A credential is a time-bounded authorization issued to an agent on behalf of a specific user. Issuing a credential is the consent event that anchors the agent’s authority into the audit chain.

Dashboard

Developers → Agents → [agent name] → Issue credential
| Field | Required | Description |
| --- | --- | --- |
| Name | Yes | Label for this credential issuance (e.g. “Shift A — 2026-05-11”). |
| Description | No | Optional note for the audit trail. |
| Scope grants | Yes | One or more scope grants defining what the agent may do. Must be within the agent’s allowed scope types. |
| Expires in | Yes | Duration until the credential expires. Options: 1 hour, 8 hours, 24 hours, 7 days, 30 days. |
| Revocation policy | Yes | drain or kill. Defaults to the agent’s registered default. |
| Max concurrent invocations | No | Maximum number of parallel tool invocations. Default 10. |

After issuing, the plaintext bearer token is displayed once. Copy it immediately — HASP stores only the SHA-256 hash and cannot recover the plaintext.

API

POST https://api.usehasp.com/v1/agents/{agent_id}/credentials
Authorization: Bearer hasp_key_live_...
Content-Type: application/json

Body

{
  "name": "Shift A — 2026-05-11",
  "granted_scopes": [
    { "type": "hasp.data.read" },
    { "type": "external.tool.invoke", "tool_id": "calendar.find_slots" }
  ],
  "expires_at": "2026-05-11T17:00:00Z",
  "revocation_policy": "drain",
  "max_concurrent_invocations": 10
}

Fields

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Credential label. 2–255 chars. |
| description | string | No | Optional description. |
| granted_scopes | ScopeGrant[] | Yes | Scope grant objects. Min 1, max 20. See Scope Grants. |
| expires_at | ISO 8601 datetime | Yes | Must be in the future. |
| revocation_policy | drain \| kill | Yes | Revocation behavior. |
| max_concurrent_invocations | integer | No | 1–1000. Default 10. |

Response

{
  "success": true,
  "data": {
    "credential": {
      "id": "01JQCRED0000000000000000",
      "agent_id": "01JQAGENT0000000000000000",
      "name": "Shift A — 2026-05-11",
      "prefix": "hasp_agent_",
      "last_four": "a3f9",
      "mode": "live",
      "granted_scopes": [
        { "type": "hasp.data.read" },
        { "type": "external.tool.invoke", "tool_id": "calendar.find_slots" }
      ],
      "expires_at": "2026-05-11T17:00:00+00:00",
      "revocation_policy": "drain",
      "max_concurrent_invocations": 10,
      "consent_record_id": "01JQAUDIT0000000000000000",
      "created_at": "2026-05-11T09:00:00+00:00"
    },
    "token": "hasp_agent_<32-random-chars>"
  }
}
The token field is returned only in this response. It is not stored and cannot be retrieved later.

Errors

| Code | HTTP | Meaning |
| --- | --- | --- |
| AGENT_ARCHIVED | 422 | Cannot issue credentials for an archived agent. |
| INVALID_SCOPE_TYPE | 422 | A scope type is not in the agent’s allowed_scope_types. |
| EXPIRY_IN_PAST | 422 | expires_at is not in the future. |

Using the credential

Pass the bearer token in the Authorization header on every API call:
Authorization: Bearer hasp_agent_<token>
The gateway resolves the token to the credential, validates it is active and unexpired, and runs the pre-action authorization check before any tool invocation is executed.

Token format

| Mode | Prefix | Example |
| --- | --- | --- |
| Live | hasp_agent_ | hasp_agent_abcdef... |
| Test | hasp_agent_test_ | hasp_agent_test_abcdef... |

The test-mode token is issued when your developer console is in test mode (toggleable in the developer dashboard). Test credentials do not authorize real tool invocations and are excluded from metered Agent Actions billing.
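
A sketch of the hash-only storage and the resolve-then-validate flow described above, as an added example that is not HASP's own code. The in-memory store, the record fields, the token alphabet and the failure reason strings are assumptions.

```python
import hashlib
import secrets
import string
from datetime import datetime, timedelta, timezone

# Prefixes from the Token format table. Note the test prefix extends the live one.
PREFIXES = {"live": "hasp_agent_", "test": "hasp_agent_test_"}
# Assumption: the page only says "32 random chars"; this alphabet is illustrative.
ALPHABET = string.ascii_lowercase + string.digits


def issue(store, mode, expires_at):
    """Mint a token, persist only its SHA-256 digest, return the plaintext once."""
    token = PREFIXES[mode] + "".join(secrets.choice(ALPHABET) for _ in range(32))
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Unsalted SHA-256 is adequate here because the token is long and random,
    # unlike a password. The record keeps display metadata, never the token.
    store[digest] = {"mode": mode, "last_four": token[-4:],
                     "expires_at": expires_at, "revoked": False}
    return token


def resolve(store, presented, now):
    """Map a presented bearer token to (record, reason); record is None on failure."""
    if not presented.startswith(PREFIXES["live"]):  # also matches test tokens
        return None, "malformed"
    # Lookup is by digest, so the plaintext is never compared against stored data.
    record = store.get(hashlib.sha256(presented.encode()).hexdigest())
    if record is None:
        return None, "unknown"
    if record["revoked"]:
        return None, "revoked"
    if now >= record["expires_at"]:
        return None, "expired"
    return record, "ok"  # mode comes from the stored record, not the prefix


if __name__ == "__main__":
    now = datetime(2026, 5, 11, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    db = {}
    tok = issue(db, "live", now + timedelta(hours=8))
    print(resolve(db, tok, now)[1])                        # usable
    print(resolve(db, tok, now + timedelta(hours=9))[1])   # past expires_at
```

Because the test prefix begins with the live prefix, a prefix check alone cannot tell the two modes apart unless the longer prefix is tested first; the sketch reads the mode from the stored record instead.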

Listing credentials

GET https://api.usehasp.com/v1/agents/{agent_id}/credentials
Authorization: Bearer hasp_key_live_...
Returns credentials for the agent, newest first. The token field is never returned in list or detail responses — only in the issuance response.

Query parameters

| Parameter | Description |
| --- | --- |
| status | active, revoked, expired, or all (default). |
| page | Page number. |

Retrieving a credential

GET https://api.usehasp.com/v1/agents/{agent_id}/credentials/{credential_id}
Authorization: Bearer hasp_key_live_...

Revoking a credential

POST https://api.usehasp.com/v1/agents/{agent_id}/credentials/{credential_id}/revoke
Authorization: Bearer hasp_key_live_...
Content-Type: application/json

Body (optional)

{
  "reason": "Shift ended"
}

Revocation is immediate. The credential’s configured revocation_policy governs in-flight work (drain vs. kill). All delegation descendants are revoked at the same time under the kill policy, regardless of their own configured policy.

Response

{
  "success": true,
  "data": {
    "revoked_credential_ids": [
      "01JQCRED0000000000000000",
      "01JQCRED0000000000000001"
    ]
  }
}
The response includes the root credential plus any cascade-revoked descendants.