dodil k3 credential
Store credentials + run the OAuth flow. Aliased as dodil k3 cred. The CLI exposes the three most-common operations — get/list/delete/validate/refresh live on the API.
Preview — credentials are paired with external sources, which are Preview. The production internal-S3 path needs no credential. Shapes below reflect today’s CLI; expect refinements.
Credentials are org-scoped. They can optionally link to a source_id via --source-id on oauth-exchange.
dodil k3 credential store
dodil k3 credential store [display-name]
Stores a credential. The current CLI implementation accepts only the display-name positional; the credential type and payload are taken from prompts / stdin (see your dodil build’s help text). For programmatic, fully-flagged credential creation, prefer the StoreCredential API.
Example:
dodil k3 credential store "s3-primary"
dodil k3 credential oauth-url
Stage 1 of the OAuth authorization-code flow. Asks K3 for a provider authorization URL you redirect your user to.
dodil k3 credential oauth-url -p PROVIDER_ID

| Flag | Short | Type | Description |
|---|---|---|---|
| --provider-id | -p | string | Required. Provider key — normalized case-insensitively (see below) |
Example:
dodil k3 credential oauth-url -p google_drive -o json
# Response includes auth_url + state — redirect the user to auth_url
dodil k3 credential oauth-exchange
Stage 3 — exchange the OAuth code returned by the provider for stored credentials.
dodil k3 credential oauth-exchange \
-p PROVIDER_ID \
-c OAUTH_CODE \
[--redirect-uri URI] \
[--state STATE] \
[--source-id SOURCE_ID] \
[--display-name NAME]

| Flag | Short | Type | Description |
|---|---|---|---|
| --provider-id | -p | string | Required. Same provider as oauth-url |
| --code | -c | string | Required. Authorization code from the provider callback |
| --redirect-uri | — | string | Same URI passed to oauth-url |
| --state | — | string | CSRF / correlation token (matches oauth-url’s state) |
| --source-id | — | string | Link credential to an existing source |
| --display-name | — | string | Human-friendly name |
Example — Google Drive:
# 1. Get authorization URL
URL=$(dodil k3 credential oauth-url -p google_drive -o json | jq -r '.authUrl')
open "$URL" # user authorizes; provider redirects to callback with ?code=...
# 2. Exchange the code
dodil k3 credential oauth-exchange \
-p google_drive \
-c "<oauth_code>" \
--redirect-uri "https://app.example.com/k3/oauth/callback" \
--display-name "gdrive-main"
Provider-ID input
The CLI normalizes provider IDs case-insensitively, with _ and - interchangeable:
- google_drive
- GOOGLE-DRIVE
- source_provider_google_drive
All three resolve to SOURCE_PROVIDER_GOOGLE_DRIVE.
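The Google Drive example above never passes --state to oauth-exchange, although the flag table describes it as the CSRF / correlation token. The following is an added example, not code from the dodil project: it checks the state returned on the callback against the one issued by oauth-url and refuses to exchange on a mismatch. The function names, the JSON field names (.state, .authUrl or .auth_url) and the paste-the-redirect-URL step are assumptions.

```shell
# Added example, not dodil project code. Assumed: oauth-url JSON exposes "state"
# and "authUrl" or "auth_url"; the operator pastes the redirect URL back.

urldecode() {  # decode %XX escapes in one query value (POSIX sh)
  s=$1 out=
  while [ -n "$s" ]; do
    case $s in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex=${s#%}; hex=${hex%"${hex#??}"}
        out=$out$(printf "\\$(printf '%03o' "0x$hex")"); s=${s#???} ;;
      *) out=$out${s%"${s#?}"}; s=${s#?} ;;
    esac
  done
  printf '%s' "$out"
}

query_param() {  # print decoded value of parameter $2 from URL $1
  case $1 in *\?*) q=${1#*\?}; q=${q%%\#*} ;; *) return 0 ;; esac
  found=; old_ifs=$IFS; IFS='&'; set -f
  for pair in $q; do
    if [ "${pair%%=*}" = "$2" ]; then found=${pair#*=}; break; fi
  done
  IFS=$old_ifs; set +f
  urldecode "$found"
}

# Print the code only when the callback state equals the state issued by
# oauth-url; otherwise return 1 so oauth-exchange is never attempted.
callback_code() {
  returned=$(query_param "$2" state); code=$(query_param "$2" code)
  if [ -z "$1" ] || [ "$returned" != "$1" ]; then
    echo "state mismatch: refusing to exchange" >&2; return 1
  fi
  [ -n "$code" ] || { echo "callback has no code" >&2; return 1; }
  printf '%s\n' "$code"
}

run_flow() {  # full flow; needs dodil, jq and a signed-in session
  resp=$(dodil k3 credential oauth-url -p google_drive -o json) || return 1
  state=$(printf '%s' "$resp" | jq -r '.state // empty')
  echo "Open: $(printf '%s' "$resp" | jq -r '.authUrl // .auth_url // empty')"
  printf 'Paste the full redirect URL: '; read -r cb
  code=$(callback_code "$state" "$cb") || return 1
  dodil k3 credential oauth-exchange -p google_drive -c "$code" \
    --state "$state" --display-name "gdrive-main" \
    --redirect-uri "https://app.example.com/k3/oauth/callback"
}

# Constructed callback: matching state, percent-encoded code. Prints 4/0Abc
callback_code "st-123" "https://app.example.com/k3/oauth/callback?code=4%2F0Abc&state=st-123"
```

Call run_flow to drive the real CLI; the last line only exercises the check on a constructed callback URL.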
Operations not in the CLI today
| Operation | Use the API |
|---|---|
| GetCredential (with secret payload) | GET /admin/credentials/:id |
| ListCredentials | GET /admin/credentials |
| DeleteCredential | DELETE /admin/credentials/:id |
| ValidateCredential | POST /admin/credentials/:id/validate |
| RefreshOAuthToken | POST /admin/credentials/:id/refresh |
See also
- Credentials — API Reference — full surface
- dodil k3 source — sources that credentials authenticate against
- Core Concepts → Credential — type signature + payload variants