simstudioai
diff --git a/‎apps/docs/content/docs/en/blocks/credential.mdx‎
Lines changed: 21 additions & 53 deletions b/‎apps/docs/content/docs/en/blocks/credential.mdx‎
Lines changed: 21 additions & 53 deletions
diff --git a/‎apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx‎
Lines changed: 4 additions & 28 deletions b/‎apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/credential-selector/credential-selector.tsx‎
Lines changed: 4 additions & 28 deletions
diff --git a/‎apps/sim/blocks/blocks/credential.ts‎
Lines changed: 10 additions & 41 deletions b/‎apps/sim/blocks/blocks/credential.ts‎
Lines changed: 10 additions & 41 deletions
@@ -7,7 +7,7 @@ import { Tab, Tabs } from 'fumadocs-ui/components/tabs'
 import { Image } from '@/components/ui/image'
 import { FAQ } from '@/components/ui/faq'
 
-The Credential block has two operations: **Select Credential** picks a single stored credential and outputs its ID reference for downstream blocks; **List Credentials** returns all credentials in the workspace (optionally filtered by type) as an array for iteration.
+The Credential block has two operations: **Select Credential** picks a single OAuth credential and outputs its ID reference for downstream blocks; **List Credentials** returns all OAuth credentials in the workspace (optionally filtered by provider) as an array for iteration.
 
 <div className="flex justify-center">
   <Image
@@ -20,7 +20,7 @@ The Credential block has two operations: **Select Credential** picks a single st
 </div>
 
 <Callout>
-  The Credential block outputs credential **ID references**, not secrets. Downstream blocks receive the ID and resolve it securely during their own execution.
+  The Credential block outputs credential **ID references**, not secrets. Downstream blocks receive the ID and resolve the actual OAuth token securely during their own execution.
 </Callout>
 
 ## Configuration Options
@@ -29,34 +29,18 @@ The Credential block has two operations: **Select Credential** picks a single st
 
 | Value | Description |
 |---|---|
-| **Select Credential** | Pick one credential and output its reference — use this to wire a single credential into downstream blocks |
-| **List Credentials** | Return all workspace credentials as an array — use this with a ForEach loop |
+| **Select Credential** | Pick one OAuth credential and output its reference — use this to wire a single credential into downstream blocks |
+| **List Credentials** | Return all OAuth credentials in the workspace as an array — use this with a ForEach loop |
 
 ### Credential (Select operation)
 
-Select a credential from your workspace. The dropdown shows all credential types you have access to, grouped by category:
-
-- **OAuth** — Connected accounts (Google, GitHub, Slack, etc.)
-- **Environment Variables** — Workspace or personal environment variable references
-- **Service Accounts** — Google service account JSON keys
+Select an OAuth credential from your workspace. The dropdown shows all connected OAuth accounts (Google, GitHub, Slack, etc.).
 
 In advanced mode, paste a credential ID directly. You can copy a credential ID from your workspace's Credentials settings page.
 
-### Type Filter (List operation)
-
-Filter the returned credentials by type. Defaults to **All**.
+### Provider (List operation)
 
-| Value | Description |
-|---|---|
-| **All** | Return all credential types |
-| **OAuth** | Connected OAuth accounts only |
-| **Env Variables (Workspace)** | Workspace environment variables only |
-| **Env Variables (Personal)** | Personal environment variables only |
-| **Service Accounts** | Google service account keys only |
-
-### Provider (List operation, OAuth only)
-
-Further filter OAuth credentials by provider. Select one or more providers from the dropdown — only providers you have credentials for will appear. Leave empty to return all OAuth providers.
+Filter the returned OAuth credentials by provider. Select one or more providers from the dropdown — only providers you have credentials for will appear. Leave empty to return all OAuth credentials.
 
 | Example | Returns |
 |---|---|
@@ -72,13 +56,12 @@ Further filter OAuth credentials by provider. Select one or more providers from
     |---|---|---|
     | `credentialId` | `string` | The credential ID — pipe this into other blocks' credential fields |
     | `displayName` | `string` | Human-readable name (e.g. "waleed@company.com") |
-    | `type` | `string` | `oauth` \| `env_workspace` \| `env_personal` \| `service_account` |
-    | `providerId` | `string` | OAuth provider (e.g. `google`, `github`), empty for non-OAuth types |
+    | `providerId` | `string` | OAuth provider ID (e.g. `google-email`, `slack`) |
   </Tab>
   <Tab>
     | Output | Type | Description |
     |---|---|---|
-    | `credentials` | `json` | Array of credential objects (see shape below) |
+    | `credentials` | `json` | Array of OAuth credential objects (see shape below) |
     | `count` | `number` | Number of credentials returned |
 
