zeropw-rolling - Bad Request

openapi: 3.0.1 info: title: Beyond Identity Secure Access API version: 1.7.0 contact: email: support@beyondidentity.com description: | # Introduction **NOTE:** To determine if you are accessing the Secure Access Platform, check the URL of your Admin Console. If it looks like one of the following, you are using the Secure Access Platform: - `https://console.beyondidentity.com` (Localized to your region) - `https://console-us.beyondidentity.com` (US region) - `https://console-eu.beyondidentity.com` (EU region) - `https://console.us1.beyondidentity-gov.com` (US FedRAMP) If your Admin Console URL does not look like one of the above, you are using the Secure Workforce Platform. Please refer to the [Secure Workforce API documentation](https://docs.beyondidentity.com/api/v0).

The Beyond Identity Secure Access API defines methods for managing resources in the Beyond Identity Secure Access platform.

All of the functionality available in the Beyond Identity Admin Console is also available through the API.

This API is currently in the early-access stage and is under active development. Feedback and suggestions are encouraged and should be directed to the [Beyond Identity Developer Slack Channel](https://join.slack.com/t/byndid/shared_invite/zt-1anns8n83-NQX4JvW7coi9dksADxgeBQ). # Base API URLs The base API URLs is determined by the region your tenant is hosted in OR if you are a FedRAMP customer.

### US Region If you are a US region customer, your base API URLs will be: - `https://api-us.beyondidentity.com` - `https://auth-us.beyondidentity.com` ### EU Region If you are a EU region customer, your base API URLs will be: - `https://api-eu.beyondidentity.com` - `https://auth-eu.beyondidentity.com` ### US FedRAMP **NOTE**: The FedRAMP version of Secure Access is released approximately *two weeks* after the commercial version, so some API endpoints may not be available immediately.

If you are a FedRAMP customer in the US region, your base API URLs will be: - `https://api.us1.beyondidentity-gov.com` - `https://auth.us1.beyondidentity-gov.com` For all the examples in this document, we will use the US region API base URL. You can always replace `https://api-us.beyondidentity.com` and `https://auth-us.beyondidentity.com` in the examples to use the proper base URL for your tenant. # Authentication All Beyond Identity API endpoints require authentication using an access token. The access token is generated through OAuth 2.0 or OIDC, using the authorization code flow or the client credentials flow.

The simplest way to acquire an access token is through the Beyond Identity Admin Console. Under the "Applications" tab, select the "Beyond Identity Management API" application, navigate to the "API Tokens" tab, and then click on "Create token".

Alternatively, an access token may also be generated directly via the API by requesting a token for the "Beyond Identity Management API" Application.

``` curl https://auth-us.beyondidentity.com/v1/tenants/$TENANT_ID/realms/$REALM_ID/applications/$APPLICATION_ID/token \ -X POST \ -u "$CLIENT_ID:$CLIENT_SECRET" --basic \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=client_credentials&scope=$SCOPES" ``` This will work for any application that you have configured to provide access to the Beyond Identity Management API Resource Server. The "Beyond Identity Management API" application is provided by default as part of the tenant onboarding process. The access token must be provided in the `Authorization` header of the API request.

``` curl https://api-us.beyondidentity.com/v1/... \ -X $HTTP_METHOD -H "Authorization: Bearer $TOKEN" ``` ## Requests and Responses To interact with the Beyond Identity API, all requests should be made over HTTPS.

The Beyond Identity API is generally structured as a resource-oriented API. Resources are represented as JSON objects and are used as both inputs to and outputs from API methods.

Resource fields may be described as read-only and immutable. A read-only field is only provided on the response. An immutable field is only assigned once and may not be changed after. For example, system-generated IDs are described as both read-only and immutable.

To create a new resource, requests should use the `POST` method. Create requests include all of the necessary attributes to create a new resource. Create operations return the created resource in the response.

To retrieve a single resource or a collection of resources, requests should use the `GET` method. When retrieving a collection of resources, the response will include an array of JSON objects keyed on the plural name of the requested resource.

To update an resource, requests should use the `PATCH` method. Update operations support partial updating so requests may specify only the attributes which should be updated. Update operations return the updated resource in the response.

To delete a resource, requests should use the `DELETE` method. Note that delete operations return an empty response instead of returning the resource in the response.

### Example Response for a Realm ``` { "id": "a448fe493e02fa9f", "tenant_id": "000168dc50bdce49", "display_name": "Test Realm", "create_time": "2022-06-22T21:46:08.930278Z", "update_time": "2022-06-22T21:46:08.930278Z" } ``` ### Example Response for a Collection of Realms ``` { "realms": [ { "id": "a448fe493e02fa9f", "tenant_id": "000168dc50bdce49", "display_name": "Test Realm", "create_time": "2022-06-22T21:46:08.930278Z", "update_time": "2022-06-22T21:46:08.930278Z" } ], "total_size": 1 } ``` ## HTTP Statuses The API returns standard HTTP statuses and error codes. Statuses in the 200 range indicate that the request was successfully fulfilled and there were no errors.

Statuses in the 400 range indicate that there was an issue with the request that may be addressed by the client. For example, client errors may indicate that the request was missing proper authorization or that the request was malformed.

Statuses in the 500 range indicate that the server encountered an internal issue and was unable to fulfill the request.

All error responses include a JSON object with a `code` field and a `message` field. `code` contains a human-readable name for the HTTP status code and `message` contains a high-level description of the error. The error object may also contain additional error details which may be used by the client to determine the exact cause of the error. Refer to each API method's examples to determine the specific error detail types supported for that method.

### Invalid Access Token Example If the provided access token is invalid, you will receive a 401 error. This error indicates that the token is not recognized and was not generated by Beyond Identity.

``` HTTP/1.1 401 Unauthorized { "code": "unauthorized", "message": "unauthorized" } ``` ### Permission Denied Example If the provided access token does not have access to the requested resource, you will receive a 403 error. Access tokens are scoped at a minimum to your tenant. Any request for resources outside of your tenant will result in this error.

``` HTTP/1.1 403 Forbidden { "code": "forbidden", "message": "forbidden" } ``` ### Missing Resource Example If the requested resource does not exist, you will receive a 404 error. The specific API method may return additional details about the missing resource.

``` HTTP/1.1 404 Not Found { "code": "not_found", "message": "group not found" "details": [ { "type": "ResourceInfo", "resource_type": "Group", "id": "4822738be6b7f658", "description": "group not found" } ], } ``` ### Invalid Parameters Example If the request body contains invalid parameters, you will receive a 400 error. The specific API method may return additional details about the invalid parameter.

