Credentials
Credentials are securely stored secrets that Zerq uses to authenticate with your backend services. They are separate from client access credentials — credentials are for the gateway's outbound connections, not inbound client authentication.
Credential guides
- Type matrix
- HTTP auth
- OAuth2 client credentials
- mTLS client certificate
- Database
- Messaging and email
- Environment variables
- Encryption and secret sources
- Runtime auth application
Why use Credentials?
Without Credentials, you would need to hardcode secrets in your proxy configuration. Credentials let you:
- Store secrets once, reuse them across multiple collections or proxies
- Rotate secrets in one place without updating every proxy
- Reference environment variables so secrets never appear in the UI or database
- Keep audit trails of who created or modified credentials
How they work
- Create a Credential in the Credentials section of the management UI
- Attach the credential to a Collection
- Zerq automatically includes the credential when forwarding requests to the backend
For example, if your backend requires an API key, create an API Key credential with the key value. Zerq will add the Authorization: Bearer <key> header (or query param, depending on config) to every forwarded request in that collection.
Security
- All credential values are encrypted at rest using AES-256 encryption
- Values are never exposed in logs or error messages
- Credential values can reference environment variables using
$ENV_VAR_NAMEsyntax — the value is resolved at runtime from the gateway's environment, not stored in the database
Supported types
| Type | Use case |
|---|---|
| API Key | Backend services requiring a key in a header or query parameter |
| Basic Auth | HTTP Basic authentication (username + password) |
| OAuth2 Client Credentials | OAuth2 flows where the gateway itself is the client |
| mTLS | Mutual TLS — client certificate + private key |
| MongoDB | Database connection strings |
| PostgreSQL | Database connection strings |
| SQL Server | Database connection strings |
| Oracle | Database connection strings |
| Redis | Cache connection strings |
| Kafka | Message broker with SASL/TLS authentication |
| SMTP | Email server credentials |
| SendGrid | SendGrid API key for email delivery |
→ See Credential Types for configuration details on each type.
Creating a Credential
- Go to Credentials in the sidebar
- Click New Credential
- Select the type
- Fill in the type-specific fields
- Click Create
The credential is now available to attach to collections or use in workflow nodes.
Using Credentials in Workflows
Credentials can also be used directly in Workflow nodes:
- HTTP request node: select a credential for the backend call
- Database nodes (MongoDB, PostgreSQL, etc.): select the connection credential
- Email nodes (SMTP, SendGrid): select the email credential
- Kafka node: select the broker credential
This lets you build workflows that query databases, call authenticated APIs, and send emails — all without hardcoding secrets.
Related docs
- Credential Types — full type matrix with field descriptions
- Encryption and Secret Sources — how secrets are encrypted at rest
- Env-Backed Secrets — read secrets from environment variables at runtime