     Each object in the `credentials` array:
@@ -87,8 +70,7 @@ Further filter OAuth credentials by provider. Select one or more providers from
     |---|---|---|
     | `credentialId` | `string` | The credential ID |
     | `displayName` | `string` | Human-readable name |
-    | `type` | `string` | Credential type |
-    | `providerId` | `string` | OAuth provider ID, empty for non-OAuth |
+    | `providerId` | `string` | OAuth provider ID |
   </Tab>
 </Tabs>
 
@@ -99,20 +81,14 @@ Further filter OAuth credentials by provider. Select one or more providers from
 Credential (Select, Google) → Gmail (Send) & Google Drive (Upload) & Google Calendar (Create)
 ```
 
-**Environment switching** — Swap credentials without touching downstream blocks
-```
-Condition (env === 'prod') → Credential (Prod API Key) or Credential (Dev API Key)
-    → API Block (credentialId = <credential.credentialId>)
-```
-
 **Multi-account workflows** — Route to different credentials based on logic
 ```
 Agent (Determine account) → Condition → Credential A or Credential B → Slack (Post)
 ```
 
 **Iterate over all Gmail accounts**
 ```
-Credential (List, OAuth, Provider: Gmail) → ForEach Loop → Gmail (Send) using <loop.currentItem.credentialId>
+Credential (List, Provider: Gmail) → ForEach Loop → Gmail (Send) using <loop.currentItem.credentialId>
 ```
 
 <div className="flex justify-center">
@@ -129,24 +105,17 @@ Credential (List, OAuth, Provider: Gmail) → ForEach Loop → Gmail (Send) usin
 
 ### Select Credential
 
-1. Drop a **Credential** block and select your credential from the picker
+1. Drop a **Credential** block and select your OAuth credential from the picker
 2. In the downstream block, switch to **advanced mode** on its credential field
 3. Enter `<credentialBlockName.credentialId>` as the value
 
-<Tabs items={['Gmail', 'API Block', 'Slack']}>
+<Tabs items={['Gmail', 'Slack']}>
   <Tab>
     In the Gmail block's credential field (advanced mode):
     ```
     <myCredential.credentialId>
     ```
   </Tab>
-  <Tab>
-    In an API block's Authorization header:
-    ```
-    Bearer <myCredential.credentialId>
-    ```
-    Note: for API blocks, this passes the credential ID — use this pattern only when the downstream API route resolves credentials internally.
-  </Tab>
   <Tab>
     In the Slack block's credential field (advanced mode):
     ```
@@ -158,25 +127,24 @@ Credential (List, OAuth, Provider: Gmail) → ForEach Loop → Gmail (Send) usin
 ### List Credentials
 
 1. Drop a **Credential** block, set Operation to **List Credentials**
-2. Optionally set a **Type Filter** (e.g. OAuth only)
-3. Optionally select one or more **Providers** to narrow results (only your connected providers appear)
-4. Wire `<credentialBlockName.credentials>` into a **ForEach Loop** as the items source
-5. Inside the loop, reference `<loop.currentItem.credentialId>` in downstream blocks' credential fields
+2. Optionally select one or more **Providers** to narrow results (only your connected providers appear)
+3. Wire `<credentialBlockName.credentials>` into a **ForEach Loop** as the items source
+4. Inside the loop, reference `<loop.currentItem.credentialId>` in downstream blocks' credential fields
 
 ## Best Practices
 
 - **Define once, reference many times**: When five blocks use the same Google account, use one Credential block and wire all five to `<credential.credentialId>` instead of selecting the account five times
 - **Outputs are safe to log**: The `credentialId` output is a UUID reference, not a secret. It is safe to inspect in execution logs
-- **Use for environment switching**: Pair with a Condition block to route to a production or staging credential based on a workflow variable
+- **Use for environment switching**: Pair with a Condition block to route to a production or staging OAuth credential based on a workflow variable
 - **Advanced mode is required**: Downstream blocks must be in advanced mode on their credential field to accept a dynamic reference
-- **Use List + ForEach for fan-out**: When you need to run the same action across all accounts of a type, List Credentials feeds naturally into a ForEach loop
+- **Use List + ForEach for fan-out**: When you need to run the same action across all accounts of a provider, List Credentials feeds naturally into a ForEach loop
 - **Narrow by provider**: Use the Provider multiselect to filter to specific services — only providers you have credentials for are shown
 
 <FAQ items={[
-  { question: "Does the Credential block expose my secret or token?", answer: "No. The block outputs a credential ID (a UUID), not the actual secret or token. Downstream blocks receive the ID and resolve it securely in their own execution context. Secrets never appear in workflow state, logs, or the canvas." },
-  { question: "What credential types does it support?", answer: "All credential types: OAuth connected accounts, workspace environment variables, personal environment variables, and Google service accounts." },
