# Story 2.6.2: Implement GET /credentials/{id}

## Status
**Draft**

## Story

**As a** workflow automation user,
**I want** to retrieve detailed information about a specific credential by ID,
**so that** I can view credential configuration, check which nodes use it, and verify its settings without accessing the n8n UI.

## Acceptance Criteria

1. New `get_credential` MCP tool registered and functional
2. Tool retrieves complete credential metadata by ID
3. Security: Sensitive data handling documented (may be encrypted/masked)
4. Response includes all credential fields except raw sensitive data
5. Multi-instance routing works correctly
6. Error handling for non-existent credentials (404)
7. Error handling for unauthorized access (401)
8. Comprehensive testing with various credential types
9. Documentation updated with security notes
10. Credential structure validation complete

## Tasks / Subtasks

### Task 1: Implement getCredential in N8NApiWrapper (AC: 1, 2, 5)
- [ ] Add `getCredential` method to `src/services/n8nApiWrapper.ts`
- [ ] Use `callWithInstance` pattern
- [ ] Support credential ID parameter
- [ ] Add error handling
- [ ] Follow existing patterns

### Task 2: Register get_credential MCP Tool (AC: 1)
- [ ] Add tool definition to `src/index.ts`
- [ ] Define input schema with `credentialId`
- [ ] Include instance parameter
- [ ] Add security notes in description
- [ ] Implement request handler

### Task 3: Security & Data Handling (AC: 3, 4)
- [ ] Document sensitive data handling
- [ ] Test credential data field behavior
- [ ] Verify encryption/masking approach
- [ ] Add security warnings
- [ ] Document data access restrictions

### Task 4: Create Tests (AC: 8)
- [ ] **Test 4.1**: Retrieve credential by ID
  - [ ] Verify complete structure
  - [ ] Check all metadata fields
  - [ ] Validate data types
- [ ] **Test 4.2**: Test various credential types
  - [ ] OAuth2 credentials
  - [ ] API key credentials
  - [ ] Basic auth credentials
  - [ ] Custom credentials
- [ ] **Test 4.3**: Verify nodesAccess details
  - [ ] Check node usage tracking
  - [ ] Validate access history
- [ ] **Test 4.4**: Multi-instance routing
  - [ ] Get from default instance
  - [ ] Get from specific instance
  - [ ] Test cross-instance (expect 404)
- [ ] **Test 4.5**: Error scenarios
  - [ ] Non-existent ID (404)
  - [ ] Invalid ID format
  - [ ] Invalid API key (401)

### Task 5: Documentation (AC: 9)
- [ ] Update README with examples
- [ ] Document security model
- [ ] Add to CLAUDE.md
- [ ] Update CHANGELOG

### Task 6: Integration (AC: 10)
- [ ] Add to test suite
- [ ] Integration with `list_credentials`
- [ ] Cleanup utilities

## Dev Notes

### Complete Credential Structure
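```typescript
// Shape of the credential returned by GET /credentials/{id}
// (the interface name is illustrative)
interface Credential {
  id: string;
  name: string;
  type: string;
  data: object | null;     // May be encrypted/masked
  nodesAccess: Array<{
    nodeType: string;      // Node type that uses the credential
    date: string;
  }>;
  createdAt: string;
  updatedAt: string;
}
```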

**Security Note:** The behavior of the `data` field depends on n8n security settings; it may be encrypted, masked, or `null`.
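
One way to meet acceptance criteria 3, 4 and 10 is to validate the upstream response and return an allowlisted copy whose `data` values are masked. This is an added example, not code from this project; `sanitizeCredential`, `SafeCredential`, `MASK` and the sample values are hypothetical, and it assumes the tool may expose `data` key names but never their values.

```typescript
interface NodeAccess { nodeType: string; date: string }
interface SafeCredential {
  id: string; name: string; type: string;
  data: Record<string, string> | null; // key names kept, values masked
  nodesAccess: NodeAccess[];
  createdAt: string; updatedAt: string;
}
const MASK = "***MASKED***"; // constructed placeholder value

function str(obj: Record<string, unknown>, key: string): string {
  const v = obj[key];
  if (typeof v !== "string") throw new Error(`credential field ${key} must be a string`);
  return v;
}

// Hypothetical helper: validate the upstream response, then copy only allowlisted fields.
function sanitizeCredential(raw: unknown): SafeCredential {
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    throw new Error("credential response must be an object");
  }
  const obj = raw as Record<string, unknown>;
  const access = obj["nodesAccess"];
  if (!Array.isArray(access)) throw new Error("nodesAccess must be an array");
  const nodesAccess = access.map((entry: unknown): NodeAccess => {
    if (typeof entry !== "object" || entry === null) throw new Error("bad nodesAccess entry");
    const e = entry as Record<string, unknown>;
    return { nodeType: str(e, "nodeType"), date: str(e, "date") };
  });
  const data = obj["data"];
  let masked: Record<string, string> | null = null; // missing data is treated as null
  if (typeof data === "object" && data !== null) {
    masked = {};
    for (const key of Object.keys(data)) masked[key] = MASK; // never copy raw values
  } else if (data !== null && data !== undefined) {
    throw new Error("data must be an object or null");
  }
  return {
    id: str(obj, "id"), name: str(obj, "name"), type: str(obj, "type"),
    data: masked, nodesAccess,
    createdAt: str(obj, "createdAt"), updatedAt: str(obj, "updatedAt"),
  };
}

// Constructed sample response; every value here is made up for the example.
const SAMPLE_RESPONSE: unknown = {
  id: "cred-123", name: "Example API", type: "exampleApiKey",
  data: { headerName: "X-Example-Key", value: "constructed-secret-value" },
  nodesAccess: [{ nodeType: "example.httpNode", date: "2025-01-01T00:00:00.000Z" }],
  createdAt: "2025-01-01T00:00:00.000Z", updatedAt: "2025-01-02T00:00:00.000Z",
  internalNote: "field outside the documented structure",
};
```

Fields outside the documented structure are dropped because the result is built from an allowlist instead of by deleting known-sensitive keys.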

## Testing

### Test Pattern
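```javascript
const assert = require('node:assert');

// Run inside an async test function; getCredential and credentialId come from the test setup.
const credential = await getCredential(credentialId);
assert(credential.id === credentialId);
assert(credential.type !== undefined);
assert(Array.isArray(credential.nodesAccess));
```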

## Change Log

| Date | Version | Description | Author |
|------|---------|-------------|--------|
| 2025-12-26 | 1.0 | Story created for GET /credentials/{id} | Sarah (PO) |
