fix: correct destination auth config structure and add --include-destination-auth flag

The CLI was sending destination authentication credentials under an
`auth_method` key, but the API expects `auth_type` (string) and `auth`
(credentials map) as separate fields inside `destination.config`.

Changes:
- Fix buildDestinationConfig() to split auth into auth_type and auth fields
- Add GetDestination API client method for fetching destinations directly
- Add --include-destination-auth flag to `connection get` that fetches
  destination credentials via GET /destinations/{id}?include=config.auth
  (the connections API does not support this parameter)
- Update acceptance tests to verify credentials are stored correctly by
  doing a `connection get --include-destination-auth` after creation
- Update README.md and REFERENCE.md with new flag documentation

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: leggetter

README.md

@@ -841,6 +841,9 @@ $ hookdeck connection get "my-connection"
 
 # Get as JSON
 $ hookdeck connection get conn_123abc --output json
+
+# Include destination authentication credentials
+$ hookdeck connection get conn_123abc --include-destination-auth --output json
 ```
 
 #### Connection lifecycle management

REFERENCE.md

@@ -940,8 +940,16 @@ hookdeck connection get "my-connection"
 
 # Get as JSON
 hookdeck connection get conn_abc123 --output json
+
+# Include destination authentication credentials
+hookdeck connection get conn_abc123 --include-destination-auth --output json
 ```
 
+**Flags:**
+
+- `--output json` - Output in JSON format
+- `--include-destination-auth` - Include destination authentication credentials in the response (fetches via GET /destinations/{id}?include=config.auth)
+
 ### Create Connection
 
 Create a new connection with inline source/destination creation or by referencing existing resources.

pkg/cmd/connection_create.go

@@ -654,7 +654,14 @@ func (cc *connectionCreateCmd) buildDestinationConfig() (map[string]interface{},
 	}
 
 	if len(authConfig) > 0 {
-		config["auth_method"] = authConfig
+		config["auth_type"] = authConfig["type"]
+		auth := make(map[string]interface{})
+		for k, v := range authConfig {
+			if k != "type" {
+				auth[k] = v
+			}
+		}
+		config["auth"] = auth
 	}
 
 	// Add rate limiting configuration

pkg/cmd/connection_get.go

@@ -17,7 +17,8 @@ import (
 type connectionGetCmd struct {
 	cmd *cobra.Command
 
-	output string
+	output      string
+	includeDestinationAuth bool
 }
 
 func newConnectionGetCmd() *connectionGetCmd {
@@ -41,6 +42,7 @@ Examples:
 	}
 
 	cc.cmd.Flags().StringVar(&cc.output, "output", "", "Output format (json)")
+	addIncludeDestinationAuthFlag(cc.cmd, &cc.includeDestinationAuth)
 
 	return cc
 }
@@ -66,6 +68,17 @@ func (cc *connectionGetCmd) runConnectionGetCmd(cmd *cobra.Command, args []strin
 		return formatConnectionError(err, connectionIDOrName)
 	}
 
+	// The connections API does not support include=config.auth, so when
+	// --include-destination-auth is requested we fetch the destination directly
+	// from GET /destinations/{id}?include=config.auth and merge the enriched
+	// config back into the connection response.
+	if cc.includeDestinationAuth && conn.Destination != nil {
+		dest, err := apiClient.GetDestination(ctx, conn.Destination.ID, includeAuthParams(true))
+		if err == nil {
+			conn.Destination = dest
+		}
+	}
+
 	if cc.output == "json" {
 		jsonBytes, err := json.MarshalIndent(conn, "", "  ")
 		if err != nil {