``` HTTP/1.1 400 Bad Request { "code": "bad_request", "message": "invalid parameters" "details": [ { "type": "FieldViolations" "field_violations": [ { "description": "missing", "field": "group.display_name" } ], } ], } ``` servers: - url: 'https://api-us.beyondidentity.com' description: US region API base URL - url: 'https://api-eu.beyondidentity.com' description: EU region API base URL - url: 'https://api.us1.beyondidentity-gov.com/' description: US FedRAMP API base URL tags: - name: Tenants description: | A tenant represents an organization in the Beyond Identity Cloud. Tenants contain all data necessary for that organization to operate. - name: Realms description: | A realm is a unique administrative domain within a tenant. Realms may be used to define multiple development environments or for isolated administrative domains. - name: Groups description: | A group is a logical collection of identities. Groups are commonly used as a predicate in a policy rule. - name: Identities description: | An identity is a unique identifier that may be used by an end-user to gain access governed by Beyond Identity. - name: Credentials description: | A credential is also known as a passkey. This is the public-private key pair that belongs to an identity. - name: Credential Binding Jobs description: | A credential binding job defines the state of binding a new credential to an identity. The state includes creation of the credential binding job to delivery of the credential binding method to completion of the credential binding. - name: Themes description: | A theme is a collection of configurable assets that unifies the end user login experience with your brand and products. It is primarily used to change the styling of the credential binding email. - name: Applications description: | An application represents a client application that uses Beyond Identity for authentication. This could be a native app, a single-page application, regular web application, or machine-to-machine application credentials. - name: Authenticator Configurations description: | A authenticator configuration prescribes how an end user may authenticate themselves to Beyond Identity. Beyond Identity provides a Hosted Web Authenticator which will work out-of-the-box, as well as SDKs that can be embedded into an end user application. - name: Identity Provider description: | Identity providers enable integration with external systems to support IdP-authorized workflows, such as passkey enrollment. They serve as the counterpart to SSO applications, focusing on initiating authentication workflows and enabling secure interactions. - name: SSO Configs description: | An SSO configuration defines how end users interact with supported SSO protocols and related services. Each configuration type represents a protocol or integration (e.g., SAML, WS-Federation, OIDC, SCIM) supported by Beyond Identity. An SSO configuration provides a flexible framework for managing authentication, provisioning, and other integrations. It abstracts application protocols, inbound and outbound provisioning, and supports named integrations. Additionally, it includes features like user or group assignments, visual tiles in the SSO interface, and compatibility with multiple authentication and provisioning standards. This makes SSO configurations versatile for both authentication and non-authentication use cases. - name: Launch Mechanisms description: | Launch mechanisms, or flow type configurations, define which authentication launch mechanisms are enabled and valid for different platforms (Android, iOS, macOS, Windows, Web, Linux, ChromeOS) within a tenant. These configurations control which authentication methods end users can use on different devices and platforms. - name: Resource Servers description: | A resource server represents an API server that hosts a set of protected resources and is capable of accepting and responding to protected resource requests using access tokens. Clients can enable these APIs to be consumed from authorized applications. paths: '/v1/tenants/{tenant_id}': get: tags: - Tenants operationId: GetTenant summary: Retrieve an Existing Tenant description: | To retrieve an existing tenant, send a GET request to `/v1/tenants/$TENANT_ID`. security: - BearerAuth: - 'tenants:read' parameters: - $ref: '#/components/parameters/tenant_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a tenant. content: application/json: schema: $ref: '#/components/schemas/Tenant' examples: Success: value: id: 000176d94fd7b4d1 display_name: Test Tenant create_time: '2022-01-28T12:00:02.423Z' update_time: '2022-04-19T15:17:21.186Z' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: value: code: unauthorized message: unauthorized '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: value: code: forbidden message: forbidden '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: value: code: internal_server_error message: internal server error patch: tags: - Tenants operationId: UpdateTenant summary: Patch a Tenant description: | To update only specific attributes of an existing tenant, send a PATCH request to `/v1/tenants/$TENANT_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. security: - BearerAuth: - 'tenants:update' parameters: - $ref: '#/components/parameters/tenant_id' requestBody: description: Updates to the specified tenant. content: application/json: schema: title: Update Tenant Request description: Request for UpdateTenant. type: object properties: tenant: $ref: '#/components/schemas/Tenant' required: - tenant examples: Update Display Name: value: tenant: display_name: Test Tenant responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a tenant. content: application/json: schema: $ref: '#/components/schemas/Tenant' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: value: code: bad_request message: invalid request Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: tenant.display_name description: empty string '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms': post: tags: - Realms operationId: CreateRealm summary: Create a New Realm description: | To create a realm, send a POST request to `/v1/tenants/$TENANT_ID/realms`. Values in the request body for read-only fields will be ignored. security: - BearerAuth: - 'realms:create' parameters: - $ref: '#/components/parameters/tenant_id' requestBody: content: application/json: schema: title: Create Realm Request description: Request for CreateRealm. type: object properties: realm: $ref: '#/components/schemas/Realm' required: - realm responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a realm. content: application/json: schema: $ref: '#/components/schemas/Realm' examples: Success: value: id: 19a95130480dfa79 tenant_id: 0001f1f460b1ace6 display_name: Test Realm classification: SECURE_WORKFORCE create_time: '2022-05-18T18:00:01.167Z' update_time: '2022-05-19T14:23:01.327Z' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: realm.display_name description: empty string '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' get: tags: - Realms operationId: ListRealms summary: List Realms for a Tenant description: | To list all realms for a tenant, send a GET request to `/v1/tenants/$TENANT_ID/realms`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of realms in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'realms:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `realms` and `total_size`. `realms` will be set to an array of realm objects, each of which contain the standard realm attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListRealmsResponse' examples: Success: value: realms: - id: 19a95130480dfa79 tenant_id: 0001f1f460b1ace6 display_name: Test Realm create_time: '2022-05-18T18:00:01.167Z' update_time: '2022-05-19T14:23:01.327Z' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: page_token description: invalid page token '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}': get: tags: - Realms operationId: GetRealm summary: Retrieve an Existing Realm description: | To retrieve an existing realm, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID`. security: - BearerAuth: - 'realms:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a realm. content: application/json: schema: $ref: '#/components/schemas/Realm' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: value: code: not_found message: realm not found details: - type: ResourceInfo resource_type: Realm id: 19a95130480dfa79 description: realm not found '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' patch: tags: - Realms operationId: UpdateRealm summary: Patch a Realm description: | To update only specific attributes of an existing realm, send a PATCH request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. security: - BearerAuth: - 'realms:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: content: application/json: schema: title: Update Realm Request description: Request for UpdateRealm. type: object properties: realm: $ref: '#/components/schemas/Realm' required: - realm examples: Update Display Name: value: realm: display_name: Test Realm responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a realm. content: application/json: schema: $ref: '#/components/schemas/Realm' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' delete: tags: - Realms operationId: DeleteRealm summary: Delete a Realm description: | To delete a realm, send a DELETE request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID`. To be deleted, a realm must not have any identities, groups, or roles. All associated resources must first be deleted or you will receive a 409 error. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. security: - BearerAuth: - 'realms:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '409': description: Conflict. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Has Resources: value: code: conflict message: realm has children '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/groups': post: tags: - Groups operationId: CreateGroup summary: Create a New Group description: | To create a group, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups`. Values in the request body for read-only fields will be ignored. security: - BearerAuth: - 'groups:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: content: application/json: schema: title: Create Group Request description: Request for CreateGroup. type: object properties: group: $ref: '#/components/schemas/Group' required: - group examples: Create Group: value: group: display_name: Realm Administrators description: A group of realm administrators. responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a group. content: application/json: schema: $ref: '#/components/schemas/Group' examples: Success: value: id: 81490afab171aef0 realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 display_name: Realm Administrators description: A group of realm administrators. create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-06-14T05:55:23.823187Z' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: group.display_name description: empty string '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' get: tags: - Groups operationId: ListGroups summary: List Groups for a Realm description: | To list all groups for a realm, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of groups in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'groups:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `groups` and `total_size`. `groups` will be set to an array of group objects, each of which contains the standard group attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListGroupsResponse' examples: Success: value: groups: - id: 81490afab171aef0 realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 display_name: Realm Administrators description: A group of realm administrators. create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-06-14T05:55:23.823187Z' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}': get: tags: - Groups operationId: GetGroup summary: Retrieve an Existing Group description: | To retrieve an existing group, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups/$GROUP_ID`. security: - BearerAuth: - 'groups:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/group_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a group. content: application/json: schema: $ref: '#/components/schemas/Group' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Group Not Found: value: code: not_found message: group not found details: - type: ResourceInfo resource_type: Group id: 4822738be6b7f658 description: group not found '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' patch: tags: - Groups operationId: UpdateGroup summary: Patch a Group description: | To update only specific attributes of an existing group, send a PATCH request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups/$GROUP_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. security: - BearerAuth: - 'groups:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/group_id' requestBody: content: application/json: schema: title: Update Group Request description: Request for UpdateGroup. type: object properties: group: $ref: '#/components/schemas/Group' required: - group examples: Update Display Name: value: group: display_name: Realm Administrators responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a group. content: application/json: schema: $ref: '#/components/schemas/Group' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Group Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D/get/responses/404/content/application~1json/examples/Group%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' delete: tags: - Groups operationId: DeleteGroup summary: Delete a Group description: | To delete a group, send a DELETE request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups/$GROUP_ID`. To be deleted, a group must not have any members. Any existing members must first be deleted or you will receive a 409 error. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. security: - BearerAuth: - 'groups:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/group_id' responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Group Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D/get/responses/404/content/application~1json/examples/Group%20Not%20Found' '409': description: Conflict. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Group Has Members: value: code: conflict message: group has children '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:addMembers': post: tags: - Groups operationId: AddGroupMembers summary: Add Members to a Group description: | To add members to a group, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups/$GROUP_ID:addMembers`. The request must contain at least one and no more than 1000 identity IDs. security: - BearerAuth: - 'groups:update' - 'identities:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/group_id' requestBody: content: application/json: schema: title: Add Group Members Request description: Request for AddGroupMembers. type: object properties: identity_ids: description: IDs of the identities to be added to the group. type: array items: type: string minItems: 1 maxItems: 1000 required: - identity_ids examples: Add Members: value: identity_ids: - e372db224c06e850 - 3a28d4f28b57cc93 responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a group. content: application/json: schema: $ref: '#/components/schemas/Group' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: identity_ids description: array exceeds 1000 elements '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Group Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D/get/responses/404/content/application~1json/examples/Group%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:deleteMembers': post: tags: - Groups operationId: DeleteGroupMembers summary: Delete Members from a Group description: | To delete members from a group, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups/$GROUP_ID:deleteMembers`. The request must contain at least one and no more than 1000 identity IDs. security: - BearerAuth: - 'groups:update' - 'identities:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/group_id' requestBody: content: application/json: schema: title: Delete Group Members Request description: Request for DeleteGroupMembers. type: object properties: identity_ids: description: IDs of the identities to be removed from the group. type: array items: type: string minItems: 1 maxItems: 1000 required: - identity_ids examples: Delete Members: value: identity_ids: - e372db224c06e850 - 3a28d4f28b57cc93 responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a group. content: application/json: schema: $ref: '#/components/schemas/Group' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AaddMembers/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Group Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D/get/responses/404/content/application~1json/examples/Group%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listMembers': get: tags: - Groups operationId: ListGroupMembers summary: List Members for a Group description: | To list members belonging to a group, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups/$GROUP_ID:listMembers`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of members in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'groups:read' - 'identities:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/group_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `identities` and `total_size`. `identities` will be set to an array of identity objects, each of which contains the standard identity attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListGroupMembersResponse' examples: Success: value: identities: - id: e372db224c06e850 realm_id: 8f5bec58229e6f29 tenant_id: 0001f1f460b1ace6 display_name: Test Identity create_time: '2022-04-12T05:53:07.119Z' update_time: '2022-06-16T14:31:03.770Z' traits: type: traits_v0 username: test primary_email_address: test@example.com total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Group Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D/get/responses/404/content/application~1json/examples/Group%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listRoles': get: tags: - Groups operationId: ListGroupRoles summary: List Role Memberships for a Group description: | To list the roles to which a group is assigned, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/groups/$GROUP_ID:listRoles`. The request must include the `resource_server_id` query parameter specifying the resource server on which to filter the roles. If the specified resource server does not exist, you will receive a 409 error. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of roles in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'groups:read' - 'roles:read' - 'resource-servers:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/group_id' - $ref: '#/components/parameters/resource_server_id_query' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `roles` and `total_size`. `roles` will be set to an array of role objects, each of which contains the standard role attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListGroupRolesResponse' examples: Success: value: roles: - id: fb785d40cbe4fc0d resource_server_id: 7b5a4325-00e0-4379-bd7b-3e5e7e30b09e realm_id: bb26e0e8ecdef843 tenant_id: 00010036778ce59f description: Help Desk display_name: Customer support personnel. create_time: '2023-02-14T18:18:58.332247Z' update_time: '2023-02-14T18:18:58.332247Z' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: value: code: not_found message: role not found details: - type: ResourceInfo resource_type: Role id: fb785d40cbe4fc0d description: role not found '409': description: Conflict. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Server Not Found: value: code: conflict message: resource server not found details: - type: ResourceInfo resource_type: ResourceServer id: 7b5a4325-00e0-4379-bd7b-3e5e7e30b09e description: resource server not found '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities': post: tags: - Identities operationId: CreateIdentity summary: Create a New Identity description: | To create an identity, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities`. Values in the request body for read-only fields will be ignored. If the request conflicts with an existing resource, you will receive a 409 error. security: - BearerAuth: - 'identities:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: content: application/json: schema: title: Create Identity Request description: Request for CreateIdentity. type: object properties: identity: $ref: '#/components/schemas/Identity' required: - identity examples: Create Identity: value: identity: display_name: Test Identity traits: type: traits_v0 username: test primary_email_address: test@example.com responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an identity. content: application/json: schema: $ref: '#/components/schemas/Identity' examples: Success: value: id: e372db224c06e850 realm_id: 8f5bec58229e6f29 tenant_id: 0001f1f460b1ace6 display_name: Test Identity create_time: '2022-04-12T05:53:07.119Z' update_time: '2022-06-16T14:31:03.770Z' enrollment_status: UNENROLLED traits: type: traits_v0 username: test primary_email_address: test@example.com '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: identity.display_name description: empty string '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '409': description: Conflict. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Username Already Exists: value: code: conflict message: username already exists '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' get: tags: - Identities operationId: ListIdentities summary: List Identities for a Realm description: | To list identities for a realm, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities`. The response will only contain identities matching the filter in the request. If no filter is provided, the request will match all identities in the realm. Currently, the only supported filter is `traits.username eq "$USERNAME"`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of identities in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The filter is also maintained by the page token but it may not be overridden. If specified, the request filter must match the filter maintained by the page token, otherwise you will receive a 400 error. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'identities:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/filter' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `identities` and `total_size`. `identities` will be set to an array of identity objects, each of which contains the standard identity attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListIdentitiesResponse' examples: Success: value: identities: - id: e372db224c06e850 realm_id: 8f5bec58229e6f29 tenant_id: 0001f1f460b1ace6 display_name: Test Identity create_time: '2022-04-12T05:53:07.119Z' update_time: '2022-06-16T14:31:03.770Z' enrollment_status: ENROLLED traits: type: traits_v0 username: test primary_email_address: test@example.com total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities:batchDelete': post: tags: - Identities operationId: BatchDeleteIdentities summary: Batch delete identities. description: | To delete multiple identities in a realm, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities:batchDelete`. The request must contain at least one and no more than 1000 identity IDs. If there are any repeating identity IDs, the request will fail. If there are any invalid identity IDs, the request will fail and no identities will be deleted. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. security: - BearerAuth: - 'identities:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: content: application/json: schema: title: Batch Delete Identities Request description: Request for BatchDeleteIdentities. type: object properties: ids: description: IDs of the identities to be deleted. type: array items: type: string minItems: 1 maxItems: 1000 required: - ids examples: Delete Identities: value: ids: - e372db224c06e850 - 3a28d4f28b57cc93 responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Identities Not Found: value: code: not_found message: identities not found details: - type: BatchOperationErrors description: errors encountered performing batch operation errors: - Description: identities not found IDs: - e372db224c06e850 - 3a28d4f28b57cc93 ResourceType: Identity '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}': get: tags: - Identities operationId: GetIdentity summary: Retrieve an Existing Identity description: | To retrieve an existing identity, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID`. security: - BearerAuth: - 'identities:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an identity. content: application/json: schema: $ref: '#/components/schemas/Identity' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Identity Not Found: value: code: not_found message: identity not found details: - type: ResourceInfo resource_type: Identity id: e372db224c06e850 description: identity not found '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' patch: tags: - Identities operationId: UpdateIdentity summary: Patch an Identity description: | To update only specific attributes of an existing identity, send a PATCH request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. If the request conflicts with an existing resource, you will receive a 409 error. security: - BearerAuth: - 'identities:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' requestBody: content: application/json: schema: title: Update Identity Request description: Request for UpdateIdentity. type: object properties: identity: $ref: '#/components/schemas/Identity' required: - identity examples: Update Display Name and Email: value: identity: display_name: Test Identity traits: type: traits_v0 primary_email_address: test@example.com responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an identity. content: application/json: schema: $ref: '#/components/schemas/Identity' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Identity Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities~1%7Bidentity_id%7D/get/responses/404/content/application~1json/examples/Identity%20Not%20Found' '409': description: Conflict. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Username Already Exists: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities/post/responses/409/content/application~1json/examples/Username%20Already%20Exists' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' delete: tags: - Identities operationId: DeleteIdentity summary: Delete an Identity description: | To delete an identity, send a DELETE request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID`. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. security: - BearerAuth: - 'identities:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Identity Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities~1%7Bidentity_id%7D/get/responses/404/content/application~1json/examples/Identity%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listGroups': get: tags: - Identities operationId: ListIdentityGroups summary: List Group Memberships for an Identity description: | To list the groups to which an identity belongs, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID:listGroups`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of groups in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'identities:read' - 'groups:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `groups` and `total_size`. `groups` will be set to an array of group objects, each of which contains the standard group attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListIdentityGroupsResponse' examples: Success: value: groups: - id: 81490afab171aef0 realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 display_name: Realm Administrators description: A group of realm administrators. create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-06-14T05:55:23.823187Z' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Identity Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities~1%7Bidentity_id%7D/get/responses/404/content/application~1json/examples/Identity%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listRoles': get: tags: - Identities operationId: ListIdentityRoles summary: List Role Memberships for an Identity description: | To list the roles to which an identity is assigned, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID:listRoles`. The request must include the `resource_server_id` query parameter specifying the resource server on which to filter the roles. If the specified resource server does not exist, you will receive a 409 error. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of roles in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'identities:read' - 'roles:read' - 'resource-servers:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' - $ref: '#/components/parameters/resource_server_id_query' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `roles` and `total_size`. `roles` will be set to an array of role objects, each of which contains the standard role attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListIdentityRolesResponse' examples: Success: value: roles: - id: fb785d40cbe4fc0d resource_server_id: 7b5a4325-00e0-4379-bd7b-3e5e7e30b09e realm_id: bb26e0e8ecdef843 tenant_id: 00010036778ce59f description: Help Desk display_name: Customer support personnel. create_time: '2023-02-14T18:18:58.332247Z' update_time: '2023-02-14T18:18:58.332247Z' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '409': description: Conflict. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Server Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/409/content/application~1json/examples/Resource%20Server%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles': post: tags: - Roles operationId: CreateRole summary: Create a New Role description: | To create a role, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles`. Values in the request body for read-only fields will be ignored. security: - BearerAuth: - 'roles:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' requestBody: description: Role to be created. content: application/json: schema: title: Create Role Request description: Request for CreateRole. type: object properties: group: $ref: '#/components/schemas/Role' required: - role examples: Create Role: value: role: display_name: Help Desk description: Customer support personnel. responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a role. content: application/json: schema: $ref: '#/components/schemas/Role' examples: Success: value: id: fb785d40cbe4fc0d resource_server_id: 7b5a4325-00e0-4379-bd7b-3e5e7e30b09e realm_id: bb26e0e8ecdef843 tenant_id: 00010036778ce59f description: Help Desk display_name: Customer support personnel. create_time: '2023-02-14T18:18:58.332247Z' update_time: '2023-02-14T18:18:58.332247Z' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: role.display_name description: empty string '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Server Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles/get/responses/404/content/application~1json/examples/Resource%20Server%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' get: tags: - Roles operationId: ListRoles summary: List Roles for a Resource Server description: | To list all roles for a resource server, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of roles in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'roles:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `roles` and `total_size`. `roles` will be set to an array of role objects, each of which contain the standard role attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListRolesResponse' examples: Success: value: roles: - id: fb785d40cbe4fc0d resource_server_id: 7b5a4325-00e0-4379-bd7b-3e5e7e30b09e realm_id: bb26e0e8ecdef843 tenant_id: 00010036778ce59f description: Help Desk display_name: Customer support personnel. create_time: '2023-02-14T18:18:58.332247Z' update_time: '2023-02-14T18:18:58.332247Z' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Server Not Found: value: code: not_found message: resource server not found details: - type: ResourceInfo resource_type: ResourceServer id: 7b5a4325-00e0-4379-bd7b-3e5e7e30b09e description: resource server not found '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}': get: tags: - Roles operationId: GetRole summary: Retrieve an Existing Role description: | To retrieve an existing role, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID`. security: - BearerAuth: - 'roles:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a role. content: application/json: schema: $ref: '#/components/schemas/Role' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' patch: tags: - Roles operationId: UpdateRole summary: Patch a Role description: | To update only specific attributes of an existing role, send a PATCH request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. security: - BearerAuth: - 'roles:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' requestBody: description: Updates to the specified role. content: application/json: schema: title: Update Role Request description: Request for UpdateRole. type: object properties: role: $ref: '#/components/schemas/Role' required: - role examples: Update Display Name: value: role: display_name: Help Desk responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a role. content: application/json: schema: $ref: '#/components/schemas/Role' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' delete: tags: - Roles operationId: DeleteRole summary: Delete a Role description: | To delete a role, send a DELETE request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID`. To be deleted, a role must not have any scopes or members. Any existing scopes and members must first be deleted or you will receive a 409 error. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. security: - BearerAuth: - 'roles:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '409': description: Conflict. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Has Scopes or Members: value: code: conflict message: role has children '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:addMembers': post: tags: - Roles operationId: AddRoleMembers summary: Assign Members to a Role description: | To assign members to a role, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID:addMembers`. The request must contain at least one group ID or identity ID and must not contain more than 1000 group IDs or 1000 identity IDs. security: - BearerAuth: - 'roles:update' - 'groups:read' - 'identities:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' requestBody: content: application/json: schema: title: Add Role Members Request description: Request for AddRoleMembers. type: object properties: group_ids: description: IDs of the groups to be assigned to the role. type: array items: type: string minItems: 1 maxItems: 1000 identity_ids: description: IDs of the identities to be assigned to the role. type: array items: type: string minItems: 1 maxItems: 1000 examples: Assign Members: value: group_ids: - e372db224c06e850 identity_ids: - 3a28d4f28b57cc93 responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a role. content: application/json: schema: $ref: '#/components/schemas/Role' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AaddMembers/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:deleteMembers': post: tags: - Roles operationId: DeleteRoleMembers summary: Unassign Members from a Role description: | To unassign members from a role, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID:deleteMembers`. The request must contain at least one group ID or identity ID and must not contain more than 1000 group IDs or 1000 identity IDs. security: - BearerAuth: - 'roles:update' - 'identities:read' - 'groups:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' requestBody: content: application/json: schema: title: Delete Role Members Request description: Request for DeleteRoleMembers. type: object properties: group_ids: description: IDs of the groups to be unassigned from the role. type: array items: type: string minItems: 1 maxItems: 1000 identity_ids: description: IDs of the identities to be unassigned from the role. type: array items: type: string minItems: 1 maxItems: 1000 examples: Unassign Members: value: group_ids: - e372db224c06e850 identity_ids: - 3a28d4f28b57cc93 responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a role. content: application/json: schema: $ref: '#/components/schemas/Role' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AaddMembers/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:listMembers': get: tags: - Roles operationId: ListRoleMembers summary: List Members for a Role description: | To list members assigned to a role, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID:listMembers`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of members in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'roles:read' - 'groups:read' - 'identities:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' - $ref: '#/components/parameters/groups_page_size' - $ref: '#/components/parameters/groups_skip' - $ref: '#/components/parameters/identities_page_size' - $ref: '#/components/parameters/identities_skip' - $ref: '#/components/parameters/page_token' responses: '200': description: | The response will be a JSON object with keys for `groups`, `total_groups_size`, `identities`, and `total_identities_size`. `groups` will be set to an array of group objects, each of which contains the standard group attributes. `total_groups_size` will be set to the total number of groups matched by the list request. `identities` will be set to an array of identity objects, each of which contains the standard identity attributes. `total_identities_size` will be set to the total number of identities matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListRoleMembersResponse' examples: Success: value: groups: - id: 81490afab171aef0 realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 display_name: Realm Administrators description: A group of realm administrators. create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-06-14T05:55:23.823187Z' total_groups_size: 1 identities: - id: e372db224c06e850 realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 display_name: Test Identity create_time: '2022-04-12T05:53:07.119Z' update_time: '2022-06-16T14:31:03.770Z' traits: type: traits_v0 username: test primary_email_address: test@example.com total_identities_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:addScopes': post: tags: - Roles operationId: AddRoleScopes summary: Assign Scopes to a Role description: | To assign scopes to a role, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID:addScopes`. The request must contain at least one and no more than 1000 scopes. security: - BearerAuth: - 'roles:update' - 'resource-servers:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' requestBody: content: application/json: schema: title: Add Role Scopes Request description: Request for AddRoleScopes. type: object properties: scopes: description: Scopes to be assigned to the role. type: array items: type: string minItems: 1 maxItems: 1000 required: - scopes examples: Assign Scopes: value: scopes: - 'identities:read' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a role. content: application/json: schema: $ref: '#/components/schemas/Role' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: scopes description: array exceeds 1000 elements '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:deleteScopes': post: tags: - Roles operationId: DeleteRoleScopes summary: Unassign Scopes from a Role description: | To unassign scopes from a role, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID:deleteScopes`. The request must contain at least one and no more than 1000 scopes. security: - BearerAuth: - 'roles:update' - 'resource-servers:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' requestBody: content: application/json: schema: title: Delete Role Scopes Request description: Request for DeleteRoleScopes. type: object properties: scopes: description: Scopes to be removed from the role. type: array items: type: string minItems: 1 maxItems: 1000 required: - scopes examples: Unassign Scopes: value: scopes: - 'identities:read' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a role. content: application/json: schema: $ref: '#/components/schemas/Role' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers~1%7Bresource_server_id%7D~1roles~1%7Brole_id%7D%3AaddScopes/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:listScopes': get: tags: - Roles operationId: ListRoleScopes summary: List Scopes for a Role description: | To list scopes assigned to a role, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID/roles/$ROLE_ID:listScopes`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of scopes in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'roles:read' - 'resource-servers:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' - $ref: '#/components/parameters/role_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `scopes` and `total_size`. `scopes` will be set to an array of strings, each of which is a scope assigned to the role. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListRoleScopesResponse' examples: Success: value: scopes: - 'identities:read' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Role Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1groups~1%7Bgroup_id%7D%3AlistRoles/get/responses/404/content/application~1json/examples/Role%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials': get: tags: - Credentials operationId: ListCredentials summary: List Credentials for an Identity description: | To list all credentials for an identity, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/credentials`. `$IDENTITY_ID` may be a wildcard (`-`) to request all credentials across all identities within the realm. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of credentials in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'credentials:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `credentials` and `total_size`. `credentials` will be set to an array of credential objects, each of which contains the standard credential attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListCredentialsResponse' examples: Success: value: credentials: - id: 81490afab171aef0 identity_id: e85de356dc78843a realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 state: ACTIVE csr_type: JWT jwk_json: '{"crv":"P-256","kty":"EC","x":"2MRhz05PJPq3BUfB18AT3HqgWEkI3VpWUg1MWi8rz1g","y":"YtvLYwGEqYQaoDVok2fVziJT4fu7DFPz3hy96FTAelQ"}' jwk_thumbprint: UW-uVNL0mP1vcLjHrTBxibNgCEe_PD0HIsE3FrbYjPA= create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-06-14T05:55:23.823187Z' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '500': description: Internal. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}': get: tags: - Credentials operationId: GetCredential summary: Retrieve an Existing Credential description: | To retrieve an existing credential, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/credentials/$CREDENTIAL_ID`. security: - BearerAuth: - 'credentials:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' - $ref: '#/components/parameters/credential_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a credential. content: application/json: schema: $ref: '#/components/schemas/Credential' examples: Success: value: id: 81490afab171aef0 identity_id: e85de356dc78843a realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 state: ACTIVE csr_type: JWT jwk_json: '{"crv":"P-256","kty":"EC","x":"2MRhz05PJPq3BUfB18AT3HqgWEkI3VpWUg1MWi8rz1g","y":"YtvLYwGEqYQaoDVok2fVziJT4fu7DFPz3hy96FTAelQ"}' jwk_thumbprint: UW-uVNL0mP1vcLjHrTBxibNgCEe_PD0HIsE3FrbYjPA= create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-06-14T05:55:23.823187Z' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Credential Not Found: value: code: not_found message: credential not found details: - type: ResourceInfo resource_type: Credential id: 51c3c2d2907d6b40 description: credential not found '500': description: Internal. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke': post: tags: - Credentials operationId: RevokeCredential summary: Revoke a Credential description: | To revoke a credential, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/credentials/$CREDENTIAL_ID:revoke`. security: - BearerAuth: - 'credentials:revoke' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' - $ref: '#/components/parameters/credential_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a credential. content: application/json: schema: $ref: '#/components/schemas/Credential' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities~1%7Bidentity_id%7D~1credentials~1%7Bcredential_id%7D/get/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Credential Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities~1%7Bidentity_id%7D~1credentials~1%7Bcredential_id%7D/get/responses/404/content/application~1json/examples/Credential%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs': post: tags: - Credential Binding Jobs operationId: CreateCredentialBindingJob summary: Create a New Credential Binding Job description: | To create an identity, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/credential-binding-jobs`. Values in the request body for read-only fields will be ignored. security: - BearerAuth: - 'credential-binding-jobs:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' requestBody: description: Credential binding job to be created. content: application/json: schema: title: Create credential binding job request description: Request for CreateCredentialBindingJob. type: object properties: job: $ref: '#/components/schemas/CredentialBindingJob' required: - job examples: Create Credential Binding Job: value: job: delivery_method: RETURN post_binding_redirect_uri: 'http://example.com/callback' authenticator_config_id: 67bb0acf12e5c899 responses: '200': description: | The response will be a JSON object with a key called `credential_binding_job`. The value of this will be an object containing the standard attributes associated with a credential binding job. If the `delivery_method` of the credential binding job is `RETURN`, the response will also contain a key called `credential_binding_link` that contains a link to facilitate the credential binding process. content: application/json: schema: title: Create Credential Binding Job Response description: Response for CreateCredentialBindingJob. type: object properties: credential_binding_job: $ref: '#/components/schemas/CredentialBindingJob' credential_binding_link: type: string description: | A unique URL to be delivered to an identity to facilitate the credential binding process. This field is only present if the credential binding job's `delivery_method` is `RETURN`. required: - credential_binding_job examples: Delivery Method Return: value: credential_binding_job: id: c4fc2d753ca22b14 realm_id: cdf4862dc4d49791 tenant_id: 000183a77dd50fa9 identity_id: 87fabad6956c6d4b delivery_method: RETURN state: LINK_SENT post_binding_redirect_uri: 'http://example.com/callback' authenticator_config_id: 67bb0acf12e5c899 expire_time: '2022-03-21T03:42:52.905657Z' create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-03-15T05:55:23.823187Z' credential_binding_link: 'http://example.com/v1/tenants/000183a77dd50fa9/realms/cdf4862dc4d49791/identities/87fabad6956c6d4b/credential-binding-jobs/c4fc2d753ca22b14:invokeAuthenticator?token=1St9IKIIrYyQ8sOSeuk5UkbLKnBJhuD4I7nWIqt-BNANDEFS-XVuOHxB7TFdZcRm' Delivery Method Email: value: credential_binding_job: id: c4fc2d753ca22b14 realm_id: cdf4862dc4d49791 tenant_id: 000183a77dd50fa9 identity_id: 87fabad6956c6d4b delivery_method: EMAIL state: LINK_SENT post_binding_redirect_uri: 'http://example.com/callback' authenticator_config_id: 67bb0acf12e5c899 expire_time: '2022-03-21T03:42:52.905657Z' create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-03-15T05:55:23.823187Z' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: job.authenticator_config_id description: empty string '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/ResourceInfo' examples: Identity Not Found: value: code: not_found message: identity not found details: - type: ResourceInfo resource_type: Identity id: 51c3c2d2907d6b40 description: identity not found '422': description: Unprocessable entity. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Identity Missing Email Address: value: code: unprocessable_entity message: Identity missing email address details: - type: ResourceInfo resource_type: Identity id: 69f4d38f840c13ab description: Identity missing email address '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '503': description: Service unavailable. content: application/json: schema: $ref: '#/components/schemas/Error' get: tags: - Credential Binding Jobs operationId: ListCredentialBindingJobs summary: List Credential Binding Jobs for an Identity description: | To list all credential binding jobs for an identity, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/credential-binding-jobs`. `$IDENTITY_ID` may be a wildcard (`-`) to request all credential binding jobs across all identities within the realm. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of credential binding jobs in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'credential-binding-jobs:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/skip' responses: '200': description: | The response will be a JSON object with keys for `credential_binding_jobs` and `total_size`. `credential_binding_jobs` will be set to an array of credential binding job objects, each of which contains the standard credential binding job attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListCredentialBindingJobsResponse' examples: Success: value: credential_binding_jobs: - id: 81490afab171aef0 identity_id: e85de356dc78843a realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 credential_id: 9802966246819b35 delivery_method: EMAIL state: COMPLETE post_binding_redirect_uri: 'http://example.com/callback' authenticator_config_id: 67bb0acf12e5c899 expire_time: '2022-03-21T03:42:52.905657Z' create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-03-15T05:55:23.823187Z' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}': get: tags: - Credential Binding Jobs operationId: GetCredentialBindingJob summary: Retrieve an Existing Credential Binding Job description: | To retrieve an existing credential binding job, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/credential-binding-jobs/$CREDENTIAL_BINDING_JOB_ID`. security: - BearerAuth: - 'credential-binding-jobs:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' - $ref: '#/components/parameters/credential_binding_job_id' - name: filter in: query description: | Filter to constrain the response. The response will only include resources matching this filter. Filters follow the SCIM grammar from [RFC-7644 Section 3.4.2.2](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2). Supported filters attributes: `state`: the state of the credential binding job. `delivery_method`: the delivery method used for the credential binding job. schema: type: string responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a credential binding job. content: application/json: schema: $ref: '#/components/schemas/CredentialBindingJob' examples: Success: value: id: 81490afab171aef0 identity_id: e85de356dc78843a realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 credential_id: 9802966246819b35 delivery_method: EMAIL state: COMPLETE post_binding_redirect_uri: 'http://example.com/callback' authenticator_config_id: 67bb0acf12e5c899 expire_time: '2022-03-21T03:42:52.905657Z' create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-03-15T05:55:23.823187Z' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Credential Binding Job Not Found: value: code: not_found message: credential binding job not found details: - type: ResourceInfo resource_type: CredentialBindingJob id: 3103ba9a652b755e description: credential binding job not found '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}:revoke': post: tags: - Credential Binding Jobs operationId: SetCredentialBindingJobRevoked summary: Revocation of an active credential binding job. description: | To revoke an active credential binding job, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/credential-binding-jobs/$CREDENTIAL_BINDING_JOB_ID:revoke`. This endpoint invalidates a pending credential binding job, preventing a credential from being enrolled for the associated identity. If the specified job has already been completed, the revocation attempt will fail. security: - CredentialAuth: - 'credential-binding-jobs:revoke' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/identity_id' - $ref: '#/components/parameters/credential_binding_job_id' requestBody: content: application/json: schema: title: Bind Credential Request description: | Request for `SetCredentialBindingJobRevoked`. This request body is empty. type: object responses: '200': description: Credential binding job was successfully revoked. content: application/json: schema: $ref: '#/components/schemas/CredentialBindingJob' '400': description: | Bad request. If the request failed due to invalid fields, the error details will include a FieldViolations. content: application/json: schema: $ref: '#/components/schemas/Error' '401': description: Unauthenticated. content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: | Permission denied. The error details will include a ResourceInfo describing the authorization failure. content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: | Not found. The error details will include a ResourceInfo describing the required resource that was not found. content: application/json: schema: $ref: '#/components/schemas/Error' '409': description: | Conflict. The error details will include a ResourceInfo describing the required resource that is conflicting. content: application/json: schema: $ref: '#/components/schemas/Error' '500': description: Internal. content: application/json: schema: $ref: '#/components/schemas/Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs': post: tags: - Credential Binding Jobs operationId: CreateBatchCredentialBindingJob summary: Create a New Batch Credential Binding Job description: | To create a new batch credential binding job, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/batch-credential-binding-jobs`. Values in the request body for read-only fields will be ignored. A maximum of 1000 credential binding jobs can be created in a single batch. Each realm can have up to 1000 credential binding jobs in the batch queue at any given time. security: - BearerAuth: - 'credential-binding-jobs:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: description: Batch credential binding job to be created. content: application/json: schema: title: Create Batch Credential Binding Job Request description: Request for CreateBatchCredentialBindingJob. type: object properties: batch_credential_binding_job: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1batch-credential-binding-jobs/post/responses/200/content/application~1json/schema' required: - batch_credential_binding_job examples: Create Batch Credential Binding Job: value: batch_credential_binding_job: identity_ids: - 3d227b0d5949969d - a3f28b7c9e6d1234 - 5c90d2af18e47b0e job_template: authenticator_config_id: 67bb0acf12e5c899 post_binding_redirect_uri: 'http://example.com/callback' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a credential binding job. content: application/json: schema: title: BatchCredentialBindingJob description: | A batch credential binding job manages the binding of credentials for multiple identities in a batch operation. type: object required: - identity_ids - job_template properties: id: type: string description: | ID of the batch credential binding job. This is automatically generated on creation. This field is immutable and output-only. readOnly: true tenant_id: type: string description: | ID of the tenant associated with the batch credential binding job. This is automatically set on creation. This field is immutable and output-only. minLength: 1 readOnly: true realm_id: type: string description: | ID of the realm associated with the batch credential binding job. This is automatically set on creation. This field is immutable and output-only. minLength: 1 readOnly: true identity_ids: type: array description: | The list of identities associated with the batch credential binding job. items: type: string minLength: 1 minItems: 1 maxItems: 1000 state: type: string description: | The current state of the batch credential binding job. `RUNNING` indicates that the batch credential binding job is currently running. `FAILED` indicates that the batch credential binding job has failed. `PARTIAL_SUCCESS` indicates that the batch credential binding job has completed with some failures. `SUCCESS` indicates that the batch credential binding job has completed successfully. This field is immutable and output-only. readOnly: true state_commentary: title: BatchStateCommentary type: object description: | Commentary on the current state of the batch credential binding job. This field provides error information for each identity for which a credential binding job was attempted. This field is immutable and output-only. readOnly: true properties: errors: type: object description: | Per-identity error information. This contains a mapping of identity ID to error context. It will contain any errors encountered while creating an enrollment job for an entity. This field is immutable and output-only. additionalProperties: type: object required: - last_error properties: last_error: type: string description: | The most recent error encountered while creating a credential binding job for the associated identity. failed_permanently: type: boolean description: | Indicates whether attempts to create a credential binding job for this identity have reached the maximum retry limit and permanently failed. create_time: type: string format: date-time description: | Timestamp of when the batch credential binding job was created. This field is immutable and output-only. readOnly: true update_time: type: string format: date-time description: | Timestamp of when the batch credential binding job was updated. This field is immutable and output-only. readOnly: true job_template: title: BatchCredentialBindingJobTemplate description: | A batch credential binding job template provides a template for the credential binding jobs created via a batch. type: object properties: post_binding_redirect_uri: type: string description: | The URI to which the caller will be redirected after successfully binding a credential to an identity. This field is optional. If not specified, the authenticator will not attempt to redirect to a new location after binding. example: 'http://example.com/callback' authenticator_config: type: object description: | Representation of an authenticator configuration. This prescribes how an identity may authenticate themselves with Beyond Identity. properties: config: description: | An object specifying the settings for the supported authenticator type. The Hosted Web authenticator configuration is not supported in this field. It must be created separately and then referenced by its ID in the `authenticator_config_id` field. oneOf: - $ref: '#/components/schemas/AuthenticatorConfig/properties/config/oneOf/0' - $ref: '#/components/schemas/AuthenticatorConfig/properties/config/oneOf/2' authenticator_config_id: type: string description: | The ID of the authenticator configuration to be used to build the credential binding job. This field is immutable. example: 76e9eab521a8b734 expire_time: type: string format: date-time description: | A timestamp that represents when the credential binding link associated with the credential binding job will expire. This field is immutable and read-only. readOnly: true example: '2022-05-12T20:29:47.636497Z' examples: Success: value: id: 81490afab171aef0 realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 identity_ids: - 3d227b0d5949969d - a3f28b7c9e6d1234 - 5c90d2af18e47b0e state: RUNNING state_commentary: errors: a3f28b7c9e6d1234: last_error: Identity missing email address failed_permanently: false job_template: authenticator_config_id: 67bb0acf12e5c899 post_binding_redirect_uri: 'http://example.com/callback' create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-03-15T05:55:23.823187Z' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '429': description: | Too many requests. The error details will include the current total number of enrollments in the batch, the maximum allowed queue size, and the amount by which the limit was exceeded. headers: RateLimit-Limit: schema: type: string example: 1000 description: | Request limit (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1). Note: This request limit is not based on a time window, but on the number of active requests in the batch queue. It defines the maximum number of credential binding jobs allowed in the queue. RateLimit-Remaining: schema: type: string example: 200 description: | Request limit remaining (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1). The number of additional credential binding job requests that can be submitted in a batch before reaching the maximum queue size. This value reflects the remaining capacity in the batch queue, not a time-based rate limit. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Too Many Requests: value: code: too_many_requests message: 'Maximum queue sized reached. Maximum: 1000 Current Total: 800 Overage: 100' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs/{batch_credential_binding_job_id}': get: tags: - Credential Binding Jobs operationId: GetBatchCredentialBindingJob summary: Retrieve an Existing Batch Credential Binding Job description: | To retrieve an existing batch credential binding job, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/credential-binding-jobs/batch/$BATCH_CREDENTIAL_BINDING_JOB_ID`. security: - BearerAuth: - 'credential-binding-jobs:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/batch_credential_binding_job_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with the batch credential binding job. content: application/json: schema: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1batch-credential-binding-jobs/post/responses/200/content/application~1json/schema' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1batch-credential-binding-jobs/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Batch Credential Binding Job Not Found: value: code: not_found message: batch credential binding job not found details: - type: ResourceInfo resource_type: BatchCredentialBindingJob id: ea453099-e207-47d1-b24c-b3165a54037a description: batch credential binding job not found '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs/{batch_credential_binding_job_id}:listResults': get: tags: - Credential Binding Jobs operationId: ListBatchCredentialBindingJobResults summary: List Results of a Batch Credential Binding Job description: | To list the results of a batch credential binding job, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/batch-credential-binding-jobs/$BATCH_CREDENTIAL_BINDING_JOB_ID:listResults`. security: - BearerAuth: - 'credential-binding-jobs:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/batch_credential_binding_job_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with the results of the batch credential binding job. content: application/json: schema: title: ListBatchCredentialBindingJobResultsResponse description: | A response containing the results of a batch credential binding job. type: object properties: job_results: type: array items: $ref: '#/components/schemas/CredentialBindingJob' maxItems: 200 description: | An unordered array of credential binding jobs corresponding to the batch credential binding job. total_success_count: type: integer format: uint32 description: | Total number of successful results. total_failure_count: type: integer format: uint32 description: | Total number of failed results. total_pending_count: type: integer format: uint32 description: | Total number of pending results. total_size: type: integer format: uint32 description: | Total number of results for the request. This value may be used to determine subsequent requests to query the remaining results. next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - job_results - total_size - total_success_count - total_failure_count - total_pending_count examples: Success: value: job_results: - id: 81490afab171aef0 identity_id: a3f28b7c9e6d1234 realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 delivery_method: EMAIL state: COMPLETE post_binding_redirect_uri: 'http://example.com/callback' authenticator_config_id: 67bb0acf12e5c899 expire_time: '2022-03-21T03:42:52.905657Z' create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-03-15T05:55:23.823187Z' - id: 81490afab171aef0 identity_id: 5c90d2af18e47b0e realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 delivery_method: EMAIL state: LINK_OPENED post_binding_redirect_uri: 'http://example.com/callback' authenticator_config_id: 67bb0acf12e5c899 expire_time: '2022-03-21T03:42:52.905657Z' create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-03-15T05:55:23.823187Z' - id: 81490afab171aef0 identity_id: e85de356dc78843a realm_id: 7df92e4a38ba0993 tenant_id: 0001b42d80372976 delivery_method: EMAIL state: REVOKED post_binding_redirect_uri: 'http://example.com/callback' authenticator_config_id: 67bb0acf12e5c899 expire_time: '2022-03-21T03:42:52.905657Z' create_time: '2022-03-14T03:42:52.905657Z' update_time: '2022-03-15T05:55:23.823187Z' total_success_count: 1 total_failure_count: 1 total_pending_count: 1 total_size: 3 '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Batch Credential Binding Job Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1batch-credential-binding-jobs~1%7Bbatch_credential_binding_job_id%7D/get/responses/404/content/application~1json/examples/Batch%20Credential%20Binding%20Job%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/themes': post: tags: - Themes summary: Create a New Theme description: | To create a theme, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/themes/$THEME_ID`. Values in the request body for read-only fields will be ignored. All non-read-only fields are optional and will be populated with defaults if unspecified. Currently, each realm only supports a single theme. If a theme already exists for the realm, you will receive a 409 error. operationId: CreateTheme security: - BearerAuth: - 'themes:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: description: Theme to be created. content: application/json: schema: title: Create Theme Request description: Request for CreateTheme. type: object properties: theme: $ref: '#/components/schemas/Theme' examples: Create Theme: value: theme: email_realm_name: Realm Administrators logo_url_light: 'https://example.com/logo_url_light.png' logo_url_dark: 'https://example.com/logo_url_dark.png' support_url: 'https://example.com/support' button_color: '#4673D3' button_text_color: '#FFFFFF' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a theme. content: application/json: schema: $ref: '#/components/schemas/Theme' examples: Success: value: id: 88ef08fb-c3f9-44e2-b174-fbb239e1dc47 tenant_id: f36448f2ff094881 realm_id: aa6aabe6989bc4a5 email_realm_name: Realm Administrators logo_url_light: 'https://example.com/logo_url_light.png' logo_url_dark: 'https://example.com/logo_url_dark.png' support_url: 'https://example.com/support' create_time: '2022-07-28T18:00:00.000Z' button_color: '#4673D3' button_text_color: '#FFFFFF' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: value: code: bad_request message: Bad Request details: - type: FieldViolations field_violations: - field: theme.email_realm_name description: provided email_realm_name must not be empty '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: value: code: not_found message: realm not found details: - type: ResourceInfo resource_type: Realm id: 19a95130480dfa79 description: realm not found '409': description: Conflict. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Theme Already Exists: value: code: conflict message: theme already exists for this realm '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/themes/active': get: tags: - Themes summary: Get the Active Theme description: | To retrieve the active theme for a realm, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/themes/active`. If the realm has not specified the active theme, a default theme will be returned. operationId: GetActiveTheme security: - BearerAuth: - 'themes:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a theme. content: application/json: schema: $ref: '#/components/schemas/Theme' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1themes/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1themes/post/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id}': get: tags: - Themes summary: Retrive an Existing Theme description: | To retrieve an existing theme, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/themes/$THEME_ID`. operationId: GetTheme security: - BearerAuth: - 'themes:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/theme_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a theme. content: application/json: schema: $ref: '#/components/schemas/Theme' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1themes/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Theme Not Found: value: code: not_found message: theme not found details: - type: ResourceInfo resource_type: Theme id: 72d0af37-a9bb-410c-b8a7-9aa127fd8739 description: theme not found '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' patch: tags: - Themes summary: Patch a Theme description: | To update only specific attributes of an existing theme, send a PATCH request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/themes/$THEME_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. operationId: UpdateTheme security: - BearerAuth: - 'themes:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/theme_id' requestBody: description: Theme to be updated. content: application/json: schema: title: Update Theme Request description: Request for UpdateTheme. type: object properties: theme: $ref: '#/components/schemas/Theme' examples: Update Email Realm Name: value: theme: email_realm_name: Realm Administrators responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a theme. content: application/json: schema: $ref: '#/components/schemas/Theme' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1themes/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1themes/post/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Theme Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1themes~1%7Btheme_id%7D/get/responses/404/content/application~1json/examples/Theme%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/applications': post: operationId: CreateApplication tags: - Applications summary: Create a New Application description: | To create an application, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/applications`. Values in the request body for read-only fields will be ignored. At present, there are only two supported protocol types for applications, `oauth2` and `oidc`. security: - BearerAuth: - 'applications:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: content: application/json: schema: title: Create Application Request description: Request for CreateApplication. type: object properties: application: $ref: '#/components/schemas/Application' required: - application examples: Create Application: value: application: display_name: Pet Application resource_server_id: 84db69f5-48a8-4c11-8cda-1bae3a73f07e protocol_config: type: oidc allowed_scopes: - 'pets:read' - 'pets:write' confidentiality: confidential token_endpoint_auth_method: client_secret_post grant_type: - authorization_code redirect_uris: - 'https://auth.mypetapp.com/callback' token_configuration: subject_field: id expires_after: 86400 token_signing_algorithm: RS256 pkce: disabled token_format: self_contained responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an application. content: application/json: schema: $ref: '#/components/schemas/Application' examples: Success: value: id: 38833c36-6f47-4992-9329-ea0a00915137 realm_id: caf2ff640497591a tenant_id: 00011f1183c67b69 resource_server_id: 84db69f5-48a8-4c11-8cda-1bae3a73f07e display_name: Pet Application is_managed: false protocol_config: type: oidc allowed_scopes: - 'pets:read' - 'pets:write' client_id: AYYNcuOSpfqIf33JeegCzDIT client_secret: wWD4mPzdsjms1LPekQSo0v9scOHLWy5wmMtKAR2JNhJPAKXv confidentiality: confidential token_endpoint_auth_method: client_secret_post grant_type: - authorization_code redirect_uris: - 'https://auth.mypetapp.com/callback' token_configuration: subject_field: id expires_after: 86400 token_signing_algorithm: RS256 pkce: disabled token_format: self_contained '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' get: operationId: ListApplications tags: - Applications summary: List Applications for a Realm description: | To list all applications for a realm, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/applications`. The response will contain at most 100 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 100 items. There is no defined ordering of the list of applications in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'applications:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' responses: '200': description: | The response will be a JSON object with keys for `applications` and `total_size`. `applications` will be set to an array of application objects, each of which contains the standard application attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListApplicationsResponse' examples: Success: value: applications: - id: 38833c36-6f47-4992-9329-ea0a00915137 realm_id: caf2ff640497591a tenant_id: 00011f1183c67b69 resource_server_id: 84db69f5-48a8-4c11-8cda-1bae3a73f07e display_name: Pet Application is_managed: false protocol_config: type: oidc allowed_scopes: - 'pets:read' - 'pets:write' client_id: AYYNcuOSpfqIf33JeegCzDIT client_secret: wWD4mPzdsjms1LPekQSo0v9scOHLWy5wmMtKAR2JNhJPAKXv confidentiality: confidential token_endpoint_auth_method: client_secret_post grant_type: - authorization_code redirect_uris: - 'https://auth.mypetapp.com/callback' token_configuration: subject_field: id expires_after: 86400 token_signing_algorithm: RS256 pkce: disabled token_format: self_contained total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: value: code: bad_request message: invalid parameters '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: value: code: not_found message: The requested resource was not found. '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}': get: operationId: GetApplication tags: - Applications summary: Retrieve an Existing Application description: | To retrieve an existing application, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/applications/$APPLICATION_ID`. security: - BearerAuth: - 'applications:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/application_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an application. content: application/json: schema: $ref: '#/components/schemas/Application' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Application Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' patch: operationId: UpdateApplication tags: - Applications summary: Patch an Application description: | To update only specific attributes of an existing application, send a PATCH request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/applications/$APPLICATION_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. security: - BearerAuth: - 'applications:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/application_id' requestBody: content: application/json: schema: title: Update Application Request description: Request for UpdateApplication. type: object properties: application: $ref: '#/components/schemas/Application' required: - application examples: Update Display Name: value: application: display_name: Pet Application responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an application. content: application/json: schema: $ref: '#/components/schemas/Application' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Application Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' delete: operationId: DeleteApplication tags: - Applications summary: Delete an Application description: | To delete an application, send a DELETE request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/applications/$APPLICATION_ID`. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. security: - BearerAuth: - 'applications:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/application_id' responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Application Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs': post: operationId: CreateAuthenticatorConfig tags: - Authenticator Configurations summary: Create a New Authenticator Configuration description: | To create an authenticator configuration, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/authenticator-configs`. Values in the request body for read-only fields will be ignored. security: - BearerAuth: - 'authenticator-configs:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: content: application/json: schema: title: Create Authenticator Configuration Request description: Request for CreateAuthenticatorConfig. type: object properties: authenticator_config: $ref: '#/components/schemas/AuthenticatorConfig' required: - authenticator_config examples: Create Authenticator Configuration: value: authenticator_config: display_name: Pet Authenticator Configuration config: type: embedded invoke_url: 'http://localhost:8092' trusted_origins: - 'http://localhost:8092' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an authenticator configuration. content: application/json: schema: $ref: '#/components/schemas/AuthenticatorConfig' examples: Success Embedded: value: id: 73731b7f-eb76-4143-9b4b-81a720385f5a realm_id: caf2ff640497591a tenant_id: 00011f1183c67b69 display_name: Pet Authenticator Configuration config: type: embedded invoke_url: 'http://localhost:8092' invocation_type: automatic trusted_origins: - 'http://localhost:8092' authentication_methods: - type: email_one_time_password - type: software_passkey - type: webauthn_passkey Success Hosted Web: value: id: 73731b7f-eb76-4143-9b4b-81a720385f5a realm_id: caf2ff640497591a tenant_id: 00011f1183c67b69 display_name: Pet Authenticator Configuration config: type: hosted_web authentication_methods: - type: software_passkey trusted_origins: - 'http://localhost:8092' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' get: operationId: ListAuthenticatorConfigs tags: - Authenticator Configurations summary: List Authenticator Configurations for a Realm description: | To list all authenticator configurations for a realm, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/authenticator-configs`. The response will contain at most 100 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 100 items. There is no defined ordering of the list of authenticator configurations in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'authenticator-configs:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/filter' responses: '200': description: | The response will be a JSON object with a keys for `authenticator_configs` and `total_size`. `authenticator_configs` will be set to an array of authenticator configuration objects, each of which contains the standard authenticator configuration attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListAuthenticatorConfigsResponse' examples: Success: value: authenticator_configs: - id: 73731b7f-eb76-4143-9b4b-81a720385f5a realm_id: caf2ff640497591a tenant_id: 00011f1183c67b69 display_name: Pet Authenticator Configuration config: invoke_url: 'http://localhost:8092' invocation_type: automatic trusted_origins: - 'http://localhost:8092' type: embedded total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id}': get: operationId: GetAuthenticatorConfig tags: - Authenticator Configurations summary: Retrieve an Existing Authenticator Configuration description: | To retrieve an existing authenticator configuration, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/authenticator-configs/$AUTHENTICATOR_CONFIG_ID`. security: - BearerAuth: - 'authenticator-configs:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/authenticator_config_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an authenticator configuration. content: application/json: schema: $ref: '#/components/schemas/AuthenticatorConfig' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1authenticator-configs/post/responses/200/content/application~1json/examples/Success%20Embedded' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Authenticator Configuration Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' patch: operationId: UpdateAuthenticatorConfig tags: - Authenticator Configurations summary: Patch an Authenticator Configuration description: | To update only specific attributes of an existing authenticator configuration, send a PATCH request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/authenticator-configs/$AUTHENTICATOR_CONFIG_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. security: - BearerAuth: - 'authenticator-configs:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/authenticator_config_id' requestBody: content: application/json: schema: title: Update Authenticator Configuration Request description: Request for UpdateAuthenticatorConfig. type: object properties: authenticator_config: $ref: '#/components/schemas/AuthenticatorConfig' required: - authenticator_config examples: Update Embedded Invoke URL: value: authenticator_config: display_name: Pet Authenticator Configuration config: invoke_url: 'http://localhost:8092' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with an authenticator configuration. content: application/json: schema: $ref: '#/components/schemas/AuthenticatorConfig' examples: Success Embedded: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1authenticator-configs/post/responses/200/content/application~1json/examples/Success%20Embedded' Success Hosted Web: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1authenticator-configs/post/responses/200/content/application~1json/examples/Success%20Hosted%20Web' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Authenticator Configuration Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' delete: operationId: DeleteAuthenticatorConfig tags: - Authenticator Configurations summary: Delete an Authenticator Configuration description: | To delete an authenticator configuration, send a DELETE request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/authenticator-configs/$AUTHENTICATOR_CONFIG_ID`. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. security: - BearerAuth: - 'authenticator-configs:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/authenticator_config_id' responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Authenticator Configuration Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers': post: operationId: CreateResourceServer tags: - Resource Servers summary: Create a New Resource Server description: | To create a resource server, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers`. Values in the request body for read-only fields will be ignored. security: - BearerAuth: - 'resource-servers:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: content: application/json: schema: title: Create Resource Server Request description: Request for CreateResourceServer. type: object properties: resource_server: $ref: '#/components/schemas/ResourceServer' required: - resource_server examples: Create Resource Server: value: resource_server: display_name: Pet API identifier: 'https://api.mypetapp.com' scopes: - 'pets:read' - 'pets:write' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a resource server. content: application/json: schema: $ref: '#/components/schemas/ResourceServer' examples: Success: value: id: 84db69f5-48a8-4c11-8cda-1bae3a73f07e realm_id: caf2ff640497591a tenant_id: 00011f1183c67b69 display_name: Pet API is_managed: false identifier: 'https://api.mypetapp.com' scopes: - 'pets:read' - 'pets:write' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' get: operationId: ListResourceServers tags: - Resource Servers summary: List Resource Servers For a Realm description: | To list all resource servers for a realm, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers`. The response will contain at most 100 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 100 items. There is no defined ordering of the list of resource servers in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'resource-servers:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' responses: '200': description: | The response will be a JSON object with a keys for `resource_servers` and `total_size`. `resource_servers` will be set to an array of resource server objects, each of which contains the standard resource server attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/ListResourceServersResponse' examples: Success: value: resource_servers: - id: 84db69f5-48a8-4c11-8cda-1bae3a73f07e realm_id: caf2ff640497591a tenant_id: 00011f1183c67b69 display_name: Pet API is_managed: false identifier: 'https://api.mypetapp.com' scopes: - 'pets:read' - 'pets:write' total_size: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Realm Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}': get: operationId: GetResourceServer tags: - Resource Servers summary: Retrieve an Existing Resource Server description: | To retrieve an existing resource server, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID`. security: - BearerAuth: - 'resource-servers:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a resource server. content: application/json: schema: $ref: '#/components/schemas/ResourceServer' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers/post/responses/200/content/application~1json/examples/Success' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Server Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' patch: operationId: UpdateResourceServer tags: - Resource Servers summary: Patch a Resource Server description: | To update only specific attributes of an existing resource server, send a a PATCH request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. Scopes that are removed from a resource server will be asynchronously removed from all roles associated with the resource server. security: - BearerAuth: - 'resource-servers:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' requestBody: content: application/json: schema: title: Update Resource Server Request description: Request for UpdateResourceServer. type: object properties: resource_server: $ref: '#/components/schemas/ResourceServer' required: - resource_server examples: Update Display Name: value: resource_server: display_name: Pet API responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a resource server. content: application/json: schema: $ref: '#/components/schemas/ResourceServer' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1resource-servers/post/responses/200/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Malformed Request: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/patch/responses/400/content/application~1json/examples/Malformed%20Request' Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Server Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' delete: operationId: DeleteResourceServer tags: - Resource Servers summary: Delete a Resource Server description: | To delete a resource server, send a DELETE request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/resource-servers/$RESOURCE_SERVER_ID`. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. security: - BearerAuth: - 'resource-servers:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/resource_server_id' responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Server Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens': get: operationId: ListTokens tags: - Tokens summary: List Tokens description: | To list all tokens issued by an application, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/applications/$APPLICATION_ID/tokens`. The `$APPLICATION_ID` in path corresponds to the application that is the issuer of the token. To filter the list of tokens by a principal, set `principal_type` and `principal_id`. These parameters are optional. The response will contain at most 100 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 100 items. There is no defined ordering of the list of tokens in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. The skip is not maintained by the page token and must be specified on each subsequent request. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. security: - BearerAuth: - 'tokens:read' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/application_id' - $ref: '#/components/parameters/principal_type' - $ref: '#/components/parameters/principal_id' responses: '200': description: | The response will be a JSON object with keys called `tokens` and `total_size`. `tokens` will be set to an array of token objects, each of which contains the standard token attributes. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: title: List Tokens Response description: Response for ListTokens. type: object properties: tokens: type: array items: title: Token type: object description: | A token represents a record of an access token or a refresh token issued by Beyond Identity. properties: id: type: string description: | A unique identifier for a token. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. For JWS tokens, the token_id is the same as the value of the `jti` claim. readOnly: true example: cTXMRjNrTz7w3p7wO5HJ5cUTpFt5Z3yL display_name: type: string description: | A human-readable name for the token. This name is used for display purposes. example: Testing token only for creating identities scopes: type: array items: type: string example: 'applications:create' description: | A list of scopes granted by this token. This field is immutable and read-only. readOnly: true token_suffix: type: string description: | The last few characters of the cryptographic string that corresponds to this token. This can be used to identify which token the listing entry corresponds to. This field is immutable and read-only. readOnly: true example: JV_adQssw5c token_format: description: | Format of the token. Allowable values are: - `self_contained`: token in JWT format. - `referential`: Encoded token which requires /introspect call in order to retrieve token claims. type: string example: self_contained readOnly: true expires: type: integer format: uint32 description: | The expiration time of this token formatted as a unix timestamp in seconds. This field is immutable and read-only. readOnly: true example: 1677246914 issued_at: type: integer format: uint32 description: | The time when this token has been issued formatted as a unix timestamp in seconds. This field is immutable and read-only. readOnly: true example: 1677246914 token_type: type: string description: | Type of the token. Allowable values are: - `access` - `refresh` - `identity` readOnly: true example: access maxItems: 100 description: | An unordered array of tokens corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - tokens - total_size examples: Success: value: tokens: - id: cTXMRjNrTz7w3p7wO5HJ5cUTpFt5Z3yL display_name: Testing token only for creating applications scopes: - 'applications:create' token_suffix: JV_adQssw5c token_format: self_contained expires: 1677246914 issued_at: 1677246914 token_type: access total_size: 1 '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Application Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens/{token_id}': delete: operationId: RevokeToken tags: - Tokens summary: Revoke a Token description: | To revoke a token, send a DELETE request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/applications/$APPLICATION_ID/tokens/$TOKEN_ID`. The `$APPLICATION_ID` in path corresponds to the application that is the issuer of the token. A successful request will receive a 200 status code with no body in the response. This indicates that the request was processed successfully. If the token ID is not available, the access token must be revoked via the [RFC-7009 revoke endpoint](https://developer.beyondidentity.com/docs/revoke-access-tokens). security: - BearerAuth: - 'tokens:delete' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' - $ref: '#/components/parameters/application_id' - $ref: '#/components/parameters/token_id' responses: '200': description: The action was successful and the response body is empty. '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Insufficient Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/403/content/application~1json/examples/Insufficient%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Application Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1applications/get/responses/404/content/application~1json/examples/Realm%20Not%20Found' '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users': post: tags: - SCIM operationId: SCIMCreateUser summary: Create a New User description: | To create a user, send a POST request to `/Users`. Values in the request body for read-only fields will be ignored. security: - BearerAuth: - 'scim:users:create' requestBody: content: application/json: schema: title: Create User Request description: Request for CreateUser. type: object properties: user: $ref: '#/components/schemas/SCIMUser' required: - user examples: Create User: value: schemas: - 'urn:ietf:params:scim:schemas:core:2.0:User' active: true userName: bjensen displayName: Ms. Barbara Jensen externalId: bjensen name: familyName: Jensen givenName: Barbara emails: - value: bjensen@example.com primary: true responses: '201': description: | The response will be a JSON object containing the standard attributes associated with a user. content: application/json: schema: $ref: '#/components/schemas/SCIMUser' examples: Success: value: schemas: - 'urn:ietf:params:scim:schemas:core:2.0:User urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' id: 2819c223-7f76-453a-919d-413861904646 externalId: bjensen userName: bjensen displayName: Ms. Barbara J Jensen III name: - familyName: Jensen - givenName: Barbara active: true emails: - primary: true value: bjensen@example.com meta: resourceType: User created: '2022-10-12T05:11:47Z' lastModified: '2023-03-30T06:00:03Z' location: Users/2819c223-7f76-453a-919d-413861904646 version: W/0 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': employeeNumber: '12345' costCenter: Finance department: Accounting manager: - value: '54321' displayName: Jane Doe '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' get: tags: - SCIM operationId: SCIMListUsers summary: List All Users description: | To list all users, send a GET request to `/Users`. Currently, filtering on users only supports the `eq` and `ne` operators and the `userName` and `externalId` attributes. The response will contain at most 1000 items. If count is not specified or is zero, the response will not contain any resources. There is no defined ordering of the list of users in the response. Note that the maximum page size is subject to change. security: - BearerAuth: - 'scim:users:read' parameters: - $ref: '#/components/parameters/scim_filter' - $ref: '#/components/parameters/scim_count' - $ref: '#/components/parameters/scim_start_index' responses: '200': description: | The response will be a ListResponse containing the users corresponding to the request. The `totalResults` key may be used to determine whether there are additional pages to fetch for the request. content: application/json: schema: title: List Users Response description: Response for ListUsers. type: object properties: schemas: type: array description: | The list of schemas used to define the list response. This only contains the ListResponse schema ("urn:ietf:params:scim:api:messages:2.0:ListResponse"). items: type: string example: 'urn:ietf:params:scim:api:messages:2.0:ListResponse' Resources: type: array description: | An array of users corresponding to the filter from the request. items: $ref: '#/components/schemas/SCIMUser' maxItems: 1000 totalResults: type: integer format: uint32 description: | Total number of results matching the request. This value may be larger than the number of resources returned, such as when returning a single page of results where multiple pages are available. startIndex: type: integer format: uint32 description: | The 1-based index of the first result in the current set of list results. itemsPerPage: type: integer format: uint32 description: | The number of resources returned in a list response page. required: - schemas - Resources - totalResults - startIndex - itemsPerPage examples: Success: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:ListResponse' Resources: - schemas: - 'urn:ietf:params:scim:schemas:core:2.0:User urn:ietf:params:scim:schemas:extension:enterprise:2.0:User' id: 2819c223-7f76-453a-919d-413861904646 externalId: bjensen userName: bjensen displayName: Ms. Barbara J Jensen III name: - familyName: Jensen - givenName: Barbara active: true emails: - primary: true value: bjensen@example.com meta: resourceType: User created: '2022-10-12T05:11:47Z' lastModified: '2023-03-30T06:00:03Z' location: Users/2819c223-7f76-453a-919d-413861904646 version: W/0 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': employeeNumber: '12345' costCenter: Finance department: Accounting manager: - value: '54321' displayName: Jane Doe itemsPerPage: 1000 startIndex: 1 totalResults: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:Error' status: '400' scimType: invalidValue detail: 'A required value was missing, or the value specified was not compatible with the operation or attribute type, or resource schema.' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:Error' status: '401' detail: The authorization header is invalid or missing. scimType: unauthorized '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:Error' status: '403' detail: token is unauthorized. scimType: forbidden '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:Error' status: '500' '/v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id}': get: tags: - SCIM operationId: SCIMGetUser summary: Retrieve an Existing User description: | To retrieve an existing user, send a GET request to `/Users/$USER_ID`. security: - BearerAuth: - 'scim:users:read' parameters: - $ref: '#/components/parameters/scim_user_id' responses: '200': description: OK. content: application/json: schema: $ref: '#/components/schemas/SCIMUser' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: User Not Found: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:Error' status: '404' detail: Resource 2819c223-7f76-453a-919d-413861904646 not found. '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' patch: tags: - SCIM operationId: SCIMUpdateUser summary: Patch a User description: | To update only specific attributes of an existing user, send a PATCH request to `/Users/$USER_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. Note that the Beyond Identity SCIM server currently does not support atomic PATCH operations. If a request contains multiple operations, the request may be partially applied. Currently, only "add" and "replace" operations are supported for users. security: - BearerAuth: - 'scim:users:update' parameters: - $ref: '#/components/parameters/scim_user_id' requestBody: content: application/json: schema: title: Update User Request description: Request for UpdateUser. type: object properties: user: $ref: '#/components/schemas/SCIMUser' required: - user examples: Update Display Name: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:PatchOp' Operations: - op: replace path: displayName value: Ms. Barbara J Jensen III responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a user. content: application/json: schema: $ref: '#/components/schemas/SCIMUser' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/post/responses/201/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: User Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users~1%7Buser_id%7D/get/responses/404/content/application~1json/examples/User%20Not%20Found' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' put: tags: - SCIM operationId: SCIMReplaceUser summary: Replace a User description: | To replace all attributes of an existing user, send a PUT request to `/Users/$USER_ID`. Values in the request body for immutable or read-only fields will be ignored. security: - BearerAuth: - 'scim:users:update' parameters: - $ref: '#/components/parameters/scim_user_id' requestBody: content: application/json: schema: title: Update User Request description: Request for UpdateUser. type: object properties: user: $ref: '#/components/schemas/SCIMUser' required: - user examples: Replace User: value: schemas: - 'urn:ietf:params:scim:schemas:core:2.0:User' active: true userName: bjensen externalId: bjensen displayName: Ms. Barbara J Jensen III name: familyName: Jensen givenName: Barbara emails: - value: bjensen@example.com primary: true responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a user. content: application/json: schema: $ref: '#/components/schemas/SCIMUser' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/post/responses/201/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: User Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users~1%7Buser_id%7D/get/responses/404/content/application~1json/examples/User%20Not%20Found' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' delete: tags: - SCIM operationId: SCIMDeleteUser summary: Delete a User description: 'To delete a user, send a DELETE request to `/Users/$USER_ID`.' security: - BearerAuth: - 'scim:users:delete' parameters: - $ref: '#/components/parameters/scim_user_id' responses: '204': description: The action was successful and the response body is empty. '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: User Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users~1%7Buser_id%7D/get/responses/404/content/application~1json/examples/User%20Not%20Found' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/': post: tags: - SCIM operationId: SCIMCreateGroup summary: Create a New Group description: | To create a group, send a POST request to `/Groups`. Values in the request body for read-only fields will be ignored. security: - BearerAuth: - 'scim:groups:create' requestBody: content: application/json: schema: title: Create Group Request description: Request for CreateGroup. type: object properties: group: $ref: '#/components/schemas/SCIMGroup' required: - group examples: Create Group: value: schemas: - 'urn:ietf:params:scim:schemas:core:2.0:Group' id: 22e7c78c-39ff-4501-8ed4-32d0479e54c1 displayName: Test Group responses: '201': description: | The response will be a JSON object containing the standard attributes associated with a group. content: application/json: schema: $ref: '#/components/schemas/SCIMGroup' examples: Success: value: schemas: - 'urn:ietf:params:scim:schemas:core:2.0:Group' id: 22e7c78c-39ff-4501-8ed4-32d0479e54c1 displayName: Test Group meta: created: '2023-04-10T06:08:28Z' lastModified: '2023-04-10T06:08:28Z' location: Groups/22e7c78c-39ff-4501-8ed4-32d0479e54c1 resourceType: Group version: W/0 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' get: tags: - SCIM operationId: SCIMListGroups summary: List All Groups description: | To list all groups, send a GET request to `/Groups`. Currently, filtering on groups only supports the `eq` and `ne` operators and the `displayName` attribute. The response will contain at most 1000 items. If count is not specified or is zero, the response will not contain any resources. There is no defined ordering of the list of groups in the response. Note that the maximum page size is subject to change. Members will not be returned with the group. security: - BearerAuth: - 'scim:groups:read' parameters: - $ref: '#/components/parameters/scim_filter' - $ref: '#/components/parameters/scim_count' - $ref: '#/components/parameters/scim_start_index' responses: '200': description: | The response will be a ListResponse containing the groups corresponding to the request. The `totalResults` key may be used to determine whether there are additional pages to fetch for the request. content: application/json: schema: title: List Groups Response description: Response for ListGroups. type: object properties: schemas: type: array description: | The list of schemas used to define the list response. This only contains the ListResponse schema ("urn:ietf:params:scim:api:messages:2.0:ListResponse"). items: type: string example: 'urn:ietf:params:scim:api:messages:2.0:ListResponse' Resources: type: array description: | An array of groups corresponding to the filter from the request. items: $ref: '#/components/schemas/SCIMGroup' maxItems: 1000 totalResults: type: integer format: uint32 description: | Total number of results matching the request. This value may be larger than the number of resources returned, such as when returning a single page of results where multiple pages are available. startIndex: type: integer format: uint32 description: | The 1-based index of the first result in the current set of list results. itemsPerPage: type: integer format: uint32 description: | The number of resources returned in a list response page. required: - schemas - Resources - totalResults - startIndex - itemsPerPage examples: Success: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:ListResponse' Resources: - schemas: - 'urn:ietf:params:scim:schemas:core:2.0:Group' id: 22e7c78c-39ff-4501-8ed4-32d0479e54c1 displayName: Test Group meta: created: '2023-04-10T06:08:28Z' lastModified: '2023-04-10T06:08:28Z' location: Groups/22e7c78c-39ff-4501-8ed4-32d0479e54c1 resourceType: Group version: W/0 itemsPerPage: 1000 startIndex: 1 totalResults: 1 '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id}': get: tags: - SCIM operationId: SCIMGetGroup summary: Retrieve an existing group description: | To retrieve an existing group, send a GET request to `/Groups/$GROUP_ID`. security: - BearerAuth: - 'scim:groups:read' parameters: - $ref: '#/components/parameters/scim_group_id' responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a group. content: application/json: schema: $ref: '#/components/schemas/SCIMGroup' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Group Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users~1%7Buser_id%7D/get/responses/404/content/application~1json/examples/User%20Not%20Found' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' patch: tags: - SCIM operationId: SCIMUpdateGroup summary: Patch a Group description: | To update only specific attributes of an existing group, send a PATCH request to `/Groups/$GROUP_ID`. Values in the request body for immutable or read-only fields will be ignored. Fields that are omitted from the request body will be left unchanged. Note that the Beyond Identity SCIM server currently does not support atomic PATCH operations. If a request contains multiple operations, the request may be partially applied. The Beyond Identity SCIM server also does not support modifying both a group and its membership in the same operation. For example, a PATCH request to update a group's display name and its membership should specify two separate operations, one to update the display name and the other to modify the membership. Currently, "replace" operations are supported for displayName while "add" and "remove" operations are supported for members. Multiple members may be added at a time, but batch remove is not supported. Note that while member changes will take affect, they will not be reflected in the response as members are not currently returned with groups. security: - BearerAuth: - 'scim:groups:update' parameters: - $ref: '#/components/parameters/scim_group_id' requestBody: content: application/json: schema: title: Update Group Request description: Request for UpdateGroup. type: object properties: group: $ref: '#/components/schemas/SCIMGroup' required: - group examples: Replace DisplayName: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:PatchOp' Operations: - op: replace path: displayName value: Test Group Add Members: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:PatchOp' Operations: - op: add path: members value: - value: 6c9f819d6a0f1b57 - value: a46bd3fb5c62d80d Remove Member: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:PatchOp' Operations: - op: remove path: members value: - value: 6c9f819d6a0f1b57 responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a group. content: application/json: schema: $ref: '#/components/schemas/SCIMGroup' examples: Success: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Groups~1/post/responses/201/content/application~1json/examples/Success' '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Group Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users~1%7Buser_id%7D/get/responses/404/content/application~1json/examples/User%20Not%20Found' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' delete: tags: - SCIM operationId: SCIMDeleteGroup summary: Delete a Group description: | To delete a group, send a DELETE request to `/Groups/$GROUP_ID`. security: - BearerAuth: - 'scim:groups:delete' parameters: - $ref: '#/components/parameters/scim_group_id' responses: '204': description: The action was successful and the response body is empty. '400': description: Bad request. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Invalid Parameters: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/400/content/application~1json/examples/Invalid%20Parameters' '401': description: Unauthorized. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/401/content/application~1json/examples/Missing%20Authorization' '403': description: Forbidden. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Missing Authorization: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/403/content/application~1json/examples/Missing%20Authorization' '404': description: The resource was not found. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Group Not Found: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users~1%7Buser_id%7D/get/responses/404/content/application~1json/examples/User%20Not%20Found' '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/ResourceTypes': get: tags: - SCIM operationId: ListResourceTypes summary: List All Resource Types description: | To list all supported resource types, send a GET request to `/ResourceTypes`. responses: '200': description: | The response will be a list of JSON objects, each of which contains the standard resource type attributes. content: application/json: schema: title: List Resource Types Response description: Response for ListResourceTypes. type: object properties: schemas: type: array description: | The list of schemas used to define the list response. This only contains the ListResponse schema ("urn:ietf:params:scim:api:messages:2.0:ListResponse"). items: type: string example: 'urn:ietf:params:scim:api:messages:2.0:ListResponse' Resources: type: array description: An array of resource types corresponding to the request. items: $ref: '#/components/schemas/SCIMResourceType' maxItems: 1000 totalResults: type: integer format: uint32 description: | Total number of results matching the request. This value may be larger than the number of resources returned, such as when returning a single page of results where multiple pages are available. startIndex: type: integer format: uint32 description: | The 1-based index of the first result in the current set of list results. itemsPerPage: type: integer format: uint32 description: | The number of resources returned in a list response page. required: - schemas - Resources - totalResults - startIndex - itemsPerPage examples: Success: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:ListResponse' Resources: - schemas: - 'urn:ietf:params:scim:schemas:core:2.0:ResourceType' id: User name: User description: User Account endpoint: /Users schema: 'urn:ietf:params:scim:schemas:core:2.0:User' schemaExtensions: [] - schemas: - 'urn:ietf:params:scim:schemas:core:2.0:ResourceType' id: Group name: Group description: User Groups endpoint: /Groups schema: 'urn:ietf:params:scim:schemas:core:2.0:Group' schemaExtensions: - required: false schema: 'urn:scim:schemas:extension:byndid:1.0:Group' itemsPerPage: 1000 startIndex: 1 totalResults: 2 '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Schemas': get: tags: - SCIM operationId: ListSchemas summary: List All Schemas description: | To list all supported resource schemas, send a GET request to `/Schemas`. responses: '200': description: | The response will be a list of JSON objects, each of which contains the standard resource schema attributes. content: application/json: schema: title: List Schemas Response description: Response for ListSchemas. type: object properties: schemas: type: array description: | The list of schemas used to define the list response. This only contains the ListResponse schema ("urn:ietf:params:scim:api:messages:2.0:ListResponse"). items: type: string example: 'urn:ietf:params:scim:api:messages:2.0:ListResponse' Resources: type: array description: An array of schemas corresponding to the request. items: $ref: '#/components/schemas/SCIMSchema' maxItems: 1000 totalResults: type: integer format: uint32 description: | Total number of results matching the request. This value may be larger than the number of resources returned, such as when returning a single page of results where multiple pages are available. startIndex: type: integer format: uint32 description: | The 1-based index of the first result in the current set of list results. itemsPerPage: type: integer format: uint32 description: | The number of resources returned in a list response page. required: - schemas - Resources - totalResults - startIndex - itemsPerPage examples: Success: value: schemas: - 'urn:ietf:params:scim:api:messages:2.0:ListResponse' Resources: - id: 'urn:ietf:params:scim:schemas:core:2.0:User' name: User description: User resource attributes: - name: externalId type: string description: | A String that is an identifier for the resource as defined by the provisioning client. caseExact: true multiValued: false mutability: readWrite required: true returned: always uniqueness: server - name: userName type: string caseExact: true description: | The username of the user. The value of this field will be returned as the subject of a OIDC ID Token. multiValued: false mutability: readWrite required: true returned: always uniqueness: server - name: displayName type: string caseExact: true description: | The name of the User, suitable for display to end-users. The name SHOULD be the full name of the User being described, if known. multiValued: false mutability: readWrite required: true returned: always uniqueness: none - name: active type: boolean description: | A Boolean value indicating the User's administrative status within the Beyond Identity Service. multiValued: false mutability: readWrite required: true returned: always - name: name type: complex description: The components of the user's real name. multiValued: false mutability: readWrite required: false returned: request subAttributes: - name: familyName type: string description: | The family name of the User, or last name in most Western languages (e.g., 'Jensen' given the full name 'Ms. Barbara J Jensen, III'). caseExact: true multiValued: false mutability: readWrite required: true returned: request uniqueness: none - name: givenName type: string description: | The given name of the User, or first name in most Western languages (e.g., "Barbara" given the full name "Ms. Barbara Jane Jensen, III"). caseExact: true multiValued: false mutability: readWrite required: true returned: request uniqueness: none - name: emails type: complex description: | Email addresses for the User. Providing a primary is required. multiValued: true mutability: readWrite required: true returned: always subAttributes: - name: value type: string description: '' caseExact: false multiValued: false mutability: readWrite required: false returned: default uniqueness: none - name: primary type: boolean description: '' multiValued: false mutability: readWrite required: false returned: default - id: 'urn:ietf:params:scim:schemas:core:2.0:Group' name: Group description: Group resource attributes: - name: id type: string description: group id caseExact: false multiValued: false mutability: readWrite required: false returned: default uniqueness: server - name: displayName type: string description: A human-readable name for the Group. caseExact: false multiValued: false mutability: readWrite required: false returned: default uniqueness: server - name: members type: complex description: A list of members of the group. multiValued: true mutability: readWrite required: false returned: default subAttributes: - name: value type: string description: Identifier of the member of this Group. caseExact: false multiValued: false mutability: immutable required: false returned: default uniqueness: none - name: '' type: reference description: | The URI corresponding to a SCIM resource that is a member of this Group. caseExact: true multiValued: false mutability: immutable referenceTypes: - User required: false returned: default uniqueness: none - name: type type: string description: A label indicating the type of resource canonicalValues: - User - Group caseExact: false multiValued: false mutability: immutable required: false returned: default uniqueness: none itemsPerPage: 1000 startIndex: 1 totalResults: 2 '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/ServiceProviderConfig': get: tags: - SCIM operationId: GetServiceProviderConfig summary: Retrieve the Service Provider Configuration description: | To retrieve the service provider configuration, send a GET request to `/ServiceProviderConfig`. responses: '200': description: | The response will be a JSON object containing the standard attributes associated with a service provider configuration. content: application/json: schema: $ref: '#/components/schemas/SCIMServiceProviderConfig' examples: Internal Error: value: schemas: - 'urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig' authenticationSchemes: - name: '' description: '' documentationUri: '' primary: false specUri: '' type: oauthbearertoken bulk: maxOperations: 1000 maxPayloadSize: 1048576 supported: false changePassword: supported: false documentationUri: '' etag: supported: false filter: maxResults: 1000 supported: true patch: supported: true sort: supported: false '429': description: Rate limit exceeded. headers: RateLimit-Limit: schema: type: string description: 'Request limit per time window (see https://www.ietf.org/archive/id/draft-polli-ratelimit-headers-02.html#section-toc.1-1.3.2.1.1).' example: 1 RateLimit-Remaining: schema: type: integer description: The number of requests left for the time window. example: 0 RateLimit-Reset: schema: type: integer description: Number of seconds until the current rate limit window resets. example: 30 '500': description: Server error. content: application/json: schema: $ref: '#/components/schemas/SCIMError' examples: Internal Error: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1scim~1v2~1Users/get/responses/500/content/application~1json/examples/Internal%20Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs': post: summary: Create a new SSO Config. description: | To create a new SSO Config, send a POST request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/sso-configs`. tags: - SSO Configs operationId: CreateSsoConfig parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' security: - BearerAuth: - 'sso-configs:create' requestBody: content: application/json: schema: $ref: '#/components/schemas/SsoConfigEnvelope' responses: '200': description: The sso config has been created. headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' content: application/json: schema: description: Represents an SSO config as a response body. type: object required: - id - display_name - payload properties: id: description: A unique identifier for an SSO config. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. type: string format: uuid display_name: description: A human-readable name for the SSO config. This name is used for display purposes. type: string payload: oneOf: - type: object required: - type - login_link properties: type: $ref: '#/components/schemas/SsoConfigType' login_link: type: string icon: type: string is_tile_visible: type: boolean application_tile_id: type: string - type: object required: - type - redirect_uris - application_id - authenticator_config_id - resource_server_id - oidc_configuration - client_id - discover_endpoint properties: type: $ref: '#/components/schemas/SsoConfigType' redirect_uris: type: array items: type: string oidc_configuration: type: object required: - grant_types_supported - introspect_endpoint - issuer - jwks_uri - response_types_supported - token_endpoint - token_endpoint_auth_methods_supported properties: issuer: type: string authorization_endpoint: type: string nullable: true token_endpoint: type: string userinfo_endpoint: type: string nullable: true jwks_uri: type: string response_types_supported: type: array items: type: string enum: - code - id_token token_endpoint_auth_methods_supported: type: array items: $ref: '#/components/schemas/TokenEndpointAuthMethod' client_id: description: The client ID for the idp application. type: string inbound_scim: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/8/allOf/0' application_id: type: string authenticator_config_id: type: string resource_server_id: type: string discover_endpoint: $ref: '#/components/schemas/SsoConfigEntraIdExternalAuthMethod/properties/discover_endpoint' - type: object required: - type - redirect_uris - scopes - trusted_origins - confidentiality - pkce - application_id - authenticator_config_id - resource_server_id - oidc_configuration - client_id properties: type: $ref: '#/components/schemas/SsoConfigType' redirect_uris: type: array items: type: string scopes: type: array items: type: string trusted_origins: type: array items: type: string login_link: type: string icon: type: string is_tile_visible: type: boolean confidentiality: $ref: '#/components/schemas/Confidentiality' pkce: $ref: '#/components/schemas/PkceConfig' oidc_configuration: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/1/properties/oidc_configuration' client_id: description: The client ID for the idp application. type: string client_secret: description: The client secret to authenticate as the idp application. type: string inbound_scim: $ref: '#/components/schemas/SsoConfigType' application_id: type: string authenticator_config_id: type: string resource_server_id: type: string application_tile_id: type: string - type: object required: - type - client_id - pkce - identifying_claim_name - identity_attribute - authorization_endpoint - token_endpoint - jwks_endpoint - redirect_uri - identity_provider_id properties: type: $ref: '#/components/schemas/SsoConfigType' client_id: description: The client ID for the idp application. type: string client_secret: description: The client secret to authenticate as the idp application. type: string pkce: $ref: '#/components/schemas/PkceConfig' id_token_scopes: type: array items: type: string identifying_claim_name: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' authorization_endpoint: type: string nullable: true token_endpoint: type: string jwks_endpoint: type: string redirect_uri: type: string identity_provider_id: type: string - type: object properties: type: $ref: '#/components/schemas/SsoConfigType' acs_url: type: string description: The Assertion Consumer Service (ACS) URL where the SAML assertions are sent. override_recipient_and_destination: type: boolean description: Flag to override the recipient and destination URLs in the SAML response. recipient_url: type: string description: The recipient URL for the SAML response. destination_url: type: string description: The destination URL for the SAML response. audience_url: type: string description: The URL that identifies the intended audience for the SAML assertion. default_relay_state: type: string description: The default relay state parameter for the SAML response. name_format: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/name_format' description: The format of the NameID in the SAML assertion. authentication_context: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/authentication_context' description: The authentication context for the SAML assertion. subject_user_name_attribute: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/subject_user_name_attribute' description: The attribute used for the subject's username in the SAML assertion. sign_envelope: type: boolean description: Flag indicating whether to sign the SAML envelope. sign_assertions: type: boolean description: Flag indicating whether to sign the SAML assertions. signature_algorithm: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/signature_algorithm' description: The algorithm used for signing the SAML assertions. digest_algorithm: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/digest_algorithm' description: The algorithm used for the digest of the SAML assertions. encrypt_assertions: type: boolean description: Flag indicating whether to encrypt the SAML assertions. assertion_validity_duration_seconds: type: integer format: int32 description: The duration (in seconds) for which the SAML assertion is valid. assertion_encryption_algorithm: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/assertion_encryption_algorithm' description: The algorithm used for encrypting the SAML assertions. assertion_key_transport_algorithm: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/assertion_key_transport_algorithm' description: The algorithm used for key transport when encrypting SAML assertions. assertion_encryption_public_key: type: string description: The public key used for encrypting the SAML assertions. sp_signature_certificates: type: array items: $ref: '#/components/schemas/SsoConfigSamlPartialUpdate/properties/sp_signature_certificates/items' description: The certificates used for signing the SAML assertions. enable_single_log_out: type: boolean description: Flag indicating whether to enable single logout (SLO) functionality. single_log_out_url: type: string description: The URL for single logout (SLO). single_log_out_issuer_url: type: string description: The issuer URL for single logout (SLO). single_log_out_binding: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/single_log_out_binding' description: The binding method for single logout (SLO) requests. single_logout_sign_request_and_response: type: boolean description: Flag indicating whether to sign the single logout (SLO) requests and responses. validate_signed_requests: type: boolean description: Flag indicating whether to validate signed SAML requests. other_sso_urls: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/other_sso_urls' description: Other SSO URLs associated with the configuration. additional_user_attributes: description: Additional user attributes to include in the SAML assertions. type: array items: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/additional_user_attributes' icon: type: string description: The icon associated with the SSO configuration. is_tile_visible: type: boolean description: Flag indicating whether the configuration tile is visible. application_id: type: string description: The application ID associated with the SSO configuration. authenticator_config_id: type: string description: The authenticator configuration ID. application_tile_id: type: string description: The application tile ID. idp_initiated_url: type: string description: The URL for IdP-initiated SSO. sp_initiated_url: type: string description: The URL for SP-initiated SSO. inbound_scim: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/8/allOf/0' use_short_url: default: false type: boolean description: Changes the EntityID in the SAML response to a shorter version. This is to support applications with URL restrictions. short_sp_initiated_url: type: string description: This is the shortened URL that will be used to initiate a SAML login from the service provider side. Generated and provided by Beyond Identity. This should only be displayed when `use_short_urls` is true. short_entity_id_url: type: string description: This is the shortened URL that we will use as our issuer inside of a SAML response. - type: object required: - type - client_id - pkce - identifying_claim_name - identity_attribute - okta_domain - authorization_endpoint - token_endpoint - jwks_endpoint - redirect_uri - identity_provider_id properties: type: $ref: '#/components/schemas/SsoConfigType' client_id: description: The client ID for the idp application. type: string client_secret: description: The client secret to authenticate as the idp application. type: string pkce: allOf: - $ref: '#/components/schemas/PkceConfig' id_token_scopes: type: array items: type: string identifying_claim_name: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' okta_domain: type: string authorization_endpoint: type: string nullable: true token_endpoint: type: string jwks_endpoint: type: string redirect_uri: type: string identity_provider_id: type: string inbound_scim: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/8/allOf/0' - type: object required: - type - pkce - oidc_configuration - client_id - client_secret - application_id - authenticator_config_id - okta_registration properties: type: $ref: '#/components/schemas/SsoConfigType' pkce: allOf: - $ref: '#/components/schemas/PkceConfig' oidc_configuration: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/1/properties/oidc_configuration' client_id: description: The client ID for the idp application. type: string client_secret: description: The client secret to authenticate as the idp application. type: string okta_registration: $ref: '#/components/schemas/SsoConfigOktaBiIdp/properties/okta_registration' inbound_scim: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/8/allOf/0' application_id: type: string authenticator_config_id: type: string - type: object required: - type - company_identifier properties: type: $ref: '#/components/schemas/SsoConfigType' company_identifier: type: string - type: object required: - type - application_id - client_id - client_secret - scim_url - token_endpoint properties: type: $ref: '#/components/schemas/SsoConfigType' allOf: - type: object required: - application_id - client_id - client_secret - scim_url - token_endpoint properties: application_id: type: string client_id: description: The client ID for the scim application. type: string client_secret: description: The client secret for the scim application. type: string scim_url: description: Beyond Identity Scim server endpoint type: string token_endpoint: type: string - type: object required: - type - acs_url - override_recipient_and_destination - audience_url - default_relay_state - name_format - authentication_context - subject_user_name_attribute - sign_envelope - sign_assertions - signature_algorithm - digest_algorithm - encrypt_assertions - assertion_validity_duration_seconds - sp_signature_certificates - enable_single_log_out - validate_signed_requests - additional_user_attributes - application_id - authenticator_config_id - idp_initiated_url - sp_initiated_url properties: type: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/8/allOf/0' description: The type of SSO configuration. acs_url: type: string expiration_time_seconds: type: integer format: int32 audience_url: type: string digest_algorithm: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/digest_algorithm' signature_algorithm: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/signature_algorithm' name_format: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/name_format' subject_user_name_attribute: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/subject_user_name_attribute' authentication_context: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/authentication_context' additional_user_attributes: type: array items: $ref: '#/components/schemas/SsoConfigWsFed/properties/additional_user_attributes/items' icon: type: string description: The icon associated with the SSO configuration. is_tile_visible: type: boolean description: Flag indicating whether the configuration tile is visible. application_id: type: string description: The application ID associated with the SSO configuration. authenticator_config_id: type: string description: The authenticator configuration ID. application_tile_id: type: string description: The application tile ID. idp_sso_url: type: string idp_issuer_url: type: string metadata_url: type: string inbound_scim: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/8/allOf/0' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' get: summary: List SSO Configs for a Realm. description: | To list SSO Configs for a Realm, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/sso-configs`. The response will contain at most 200 items and may contain a page token to query the remaining items. If page size is not specified, the response will contain 20 items. There is no defined ordering of the list of identities in the response. Note that the maximum and default page sizes are subject to change. When paginating, the page size is maintained by the page token but may be overridden on subsequent requests. Page tokens expire after one week. Requests which specify an expired page token will result in undefined behavior. tags: - SSO Configs operationId: listSsoConfigs parameters: - $ref: '#/components/parameters/correlation_id' - name: tenant_id in: path description: A unique identifier for a tenant. required: true schema: type: string example: 000176d94fd7b4d1 - name: realm_id in: path description: A unique identifier for a realm. required: true schema: type: string example: 19a95130480dfa79 - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - name: type in: query required: false description: The type of sso config to filter by. You may query with multiple types for example "/sso-configs?type=generic_oidc&type=generic_oid_idp" schema: type: array items: $ref: '#/components/schemas/SsoConfigType' - name: is_migrated in: query required: false schema: type: boolean - name: order_by in: query required: false schema: type: string security: - BearerAuth: - 'sso-configs:read' responses: '200': description: Successful response. content: application/json: schema: description: Represents a list of sso configs as a response body. type: object required: - sso_configs - total_size properties: sso_configs: description: The sso configs which are part of the response. type: array items: description: Represents an SSO config as a response body. type: object required: - id - display_name - payload properties: id: description: A unique identifier for an SSO config. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. type: string format: uuid display_name: description: A human-readable name for the SSO config. This name is used for display purposes. type: string payload: oneOf: - type: object required: - type - login_link properties: type: $ref: '#/components/schemas/SsoConfigType' login_link: type: string icon: type: string is_tile_visible: type: boolean - type: object required: - type - redirect_uris - discover_endpoint properties: type: $ref: '#/components/schemas/SsoConfigType' redirect_uris: type: array items: type: string discover_endpoint: $ref: '#/components/schemas/SsoConfigEntraIdExternalAuthMethod/properties/discover_endpoint' - type: object required: - type - redirect_uris properties: type: $ref: '#/components/schemas/SsoConfigType' redirect_uris: type: array items: type: string login_link: type: string icon: type: string is_tile_visible: type: boolean - type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' - type: object required: - type properties: type: description: The type of the SSO configuration. $ref: '#/components/schemas/SsoConfigType' icon: description: The URL or data URI of the icon representing the SSO configuration. type: string is_tile_visible: description: Indicates if the SSO configuration tile is visible to the user. type: boolean - type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' - type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' - type: object required: - type - company_identifier properties: type: $ref: '#/components/schemas/SsoConfigType' company_identifier: type: string - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema/properties/payload/oneOf/8' - type: object required: - type properties: type: description: The type of the SSO configuration. $ref: '#/components/schemas/SsoConfigType' icon: description: The URL or data URI of the icon representing the SSO configuration. type: string is_tile_visible: description: Indicates if the SSO configuration tile is visible to the user. type: boolean total_size: description: The total number of sso configs contained by the Realm. type: integer format: uint minimum: 0 next_page_token: description: The value to be passed as the page_token parameter to retrieve the next page. type: string nullable: true headers: x-correlation-id: description: 'Correlation ID. If supplied with the request, the response must contain the same value. If not supplied with the request, it is generated by the server and returned in the response.' required: true schema: type: string '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}': get: summary: Retrieves an existing SSO Config. description: | To retrieve an existing SSO Config, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/sso-configs/$SSO_CONFIG_ID`. tags: - SSO Configs operationId: GetSsoConfig security: - BearerAuth: - 'sso-configs:read' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' responses: '200': description: The sso config has been found. headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' content: application/json: schema: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '404': description: sso config not found. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' patch: summary: Updates an SSO Config by its ID. description: Updates an SSO Config by its ID. tags: - SSO Configs operationId: UpdateSsoConfig security: - BearerAuth: - 'sso-configs:update' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' requestBody: content: application/json: schema: $ref: '#/components/schemas/SsoConfigPartialUpdate' required: true responses: '200': description: Successful response. content: application/json: schema: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/post/responses/200/content/application~1json/schema' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '404': description: SSO Config not found. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' delete: summary: Deletes an SSO Config by its ID. description: Deletes an SSO Config by its ID. tags: - SSO Configs operationId: DeleteSsoConfig security: - BearerAuth: - 'sso-configs:delete' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' responses: '200': description: The action was successful and the response body is empty. '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '404': description: SSO Config not found. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:addIdentities': post: tags: - SSO Configs operationId: AddIdentitiesToSsoConfig summary: Associate Identities with an SSO Config description: | To associate identities to an sso config. The request must contain at least one and no more than 1000 identity IDs. security: - BearerAuth: - 'sso-configs:update' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' requestBody: content: application/json: schema: $ref: '#/components/schemas/SsoConfigAddIdentities' responses: '200': description: The action was successful and the response body is empty. '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' examples: schema: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: identity_ids description: array exceeds 1000 elements headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '404': description: Resource server not found. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:deleteIdentities': post: tags: - SSO Configs operationId: DeleteIdentitiesFromSsoConfig summary: Delete Identities from an SSO Config description: | To delete identities from an sso config. The request must contain at least one and no more than 1000 identities IDs. security: - BearerAuth: - 'sso-configs:update' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' requestBody: content: application/json: schema: title: Delete Identities from SSO Config description: Request for DeleteIdentitiesFromSsoConfig. type: object properties: identity_ids: description: IDs of the identities to be removed from the sso config. type: array items: type: string minItems: 1 maxItems: 1000 required: - identity_ids examples: Remove Identities: value: identity_ids: - e372db224c06e850 - 3a28d4f28b57cc93 responses: '200': description: The action was successful and the response body is empty. '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: identities_ids description: array exceeds 1000 elements headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '404': description: Resource server not found. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:listIdentityAssociations': get: tags: - SSO Configs operationId: ListIdentitiesForSsoConfig summary: List Identities Directly and Indirectly Associated With an SSO Config. description: | To list identities belonging to an sso config. Note that there may be duplicate identities or an empty array in the response, but as long as there is a `page_token` then pagination should continue. security: - BearerAuth: - 'sso-configs:read' - 'identities:read' - 'groups:read' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' responses: '200': description: | The response will be a JSON object with keys for `identities`. `identities` will be set to an array of identity objects. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identities~1%7Bidentity_id%7D~1sso-configs/get/responses/200/content/application~1json/schema' examples: Success: value: identities: - id: e372db224c06e850 realm_id: 8f5bec58229e6f29 tenant_id: 0001f1f460b1ace6 group_id: 923935b2912304 group_display_name: Test Group display_name: Test Identity create_time: '2022-04-12T05:53:07.119Z' update_time: '2022-06-16T14:31:03.770Z' traits: type: traits_v0 username: test primary_email_address: test@example.com '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/sso-configs/{sso_config_id}/is-identity-assigned': get: summary: Returns if an identity is assigned to the SSO config id. description: | To check if an identity is assigned to the SSO config id, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/identities/$IDENTITY_ID/sso-configs/$SSO_CONFIG_ID/is-identity-assigned`. tags: - SSO Configs operationId: IdentityToSSOConfigCheck parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' security: - BearerAuth: - 'sso-configs:read' responses: '200': description: Successful response. content: application/json: schema: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs~1%7Bsso_config_id%7D~1is-group-assigned/post/responses/200/content/application~1json/schema' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/sso-configs': get: tags: - SSO Configs operationId: ListSsoConfigsForIdentity summary: List SSO configs directly and indirectly associated with an identity. description: | To list sso configs associated with an identity. This will return all SSO configs that have an association with the specified identity ID. Note that there may be duplicate SSO configs or an empty array in the response, but as long as there is a `page_token` pagination should continue. security: - BearerAuth: - 'sso-configs:read' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/identity_id' responses: '200': description: | The response will be a JSON object with keys for `sso_configs` and `total_size`. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: title: List Identities directly and indirectly associated with an SSO config. description: List Identities Directly and Indirectly Associated With an SSO Config. type: object properties: identities: type: array items: allOf: - $ref: '#/components/schemas/Identity' - properties: group_id: description: 'If the association is through a group, the group ID will be added to the response object.' type: string group_display_name: description: 'If the association is through a group, the group display name will be added to the response object.' type: string maxItems: 200 description: An unordered array of identities corresponding to the request. next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - identities - total_size '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/flow-type-config': get: tags: - Launch Mechanisms summary: Get flow type configuration description: Retrieves the flow type configuration for a tenant or creates a default configuration if one does not exist operationId: GetFlowTypeConfig security: - DirectoryAuth: - 'tenants:read' - 'realms:read' - 'flow-type:read' - 'flow-type:create' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' responses: '200': description: OK. content: application/json: schema: $ref: '#/components/schemas/FlowTypeConfig' '400': description: | Bad request. If the request failed due to invalid fields, the error details will include a FieldViolations. content: application/json: schema: $ref: '#/components/schemas/Error' '401': description: Unauthenticated. content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: | Permission denied. The error details will include a ResourceInfo describing the authorization failure. content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: | Not found. The error details will include a ResourceInfo describing the required resource that was not found. content: application/json: schema: $ref: '#/components/schemas/Error' '409': description: | Already exists. The error details will include a ResourceInfo describing the conflicting resource. content: application/json: schema: $ref: '#/components/schemas/Error' '500': description: Internal. content: application/json: schema: $ref: '#/components/schemas/Error' patch: tags: - Launch Mechanisms summary: Update flow type configuration description: 'Updates the flow type configuration for a tenant, note that this will also create a default configuration if one does not exist' operationId: UpdateFlowTypeConfig security: - DirectoryAuth: - 'tenants:read' - 'realms:read' - 'flow-type:read' - 'flow-type:create' - 'flow-type:update' parameters: - $ref: '#/components/parameters/tenant_id' - $ref: '#/components/parameters/realm_id' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdatePlatformFlowTypeConfig' responses: '200': description: OK. content: application/json: schema: $ref: '#/components/schemas/FlowTypeConfig' '400': description: | Bad request. If the request failed due to invalid fields, the error details will include a FieldViolations. content: application/json: schema: $ref: '#/components/schemas/Error' '401': description: Unauthenticated. content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: | Permission denied. The error details will include a ResourceInfo describing the authorization failure. content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: | Not found. The error details will include a ResourceInfo describing the required resource that was not found. content: application/json: schema: $ref: '#/components/schemas/Error' '409': description: | Already exists. The error details will include a ResourceInfo describing the conflicting resource. content: application/json: schema: $ref: '#/components/schemas/Error' '500': description: Internal. content: application/json: schema: $ref: '#/components/schemas/Error' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:addGroups': post: tags: - SSO Configs operationId: AddGroupsToSsoConfig summary: Associate Groups with an SSOConfig description: | To associate groups to an sso config. The request must contain at least one and no more than 1000 group IDs. security: - BearerAuth: - 'sso-configs:update' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' requestBody: content: application/json: schema: title: Associate Groups with SSO Config description: Request for AddGroupsToSsoConfig. type: object properties: group_ids: description: IDs of the groups to be added to the sso config. type: array items: type: string minItems: 1 maxItems: 1000 required: - group_ids examples: Add Members: value: group_ids: - e372db224c06e850 - 3a28d4f28b57cc93 responses: '200': description: The action was successful and the response body is empty. '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid Parameters: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: group_ids description: array exceeds 1000 elements headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '404': description: Resource server not found. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:deleteGroups': post: tags: - SSO Configs operationId: DeleteGroupsFromSsoConfig summary: Delete Groups from an SSO Config description: | To delete groups from an sso config. The request must contain at least one and no more than 1000 group IDs. security: - BearerAuth: - 'sso-configs:update' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' requestBody: content: application/json: schema: $ref: '#/components/schemas/SsoConfigDeleteGroup' examples: Remove Members: value: group_ids: - e372db224c06e850 - 3a28d4f28b57cc93 responses: '200': description: The action was successful and the response body is empty. '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '404': description: Resource server not found. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:listGroupAssociations': get: tags: - SSO Configs operationId: ListGroupsForSSOConfig summary: List Groups associated with an SSO config. description: | To list groups associated with an SSO config, send a GET request to `/v1/tenants/$TENANT_ID/realms/$REALM_ID/sso-configs/$SSO_CONFIG_ID/groups`. security: - BearerAuth: - 'sso-configs:read' - 'groups:read' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' responses: '200': description: | The response will be a JSON object with keys for `groups` and `total_size`. `groups` will be set to an array of group objects. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: $ref: '#/components/schemas/SsoConfigListGroups' examples: Success: value: code: bad_request message: invalid parameters details: - type: FieldViolations field_violations: - field: identity_ids description: array exceeds 1000 elements '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}/sso-configs': get: tags: - SSO Configs operationId: ListSsoConfigsForGroup summary: List SSO Configs associated with a Group. description: | To list sso configs associated with a group. This will return all SSO configs that have an association with the specified group ID. security: - BearerAuth: - 'sso-configs:read' parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' - $ref: '#/components/parameters/group_id' responses: '200': description: | The response will be a JSON object with keys for `sso_configs` and `total_size`. `total_size` will be set to the total number of items matched by the list request. If there are more items to be returned by the requested query, the response will also contain a key called `next_page_token`. content: application/json: schema: title: List SSO configs directly and indirectly associated with an identity. description: List SSO configs directly and indirectly associated with an identity. type: object properties: sso_configs: type: array items: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/content/application~1json/schema/properties/sso_configs/items' total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - sso_configs - total_size '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}/is-group-assigned': post: summary: Check if any of the groups provided are associated with the SSO Config ID. description: Check if any of the groups provided are associated with the SSO Config ID. tags: - SSO Configs operationId: SSOIsGroupAssigned parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' requestBody: content: application/json: schema: type: object description: | A collection of group ids. properties: group_ids: type: array items: type: string description: A group id. required: true security: - BearerAuth: - 'sso-configs:read' responses: '200': description: Successful response. content: application/json: schema: type: object description: | Used to indicate if the result of a request is associated with an SSO Config. This could be through an Identity or a group depending on the endpoint used. required: - is_assigned_to_sso_config headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/sso-configs-id': get: summary: Returns the ID of the SSO Config associated with the Application. description: Returns the ID of the SSO Config associated with the application. tags: - SSO Configs operationId: ApplicationIdToSSOConfigId parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/components/parameters/application_id' security: - BearerAuth: - 'sso-configs:read' responses: '200': description: Successful response. content: application/json: schema: $ref: '#/components/schemas/ApplicationSsoResponse' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}/test': post: summary: Tests an SSO Config. description: Tests an SSO Config. tags: - SSO Configs operationId: TestSsoConfig parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers/get/parameters/3' security: - BearerAuth: - 'sso-configs:read' responses: '200': description: The sso config has been tested. headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' content: application/json: schema: description: Represents an SSO config test response body. type: object required: - identity_providers - oidc_applications properties: identity_providers: type: array items: $ref: '#/components/schemas/IdentityProviderTestResponse' oidc_applications: type: array items: description: Represents an SSO config test response body. type: object required: - application_id - display_name - is_success - status_code properties: application_id: type: string display_name: type: string is_success: type: boolean status_code: type: string error_context: type: string example: identity_providers: - identity_provider_id: '123' display_name: Okta IDP is_successful: true status_code: 200 - identity_provider_id: '456' display_name: Ping IDP is_successful: false status_code: 500 error_context: | zeropw-rolling - Bad Request

