived access tokens. Refresh tokens are never shared.
8.6 GDPR and International Users
If you are located in the EEA, the UK, or another jurisdiction with data protection laws, you may have additional rights, including the right to access, correct, delete, or port your personal data. Contact us at kieran@kierans.net to exercise these rights. We will respond within 30 days.
9. Intellectual Property
9.1 Cred’s Intellectual Property
The Service, including the developer portal, API infrastructure, SDKs, MCP server, documentation, and all associated code, design, and content, is owned by Cred and protected by copyright, trademark, and other intellectual property laws.
9.2 SDK and MCP Server License
The Cred TypeScript SDK (@credninja/sdk) and MCP server (@credninja/mcp) are distributed under open-source licenses as specified in their respective package repositories. Your use of these tools is subject to both these Terms and the applicable open-source license.
9.3 Your Content
You retain ownership of all content, data, and OAuth tokens you provide to the Service. By using the Service, you grant Cred a limited, non-exclusive license to process your data solely as necessary to provide the Service.
9.4 Feedback
If you provide feedback, suggestions, or ideas about the Service, you grant Cred a non-exclusive, royalty-free, perpetual, irrevocable license to use, modify, and incorporate that feedback into the Service without obligation to you.
10. Payment Terms
10.1 Current Pricing
Cred currently operates under a developer-pays model. Specific pricing terms will be communicated through the developer portal and may include usage-based billing tiers. We will provide at least 30 days’ notice before introducing new fees or changing existing pricing.
10.2 Third-Party Service Costs
Cred does not cover the costs incurred on your Third-Party Service accounts. Any API usage charges from Google, GitHub, Slack, Notion, Salesforce, or other Third-Party Services accessed using delegated credentials are your sole responsibility.
11. Disclaimers and Limitations of Liability
11.1 “As Is” Service
THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. We disclaim all warranties, including implied warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranties arising from course of dealing or usage of trade.
11.2 Third-Party Service Disclaimer
Cred acts as a credential delegation broker and does not control or guarantee the availability, accuracy, reliability, or performance of Third-Party Services. We are not responsible for downtime, errors, changes to APIs or pricing, data loss, or rate limiting imposed by Third-Party Services.
11.3 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, CRED SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, DATA, USE, OR GOODWILL, ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR THE SERVICE.
OUR TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS YOU PAID TO CRED IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED U.S. DOLLARS ($100).
11.4 Security Disclaimer
While we implement industry-standard security measures including AES-256-GCM encryption and PKCE-enforced OAuth, no system is perfectly secure. We do not guarantee that the Service will be free from security vulnerabilities, and we are not liable for damages arising from a security breach except to the extent caused by our gross negligence or willful misconduct.
12. Indemnification
You agree to indemnify, defend, and hold harmless Cred and its officers, directors, employees, agents, and affiliates from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys’ fees) arising out of or in connection with:
- Your use of the Service or violation of these Terms.
- Your violation of any third-party rights, including Third-Party Service terms.
- Any delegation requests made through the Service using your credentials or authorizations.
- Any application or Agent you develop using the Service.
- Your failure to maintain adequate security of your credentials, OAuth tokens, or webhook endpoints.
- Any content or data you process through the Service.
13. Termination
13.1 Termination by You
You may terminate your account at any time through the account settings page. Termination will result in immediate revocation of all active delegation grants, invalidation of all associated OAuth tokens, deletion of your stored refresh tokens from our encrypted vault, and deletion of your account data, subject to any legal retention requirements.
13.2 Termination by Cred
We may suspend or terminate your account at any time if you breach these Terms, your use poses a security risk, we are required to do so by law, or we discontinue the Service. Where practicable, we will provide advance notice and an opportunity to export your data before termination.
13.3 Effect of Termination
Upon termination, all rights granted to you under these Terms will immediately cease. Sections 8 (Data Processing), 9 (Intellectual Property), 11 (Disclaimers), 12 (Indemnification), and 14 (Dispute Resolution) will survive termination.
13.4 Data Export
Prior to account termination, you may export your data through the available API endpoints or by contacting us at kieran@kierans.net. We will provide reasonable assistance with data export for a period of 30 days following termination notice.
14. Dispute Resolution
14.1 Governing Law
These Terms shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, without regard to conflict of law principles.
14.2 Informal Resolution
Before initiating any formal dispute resolution proceeding, you agree to first contact us at kieran@kierans.net and attempt to resolve the dispute informally for a period of at least 30 days.
14.3 Arbitration
If informal resolution is unsuccessful, any dispute arising out of or relating to these Terms shall be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The arbitration shall take place in the State of Delaware.
14.4 Class Action Waiver
YOU AGREE THAT ANY DISPUTE RESOLUTION PROCEEDINGS WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION.
14.5 Exceptions
Nothing in this section prevents either party from seeking injunctive or other equitable relief in court for matters relating to intellectual property rights or data security.
15. General Provisions
15.1 Entire Agreement
These Terms, together with any Privacy Policy and any service-specific agreements referenced herein, constitute the entire agreement between you and Cred regarding the Service.
15.2 Severability
If any provision of these Terms is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.
15.3 No Waiver
Our failure to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.
15.4 Assignment
You may not assign or transfer these Terms without our prior written consent. We may assign these Terms in connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets.
15.5 Force Majeure
Cred shall not be liable for any delay or failure to perform resulting from causes outside its reasonable control, including natural disasters, war, terrorism, pandemics, labor disputes, power failures, internet disturbances, or actions of governmental authorities.
15.6 Notices
Notices to Cred should be sent to kieran@kierans.net. We may send notices to you at the email address associated with your account.
16. Contact Information
If you have any questions about these Terms or the Service, please contact us:
Cred
Email: kieran@kierans.net
Website: https://cred.ninja
API: https://api.cred.ninja