pkg/cmd/connection_include.go

@@ -0,0 +1,20 @@
+package cmd
+
+import "github.com/spf13/cobra"
+
+// addIncludeDestinationAuthFlag registers the --include-destination-auth flag on a cobra command.
+// When set, the CLI fetches destination auth credentials via
+// GET /destinations/{id}?include=config.auth and merges them into the response.
+func addIncludeDestinationAuthFlag(cmd *cobra.Command, target *bool) {
+	cmd.Flags().BoolVar(target, "include-destination-auth", false,
+		"Include destination authentication credentials in the response")
+}
+
+// includeAuthParams returns a map with the include query parameter set
+// if includeAuth is true, or nil otherwise.
+func includeAuthParams(includeAuth bool) map[string]string {
+	if includeAuth {
+		return map[string]string{"include": "config.auth"}
+	}
+	return nil
+}

pkg/hookdeck/destinations.go

@@ -1,6 +1,9 @@
 package hookdeck
 
 import (
+	"context"
+	"fmt"
+	"net/url"
 	"time"
 )
 
@@ -55,6 +58,27 @@ func (d *Destination) SetCLIPath(path string) {
 	}
 }
 
+// GetDestination retrieves a single destination by ID
+func (c *Client) GetDestination(ctx context.Context, id string, params map[string]string) (*Destination, error) {
+	queryParams := url.Values{}
+	for k, v := range params {
+		queryParams.Add(k, v)
+	}
+
+	resp, err := c.Get(ctx, fmt.Sprintf("/2025-07-01/destinations/%s", id), queryParams.Encode(), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var destination Destination
+	_, err = postprocessJsonResponse(resp, &destination)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse destination response: %w", err)
+	}
+
+	return &destination, nil
+}
+
 // DestinationCreateInput represents input for creating a destination inline
 type DestinationCreateInput struct {
 	Name        string                 `json:"name"`

test/acceptance/connection_oauth_aws_test.go

@@ -53,12 +53,34 @@ func TestConnectionOAuth2AWSAuthentication(t *testing.T) {
 		destConfig, ok := dest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object")
 
-		if authMethod, ok := destConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "OAUTH2_CLIENT_CREDENTIALS", authMethod["type"], "Auth type should be OAUTH2_CLIENT_CREDENTIALS")
-			assert.Equal(t, "https://auth.example.com/oauth/token", authMethod["auth_server"], "Auth server should match")
-			assert.Equal(t, "client_123", authMethod["client_id"], "Client ID should match")
-			// Client secret and scopes may or may not be returned depending on API
-		}
+		authType, ok := destConfig["auth_type"].(string)
+		require.True(t, ok, "Expected auth_type string in destination config, got config: %v", destConfig)
+		assert.Equal(t, "OAUTH2_CLIENT_CREDENTIALS", authType, "Auth type should be OAUTH2_CLIENT_CREDENTIALS")
+
+		// Fetch connection with --include-destination-auth to verify credentials were stored
+		getStdout, getStderr, getErr := cli.Run("connection", "get", connID,
+			"--include-destination-auth",
+			"--output", "json")
+		require.NoError(t, getErr, "Failed to get connection: stderr=%s", getStderr)
+
+		var getResp map[string]interface{}
+		err = json.Unmarshal([]byte(getStdout), &getResp)
+		require.NoError(t, err, "Failed to parse get response: %s", getStdout)
+
+		getDest, ok := getResp["destination"].(map[string]interface{})
+		require.True(t, ok, "Expected destination in get response")
+		getConfig, ok := getDest["config"].(map[string]interface{})
+		require.True(t, ok, "Expected config in get response destination")
+
+		getAuthType, ok := getConfig["auth_type"].(string)
+		require.True(t, ok, "Expected auth_type in get response config: %v", getConfig)
+		assert.Equal(t, "OAUTH2_CLIENT_CREDENTIALS", getAuthType, "Auth type should match on get")
+
+		getAuth, ok := getConfig["auth"].(map[string]interface{})
+		require.True(t, ok, "Expected auth object in get response config: %v", getConfig)
+		assert.Equal(t, "https://auth.example.com/oauth/token", getAuth["auth_server"], "Auth server should match")
+		assert.Equal(t, "client_123", getAuth["client_id"], "Client ID should match")
+		assert.Equal(t, "secret_456", getAuth["client_secret"], "Client secret should match with --include-destination-auth")
 
