Skip to main content
POST /api/v2/buyer/storefronts/{storefrontId}/sources/{sourceId}/credentials Registers credentials for an inventory source within a storefront. Required for sources that report requiresCredentials: true. Once registered, the source reports connected: true and discovery and media buys flow through it. For OAuth sources, the response carries an oauth.authorizationUrl the buyer must visit to finish consent.
Check the source’s requiresCredentials on the parent storefront before calling — sources that report requiresCredentials: false don’t need this step.

Request

curl -X POST \
  "https://api.interchange.io/api/v2/buyer/storefronts/42/sources/src_main/credentials" \
  -H "Authorization: Bearer $SCOPE3_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "accountIdentifier": "acme-brand-account",
    "auth": {
      "type": "api_key",
      "token": "<SOURCE_API_KEY>"
    }
  }'
Auth tokens grant AdCP access on your behalf. Store them in a managed secret vault, never log or commit them, and use placeholders like <SOURCE_API_KEY> in documentation and sample requests.

Parameters

FieldInTypeRequiredNotes
storefrontIdpathintegerYesStorefront ID
sourceIdpathstringYesInventory source ID within the storefront
accountIdentifierbodystringYesUnique account identifier at the source (1–255)
authbodyobjectNoSource credentials. Required for API key / JWT sources; omit for OAuth sources
auth.typebodyenumapi_key (also bearer, apikey) or jwt
auth.tokenbodystringRequired when type is api_key
auth.privateKey, issuer, subject, keyId, scope, tokenEndpointUrl, audienceUrlbodystringRequired when type is jwt. Optional: algorithm (ES256, RS256), environment
marketplaceAccountbodybooleanNoAdmin-only. When true, creates a marketplace account instead of a client account

Response

201 Created. For API key / JWT sources, the credential is active immediately: 
{
  "id": "722",
  "accountIdentifier": "acme-brand-account",
  "status": "ACTIVE",
  "registeredBy": "user@acme.com",
  "createdAt": "2026-06-01T10:00:00Z"
}
For OAuth sources, the response includes an oauth block — visit authorizationUrl to complete consent, then refresh the storefront to confirm connected: true: 
{
  "id": "723",
  "accountIdentifier": "acme-brand-account",
  "status": "PENDING",
  "registeredBy": "user@acme.com",
  "createdAt": "2026-06-01T10:00:00Z",
  "oauth": {
    "authorizationUrl": "https://idp.example-publisher.com/oauth/authorize?client_id=...&state=pending_abc123",
    "storefrontId": 42,
    "sourceId": "src_main",
    "sourceName": "Premium CTV — Direct"
  }
}
FieldTypeNotes
idstringCredential record ID
accountIdentifierstringThe buyer’s account identifier at the source
statusstringCredential status (ACTIVE, or PENDING for OAuth)
registeredBystring | nullWho registered the credential
createdAtstringISO 8601 timestamp
oauthobjectPresent only for OAuth sources — authorizationUrl, storefrontId, sourceId, sourceName

Errors

  • 400 VALIDATION_ERROR — missing accountIdentifier, or auth missing required fields for the source’s auth type.
  • 401 UNAUTHORIZED — missing or invalid bearer token.
  • 404 NOT_FOUND — the storefront or source does not exist or is not visible to the caller.
See Errors for the full error contract.

Storefront tasks

All storefront operations

Get storefront

Confirm connected: true after registering

List credentials

All your registered credentials

Storefront object guide

OAuth flow and the seller side