Skip to main content
GET
Get Federation Configuration for a Connection

Path Parameters

nameOrID
string
required

Name or UUID of the connection

Response

OK

hook_source
enum<string>
required

HookSource selects which resolver category the gateway runs. Only the built-in resolver category ships today; the field is preserved so new sources can be added without breaking existing configurations.

Available options:
builtin
Example:

"builtin"

admin_credentials_json
string

AdminCredentialsJSON is the plaintext admin credential blob. Its shape is provider-specific: for gcp_iam it is the admin service-account JSON; for gcp_oauth it is the OAuth client config JSON ({"client_id":"...", "client_secret":"..."}). Write-only — never returned on GET. Required on the initial POST when HookSource=builtin; optional on PUT (omitting it leaves the stored value unchanged).

builtin_provider
enum<string>

BuiltinProvider is required when HookSource=builtin. "gcp_iam" impersonates a per-user service account via an admin SA key; "gcp_oauth" mints tokens from a per-user Google OAuth refresh token (no service accounts).

Available options:
gcp_iam,
gcp_oauth
Example:

"gcp_iam"

connection_id
string

ConnectionID is the connection this federation config applies to. Populated by the server from the URL path on writes.

Example:

"15B5A2FD-0706-4A47-B1CF-B93CCFC5B3D7"

created_at
string

CreatedAt / UpdatedAt are server-set audit timestamps.

Example:

"2025-05-25T17:00:00Z"

extra_config
object

ExtraConfig is provider-specific freeform JSON (e.g. {"project_id": "my-gcp-proj"}). The gateway does not interpret unknown keys.

fallback_policy
enum<string>

FallbackPolicy controls behavior when resolution fails. "deny" aborts the session; "static" skips federation and lets the session run on the connection's existing static credentials.

Available options:
deny,
static
Example:

"deny"

has_admin_credentials
boolean

HasAdminCredentials is server-set on GET responses to let the UI know whether a credential is stored without exposing its value.

Example:

true

id
string

ID is the federation row's UUID. Empty on POST requests; populated on GET/PUT responses.

Example:

"15B5A2FD-0706-4A47-B1CF-B93CCFC5B3D7"

identity_source_attribute
string

IdentitySourceAttribute is a JSONPath-like accessor into the Hoop user (defaults to $.user.email).

Example:

"$.user.email"

identity_target_template
string

IdentityTargetTemplate is the principal template the source attribute substitutes into (defaults to "{user.email}").

Example:

"{user.email}"

token_ttl_seconds
integer

TokenTTLSeconds caps the lifetime of generated credentials (default 3600, max 43200). Built-in providers may clamp lower based on cloud API limits.

Example:

3600

updated_at
string
Example:

"2025-05-25T17:00:00Z"