 		// Cleanup
 		t.Cleanup(func() {
@@ -112,12 +134,34 @@ func TestConnectionOAuth2AWSAuthentication(t *testing.T) {
 		destConfig, ok := dest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object")
 
-		if authMethod, ok := destConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "OAUTH2_AUTHORIZATION_CODE", authMethod["type"], "Auth type should be OAUTH2_AUTHORIZATION_CODE")
-			assert.Equal(t, "https://auth.example.com/oauth/token", authMethod["auth_server"], "Auth server should match")
-			assert.Equal(t, "client_789", authMethod["client_id"], "Client ID should match")
-			// Sensitive fields like client_secret, refresh_token may not be returned
-		}
+		authType, ok := destConfig["auth_type"].(string)
+		require.True(t, ok, "Expected auth_type string in destination config, got config: %v", destConfig)
+		assert.Equal(t, "OAUTH2_AUTHORIZATION_CODE", authType, "Auth type should be OAUTH2_AUTHORIZATION_CODE")
+
+		// Fetch connection with --include-destination-auth to verify credentials were stored
+		getStdout, getStderr, getErr := cli.Run("connection", "get", connID,
+			"--include-destination-auth",
+			"--output", "json")
+		require.NoError(t, getErr, "Failed to get connection: stderr=%s", getStderr)
+
+		var getResp map[string]interface{}
+		err = json.Unmarshal([]byte(getStdout), &getResp)
+		require.NoError(t, err, "Failed to parse get response: %s", getStdout)
+
+		getDest, ok := getResp["destination"].(map[string]interface{})
+		require.True(t, ok, "Expected destination in get response")
+		getConfig, ok := getDest["config"].(map[string]interface{})
+		require.True(t, ok, "Expected config in get response destination")
+
+		getAuthType, ok := getConfig["auth_type"].(string)
+		require.True(t, ok, "Expected auth_type in get response config: %v", getConfig)
+		assert.Equal(t, "OAUTH2_AUTHORIZATION_CODE", getAuthType, "Auth type should match on get")
+
+		getAuth, ok := getConfig["auth"].(map[string]interface{})
+		require.True(t, ok, "Expected auth object in get response config: %v", getConfig)
+		assert.Equal(t, "https://auth.example.com/oauth/token", getAuth["auth_server"], "Auth server should match")
+		assert.Equal(t, "client_789", getAuth["client_id"], "Client ID should match")
+		assert.Equal(t, "secret_abc", getAuth["client_secret"], "Client secret should match with --include-destination-auth")
 
 		// Cleanup
 		t.Cleanup(func() {
@@ -170,12 +214,35 @@ func TestConnectionOAuth2AWSAuthentication(t *testing.T) {
 		destConfig, ok := dest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object")
 