+  { question: "Does the Credential block expose my secret or token?", answer: "No. The block outputs a credential ID (a UUID), not the actual OAuth token. Downstream blocks receive the ID and resolve the token securely in their own execution context. Secrets never appear in workflow state, logs, or the canvas." },
+  { question: "What credential types does it support?", answer: "OAuth connected accounts only (Google, GitHub, Slack, etc.). Environment variables and service accounts cannot be resolved by ID in downstream blocks, so they are not supported." },
   { question: "How is Select different from just copying a credential ID into advanced mode?", answer: "Functionally identical — both pass the same credential ID to the downstream block. The Credential block adds value when you need to use one credential in many blocks (change it once), or when you want to select between credentials dynamically using a Condition block." },
-  { question: "Can I list all credentials in my workspace?", answer: "Yes. Set the Operation to 'List Credentials'. You can optionally filter by type (OAuth, environment variables, service accounts). Wire the credentials output into a ForEach loop to process each credential individually." },
+  { question: "Can I list all OAuth credentials in my workspace?", answer: "Yes. Set the Operation to 'List Credentials'. Optionally filter by provider using the Provider multiselect. Wire the credentials output into a ForEach loop to process each credential individually." },
   { question: "Can I use a Credential block output in a Function block?", answer: "Yes. Reference <credential.credentialId> in your Function block's code. Note that the function will receive the raw UUID string — if you need the resolved token, the downstream block must handle the resolution (as integration blocks do). The Function block does not automatically resolve credential IDs." },
   { question: "What happens if the credential is deleted?", answer: "The Select operation will throw an error at execution time: 'Credential not found'. The List operation will simply omit the deleted credential from the results. Update the Credential block to select a valid credential before re-running." },
 ]} />
@@ -22,11 +22,7 @@ import { useSubBlockValue } from '@/app/workspace/[workspaceId]/w/[workflowId]/c
 import type { SubBlockConfig } from '@/blocks/types'
 import { CREDENTIAL_SET } from '@/executor/constants'
 import { useCredentialSets } from '@/hooks/queries/credential-sets'
-import {
-  useWorkspaceCredential,
-  useWorkspaceCredentials,
-  type WorkspaceCredential,
-} from '@/hooks/queries/credentials'
+import { useWorkspaceCredential, useWorkspaceCredentials } from '@/hooks/queries/credentials'
 import { useOAuthCredentials } from '@/hooks/queries/oauth/oauth-credentials'
 import { useOrganizations } from '@/hooks/queries/organization'
 import { useSubscriptionData } from '@/hooks/queries/subscription'
@@ -35,13 +31,6 @@ import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 
 const isBillingEnabled = isTruthy(getEnv('NEXT_PUBLIC_BILLING_ENABLED'))
 
-const TYPE_SECTION_LABELS: Record<string, string> = {
-  oauth: 'OAuth',
-  env_workspace: 'Environment Variables',
-  env_personal: 'Personal Variables',
-  service_account: 'Service Accounts',
-} as const
-
 interface CredentialSelectorProps {
   blockId: string
   subBlock: SubBlockConfig
@@ -255,22 +244,9 @@ export function CredentialSelector({
 
   const { comboboxOptions, comboboxGroups } = useMemo(() => {
     if (isAllCredentials) {
-      const grouped = allWorkspaceCredentials.reduce<Record<string, WorkspaceCredential[]>>(
-        (acc, cred) => {
-          const section = TYPE_SECTION_LABELS[cred.type] ?? cred.type
-          acc[section] = acc[section] ?? []
-          acc[section].push(cred)
-          return acc
-        },
-        {}
-      )
-
-      const groups = Object.entries(grouped).map(([section, creds]) => ({
-        section,
-        items: creds.map((cred) => ({ label: cred.displayName, value: cred.id })),
-      }))
-
-      return { comboboxOptions: [], comboboxGroups: groups.length > 0 ? groups : undefined }
+      const oauthCredentials = allWorkspaceCredentials.filter((c) => c.type === 'oauth')
+      const options = oauthCredentials.map((cred) => ({ label: cred.displayName, value: cred.id }))
+      return { comboboxOptions: options, comboboxGroups: undefined }
     }
 
     const pollingProviderId = getPollingProviderFromOAuth(effectiveProviderId)
 
@@ -10,12 +10,10 @@ interface CredentialBlockOutput {
   output: {
     credentialId: string
     displayName: string
-    type: string
     providerId: string
     credentials: Array<{
       credentialId: string
       displayName: string
-      type: string
       providerId: string
     }>
     count: number
@@ -25,14 +23,13 @@ interface CredentialBlockOutput {
 export const CredentialBlock: BlockConfig<CredentialBlockOutput> = {
   type: 'credential',
   name: 'Credential',
