Overview
The Credentials API provides secure, server-side encryption for sensitive creator credentials (API keys, passwords, session cookies). All encryption uses AES-256-GCM with keys that never leave the server.
Key Features:
- Server-side encryption (clients never handle encryption keys)
- Multiple credential types: platform connections, download credentials, session cookies
- Directus JWT authentication for user-facing endpoints
- Shared secret authentication for server-to-server operations
Endpoint Categories
User-facing endpoints for managing creator platform credentials (Instagram, TikTok, etc.)
2. Download Credentials
YouTube-DL/yt-dlp compatible credentials (passwords, Netscape cookies)
Browser extension cookie capture for HITL (Human-in-the-Loop) authentication
POST /api/credentials/create-profile
Create or update a creator profile with encrypted credentials.
Authentication: Directus JWT (Bearer token)
Platform identifier (e.g., instagram, tiktok, youtube)
Creator’s username on the platform (optional)
Platform-specific credentials object (will be encrypted server-side)Example for Instagram:{
"username": "creator123",
"password": "securepass",
"session_id": "abc123xyz"
}
UUID of the created/updated platform_connections record
true if existing connection was updated, false if new record created
curl -X POST http://localhost:3001/api/credentials/create-profile \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "Content-Type: application/json" \
-d '{
"platform": "instagram",
"platform_username": "fitcreator99",
"credentials": {
"username": "fitcreator99",
"password": "MySecurePass123!",
"session_id": "abc123sessionxyz"
}
}'
{
"success": true,
"id": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f",
"updated": false
}
POST /api/credentials/update-profile-creds
Update encrypted credentials on an existing creator profile the user owns.
Authentication: Directus JWT (Bearer token)
UUID of the platform_connections record to update
New credentials object (replaces existing encrypted data)
Update the platform username (optional)
curl -X POST http://localhost:3001/api/credentials/update-profile-creds \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "Content-Type: application/json" \
-d '{
"creator_profile_id": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f",
"credentials": {
"username": "fitcreator99",
"password": "NewSecurePass456!",
"session_id": "newSessionXYZ789"
}
}'
{
"success": true,
"id": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f"
}
Server-to-Server Endpoints
These endpoints require the X-RBAC-SYNC-SECRET header. Never call from client code.
POST /api/credentials/store
Encrypt and save credentials to Directus platform_connections table.
Authentication: X-RBAC-SYNC-SECRET header
UUID of the platform_connections record
Credentials object to encrypt and store
curl -X POST http://localhost:3001/api/credentials/store \
-H "X-RBAC-SYNC-SECRET: your-secret-key-here" \
-H "Content-Type: application/json" \
-d '{
"creatorProfileId": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f",
"credentials": {
"api_key": "sk-proj-abc123xyz",
"refresh_token": "refresh_token_value"
}
}'
{
"success": true,
"creatorProfileId": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f",
"updated": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f"
}
POST /api/credentials/reveal
Decrypt and return credentials for a creator profile.
Authentication: X-RBAC-SYNC-SECRET header
UUID of the platform_connections record
Decrypted credentials object
curl -X POST http://localhost:3001/api/credentials/reveal \
-H "X-RBAC-SYNC-SECRET: your-secret-key-here" \
-H "Content-Type: application/json" \
-d '{
"creatorProfileId": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f"
}'
{
"success": true,
"creatorProfileId": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f",
"credentials": {
"api_key": "sk-proj-abc123xyz",
"refresh_token": "refresh_token_value"
}
}
Download Credentials (yt-dlp)
POST /api/credentials/create-download-cred
Create credentials for yt-dlp/youtube-dl authentication (password or cookies).
Authentication: Directus JWT (Bearer token)
Platform identifier (e.g., youtube, instagram)
UUID of the associated platform_connections record
Either password or cookies
Platform username (optional for cookies auth)
For password auth:{ "password": "mypassword" }
cookies auth:{ "cookies_netscape": "# Netscape HTTP Cookie File\n.youtube.com\tTRUE\t/\t..." }
Human-readable name for this credential set (optional)
curl -X POST http://localhost:3001/api/credentials/create-download-cred \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "Content-Type: application/json" \
-d '{
"platform": "youtube",
"creator_profile_id": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f",
"auth_type": "password",
"username": "[email protected]",
"credentials": {
"password": "MyYouTubePassword123"
},
"display_name": "My YouTube Channel"
}'
{
"success": true,
"id": "a1b2c3d4-5e6f-7g8h-9i0j-k1l2m3n4o5p6"
}
POST /api/credentials/reveal-download-cred
Decrypt download credentials (server-to-server only).
