# Mint a callback credential

> Mints an opaque bearer token bound to the caller's tenant for authenticating inbound external-system exception callbacks, and returns the raw token ONCE. Only the token's SHA-256 hash is stored server-side.



## OpenAPI

````yaml en/openapi/v3-current/matcher.yaml post /v1/exceptions/callbacks/credentials
openapi: 3.1.0
info:
  title: Matcher APIs
  description: >-
    Complete API reference for the Matcher reconciliation engine, providing
    automated transaction matching between Midaz Ledger and external systems.
  version: 4.1.0
  license:
    name: Elastic License 2.0
    url: https://www.elastic.co/licensing/elastic-license
servers:
  - url: https://matcher.sandbox.lerian.net
security: []
paths:
  /v1/exceptions/callbacks/credentials:
    post:
      tags:
        - Exception
      summary: Mint a callback credential
      description: >-
        Mints an opaque bearer token bound to the caller's tenant for
        authenticating inbound external-system exception callbacks, and returns
        the raw token ONCE. Only the token's SHA-256 hash is stored server-side.
      operationId: mintCallbackCredential
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MintCredentialRequest'
        required: true
      responses:
        '201':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CredentialSecretResponse'
          description: Created
        default:
          content:
            application/problem+json:
              schema:
                $ref: '#/components/schemas/Detail'
          description: Error
      security:
        - BearerAuth: []
components:
  schemas:
    MintCredentialRequest:
      additionalProperties: false
      properties:
        externalSystem:
          description: >-
            Optional operator-legible label for the external system this
            credential authenticates (e.g. "stripe", "billing-gw")
          examples:
            - stripe
          maxLength: 128
          type: string
      type: object
    CredentialSecretResponse:
      additionalProperties: false
      properties:
        createdAt:
          description: Mint time (RFC 3339, UTC)
          type: string
        credentialId:
          description: Surrogate id of the minted credential
          format: uuid
          type: string
        externalSystem:
          description: Operator-legible external-system label, echoed for confirmation
          type: string
        token:
          description: >-
            Raw bearer token, surfaced exactly once; configure it as the
            X-Callback-Token header value in the external system. Only its
            SHA-256 hash is stored server-side.
          type: string
        webhookUrlHint:
          description: >-
            Informational inbound-callback URL shape to configure in the
            external system. The {exceptionId} placeholder is filled per
            callback.
          type: string
      required:
        - token
        - credentialId
        - createdAt
      type: object
    Detail:
      additionalProperties: false
      properties:
        code:
          description: >-
            Stable, machine-readable domain error code scoped to the emitting
            service (format: <SERVICE>-NNNN).
          examples:
            - ERR-0001
          type: string
        detail:
          description: >-
            A human-readable explanation specific to this occurrence of the
            problem.
          examples:
            - Property foo is required but is missing.
          type: string
        errors:
          description: Optional list of individual error details
          items:
            $ref: '#/components/schemas/ErrorDetail'
          type:
            - array
            - 'null'
        instance:
          description: >-
            A URI reference that identifies the specific occurrence of the
            problem.
          examples:
            - https://example.com/error-log/abc123
          format: uri
          type: string
        status:
          description: HTTP status code
          examples:
            - 400
          format: int64
          type: integer
        title:
          description: >-
            A short, human-readable summary of the problem type. This value
            should not change between occurrences of the error.
          examples:
            - Bad Request
          type: string
        type:
          default: about:blank
          description: A URI reference to human-readable documentation for the error.
          examples:
            - https://example.com/errors/example
          format: uri
          type: string
      type: object
    ErrorDetail:
      additionalProperties: false
      properties:
        location:
          description: >-
            Where the error occurred, e.g. 'body.items[3].tags' or
            'path.thing-id'
          type: string
        message:
          description: Error message text
          type: string
        value:
          description: The value at the given location
      type: object
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: 'Bearer token authentication (format: "Bearer {token}")'

````
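The mint-once, hash-only scheme from the description, sketched as an added example (not Matcher's own code). The in-memory store, the 32-byte token length and the function names are assumptions; the field names, the 128-character limit and the `X-Callback-Token` header come from the schema above.

```python
import hashlib
import hmac
import secrets
import uuid
from datetime import datetime, timezone

# Hypothetical in-memory store: SHA-256 hex digest of the token -> record.
CREDENTIAL_STORE = {}


def token_digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def mint_credential(tenant_id: str, external_system: str = "") -> dict:
    """Mint a credential; the raw token exists only in the returned dict."""
    if len(external_system) > 128:  # maxLength in MintCredentialRequest
        raise ValueError("externalSystem exceeds 128 characters")
    token = secrets.token_urlsafe(32)  # 32 random bytes (assumed length)
    record = {
        "credentialId": str(uuid.uuid4()),
        "tenantId": tenant_id,  # tenant binding stays server-side
        "externalSystem": external_system,
        "createdAt": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    CREDENTIAL_STORE[token_digest(token)] = record  # only the hash is persisted
    response = {k: v for k, v in record.items() if k != "tenantId"}
    response["token"] = token  # surfaced exactly once, in this response
    return response


def authenticate_callback(headers: dict):
    """Return the tenant bound to X-Callback-Token, or None if it is unknown."""
    presented = headers.get("X-Callback-Token", "")
    if not presented:
        return None
    candidate = token_digest(presented)
    for stored, record in CREDENTIAL_STORE.items():
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(stored, candidate):
            return record["tenantId"]
    return None
```

An unsalted SHA-256 is adequate here because the token is a high-entropy random value rather than a user-chosen password; a lost token cannot be recovered from the store and has to be replaced by minting a new credential.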