The Credentials API manages reusable SSH authentication credentials — either a username/password pair or an SSH key pair. Once saved, a credential can be applied to one or many hosts, simplifying rotation and access control. The API also provides utility endpoints for generating, parsing, and validating SSH keys without persisting them.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Termix-SSH/Termix/llms.txt
Use this file to discover all available pages before exploring further.
All endpoints require a valid
jwt session cookie or Authorization: Bearer <token> header. Secret fields (password, key, keyPassword, privateKey) are stripped from list responses; use GET /credentials/:id to retrieve them.Credential CRUD
POST /credentials
Create a new credential. The credential is encrypted with the user’s data key before storage.Human-readable label (e.g.
Production SSH key).Authentication type:
password or key.Login username associated with this credential.
Password value. Required when
authType is password.PEM-encoded SSH private key. Required when
authType is key. Must include -----BEGIN and -----END headers.Passphrase for an encrypted SSH private key.
Algorithm hint (e.g.
ssh-ed25519, ssh-rsa, ecdsa-sha2-nistp256). Auto-detected when omitted.Optional free-text description.
Folder name for grouping credentials.
Array of tag strings.
Auto-assigned credential ID.
password or key.Derived public key (key credentials only).
Algorithm label supplied at creation.
Auto-detected algorithm from key parsing.
Number of times this credential has been applied to a host.
ISO 8601 timestamp of last usage, or
null.| Status | Meaning |
|---|---|
201 | Credential created; sanitized object returned. |
400 | name missing, invalid authType, missing secret, or invalid SSH key. |
500 | Database or encryption error. |
GET /credentials
Return all credentials for the authenticated user, ordered by most recently updated. Secret fields are omitted.object[]
Array of sanitized credential objects (same shape as the
POST /credentials response, without password, key, keyPassword, or privateKey).| Status | Meaning |
|---|---|
200 | Credential list returned. |
400 | Invalid session. |
500 | Database error. |
GET /credentials/:id
Return a single credential by ID, including the secret fields (password, key, privateKey, publicKey, keyPassword).
Credential ID.
| Status | Meaning |
|---|---|
200 | Full credential object returned. |
400 | Invalid request. |
404 | Credential not found (or not owned by caller). |
500 | Database or decryption error. |
PUT /credentials/:id
Update fields on an existing credential. Only fields present in the request body are changed.Credential ID.
New label.
Updated description.
Folder assignment.
Replacement tag array.
Updated login username.
Updated auth type (
password or key).New password value.
New PEM-encoded private key. Triggers re-parsing to update
publicKey and detectedKeyType.New key passphrase.
Updated algorithm hint.
| Status | Meaning |
|---|---|
200 | Updated credential returned (sanitized). |
400 | Invalid request or malformed key. |
404 | Credential not found. |
500 | Update or re-encryption error. |
DELETE /credentials/:id
Delete a credential. Any hosts that were using this credential have theircredentialId, password, key, and keyPassword cleared, and any host-sharing grants for those hosts are revoked.
Credential ID.
| Status | Meaning |
|---|---|
200 | Credential deleted. |
400 | Invalid request. |
404 | Credential not found. |
500 | Database error. |
Host application
POST /credentials/:id/apply-to-host/:hostId
Apply a credential to a host. Sets the host’scredentialId, clears any inline password/key, and records usage statistics.
Credential ID.
Host ID to apply the credential to.
| Status | Meaning |
|---|---|
200 | Credential applied. |
400 | Invalid request. |
404 | Credential not found. |
500 | Database error. |
GET /credentials/:id/hosts
Return a list of all hosts currently using this credential.Credential ID.
object[]
Array of host objects with fields:
id, userId, name, ip, port, username, folder, tags, pin, authType, enableTerminal, enableTunnel, tunnelConnections, enableFileManager, defaultPath, createdAt, updatedAt.| Status | Meaning |
|---|---|
200 | Host list returned. |
400 | Invalid request. |
500 | Database error. |
Folders
GET /credentials/folders
Return all folder names that contain at least one credential for the authenticated user.string[]
Array of non-empty folder name strings.
| Status | Meaning |
|---|---|
200 | Folder list returned. |
400 | Invalid session. |
500 | Database error. |
PUT /credentials/folders/rename
Rename a credential folder. Updates all credentials in that folder.Current folder name.
New folder name. Must differ from
oldName.| Status | Meaning |
|---|---|
200 | Folder renamed. |
400 | Missing names, or oldName equals newName. |
500 | Database error. |
SSH key utilities
The following endpoints operate on raw key material without persisting anything to the database. They are useful for validating or inspecting keys before storing them as credentials.POST /credentials/detect-key-type
Parse an SSH private key and detect its algorithm.PEM-encoded SSH private key.
Passphrase if the key is encrypted.
true when the key was parsed successfully.Detected algorithm (e.g.
ssh-ed25519, ssh-rsa, ecdsa-sha2-nistp256).Same value as
keyType.Whether a public key was derived from the private key.
Error message when
success is false.| Status | Meaning |
|---|---|
200 | Detection result returned (check success field). |
400 | privateKey is missing. |
500 | Unexpected parsing error. |
POST /credentials/detect-public-key-type
Parse an SSH public key and detect its algorithm.SSH public key string (e.g.
ssh-ed25519 AAAA...).| Status | Meaning |
|---|---|
200 | Result returned. |
400 | publicKey is missing. |
500 | Parsing error. |
POST /credentials/validate-key-pair
Verify that a private key and a public key form a matching pair.PEM-encoded SSH private key.
SSH public key string.
Passphrase for an encrypted private key.
true when the keys match.Detected algorithm of the private key.
Detected algorithm of the public key.
Public key derived from the private key, for comparison.
Error message when
isValid is false.| Status | Meaning |
|---|---|
200 | Validation result returned. |
400 | privateKey or publicKey is missing. |
500 | Validation error. |
POST /credentials/generate-key-pair
Generate a new SSH key pair. Supported types:ssh-ed25519 (default), ssh-rsa, ecdsa-sha2-nistp256.
Algorithm:
ssh-ed25519, ssh-rsa, or ecdsa-sha2-nistp256.Key size in bits. Only relevant for
ssh-rsa.Optional passphrase to encrypt the private key.
PEM-encoded private key.
Corresponding public key in OpenSSH format.
Algorithm used.
Always
"ssh".Same as
keyType.Bit size (RSA only).
Curve name for ECDSA (
"nistp256").| Status | Meaning |
|---|---|
200 | Key pair returned. |
500 | Key generation failed. |
POST /credentials/generate-public-key
Derive the SSH public key from a PEM private key. Tries multiple parsing strategies including PKCS#8, PKCS#1, SEC1, and OpenSSH formats.PEM-encoded SSH private key.
Passphrase for an encrypted key.
Derived public key in OpenSSH format (e.g.
ssh-ed25519 AAAAC3Nz...).Detected algorithm.
"ssh" or "pem" depending on which parsing path succeeded.| Status | Meaning |
|---|---|
200 | Public key returned. |
400 | privateKey missing or unparseable. |
500 | Derivation error. |