Authentication: X-RBAC-SYNC-SECRET header
UUID of the download_credentials record
curl -X POST http://localhost:3001/api/credentials/reveal-download-cred \
-H "X-RBAC-SYNC-SECRET: your-secret-key-here" \
-H "Content-Type: application/json" \
-d '{"id": "a1b2c3d4-5e6f-7g8h-9i0j-k1l2m3n4o5p6"}'
{
"success": true,
"id": "a1b2c3d4-5e6f-7g8h-9i0j-k1l2m3n4o5p6",
"platform": "youtube",
"auth_type": "password",
"credentials": {
"password": "MyYouTubePassword123"
}
}
POST /api/credentials/store-platform-session
Store browser cookies captured via extension (HITL authentication).
Authentication: Directus JWT (Bearer token)
UUID of the platform_connections record
Platform identifier (e.g., instagram, tiktok)
Array of browser cookie objects:[
{
"name": "sessionid",
"value": "abc123xyz",
"domain": ".instagram.com",
"path": "/",
"expires": 1735689600,
"httpOnly": true,
"secure": true
}
]
Browser user agent string (optional)
ISO 8601 expiry timestamp (optional)
curl -X POST http://localhost:3001/api/credentials/store-platform-session \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "Content-Type: application/json" \
-d '{
"creator_profile_id": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f",
"platform": "instagram",
"cookies": [
{
"name": "sessionid",
"value": "123456789%3AabcXYZ%3A28",
"domain": ".instagram.com",
"path": "/",
"expires": 1735689600,
"httpOnly": true,
"secure": true
}
],
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
}'
{
"success": true,
"id": "session-uuid-123",
"platform": "instagram",
"cookie_count": 1
}
POST /api/credentials/get-platform-session
Retrieve decrypted session cookies (server-to-server only).
Authentication: X-RBAC-SYNC-SECRET header
UUID of the platform_connections record
curl -X POST http://localhost:3001/api/credentials/get-platform-session \
-H "X-RBAC-SYNC-SECRET: your-secret-key-here" \
-H "Content-Type: application/json" \
-d '{
"creator_profile_id": "d3f21c8e-4a5b-4c9d-8e7f-1a2b3c4d5e6f",
"platform": "instagram"
}'
{
"success": true,
"id": "session-uuid-123",
"platform": "instagram",
"cookies": [
{
"name": "sessionid",
"value": "123456789%3AabcXYZ%3A28",
"domain": ".instagram.com",
"path": "/",
"expires": 1735689600,
"httpOnly": true,
"secure": true
}
],
"captured_at": "2026-01-15T10:30:00.000Z",
"expires_at": "2026-12-31T23:59:59.000Z",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
}
POST /api/credentials/revoke-platform-session
Mark a platform session as revoked (disables cookie usage).
Authentication: Directus JWT (Bearer token)
UUID of the platform_sessions record
curl -X POST http://localhost:3001/api/credentials/revoke-platform-session \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "Content-Type: application/json" \
-d '{"id": "session-uuid-123"}'
{
"success": true,
"id": "session-uuid-123"
}
Encryption Details
All credential encryption uses the encryptJSON() and decryptJSON() utilities (server/utils/credentialsCrypto.js):
- Algorithm: AES-256-GCM
- Key derivation: Server-side environment variable (never exposed)
- IV: Randomly generated per encryption operation
- Output format: Base64-encoded
iv:authTag:ciphertext
Security guarantees:
- Encryption keys never leave the server
- Clients never handle plaintext encryption keys
- Each credential has unique IV (no key reuse)
- Authentication tags prevent tampering
Error Handling
Common error responses:
Missing credentials:
{
"success": false,
"error": "No encrypted_credentials found"
}
{
"success": false,
"error": "Unauthorized"
}
{
"success": false,
"error": "Forbidden"
}
{
"success": false,
"error": "Directus 400 /items/platform_connections/invalid-uuid: {\"errors\":[{\"message\":\"Invalid UUID\"}]}"
}