-		if authMethod, ok := destConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "AWS_SIGNATURE", authMethod["type"], "Auth type should be AWS_SIGNATURE")
-			assert.Equal(t, "us-east-1", authMethod["region"], "AWS region should match")
-			assert.Equal(t, "execute-api", authMethod["service"], "AWS service should match")
-			// Access key may be returned but secret key should not be for security
-		}
+		authType, ok := destConfig["auth_type"].(string)
+		require.True(t, ok, "Expected auth_type string in destination config, got config: %v", destConfig)
+		assert.Equal(t, "AWS_SIGNATURE", authType, "Auth type should be AWS_SIGNATURE")
+
+		// Fetch connection with --include-destination-auth to verify credentials were stored
+		getStdout, getStderr, getErr := cli.Run("connection", "get", connID,
+			"--include-destination-auth",
+			"--output", "json")
+		require.NoError(t, getErr, "Failed to get connection: stderr=%s", getStderr)
+
+		var getResp map[string]interface{}
+		err = json.Unmarshal([]byte(getStdout), &getResp)
+		require.NoError(t, err, "Failed to parse get response: %s", getStdout)
+
+		getDest, ok := getResp["destination"].(map[string]interface{})
+		require.True(t, ok, "Expected destination in get response")
+		getConfig, ok := getDest["config"].(map[string]interface{})
+		require.True(t, ok, "Expected config in get response destination")
+
+		getAuthType, ok := getConfig["auth_type"].(string)
+		require.True(t, ok, "Expected auth_type in get response config: %v", getConfig)
+		assert.Equal(t, "AWS_SIGNATURE", getAuthType, "Auth type should match on get")
+
+		getAuth, ok := getConfig["auth"].(map[string]interface{})
+		require.True(t, ok, "Expected auth object in get response config: %v", getConfig)
+		assert.Equal(t, "AKIAIOSFODNN7EXAMPLE", getAuth["access_key_id"], "AWS access key ID should match")
+		assert.Equal(t, "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", getAuth["secret_access_key"], "AWS secret access key should match")
+		assert.Equal(t, "us-east-1", getAuth["region"], "AWS region should match")
+		assert.Equal(t, "execute-api", getAuth["service"], "AWS service should match")
 
 		// Cleanup
 		t.Cleanup(func() {
@@ -229,11 +296,33 @@ func TestConnectionOAuth2AWSAuthentication(t *testing.T) {
 		destConfig, ok := dest["config"].(map[string]interface{})
 		require.True(t, ok, "Expected destination config object")
 
-		if authMethod, ok := destConfig["auth_method"].(map[string]interface{}); ok {
-			assert.Equal(t, "GCP_SERVICE_ACCOUNT", authMethod["type"], "Auth type should be GCP_SERVICE_ACCOUNT")
-			assert.Equal(t, "https://www.googleapis.com/auth/cloud-platform", authMethod["scope"], "GCP scope should match")
-			// Service account key should not be returned for security reasons
-		}
+		authType, ok := destConfig["auth_type"].(string)
+		require.True(t, ok, "Expected auth_type string in destination config, got config: %v", destConfig)
+		assert.Equal(t, "GCP_SERVICE_ACCOUNT", authType, "Auth type should be GCP_SERVICE_ACCOUNT")
+
+		// Fetch connection with --include-destination-auth to verify credentials were stored
+		getStdout, getStderr, getErr := cli.Run("connection", "get", connID,
+			"--include-destination-auth",
+			"--output", "json")
+		require.NoError(t, getErr, "Failed to get connection: stderr=%s", getStderr)
+
+		var getResp map[string]interface{}
+		err = json.Unmarshal([]byte(getStdout), &getResp)
+		require.NoError(t, err, "Failed to parse get response: %s", getStdout)
+
+		getDest, ok := getResp["destination"].(map[string]interface{})
+		require.True(t, ok, "Expected destination in get response")
+		getConfig, ok := getDest["config"].(map[string]interface{})
+		require.True(t, ok, "Expected config in get response destination")
+
+		getAuthType, ok := getConfig["auth_type"].(string)
+		require.True(t, ok, "Expected auth_type in get response config: %v", getConfig)
+		assert.Equal(t, "GCP_SERVICE_ACCOUNT", getAuthType, "Auth type should match on get")
+
+		getAuth, ok := getConfig["auth"].(map[string]interface{})
+		require.True(t, ok, "Expected auth object in get response config: %v", getConfig)
+		assert.Equal(t, "https://www.googleapis.com/auth/cloud-platform", getAuth["scope"], "GCP scope should match")
+		assert.NotEmpty(t, getAuth["service_account_key"], "Service account key should be present with --include-destination-auth")
 
 		// Cleanup
 		t.Cleanup(func() {