add context to distinguish multiple credentials for the same (user, provider)

docs/_static/llama-stack-spec.html

@@ -577,7 +577,7 @@
                 "tags": [
                     "Credentials"
                 ],
-                "description": "Create a new set of credentials for a given provider.",
+                "description": "Create a new set of credentials for a given provider. The unique key is (provider_id, context)",
                 "parameters": [],
                 "requestBody": {
                     "content": {
@@ -6750,6 +6750,13 @@
                     "ttl_seconds": {
                         "type": "integer",
                         "description": "The time to live for the credential in seconds. Defaults to 3600 seconds. When token_type is oauth2_authorization_code, the TTL is ignored and is obtained from the provider when exchanging the code for an access token."
+                    },
+                    "context": {
+                        "type": "object",
+                        "additionalProperties": {
+                            "type": "string"
+                        },
+                        "description": "Context to distinguish between different credentials for the same provider. For example, for the MCP provider, this could be the toolgroup_id (which corresponds to a unique MCP endpoint)."
                     }
                 },
                 "additionalProperties": false,

docs/_static/llama-stack-spec.yaml

@@ -394,7 +394,8 @@ paths:
       tags:
         - Credentials
       description: >-
-        Create a new set of credentials for a given provider.
+        Create a new set of credentials for a given provider. The unique key is (provider_id,
+        context)
       parameters: []
       requestBody:
         content:
@@ -4787,6 +4788,14 @@ components:
             The time to live for the credential in seconds. Defaults to 3600 seconds.
             When token_type is oauth2_authorization_code, the TTL is ignored and is
             obtained from the provider when exchanging the code for an access token.
+        context:
+          type: object
+          additionalProperties:
+            type: string
+          description: >-
+            Context to distinguish between different credentials for the same provider.
+            For example, for the MCP provider, this could be the toolgroup_id (which
+            corresponds to a unique MCP endpoint).
       additionalProperties: false
       required:
         - provider_id

llama_stack/apis/credentials/credentials.py

@@ -59,8 +59,9 @@ class Credentials(Protocol):
         token: str,
         nonce: str | None = None,
         ttl_seconds: int = 3600,
+        context: dict[str, str] | None = None,
     ) -> str:
-        """Create a new set of credentials for a given provider.
+        """Create a new set of credentials for a given provider. The unique key is (provider_id, context)
 
         :param provider_id: The ID of the provider to create credentials for.
         :param token_type: The type of token to create. This is provided in the API to serve as lightweight
@@ -70,6 +71,9 @@ class Credentials(Protocol):
         :param ttl_seconds: The time to live for the credential in seconds. Defaults to 3600 seconds.
                             When token_type is oauth2_authorization_code, the TTL is ignored and is obtained
                             from the provider when exchanging the code for an access token.
+        :param context: Context to distinguish between different credentials for the same provider. For example,
+                        for the MCP provider, this could be the toolgroup_id (which corresponds to a unique MCP
+                        endpoint).
         :returns: The ID of the created credential.
         """
         ...