-  description: 'Select or list stored credentials',
+  description: 'Select or list OAuth credentials',
   longDescription:
-    'Select a stored credential once and pipe its ID into any downstream block that requires authentication, or list all credentials in the workspace for iteration. No secrets are ever exposed — only credential IDs and metadata.',
+    'Select an OAuth credential once and pipe its ID into any downstream block that requires authentication, or list all OAuth credentials in the workspace for iteration. No secrets are ever exposed — only credential IDs and metadata.',
   bestPractices: `
-  - Use "Select Credential" to define a credential once and reference <CredentialBlock.credentialId> in multiple downstream blocks instead of repeating credential IDs.
-  - Use "List Credentials" with a ForEach loop to iterate over all credentials of a given type (e.g. all OAuth accounts).
-  - Use the Type Filter in "List Credentials" to narrow results to a specific credential type.
-  - Use the Provider filter to further narrow OAuth results to specific services (e.g. Gmail, Slack).
+  - Use "Select Credential" to define an OAuth credential once and reference <CredentialBlock.credentialId> in multiple downstream blocks instead of repeating credential IDs.
+  - Use "List Credentials" with a ForEach loop to iterate over all OAuth accounts (e.g. all Gmail accounts).
+  - Use the Provider filter to narrow results to specific services (e.g. Gmail, Slack).
   - The outputs are credential ID references, not secret values — they are safe to log and inspect.
   - To switch credentials across environments, replace the single Credential block rather than updating every downstream block.
   `,
@@ -51,26 +48,13 @@ export const CredentialBlock: BlockConfig<CredentialBlockOutput> = {
       ],
       value: () => 'select',
     },
-    {
-      id: 'typeFilter',
-      title: 'Type Filter',
-      type: 'dropdown',
-      options: [
-        { label: 'All', id: 'all' },
-        { label: 'OAuth', id: 'oauth' },
-        { label: 'Env Variables (Workspace)', id: 'env_workspace' },
-        { label: 'Env Variables (Personal)', id: 'env_personal' },
-        { label: 'Service Accounts', id: 'service_account' },
-      ],
-      value: () => 'all',
-      condition: { field: 'operation', value: 'list' },
-    },
     {
       id: 'providerFilter',
       title: 'Provider',
       type: 'dropdown',
       multiSelect: true,
       options: [],
+      condition: { field: 'operation', value: 'list' },
       fetchOptions: async () => {
         const workspaceId = useWorkflowRegistry.getState().hydration.workspaceId
         if (!workspaceId) return []
@@ -99,11 +83,6 @@ export const CredentialBlock: BlockConfig<CredentialBlockOutput> = {
         const label = serviceConfig?.name ?? optionId
         return { label, id: optionId }
       },
-      condition: {
-        field: 'operation',
-        value: 'list',
-        and: { field: 'typeFilter', value: 'oauth' },
-      },
     },
     {
       id: 'credential',
@@ -133,17 +112,12 @@ export const CredentialBlock: BlockConfig<CredentialBlockOutput> = {
     operation: { type: 'string', description: "'select' or 'list'" },
     credentialId: {
       type: 'string',
-      description: 'The credential ID to resolve (select operation)',
-    },
-    typeFilter: {
-      type: 'string',
-      description:
-        "Type filter for list operation: 'all' | 'oauth' | 'env_workspace' | 'env_personal' | 'service_account'",
+      description: 'The OAuth credential ID to resolve (select operation)',
     },
     providerFilter: {
       type: 'json',
       description:
-        'Array of OAuth provider IDs to filter by (e.g. ["google-email", "slack"]). Only applies when typeFilter is oauth.',
+        'Array of OAuth provider IDs to filter by (e.g. ["google-email", "slack"]). Leave empty to return all OAuth credentials.',
     },
   },
   outputs: {
@@ -157,20 +131,15 @@ export const CredentialBlock: BlockConfig<CredentialBlockOutput> = {
       description: 'Human-readable name of the credential',
       condition: { field: 'operation', value: 'select' },
     },
-    type: {
-      type: 'string',
-      description: 'Credential type: oauth | env_workspace | env_personal | service_account',
-      condition: { field: 'operation', value: 'select' },
-    },
     providerId: {
       type: 'string',
-      description: 'OAuth provider ID (e.g. google, github), empty for non-OAuth credentials',
+      description: 'OAuth provider ID (e.g. google-email, slack)',
       condition: { field: 'operation', value: 'select' },
     },
     credentials: {
       type: 'json',
       description:
-        'Array of credential objects, each with credentialId, displayName, type, and providerId',
+        'Array of OAuth credential objects, each with credentialId, displayName, and providerId',
       condition: { field: 'operation', value: 'list' },
     },
     count: {