400

Bad Request

Your request resulted in an error. The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: https://zeropw-rolling-admin.oktapreview.com/admin/app/oidc_client/instance/0oa24fkg4hed8IxFK0h8#tab-general

Go to Homepage

END_USER_APP

Error: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: https://zeropw-rolling-admin.oktapreview.com/admin/app/oidc_client/instance/0oa24fkg4hed8IxFK0h8#tab-general

'400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/identity-providers': get: operationId: listIdentityProviders tags: - Identity Provider summary: Lists Identity Providers by Realm. description: Lists Identity Providers by Realm. parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - name: sso_config_id in: path required: true description: A unique identifier of the sso configuration schema: type: string - $ref: '#/components/parameters/page_size' - $ref: '#/components/parameters/page_token' responses: '200': description: The list operation was successful. headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' content: application/json: schema: $ref: '#/components/schemas/IdentityProviderListResponse' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' post: operationId: createIdentityProvider tags: - Identity Provider summary: Creates a new identity provider. description: Creates a new identity provider. parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' requestBody: content: application/json: schema: description: Represents an identity provider. type: object required: - protocol_config - display_name properties: id: description: | A unique identifier identifying an identity provider within a realm. This is automatically set on creation. This field is immutable and read-only. type: string readOnly: true tenant_id: type: string description: | A unique identifier for the identity's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 0001f1f460b1ace6 realm_id: type: string description: | A unique identifier for the identity's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 8f5bec58229e6f29 display_name: type: string description: | The human-readable name associated with the identity provider. protocol_config: description: | The kind of protocol we should use to communicate with the identity provider. allOf: - $ref: '#/components/schemas/IdentityProviderProtocolConfig' responses: '200': description: The identity provider has been created. headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' content: application/json: schema: $ref: '#/components/schemas/IdentityProviderProtocolConfigResponse' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '/v1/tenants/{tenant_id}/realms/{realm_id}/identity-providers/{identity_provider_id}': patch: operationId: updateIdentityProvider tags: - Identity Provider summary: Updates an identity provider. description: Updates an identity provider. parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers~1%7Bidentity_provider_id%7D/get/parameters/3' requestBody: content: application/json: schema: $ref: '#/components/schemas/IdentityProviderUpdate' responses: '200': description: The identity provider has been updated. headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' content: application/json: schema: $ref: '#/components/schemas/IdentityProviderResponse' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' get: operationId: getIdentityProvider tags: - Identity Provider summary: Retrieves data about an Identity Provider. description: Retrieves data about an identity provider. parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - name: identity_provider_id in: path description: A unique identifier for an identity provider. required: true schema: type: string example: e372db224c06e850 responses: '200': description: The requested identity provider. headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' content: application/json: schema: $ref: '#/components/schemas/IdentityProviderResponse' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' delete: operationId: deleteIdentityProvider tags: - Identity Provider summary: Deletes an Identity Provider. description: Deletes an identity provider. parameters: - $ref: '#/components/parameters/correlation_id' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/1' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/parameters/2' - $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1identity-providers~1%7Bidentity_provider_id%7D/get/parameters/3' responses: '200': description: The identity provider has been deleted. headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '400': description: The request is malformed. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '401': description: An invalid Authorization token has been supplied. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '403': description: The supplied authorization token doesn't allow the requested operation. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' '500': description: Internal server error. content: application/json: schema: $ref: '#/components/schemas/Error' headers: x-correlation-id: $ref: '#/paths/~1v1~1tenants~1%7Btenant_id%7D~1realms~1%7Brealm_id%7D~1sso-configs/get/responses/200/headers/x-correlation-id' components: parameters: tenant_id: name: tenant_id in: path description: A unique identifier for a tenant. required: true schema: type: string example: 000176d94fd7b4d1 realm_id: name: realm_id in: path description: A unique identifier for a realm. required: true schema: type: string example: 19a95130480dfa79 group_id: name: group_id in: path description: A unique identifier for a group. required: true schema: type: string example: 81490afab171aef0 identity_id: name: identity_id in: path description: A unique identifier for an identity. required: true schema: type: string example: e372db224c06e850 role_id: name: role_id in: path description: A unique identifier for a role. required: true schema: type: string example: fb785d40cbe4fc0d groups_page_size: name: groups_page_size in: query description: | Number of groups returned per page for ListRoleMembers. The response will include at most this many groups but may include fewer. If this value is omitted, the response will return the default number of groups allowed by ListRoleMembers. schema: type: integer format: uint32 minimum: 0 groups_skip: name: groups_skip in: query description: | Number of groups to skip for ListRoleMembers. This is the zero-based index of the first group result. schema: type: integer format: uint32 minimum: 0 default: 0 identities_page_size: name: identities_page_size in: query description: | Number of identities returned per page for ListRoleMembers. The response will include at most this many identities but may include fewer. If this value is omitted, the response will return the default number of identities allowed by ListRoleMembers. schema: type: integer format: uint32 minimum: 0 identities_skip: name: identities_skip in: query description: | Number of identities to skip for ListRoleMembers. This is the zero-based index of the first identity result. schema: type: integer format: uint32 minimum: 0 default: 0 resource_server_id_query: name: resource_server_id in: query description: The unique identifier of the resource server used to filter roles. schema: type: string minLength: 1 credential_id: name: credential_id in: path description: A unique identifier for a credential. required: true schema: type: string example: b5a31610800dda18 credential_binding_job_id: name: credential_binding_job_id in: path description: A unique identifier for a credential binding job. required: true schema: type: string example: 5c4137af5e70413a batch_credential_binding_job_id: name: batch_credential_binding_job_id in: path description: A unique identifier for a batch credential binding job. required: true schema: type: string example: c15e004f-a7bc-459b-b035-cec40e07f537 theme_id: name: theme_id in: path description: A unique identifier for a theme. required: true schema: type: string example: 88ef08fb-c3f9-44e2-b174-fbb239e1dc47 application_id: name: application_id in: path description: A unique identifier for an application. required: true schema: type: string example: 38833c36-6f47-4992-9329-ea0a00915137 authenticator_config_id: name: authenticator_config_id in: path description: A unique identifier for an authenticator configuration. required: true schema: type: string example: 73731b7f-eb76-4143-9b4b-81a720385f5a resource_server_id: name: resource_server_id in: path description: A unique identifier for a resource server. required: true schema: type: string example: 84db69f5-48a8-4c11-8cda-1bae3a73f07e token_id: name: token_id in: path description: 'A unique identifier for a token. For JWS tokens, this corresponds to the value of the `jti` token claim.' required: true schema: type: string principal_id: name: principal_id in: query description: A unique identifier for a principal. This might be an application ID or an identity ID depending on the type of principal. required: false schema: type: string principal_type: name: principal_type in: query description: | Type of the principal. Allowable values are: - `application` - `identity` required: false schema: type: string filter: name: filter in: query description: | Filter to constrain the response. The response will only include resources matching this filter. Filters follow the SCIM grammar from [RFC-7644 Section 3.4.2.2](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2). schema: type: string page_size: name: page_size in: query description: | Number of items returned per page. The response will include at most this many results but may include fewer. If this value is omitted, the response will return the default number of results allowed by the method. schema: type: integer format: uint32 minimum: 0 page_token: name: page_token in: query description: | Token to retrieve the subsequent page of the previous request. All other parameters to the list endpoint should match the original request that provided this token unless otherwise specified. schema: type: string skip: name: skip in: query description: | Number of items to skip. This is the zero-based index of the first result. schema: type: integer format: uint32 minimum: 0 default: 0 scim_user_id: name: user_id in: path description: ID of the user. This corresponds to the identity ID. required: true schema: type: string minLength: 1 scim_group_id: name: group_id in: path description: ID of the group. required: true schema: type: string minLength: 1 scim_filter: name: filter in: query description: | Filter for list methods. Filters follow the SCIM grammar from [RFC 7644 Section 3.4.2.2](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2). schema: type: string scim_count: name: count in: query description: | Specifies the desired maximum number of query results per page. A negative value is treated as 0, which indicates that the response should not contain any resources. Note that the response may include fewer results than the requested count. schema: type: integer format: uint32 minimum: 0 default: 0 scim_start_index: name: startIndex in: query description: The 1-based index of the first query result. schema: type: integer format: uint32 minimum: 1 default: 1 correlation_id: name: x-correlation_id description: 'Correlation ID. If supplied with the request, the response must contain the same value. If not supplied with the request, it is generated by the server and returned in the response.' in: header required: true schema: type: string schemas: Tenant: title: Tenant type: object description: | A tenant represents an organization in the Beyond Identity Cloud. Tenants contain all data necessary for that organization to operate. properties: id: type: string description: | A unique identifier for the tenant. This is automatically generated on creation. This field is immutable and read-only. readOnly: true example: 000176d94fd7b4d1 display_name: type: string minLength: 1 maxLength: 64 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A human-readable name for the tenant. This name is used for display purposes. example: Test Tenant create_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the tenant was created. This is automatically generated on creation. This field is read-only. readOnly: true example: '2022-01-28T12:00:02.423Z' update_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the tenant was last updated. This is automatically updated when the tenant is updated. This field is read-only. readOnly: true example: '2022-04-19T15:17:21.186Z' Realm: title: Realm type: object description: | A realm is a unique administrative domain within a tenant. Realms may be used to define multiple development environments or for isolated administrative domains. properties: id: type: string description: | A unique identifier for the realm. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the tenant. readOnly: true example: 19a95130480dfa79 tenant_id: type: string description: | A unique identifier of the realm's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 0001f1f460b1ace6 display_name: type: string minLength: 1 maxLength: 64 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A human-readable name for the realm. This name is used for display purposes. example: Test Realm classification: type: string description: Classification of the realm. Can be either SECURE_WORFORCE or SECURE_CUSTOMER example: SECURE_CUSTOMER create_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the realm was created. This is automatically generated on creation. This field is read-only. readOnly: true example: '2022-05-18T18:00:01.167Z' update_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the realm was last updated. This is automatically updated when the realm is updated. This field is read-only. readOnly: true example: '2022-05-19T14:23:01.327Z' Group: title: Group type: object description: | A group is a logical collection of identities. Groups are commonly used as a predicate in a policy rule. properties: id: type: string description: | A unique identifier for a group. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: 81490afab171aef0 realm_id: type: string description: | A unique identifier for the group's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 7df92e4a38ba0993 tenant_id: type: string description: | A unique identifier for the group's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 0001b42d80372976 display_name: type: string minLength: 1 maxLength: 64 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A human-readable name for the group. This name is used for display purposes. example: Realm Administrators description: type: string maxLength: 300 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A free-form text field to describe a group. example: A group of realm administrators. create_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the group was created. This is automatically generated on creation. This field is read-only. readOnly: true example: '2022-03-14T03:42:52.905657Z' update_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the group was last updated. This is automatically updated when the group is updated. This field is read-only. readOnly: true example: '2022-06-14T05:55:23.823187Z' Identity: title: Identity type: object description: | An identity is a unique identifier that may be used by an end-user to gain access governed by Beyond Identity. properties: id: type: string description: | A unique identifier for the identity. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: e372db224c06e850 realm_id: type: string description: | A unique identifier for the identity's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 8f5bec58229e6f29 tenant_id: type: string description: | A unique identifier for the identity's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 0001f1f460b1ace6 display_name: type: string minLength: 1 maxLength: 64 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A human-readable name for the identity. This name is used for display purposes. example: Test Display create_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the identity was created. This is automatically generated on creation. This field is read-only. readOnly: true example: '2022-04-12T05:53:07.119Z' update_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the identity was last updated. This is automatically updated when the identity is updated. This field is read-only. readOnly: true example: '2022-06-16T14:31:03.770Z' status: type: string description: | Indicator for the identity's administrative status. If 'active', the identity is able to generate passkeys and login. If 'suspended', the identity is unable to generate passkeys or login. example: active traits: description: | A collection of properties to describe an identity. All traits contain a `type` key which describes the specific traits schema. oneOf: - $ref: '#/components/schemas/Traits_v0' discriminator: propertyName: type mapping: traits_v0: '#/components/schemas/Traits_v0' enrollment_status: type: string enum: - ENROLLED - PENDING - INVITE_FAILED - UNENROLLED description: | Indicator for the identity's enrollment status. If 'ENROLLED', the identity has 1 or more active passkeys. If 'PENDING', the identity has no active passkeys and 1 or more pending enrollments. If 'INVITE_FAILED', the identity has no active passkeys, no pending enrollments, and 1 or more failed enrollments. If 'UNENROLLED', the identity is not enrolled in the organization. May be undefined. This field is output-only. example: ENROLLED readOnly: true Traits_v0: title: Traits_v0 description: Set of traits associated with an identity. type: object properties: type: type: string description: | The type of the traits schema. This value must be provided on all writes. example: traits_v0 username: type: string minLength: 1 maxLength: 64 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: 'A required, unique, case-insensitive username for an identity in the realm.' example: test primary_email_address: type: string description: Email address serving as primary contact for identity. example: test@example.com secondary_email_address: type: string description: | An additional email address for the user. external_id: type: string description: | An ID issued by the provisioning client. It is assumed that the value's uniqueness is controlled by the client setting the value. family_name: type: string description: | The family name or last name in most Western languages. given_name: type: string description: | The given name or first name in most Western languages. formatted_name: type: string description: | The full name, including all middle names, titles, and suffixes as appropriate, formatted for display (e.g. "Ms. Barbara Jane Jensen, III"). middle_name: type: string description: | The middle name of the user, if applicable. honorific_prefix: type: string description: | Honorifics like "Mr.", "Mrs.", "Dr.", etc. honorific_suffix: type: string description: | Suffixes such as "Jr.", "Sr.", "III", etc. nick_name: type: string description: | A nickname the user goes by. title: type: string description: | The user's job title. primary_phone: type: string description: | The primary contact phone number for the user. secondary_phone: type: string description: | An additional phone number for the user. profile_url: type: string description: | A URL to the user's profile. photo: type: string description: | A URL to the user's photo. preferred_language: type: string description: | The user's preferred language. locale: type: string description: | The locale of the user, typically in the format of language-region. timezone: type: string description: | The timezone of the user. formatted_address: type: string description: | The full mailing address, formatted for display or use with a mailing label. This attribute MAY contain newlines. street_address: type: string description: | The full street address component, which may include house number, street name, P.O. box, and multi-line extended street address information. This attribute MAY contain newlines. locality: type: string description: | The locality or city of the user. region: type: string description: | The region or state of the user. postal_code: type: string description: | The zip code or postal code of the user. country: type: string description: | The country of the user. user_type: type: string description: | Used to identify the relationship between the organization and the user. Typical values used might be 'Contractor', 'Employee', 'Intern', 'Temp', 'External', and 'Unknown', but any value may be used. employee_number: type: string description: | The employee number assigned to the user, typically based on order of hire or association with an organization. cost_center: type: string description: | The cost center associated with the user. organization: type: string description: | The organization the user belongs to. division: type: string description: | The division of the organization the user belongs to. department: type: string description: | The department of the organization the user belongs to. manager_id: type: string description: | The unique identifier for the user's manager. manager_name: type: string description: | The name of the user's manager. required: - type Role: title: Role type: object description: | A role is a logical collection of scopes. Roles are commonly used to limit access control. The scopes belonging to a role are limited to its associated resource server. However, note that the resource server may change independently of the role. If scopes are added to or removed from a resource server, its associated roles must be manually updated using the AddRoleScopes or DeleteRoleScopes methods. properties: id: type: string description: | A unique identifier for a role. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: fb785d40cbe4fc0d resource_server_id: type: string description: | A unique identifier for the role's resource server. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 7b5a4325-00e0-4379-bd7b-3e5e7e30b09e realm_id: type: string description: | A unique identifier for the role's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: bb26e0e8ecdef843 tenant_id: type: string description: | A unique identifier for the role's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 00010036778ce59f display_name: type: string minLength: 1 maxLength: 64 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A human-readable name for the role. This name is used for display purposes. example: Help Desk description: type: string maxLength: 300 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A free-form text field to describe a role. example: Customer support personnel. create_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the role was created. This is automatically generated on creation. This field is read-only. readOnly: true example: '2023-02-14T18:18:58.332247Z' update_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the role was last updated. This is automatically updated when the group is updated. This field is read-only. readOnly: true example: '2023-02-14T18:18:58.332247Z' ListRealmsResponse: title: List Realms Response description: Response for ListRealms. type: object properties: realms: type: array items: $ref: '#/components/schemas/Realm' maxItems: 200 description: An unordered array of realms corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - realms - total_size ListRolesResponse: title: List Roles Response description: Response for ListRoles. type: object properties: groups: type: array items: $ref: '#/components/schemas/Role' maxItems: 200 description: An unordered array of roles corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - roles - total_size ListRoleMembersResponse: title: List Role Members Response description: Response for ListRoleMembers. type: object properties: groups: type: array items: $ref: '#/components/schemas/Group' maxItems: 200 description: An unordered array of groups corresponding to the request. total_groups_size: type: integer format: uint32 description: | Total number of group results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 identities: type: array items: $ref: '#/components/schemas/Identity' maxItems: 200 description: An unordered array of identities corresponding to the request. total_identities_size: type: integer format: uint32 description: | Total number of identity results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - groups - total_groups_size - identities - total_identities_size ListRoleScopesResponse: title: List Role Scopes Response description: Response for ListRoleScopes. type: object properties: scopes: type: array items: type: string maxItems: 200 description: An unordered array of scopes corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - scopes - total_size ListIdentitiesResponse: title: List Identities Response description: Response for ListIdentities. type: object properties: identities: type: array items: $ref: '#/components/schemas/Identity' maxItems: 200 description: An unordered array of identities corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - identities - total_size ListIdentityGroupsResponse: title: List Identity Groups Response description: Response for ListIdentityGroups. type: object properties: groups: type: array items: $ref: '#/components/schemas/Group' maxItems: 200 description: An unordered array of groups corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - groups - total_size ListIdentityRolesResponse: title: List Identity Roles Response description: Response for ListIdentityRoles. type: object properties: roles: type: array items: $ref: '#/components/schemas/Role' maxItems: 200 description: An unordered array of roles corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - roles - total_size ListGroupsResponse: title: List Groups Response description: Response for ListGroups. type: object properties: groups: type: array items: $ref: '#/components/schemas/Group' maxItems: 200 description: An unordered array of groups corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - groups - total_size ListGroupMembersResponse: title: List Group Members Response description: Response for ListGroupMembers. type: object properties: identities: type: array items: $ref: '#/components/schemas/Identity' maxItems: 200 description: An unordered array of identities corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - identities - total_size ListGroupRolesResponse: title: List Group Roles Response description: Response for ListGroupRoles. type: object properties: roles: type: array items: $ref: '#/components/schemas/Role' maxItems: 200 description: An unordered array of roles corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - roles - total_size Credential: title: Credential description: | A credential is also known as a passkey. This is the public-private key pair that belongs to an identity. type: object properties: id: type: string description: | A unique identifier for a credential. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: f3e87aa26a696372 identity_id: type: string description: | A unique identifier for the credential's identity. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 4a2719e73d6d972d realm_id: type: string description: | A unique identifier for the credential's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: d65cc516f7f22fdd tenant_id: type: string description: | A unique identifier for the credential's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: f1a7309c1e3d1e85 state: type: string enum: - ACTIVE - REVOKED description: | A string representing the current state of the credential. The value `ACTIVE` indicates that the credential can be used to authenticate with Beyond Identity. The value `REVOKED` indicates that the credential has been revoked and cannot be used to authenticate with Beyond Identity. readOnly: true example: ACTIVE csr_type: type: string enum: - JWT - WEBAUTHN - FIDO2 description: | A string representing the type of certificate signing request that created this credential. The value `JWT` indicates that the CSR was delivered in the form of a JWT. The value `WEBAUTHN` indicates that the CSR was delivered in the form of a WebAuthn attestation response. `FIDO2` indicates that `raw` contains a FIDO2 WebAuthn (Level 2 at the time of writing) attestation response object. readOnly: true example: JWT jwk_json: type: string description: | The public key of the Credential in JWK format, as specified by RFC-7517. This field is immutable and read-only. readOnly: true example: '{"crv":"P-256","kty":"EC","x":"2MRhz05PJPq3BUfB18AT3HqgWEkI3VpWUg1MWi8rz1g","y":"YtvLYwGEqYQaoDVok2fVziJT4fu7DFPz3hy96FTAelQ"}' jwk_thumbprint: type: string description: | The base64 URL encoding of the JWK thumbprint of the public key, as specified by RFC-7638. This field is immutable and read-only. readOnly: true example: UW-uVNL0mP1vcLjHrTBxibNgCEe_PD0HIsE3FrbYjPA= create_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the credential was created. This is automatically generated on creation. This field is read-only. readOnly: true example: '2022-05-12T20:29:47.636497Z' update_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the credential was last updated. This is automatically updated when the credential is updated. This field is read-only. readOnly: true example: '2022-05-12T20:29:47.636497Z' CredentialBindingJob: title: CredentialBindingJob description: | A credential binding job defines the state of binding a new credential to an identity. The state includes creation of the credential binding job to delivery of the credential binding method to completion of the credential binding. type: object properties: id: type: string description: | A unique identifier for a credential binding job. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: 86b4f51481f09321 identity_id: type: string description: | A unique identifier for the credential binding job's identity. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 3d227b0d5949969d realm_id: type: string description: | A unique identifier for the credential binding job's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 9602e246c2ead9b2 tenant_id: type: string description: | A unique identifier for the credential binding job's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: ce5ace5fc7e14d6a credential_id: type: string description: | A unique identifier for the credential that was bound via the credential binding job. This field will only be populated if the credential binding job has successfully been used to bind a credential to an identity. example: 9802966246819b35 batch_id: type: string description: | A unique identifier for the batch that this credential binding job is associated with. This field is immutable and read-only. This field will only be populated if the credential binding job was created as part of a batch. readOnly: true example: 9802966246819b35 delivery_method: type: string enum: - RETURN - EMAIL description: | The method by which a credential binding link is delivered to the target authenticator or identity. The value `RETURN` indicates that a credential binding link will be returned to the caller upon creation of the credential binding job. The value `EMAIL` indicates that a credential binding link will be sent to the email address associated with the identity. state: type: string enum: - LINK_SENT - LINK_OPENED - REQUEST_DELIVERED - COMPLETE - EXPIRED - FAILED_TO_SEND - REVOKED description: | The current state of the credential binding job. `LINK_SENT` indicates that the credential binding link associated with the job was sent to its target authenticator or identity. `LINK_OPENED` indicates that the credential binding link associated with the job was opened by its target identity. `REQUEST_DELIVERED` indicates that the credential binding request has been successfully delivered to its target authenticator. `COMPLETE` indicates that a credential was successfully bound to an identity. `EXPIRED` indicates that the credential binding job has expired. `FAILED_TO_SEND` indicates that the credential binding request failed to send via email. `REVOKED` indicates that the credential binding job has been revoked. readOnly: true example: COMPLETE post_binding_redirect_uri: type: string description: | The URI to which the caller will be redirected after successfully binding a credential to an identity. This field is optional. If not specified, the authenticator will not attempt to redirect to a new location after binding. example: 'http://example.com/callback' authenticator_config: type: object description: | Representation of an authenticator configuration. This prescribes how an identity may authenticate themselves with Beyond Identity. properties: config: description: | An object specifying the settings for the supported authenticator type. The Hosted Web authenticator configuration is not supported in this field. It must be created separately and then referenced by its ID in the `authenticator_config_id` field. oneOf: - $ref: '#/components/schemas/AuthenticatorConfig/properties/config/oneOf/0' - $ref: '#/components/schemas/AuthenticatorConfig/properties/config/oneOf/2' authenticator_config_id: type: string description: | The ID of the authenticator configuration to be used to build the credential binding job. This field is immutable. example: 76e9eab521a8b734 expire_time: type: string format: date-time description: | A timestamp that represents when the credential binding link associated with the credential binding job will expire. This field is immutable and read-only. readOnly: true example: '2022-05-12T20:29:47.636497Z' create_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the credential binding job was created. This is automatically generated on creation. This field is read-only. readOnly: true example: '2022-05-12T20:29:47.636497Z' update_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the credential binding job was last updated. This is automatically updated when the credential binding job is updated. This field is read-only. readOnly: true example: '2022-05-12T20:29:47.636497Z' ListCredentialsResponse: title: List Credentials Response description: Response for ListCredentials. type: object properties: credentials: type: array items: $ref: '#/components/schemas/Credential' maxItems: 200 description: | An unordered array of credentials corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - credentials - total_size ListCredentialBindingJobsResponse: title: List Credential Binding Jobs Response description: Response for ListCredentialBindingJobs. type: object properties: credential_binding_jobs: type: array items: $ref: '#/components/schemas/CredentialBindingJob' maxItems: 200 description: | An unordered array of credential binding jobs corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - credential_binding_jobs - total_size Theme: title: Theme description: | A theme is a collection of configurable assets that unifies the end user login experience with your brand and products. It is primarily used to change the styling of the credential binding email. type: object properties: id: type: string description: | A unique identifier for a theme. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: 88ef08fb-c3f9-44e2-b174-fbb239e1dc47 tenant_id: type: string description: | A unique identifier for the theme's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 0001b42d80372976 realm_id: type: string description: | A unique identifier for the theme's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 7df92e4a38ba0993 create_time: type: string format: date-time description: | Timestamp of when the theme was created. This field is immutable and read-only. readOnly: true example: '2022-07-28T18:00:00.000Z' update_time: type: string format: date-time description: | Timestamp of when the theme was last updated. This field is read-only. readOnly: true example: '2022-07-30T16:00:00.000Z' email_realm_name: type: string minLength: 1 maxLength: 64 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: Realm name that is used in email templates. example: Realm Administrators logo_url_light: type: string description: URL for resolving the logo image for light mode. example: 'https://example.com/logo_url_light.png' logo_url_dark: type: string description: URL for resolving the logo image for dark mode. example: 'https://example.com/logo_url_dark.png' support_url: type: string format: url description: URL for the customer support portal. example: 'https://example.com/support' button_color: type: string description: Hexadecimal color code to use for buttons. example: '#4673D3' button_text_color: type: string description: Hexadecimal color code to use for button text. example: '#FFFFFF' Confidentiality: description: | The confidentiality of the client, as prescribed by OAuth 2.0 and OIDC. Confidentiality is based on a client's ability to authenticate securely with the authorization server (i.e., ability to maintain the confidentiality of their client credentials). Allowable values are: - `confidential`: Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means. - `public`: Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means. type: string enum: - confidential - public example: confidential GrantType: type: array items: type: string enum: - authorization_code - client_credentials example: authorization_code description: | Grant types supported by this application's `token` endpoint. Allowable values are: - `authorization_code`: The authorization code grant type defined in OAuth 2.0, Section 4.1. Namely, the client may authorize to the `token` endpoint with a grant code which it obtains via the `authorize` endpoint. - `client_credentials`: The client credentials grant type defined in OAuth 2.0, Section 4.4. Namely, the client may authorize to the `token` endpoint with a client credentials tuple of `client_id` and `client_secret`. TokenConfiguration: description: Properties of a token issued for an application. type: object required: - expires_after properties: expires_after: type: integer format: uint32 description: | Time after minting, in seconds, for which the token will be considered valid. minimum: 0 example: 86400 token_signing_algorithm: type: string enum: - RS256 description: | Signing algorithm to use for an application token. The only allowable value at present is `RS256`. default: RS256 example: RS256 subject_field: type: string enum: - id - email - username description: | Property of a principal which is used to fill the subject of a token issued for this application. default: id example: id PkceConfig: type: string enum: - disabled - plain - s256 description: | PKCE code challenge methods supported for applications, as defined by [RFC-7636](https://datatracker.ietf.org/doc/html/rfc7636). Allowable values are: - `disabled` : PKCE is disabled for this application. This is the default state if the `pkce` field is left blank. Please note that public OIDC and OAuth2 configured applications MUST enable PKCE support. Confidential clients can leave PKCE disabled if they choose. - `plain` : PKCE is enabled for this application. The server will correlate the `code_challenge` and `code_verifier` between the `authorize` and `token` requests. In this configuration, those fields are required to be identical. This is the lower security option for PKCE support and should only be used by legacy clients, or clients that don't support `s256`. - `s256` : PKCE is enabled for this application, and the server will correlate the `code_challenge` and `code_verifier` between the `authorize` and `token` requests. In this configuration, those fields are required to equate as follows: `code_challenge` = `base64url(sha256(ascii(code_verifier)))`. This is the higher security option and should always be preferred if it is supported by the client. example: s256 SubjectField: description: | Defines which field should be used to populate the subject field of an id token. - `id` - The user ID is used. - `email` - The user email is used. - `username` - The username is used. type: string enum: - id - email - username - external_id TokenEndpointAuthMethod: description: | Indicator of the requested authentication method for the token endpoint. Allowable values are: - `client_secret_post`: The client uses the HTTP POST parameters as defined in OAuth 2.0, Section 2.3.1. Namely, `client_id` and `client_secret` are sent in the body of the POST request. - `client_secret_basic`: The client uses HTTP Basic as defined in OAuth 2.0, Section 2.3.1. Namely, `client_id` and `client_secret` are sent in the Basic Authorization header. - `none`: The `client_secret` is not part of the request body and there is no authorization header. This endpoint authentication method is only allowed if the application has `confidentiality` set to `confidential`. Deprecation Notice: This field is deprecated. The API will ignore the value of this field in requests. In responses, confidential applications will always have `client_secret_basic` and public applications will always have `none`. On authentication, confidential applications may use both `client_secret_post` and `client_secret_basic`. Public applications may only use `none`. **This field is scheduled for removal on August 1, 2023** type: string deprecated: true enum: - client_secret_basic - client_secret_post - none example: client_secret_basic Application: title: Application type: object description: | An application represents a client application that uses Beyond Identity for authentication. This could be a native app, a single-page application, regular web application, or machine-to-machine application credentials. properties: id: type: string description: | A unique identifier for an application. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: 38833c36-6f47-4992-9329-ea0a00915137 realm_id: type: string description: | A unique identifier for the application's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: caf2ff640497591a tenant_id: type: string description: | A unique identifier for the application's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 00011f1183c67b69 resource_server_id: type: string description: | A unique identifier for the application's resource server. At present, the only available resource server is for the Beyond Identity Management API. Referencing this resource server from an application will allow that application to grant access to Beyond Identity's APIs. When not present, this application may provide authentication (identity) but not authorization (access). example: 84db69f5-48a8-4c11-8cda-1bae3a73f07e authenticator_config_id: type: string description: | A unique identifier for the application's authenticator configuration. This field is unused for `oidc` and `oauth2` applications when `grant_type=client_credentials`. example: 73731b7f-eb76-4143-9b4b-81a720385f5a display_name: type: string description: | A human-readable name for the application. This name is used for display purposes. example: Pet Application is_managed: type: boolean description: | A boolean indicating whether the application is managed by Beyond Identity. Managed applications may not be modified by the user. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: false protocol_config: description: Represents an application protocol configuration. oneOf: - title: OAuth 2.0 description: OAuth2 protocol configuration. type: object required: - type properties: type: type: string enum: - oauth2 allowed_scopes: type: array items: type: string example: 'pets:read' description: | Scopes to which this application can grant access. If this application references a resource server, this set of scopes must be a subset of the resource server's available scopes. If this application does not reference a resource server, then this application can only be used for authentication and thereby `scopes` must necessarily be empty. client_id: type: string description: | The client ID for this application. This is automatically set on creation. This field is output-only. readOnly: true example: AYYNcuOSpfqIf33JeegCzDIT client_secret: type: string description: | The client secret to authenticate as this application; typically, as a Basic Authorization header. This is automatically set on creation. This field is output-only. This field is present only when confidentiality is `confidential`. readOnly: true example: wWD4mPzdsjms1LPekQSo0v9scOHLWy5wmMtKAR2JNhJPAKXv confidentiality: $ref: '#/components/schemas/Confidentiality' token_endpoint_auth_method: $ref: '#/components/schemas/TokenEndpointAuthMethod' grant_type: $ref: '#/components/schemas/GrantType' redirect_uris: type: array items: type: string example: 'https://auth.mypetapp.com/callback' description: | A list of valid URIs to redirect the resource owner's user-agent to after completing its interaction with the authorization server. See https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2 for more information. token_configuration: $ref: '#/components/schemas/TokenConfiguration' pkce: $ref: '#/components/schemas/PkceConfig' token_format: description: | Allowed access token formats for this application. token type. Allowable values are: - `self_contained`: token in JWT format. - `referential`: Encoded token which requires /introspect call in order to retrieve token claims. type: string enum: - self_contained - referential example: self_contained default: self_contained - title: OIDC description: OIDC protocol configuration. type: object required: - type properties: type: type: string enum: - oidc allowed_scopes: type: array items: type: string example: 'pets:read' description: | Scopes to which this application can grant access. If this application references a resource server, this set of scopes must be a subset of the resource server's available scopes. If this application does not reference a resource server, then this application can only be used for authentication and thereby `scopes` must necessarily be empty. Note that OIDC requests may accept OpenID Connect standard scopes as well as resource server scopes, but the OpenID Connect scopes should not be defined on the application itself. Currently, the only OpenID Connect supported scope is `openid`. client_id: type: string description: | The client ID for this application. This is automatically set on creation. This field is output-only. readOnly: true example: AYYNcuOSpfqIf33JeegCzDIT client_secret: type: string description: | The client secret to authenticate as this application; typically, as a Basic Authorization header. This is automatically set on creation. This field is output-only. This field is present only when confidentiality is `confidential`. readOnly: true example: wWD4mPzdsjms1LPekQSo0v9scOHLWy5wmMtKAR2JNhJPAKXv confidentiality: $ref: '#/components/schemas/Confidentiality' token_endpoint_auth_method: $ref: '#/components/schemas/TokenEndpointAuthMethod' grant_type: $ref: '#/components/schemas/GrantType' redirect_uris: type: array items: type: string example: 'https://auth.mypetapp.com/callback' description: | A list of valid URIs to redirect the resource owner's user-agent to after completing its interaction with the authorization server. See https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2 for more information. token_configuration: $ref: '#/components/schemas/TokenConfiguration' pkce: $ref: '#/components/schemas/PkceConfig' token_format: $ref: '#/components/schemas/Application/properties/protocol_config/oneOf/0/properties/token_format' - $ref: '#/components/schemas/SsoConfigPayload/oneOf/4' AuthenticatorConfig: title: Authenticator Configuration type: object description: | Representation of an authenticator configuration. This prescribes how an identity may authenticate themselves with Beyond Identity. properties: id: type: string description: | A unique identifier for an authenticator configuration. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: 73731b7f-eb76-4143-9b4b-81a720385f5a realm_id: type: string description: | A unique identifier for the authenticator configuration's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: caf2ff640497591a tenant_id: type: string description: | A unique identifier for the authenticator configuration's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 00011f1183c67b69 display_name: type: string description: | A human-readable name for the authenticator configuration. This name is used for display purposes. example: Pet Authenticator Configuration config: description: | An object specifying the settings for the supported authenticator type. oneOf: - title: Embedded SDK Authenticator description: Configuration options for the embedded SDK authenticator. type: object required: - type - invoke_url - trusted_origins properties: invocation_type: default: automatic description: | The method used to invoke the `invoke_url` in the embedded authenticator config type. The two methods available are: The value `automatic` indicates that this invocation type automatically redirects you to your native or web app using the Invoke URL with a challenge that your app will need to sign. The value `manual` indicates that this invocation type will cause the challenge to be returned to you as part of a JSON response. It will then be up to you to get it to your native/web app any way you see fit. This is useful for flows where you require a lot more control when redirecting to your native/web app. Since the challenge is packaged as part of a URL, following the URL will result in the same behavior as if an Invocation Type of "automatic" were selected. enum: - automatic - manual type: string invoke_url: description: URL to invoke during the authentication flow. example: 'http://localhost:8092' type: string trusted_origins: description: | Trusted origins are URLs that will be allowed to make requests from a browser to the Beyond Identity API. This is used with Cross-Origin Resource Sharing (CORS). These may be in the form of ` "://" [ ":" ]`, such as `https://auth.your-domain.com` or `http://localhost:3000`. items: example: 'http://localhost:8092' type: string type: array type: enum: - embedded type: string authentication_methods: items: properties: type: description: | Within our hosted web product, an array of values determines the client-side authentication workflows: The value `webauthn_passkey` triggers a workflow that generates a hardware key within your device's trusted execution environment (TEE). If webauthn passkeys are not supported in the browser, specifying one of the other two authentication methods will result in a fallback to that mechanism. The value `software_passkey` activates a workflow where a passkey is securely created within the browser's context. The value `email_one_time_password` enables a workflow that verifies identity via an email of a one-time password. enum: - email_one_time_password - software_passkey - webauthn_passkey type: string required: - type title: AuthenticationMethod type: object type: array - title: Hosted Web Authenticator description: | Configuration options for the hosted web experience. This authenticator is maintained by Beyond Identity and allows the caller to customize authentication methods. type: object required: - type - authentication_methods - trusted_origins properties: authentication_methods: items: $ref: '#/components/schemas/AuthenticatorConfig/properties/config/oneOf/0/properties/authentication_methods/items' type: array trusted_origins: description: | Trusted origins are URLs that will be allowed to make requests from a browser to the Beyond Identity API. This is used with Cross-Origin Resource Sharing (CORS). These may be in the form of ` "://" [ ":" ]`, such as `https://auth.your-domain.com` or `http://localhost:3000`. items: example: 'http://localhost:8092' type: string type: array type: enum: - hosted_web type: string - title: Console Authenticator description: | Configuration options for credential enrollment, enabling an identity to access the Beyond Identity Console. These options support both IDP-authorized flows and non-verified enrollment pathways. type: object required: - type - onboarding_configuration properties: type: enum: - console type: string onboarding_configuration: title: Console Onboarding Configuration description: Configuration options for the console onboarding experience. type: object required: - verification_method properties: verification_method: oneOf: - title: Console Verification Method IDP description: Configures IDP verification for identities onboarding. type: object required: - type - idp_id properties: type: description: |- The type of verification method to be used for credential onboarding. Currently only `idp` or `none` are supported options. If set to `none` there will be no verification step performed for the identity selected for credential onboarding. type: string enum: - idp idp_id: description: The id of the IDP to use to verify the identity during the onboarding process. type: string format: uuid - title: Console Verification Method None description: An onboarding configuration with no verification configured. Identities will not be verified during the onboarding operation. type: object required: - type properties: type: description: |- The type of verification method to be used for credential onboarding. Currently only `idp` or `none` are supported options. If set to `none` there will be no verification step performed for the identity selected for credential onboard. type: string enum: - none - title: Platform Authenticator description: Configuration options for the platform authenticator. type: object required: - type properties: type: type: string enum: - platform trusted_origins: description: 'Trusted origins are URLs that will be allowed to make requests from a browser to the Beyond Identity API. This is used with Cross-Origin Resource Sharing (CORS). These may be in the form of ` "://" [ ":" ],` such as `https://auth.your-domain.com` or `http://localhost:3000`.' type: array items: type: string nullable: true roaming_auth_config: description: The roaming_auth_config offers advanced configuration options for the roaming auth feature. title: RoamingAuthConfig type: object required: - enabled - allow_unknow_user properties: enabled: description: 'If false, roaming auth is never offered as an available flow during authentication on this Authenticator Config.' type: boolean allow_unknown_user: description: 'If a login_hint is not provided or the login_hint does not match for exactly one user in the directory, the user will be considered "unknown" and the value of allow_unknown_user will be used to determine whether or not to offer roaming auth.' type: boolean allowed_source_ips: description: 'If allowed_source_ips is not null and not empty, roaming auth will only be offered to users who begin the authentication from a specified IP address or range.' type: array items: type: string allowed_user_group_ids: description: 'If allowed_user_group_ids is not nil and not empty, roaming auth will only be offered to users if they are part of one of those user groups. Note that the user is determined _before_ authentication using a best effort lookup by login_hint, if provided. If a login_hint is not provided or the login_hint does not match for exactly one user in the directory, the user will be considered \"unknown\" and the value of allow_unknown_user will be used to determine whether or not to offer roaming auth.' type: array items: type: string allowed_user_ids: description: 'If allowed_user_ids is not nil and not empty, roaming auth will only be offered to specified users. Note that the user is determined _before_ authentication using a best effort lookup by login_hint, if provided. If a login_hint is not provided or the login_hint does not match for exactly one user in the directory, the user will be considered \"unknown\" and the value of allow_unknown_user will be used to determine whether or not to offer roaming auth.' type: array items: type: string ListApplicationsResponse: title: List Applications Response description: Response for ListApplications. type: object properties: applications: type: array items: $ref: '#/components/schemas/Application' maxItems: 100 description: | An unordered array of applications corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - applications - total_size ListAuthenticatorConfigsResponse: title: List Authenticator Configurations Response description: Response for ListAuthenticatorConfigs. type: object properties: authenticator_configs: type: array items: $ref: '#/components/schemas/AuthenticatorConfig' maxItems: 100 description: | An unordered array of authenticator configurations corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - authenticator_configs - total_size ListResourceServersResponse: title: List Resource Servers Response description: Response for ListResourceServers. type: object properties: resource_servers: type: array items: $ref: '#/components/schemas/ResourceServer' maxItems: 100 description: | An unordered array of resource servers corresponding to the request. total_size: type: integer format: uint32 description: | Total number of results returned by the operation. This value may be larger than the number of resources returned, such as when returning a single page where multiple pages are available. example: 1000 next_page_token: type: string description: | Token used to fetch the next set of results. If this field is omitted, there are no subsequent pages. required: - resource_servers - total_size ResourceServer: title: Resource Server type: object description: | A resource server represents an API server that hosts a set of protected resources and is capable of accepting and responding to protected resource requests using access tokens. Clients can enable these APIs to be consumed from authorized applications. properties: id: type: string description: | A unique identifier for a resource server. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: 84db69f5-48a8-4c11-8cda-1bae3a73f07e realm_id: type: string description: | A unique identifier for the resource server's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: caf2ff640497591a tenant_id: type: string description: | A unique identifier for the resource server's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 00011f1183c67b69 display_name: type: string description: | A human-readable name for the resource server. This name is used for display purposes. example: Pet API is_managed: type: boolean description: | A boolean indicating whether the resource server is managed by Beyond Identity. Managed resource servers may not be modified by the user. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: false identifier: type: string description: | The identifier of this resource server entity. This value should be unique per realm and is often presented as a URI, as it should be a unique identifier for an API to which access is being gated. This identifier will be returned in the `audience` claim of all tokens minted that provide access to scopes owned by this resource server. The client is responsible for validating tokens are intended for them via this `audience` claim. Tokens minted for the Beyond Identity Management API will use the audience `beyondidentity`, which is reserved and may not be used for any other resource servers. example: 'https://api.mypetapp.com' scopes: type: array items: type: string example: 'pets:read' description: | The list of scopes supported by this resource server. For the Beyond Identity Management API, this will include scopes for all publicly available endpoints. Note that applications may not provide access to scopes that are not defined on a resource server that they reference; this is the superset of all allowable application scopes in a given realm. SCIMUser: title: User description: | A user represents a human entity as defined by [RFC 7643 Section 4.1](https://www.rfc-editor.org/rfc/rfc7643#section-4.1). A user cooresponds to the identity resource in Beyond Identity. type: object properties: schemas: type: array description: | The list of schemas used to define the user. This must contain only the core User schema ("urn:ietf:params:scim:schemas:core:2.0:User"). items: type: string example: 'urn:ietf:params:scim:schemas:core:2.0:User' id: type: string description: | The unique ID of the user. This is automatically generated on creation. This field is immutable and output-only. minLength: 1 readOnly: true example: ed9fcce6-ec82-458e-ae58-e2d975cfc32d externalId: type: string description: The provisioning client's unique identifier for the resource. example: external-id-abcdef userName: type: string minLength: 1 description: | The unique username of the user. example: test_user displayName: type: string minLength: 1 description: | Display name of the User. This name is used for display purposes. example: Test User active: type: boolean description: | Indicator for the user's administrative status. If true, the user has administrative capabilities. example: true emails: type: array description: The list containing the user's emails. items: type: object description: Definition of an email. properties: primary: type: boolean description: | Indicator for the primary or preferred email address. Only the primary email address is included on the response. All other provided email addresses will be ignored. example: true value: type: string description: The email address. example: test@test.com name: type: object description: Definition of the user's name. properties: givenName: type: string description: | The given name of the user, or first name in most Western languages. example: Barbara familyName: type: string description: | The family name of the user, or last name in most Western languages. example: Jensen 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User': title: EnterpriseUserExtension description: | Defines attributes commonly used in representing users that belong to, or act on behalf of, a business or enterprise. The enterprise User extension is identified using the following schema URI: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User". type: object properties: employeeNumber: type: string description: | A string identifier, typically numeric or alphanumeric, assigned to a person, typically based on order of hire or association with an organization as defined in [RFC 7643](https://datatracker.ietf.org/doc/html/rfc7643#section-4.3). costCenter: type: string description: | Identifies the name of a cost center as defined in [RFC 7643](https://datatracker.ietf.org/doc/html/rfc7643#section-4.3). organization: type: string description: | Identifies the name of an organization as defined in [RFC 7643](https://datatracker.ietf.org/doc/html/rfc7643#section-4.3). department: type: string description: | Identifies the name of a department as defined in [RFC 7643](https://datatracker.ietf.org/doc/html/rfc7643#section-4.3). division: type: string description: | Identifies the name of a division as defined in [RFC 7643](https://datatracker.ietf.org/doc/html/rfc7643#section-4.3). manager: type: object properties: value: type: string description: | The "id" of the SCIM resource representing the user's manager as defined in [RFC 7643](https://datatracker.ietf.org/doc/html/rfc7643#section-4.3). displayName: type: string description: | The displayName of the user's manager. This attribute is OPTIONAL, and mutability is "readOnly" as defined in [RFC 7643](https://datatracker.ietf.org/doc/html/rfc7643#section-4.3). meta: title: Meta description: | Resource metadata as defined in [RFC 7643 Section 3.1](https://www.rfc-editor.org/rfc/rfc7643#section-3.1). This attribute is only populated on responses and is ignored on requests. type: object properties: resourceType: type: string description: The name of the resource type of the resource. example: Group created: type: string format: date-time description: Timestamp of when the resource was created. readOnly: true example: '2022-04-07T07:23:33Z' lastModified: type: string format: date-time description: Timestamp of when the resource was last updated. readOnly: true example: '2023-03-30T07:00:14Z' location: type: string description: The URI of the resource being returned. readOnly: true example: Groups/ed9fcce6-ec82-458e-ae58-e2d975cfc32d version: type: string description: | The version of the resource being returned. This is always "W/0". readOnly: true example: W/0 required: - resourceType - created - lastModified - location - version required: - schemas SCIMGroup: title: Group description: | A group is a collection of users corresponding to [RFC 7643 Section 4.2](https://www.rfc-editor.org/rfc/rfc7643#section-4.2). type: object properties: schemas: type: array description: | The list of schemas used to define the group. This must contain the core Group schema ("urn:ietf:params:scim:schemas:core:2.0:Group") and may include the custom Beyond Identity Group schema extension ("urn:scim:schemas:extension:byndid:1.0:Group"). items: type: string example: 'urn:ietf:params:scim:schemas:core:2.0:Group' id: type: string description: | The unique ID of the group. This is automatically generated on creation. This field is immutable and output-only. minLength: 1 readOnly: true example: ed9fcce6-ec82-458e-ae58-e2d975cfc32d displayName: type: string minLength: 1 description: | The unique display name of the group. This name is used for display purposes. example: Help Desk meta: $ref: '#/components/schemas/SCIMUser/properties/meta' required: - schemas SCIMResourceType: title: ResourceType description: | A resource type specifies the metadata about a resource type, as defined in [RFC 7643 Section 6](https://www.rfc-editor.org/rfc/rfc7643#section-6). type: object properties: schemas: type: array description: | The list of schemas used to define the resource type. This only contains the core ResourceType schema ("urn:ietf:params:scim:schemas:core:2.0:ResourceType"). items: type: string example: 'urn:ietf:params:scim:schemas:core:2.0:ResourceType' id: type: string description: | ID of the resource type. This corresponds to the name of the type. minLength: 1 readOnly: true example: User name: type: string minLength: 1 description: Name of the resource type. readOnly: true example: User description: type: string description: Description of the resource type. readOnly: true example: User Account endpoint: type: string description: The relative base URL of the resource type. readOnly: true example: /Users schema: type: string description: The schema defining the resource type. readOnly: true example: 'urn:ietf:params:scim:schemas:core:2.0:User' schemaExtensions: type: array description: Schema extensions for the resource type. items: type: object properties: required: type: boolean description: | Indicator specifying whether the extension is required for the resource type. If true, the extension is required. readOnly: true example: false schema: type: string description: URN of the schema extension. readOnly: true example: 'urn:scim:schemas:extension:byndid:1.0:Group' required: - required - schema readOnly: true required: - schemas - id - name - description - endpoint - schema - schemaExtensions SCIMSchema: title: Schema description: | Definition of a schema which indicates what attributes are supported. This resource corresponds to [RFC 7643 Section 7](https://www.rfc-editor.org/rfc/rfc7643#section-7). type: object properties: id: type: string description: | ID of the schema defined as a URN. minLength: 1 readOnly: true example: 'urn:ietf:params:scim:schemas:core:2.0:User' name: type: string minLength: 1 description: Name of the resource type. readOnly: true example: User description: type: string description: Description of the resource type. readOnly: true example: User resource attributes: type: array description: List of attributes supported for this schema. items: type: object description: The definition of an attribute. properties: name: type: string description: The attribute's name. readOnly: true example: id type: type: string description: The attribute's type. enum: - string - boolean - decimal - integer - dateTime - reference - complex readOnly: true example: string subAttributes: type: array description: | A list of sub-attributes. This is defined only for complex attributes. Each sub-attribute is defined with the same schema as an attribute. items: type: object readOnly: true multiValued: type: boolean description: Indicator for the attribute's plurality. readOnly: true example: true description: type: string description: The attribute's human-readable description. readOnly: true example: The display name of the user. required: type: boolean description: Indicator for whether the attribute is required. readOnly: true example: true caseExact: type: boolean description: | Indicator for whether the attribute is case-sensitive. This only applies for string attributes. readOnly: true example: true mutability: type: string description: Definition of the attribute's mutability. enum: - readOnly - readWrite - immutable - writeOnly readOnly: true example: readOnly returned: type: string description: Definition of when the attribute is returned. enum: - always - never - default - request readOnly: true example: default uniqueness: type: string description: Definition of the attribute's uniqueness. enum: - none - server - global readOnly: true example: none referenceTypes: type: array description: | The list of types that may be referenced by this attribute. This only applies to attributes of type "reference". items: type: string example: User readOnly: true required: - name - type - multiValued - description - required - mutability - returned readOnly: true required: - id - name - description - attributes SCIMServiceProviderConfig: title: ServiceProviderConfig description: | The service provider configuration, as defined in [RFC 7643 Section 5](https://www.rfc-editor.org/rfc/rfc7643#section-5). type: object properties: schemas: type: array description: | The list of schemas used to define the resource type. This only contains the core ServiceProviderConfig schema ("urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"). items: type: string example: 'urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig' documentationUri: type: string description: | URL pointing to the service provider's human-consumable help documentation. readOnly: true patch: type: object properties: supported: type: boolean description: | Indicator specifying whether PATCH operations are supported. The Beyond Identity SCIM server supports PATCH operations. example: true readOnly: true required: - supported bulk: type: object description: Configuration for bulk operations. properties: supported: type: boolean description: | Indicator specifying whether PATCH operations are supported. The Beyond Identity SCIM server does not support bulk operations. example: false readOnly: true maxOperations: type: integer format: uint32 description: Maximum number of operations allowed per bulk operation. example: 1000 readOnly: true maxPayloadSize: type: integer format: uint32 description: Maximum payload size in bytes. example: 1048576 readOnly: true required: - supported - maxOperations - maxPayloadSize filter: type: object description: Configuration for query filters. properties: supported: type: boolean description: | Indicator specifying whether filters are supported for querying. The Beyond Identity SCIM server supports filters for querying. example: true readOnly: true maxResults: type: integer format: uint32 description: Maximum number of resources returned in a response. example: 1000 readOnly: true required: - supported - maxResults changePassword: type: object description: Configuration for password support. properties: supported: type: boolean description: | Indicator specifying whether changing a password is supported. The Beyond Identity SCIM server does not support passwords. example: true readOnly: true required: - supported sort: type: object description: Configuration for sort support in queries. properties: supported: type: boolean description: | Indicator specifying whether sorting is supported for querying. The Beyond Identity SCIM server does not support sorting. example: false readOnly: true required: - supported etag: type: object description: Configuration for ETag support. properties: supported: type: boolean description: | Indicator specifying whether ETags are supported. The Beyond Identity SCIM server does not support ETags. example: true readOnly: true required: - supported authenticationSchemes: type: array description: Supported authentication schemes. items: type: object properties: type: type: string description: The authentication scheme. enum: - oauth - oauth2 - oauthbearertoken - httpbasic - httpdigest readOnly: true example: oauthbearertoken name: type: string description: The common authentication scheme name. readOnly: true description: type: string description: A description of the authentication scheme. readOnly: true specUri: type: string description: URL pointing to the authentication scheme specification. readOnly: true documentationUri: type: string description: | URL pointing to the authentication scheme's usage documentation. readOnly: true required: - type - name - description - specUri - documentationUri readOnly: true required: - schemas - documentationUri - patch - bulk - filter - changePassword - sort - etag - authenticationSchemes SCIMError: type: object properties: schemas: type: array description: | The list of schemas used to define the error. This only contains the Error schema ("urn:ietf:params:scim:api:messages:2.0:Error"). items: type: string example: 'urn:ietf:params:scim:api:messages:2.0:Error' status: type: string description: The HTTP status code of the error expressed as a JSON string. scimType: type: string description: | A SCIM detail error keyword corresponding to [RFC 7644 Section 3.12](https://datatracker.ietf.org/doc/html/rfc7644#section-3.12). detail: type: string description: A detailed human-readable message. required: - schemas - status ApplicationSsoResponse: type: object properties: sso_config_id: type: string description: | This is the id of the SSO Config object that is associated with the provided application id. If this is missing it means that the application isn't associated with an SSO config. SsoConfigAddIdentities: title: Associate Identities with SSO Config description: Request for AddIdentitiesToSsoConfig. type: object properties: identity_ids: description: IDs of the identities to be added to the sso config. type: array items: type: string minItems: 1 maxItems: 1000 required: - identity_ids SsoConfigBookmarkPartialUpdate: type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' login_link: type: string icon: type: string is_tile_visible: type: boolean SsoConfigBookmark: type: object required: - type - login_link properties: type: $ref: '#/components/schemas/SsoConfigType' login_link: type: string icon: type: string is_tile_visible: type: boolean SsoConfigDeleteGroup: title: Delete Groups from SSO Config description: Request for DeleteGroupsToSsoConfig. type: object properties: group_ids: description: IDs of the groups to be removed from the sso config. type: array items: type: string minItems: 1 maxItems: 1000 required: - group_ids SsoConfigEntraIdAuthMethodPartial: type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' redirect_uris: default: null type: array items: type: string inbound_scim: default: null type: object discover_endpoint: default: null $ref: '#/components/schemas/SsoConfigEntraIdExternalAuthMethod/properties/discover_endpoint' SsoConfigEntraIdExternalAuthMethod: type: object required: - type - redirect_uris - discover_endpoint properties: type: $ref: '#/components/schemas/SsoConfigType' redirect_uris: default: null type: array items: type: string inbound_scim: default: null type: object discover_endpoint: description: | Describes the type of discovery endpoint for the entra_id_external_auth_methods sso config. type: string enum: - global_azure - azure_us_government - microsoft_azure_vianet SsoConfigEnvelope: description: Represents an SSO config as a request body. type: object required: - sso_config properties: sso_config: $ref: '#/components/schemas/SsoConfig' SsoConfigGenericOidcIdpPartialUpdate: type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' client_id: description: The client ID for the idp application. type: string client_secret: description: The client secret to authenticate as the idp application. type: string nullable: true pkce: default: null allOf: - $ref: '#/components/schemas/PkceConfig' id_token_scopes: default: null type: array items: type: string identifying_claim_name: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' authorization_endpoint: type: string nullable: true token_endpoint: type: string jwks_endpoint: type: string SsoConfigGenericOidcPartialUpdate: type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' redirect_uris: default: null type: array items: type: string scopes: default: null type: array items: type: string trusted_origins: default: null type: array items: type: string login_link: type: string icon: type: string is_tile_visible: type: boolean confidentiality: default: null allOf: - $ref: '#/components/schemas/Confidentiality' pkce: default: null allOf: - $ref: '#/components/schemas/PkceConfig' inbound_scim: default: null type: object SsoConfigGenericOidc: type: object required: - type - redirect_uris - scopes - confidentiality - pkce properties: type: $ref: '#/components/schemas/SsoConfigType' redirect_uris: default: null type: array items: type: string scopes: default: null type: array items: type: string trusted_origins: default: null type: array items: type: string login_link: type: string icon: type: string is_tile_visible: type: boolean confidentiality: default: null allOf: - $ref: '#/components/schemas/Confidentiality' pkce: default: null allOf: - $ref: '#/components/schemas/PkceConfig' inbound_scim: default: null type: object SsoConfigListGroups: title: List Groups associated with an SSO config. description: List Groups associated with an SSO config. type: object properties: groups: type: array items: $ref: '#/components/schemas/SsoGroupWithMemberCount' SsoConfigOidcIdp: type: object required: - type - client_id - identifying_claim_name - identity_attribute - authorization_endpoint - token_endpoint - jwks_endpoint properties: type: $ref: '#/components/schemas/SsoConfigType' client_id: description: The client ID for the idp application. type: string identifying_claim_name: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' authorization_endpoint: type: string nullable: true token_endpoint: type: string jwks_endpoint: type: string SsoConfigOktaBiIdpPartialUpdate: type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' pkce: default: null allOf: - $ref: '#/components/schemas/PkceConfig' okta_registration: description: Represents a list of Resource Servers as a response body. type: object properties: domain: description: The domain Url inside of Okta. type: string okta_token: description: An okta token used for accessing the okta API. type: string attribute_name: description: |- The name of the attribute within okta that we are going to set to true. type: string is_enabled: description: If the integration is enabled. type: boolean inbound_scim: default: null type: object SsoConfigOktaBiIdp: type: object required: - type - pkce - okta_registration properties: type: $ref: '#/components/schemas/SsoConfigType' pkce: default: null allOf: - $ref: '#/components/schemas/PkceConfig' okta_registration: description: Represents a list of Resource Servers as a response body. type: object properties: domain: description: The domain Url inside of Okta. type: string okta_token: description: An okta token used for accessing the okta API. type: string attribute_name: description: |- The name of the attribute within okta that we are going to set to true. type: string is_enabled: description: If the integration is enabled. type: boolean inbound_scim: default: null type: object SsoConfigPartialUpdatePayload: oneOf: - $ref: '#/components/schemas/SsoConfigBookmarkPartialUpdate' - $ref: '#/components/schemas/SsoConfigEntraIdAuthMethodPartial' - $ref: '#/components/schemas/SsoConfigGenericOidcPartialUpdate' - $ref: '#/components/schemas/SsoConfigGenericOidcIdpPartialUpdate' - $ref: '#/components/schemas/SsoConfigSamlPartialUpdate' - type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' client_id: description: The client ID for the idp application. type: string client_secret: description: The client secret to authenticate as the idp application. type: string nullable: true pkce: default: null allOf: - $ref: '#/components/schemas/PkceConfig' id_token_scopes: default: null type: array items: type: string identifying_claim_name: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' okta_domain: type: string inbound_scim: default: null type: object - $ref: '#/components/schemas/SsoConfigOktaBiIdpPartialUpdate' - $ref: '#/components/schemas/SsoConfigRealityCheckPartialUpdate' - $ref: '#/components/schemas/SsoConfigWsFedPartialUpdate' SsoConfigPartialUpdate: description: Represents an sso config as an update request body. type: object required: - sso_config properties: sso_config: $ref: '#/components/schemas/SsoConfigPartialUpdatePayload' SsoConfigPayload: oneOf: - $ref: '#/components/schemas/SsoConfigBookmark' - $ref: '#/components/schemas/SsoConfigEntraIdExternalAuthMethod' - $ref: '#/components/schemas/SsoConfigGenericOidc' - $ref: '#/components/schemas/SsoConfigOidcIdp' - type: object required: - type - acs_url - override_recipient_and_destination - audience_url - default_relay_state - name_format - authentication_context - subject_user_name_attribute - sign_envelope - sign_assertions - signature_algorithm - digest_algorithm - encrypt_assertions - assertion_validity_duration_seconds - sp_signature_certificates - enable_single_log_out - validate_signed_requests - additional_user_attributes - single_logout_sign_request_and_response properties: type: type: string enum: - saml acs_url: description: | Location where the SAML Response is sent via HTTP-POST. Often referred to as the SAML Assertion Consumer Service (ACS) URL. type: string example: 'https://example.com/saml/acs' override_recipient_and_destination: description: | When this is true, the `recipient_url` and the `destination_url` are used for SAML Response. When this is false, both the `recipient_url` and the `destination_url` are omitted and the `acs_url` is used instead. type: boolean example: true recipient_url: description: | If `override_recipient_and_destination` is set to `true`, this field is utilized for the SAML Response. If it is `false`, this field is unused. The location where the application may present the SAML assertion. This is usually the same location as the Single Sign-On URL. type: string example: 'https://example.com/saml/recipient' destination_url: description: | If `override_recipient_and_destination` is set to `true`, this field is utilized for the SAML Response. If it is `false`, this field is unused. Identifies the location where the SAML response is intended to be sent inside of the SAML assertion. type: string example: 'https://example.com/saml/destination' audience_url: description: | The intended audience of the SAML assertion. Often referred to as the service provider Entity ID. type: string example: 'https://example.com/saml/audience' default_relay_state: description: | Identifies a specific application resource in an IDP initiated Single Sign-On scenario. In most instances this is blank. type: string example: defaultRelayState name_format: description: | Name format of the assertion's subject statement. Processing rules and constraints can be applied based on selection. Default value is "unspecified" unless SP explicitly requires differently. type: string enum: - unspecified - email_address - x509_subject_name - persistent - transient - entity - kerberos - windows_domain_qualified_name example: unspecified authentication_context: description: | The SAML Authentication Context Class for the assertion's authentication statement. Default value is "X509". type: string enum: - x509 - integrated_windows_federation - kerberos - password - password_protected_transport - tls_client - unspecified - refeds_mfa example: x509 subject_user_name_attribute: description: | Determines the default value for a user's application username. The application username will be used for the assertion's subject statement. type: string enum: - user_name - email - email_prefix - external_id - display_name - custom - none example: user_name sign_envelope: description: | Determines whether the SAML authentication response message is digitally signed by the IdP or not. A digital signature is required to ensure that only your IdP generated the response message. type: boolean example: true sign_assertions: description: All of the assertions should be signed by the IdP. type: boolean example: true signature_algorithm: description: | The algorithm used for signing the SAML assertions. type: string enum: - rsa_sha256 - rsa_sha1 - rsa_sha384 - rsa_sha512 example: rsa_sha256 digest_algorithm: description: | The algorithm used to encrypt the SAML assertion. type: string enum: - sha256 - sha1 - sha384 - sha512 example: sha256 encrypt_assertions: description: | This is the flag that determines if the SAML assertion is encrypted. If this flag is set to `true`, there **MUST** be a SAML encryption certificate uploaded. Encryption ensures that nobody but the sender and receiver can understand the assertion. type: boolean example: false assertion_validity_duration_seconds: description: | The amount of time SAML assertions are valid for in seconds. type: integer format: int32 example: 300 assertion_encryption_algorithm: description: | The algorithm used for the digest in SAML assertions. type: string enum: - aes256_cbc - aes256_gcm - aes128_cbc - aes128_gcm example: aes256_cbc assertion_key_transport_algorithm: description: | The algorithm used for key transport in SAML assertions. type: string enum: - rsa_oaep - rsa1_5 example: rsa_oaep assertion_encryption_public_key: description: | The public key used to encrypt the SAML assertion. This is required if `encrypt_assertions` is true. type: string example: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr3Q4ebLzciJlVf4QDQ2u 0Y2CfX9z4rMdG6MQSDW2NFQF0kM16Zzsz0p2gMOnp7YOz8OZqkU2XgUN3kQ8zC1h q+um2mU5K45f9Idoq8gE7/kmlZG1zS1mrDS36lM5Sc+E5hVgXJkNw3kEJ7OnhHHu ZG0EvTlGjqntCGXxrpX5sS1a9z7HeemEos6Xlw8I8Q8txJTeHgkRmZkMy5ndRbWa sMyV8A1tk0Z5bLpoZBxn8Hh/M4v8HkV8O7lH91kB9D+4O+CZ4WcG4Fj8UOJW5m1M nsCfYvzpEzeLoB2xD3CEmonGzZC+Ij1ZhrWu5V6mnmx6dzUMjOZchRQtfnJZzQ1U 2QIDAQAB -----END PUBLIC KEY----- sp_signature_certificates: $ref: '#/components/schemas/SsoConfigSamlPartialUpdate/properties/sp_signature_certificates/items' enable_single_log_out: description: | Enables single logout. Single Logout (SLO) is a feature that allows users to be logged out from multiple service providers (SPs) and the identity provider (IdP) with a single logout action. type: boolean example: false single_log_out_url: description: | The location where the single logout response will be sent. This is only enabled if `enable_single_log_out` is true. type: string example: 'https://example.com/saml/logout' single_log_out_issuer_url: description: | The issuer ID for the service provider when handling a Single Logout. This is only enabled if `enable_single_log_out` is true. type: string example: 'https://example.com/saml/issuer' single_log_out_binding: description: | The SAML binding used for SAML messages. type: string enum: - post - redirect example: post single_logout_sign_request_and_response: description: | If enabled, Single Logout requests must bbe signed and Single Logout responses will also be signed. type: boolean example: false validate_signed_requests: description: | Select this to validate all SAML requests using the SP Signature Certificate. type: boolean example: true other_sso_urls: type: object description: | For use with SP-initiated sign-in flows. Enter the ACS URLs for any other requestable SSO nodes used by your app integration. This option enables applications to choose where to send the SAML Response. Specify a URL and an index that uniquely identifies each ACS URL endpoint. Some SAML AuthnRequest messages don't specify an index or URL. In these cases, the SAML Response is sent to the ACS specified in the Single sign on URL field. When you enable Signed Requests, Beyond Identity deletes any previously defined static SSO URLs and reads the SSO URLs from the signed SAML request instead. You can't have both static SSO URLs and dynamic SSO URLs. This can only be set if `validate_signed_requests` is set to false. required: - index - url properties: index: description: The index that this URL may be referenced by. type: integer format: int16 example: 1 url: description: | This is a URL that may be used to replace the ACS URL. type: string example: 'https://example.com/saml/acs1' additional_user_attributes: description: | This structure describes additional attributes that can be attached to SAML assertion. type: array items: type: object required: - name - name_format - value properties: name: description: The SAML attribute name. type: string example: firstName name_format: $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/name_format' value: description: The value to attach to the SAML value. $ref: '#/components/schemas/SsoConfigSamlPartialUpdate/properties/additional_user_attributes/items' custom_value: description: | The custom static string value when value is set to `custom_static_string`. type: string example: customString identity_provider_certs: description: | The X509 certificates of the identity provider (Beyond Identity). These are the certificates that is in our IDP metadata, and that the upstream services use to validate our SAML assertion. type: array readOnly: true items: type: object description: | The BI Identity Provider Certificate for this SAML connection. required: - id - created_at - expires_at - is_active - idp_public_certificate properties: id: description: The id of the certificate. type: string example: 3cb717d1-88ff-440a-b5ee-86c00ce63dbf created_at: description: Timestamp of when the certificate was created. type: string format: date-time example: '2022-05-12T20:29:47.636Z' expires_at: description: Timestamp of when the certificate expires. type: string format: date-time example: '2022-05-12T20:29:47.636Z' is_active: description: Indicates whether the certificate is active. type: boolean example: true idp_public_certificate: description: | Beyond Identity's public signing key wrapped in a certificate. Stored as a base64 encoded DER format. type: string example: | -----BEGIN CERTIFICATE----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr3Q4ebLzciJlVf4QDQ2u 0Y2CfX9z4rMdG6MQSDW2NFQF0kM16Zzsz0p2gMOnp7YOz8OZqkU2XgUN3kQ8zC1h q+um2mU5K45f9Idoq8gE7/kmlZG1zS1mrDS36lM5Sc+E5hVgXJkNw3kEJ7OnhHHu ZG0EvTlGjqntCGXxrpX5sS1a9z7HeemEos6Xlw8I8Q8txJTeHgkRmZkMy5ndRbWa sMyV8A1tk0Z5bLpoZBxn8Hh/M4v8HkV8O7lH91kB9D+4O+CZ4WcG4Fj8UOJW5m1M nsCfYvzpEzeLoB2xD3CEmonGzZC+Ij1ZhrWu5V6mnmx6dzUMjOZchRQtfnJZzQ1U 2QIDAQAB -----END CERTIFICATE----- use_short_url: default: false type: boolean description: Changes the EntityID in the SAML response to a shorter version. This is to support applications with URL restrictions. - type: object required: - type - client_id - identifying_claim_name - identity_attribute - okta_domain properties: type: $ref: '#/components/schemas/SsoConfigType' client_id: description: The client ID for the idp application. type: string client_secret: description: The client secret to authenticate as the idp application. type: string nullable: true pkce: default: null allOf: - $ref: '#/components/schemas/PkceConfig' id_token_scopes: default: null type: array items: type: string identifying_claim_name: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' okta_domain: type: string inbound_scim: default: null type: object - $ref: '#/components/schemas/SsoConfigOktaBiIdp' - $ref: '#/components/schemas/SsoConfigRealityCheck' - $ref: '#/components/schemas/SsoConfigWsFed' SsoConfigRealityCheckPartialUpdate: type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' company_identifier: default: null type: string SsoConfigRealityCheck: type: object required: - type - company_identifier properties: type: $ref: '#/components/schemas/SsoConfigType' company_identifier: default: null type: string SsoConfigSamlPartialUpdate: type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' acs_url: description: | Location where the SAML Response is sent via HTTP-POST. Often referred to as the SAML Assertion Consumer Service (ACS) URL. type: string override_recipient_and_destination: description: | When this is true, the `recipient_url` and the `destination_url` are used for SAML Response. When this is false, both the `recipient_url` and the `destination_url` are omitted and the acs_url is used instead. type: boolean recipient_url: description: | If `override_recipient_and_destination` is set to true, this field is utilized for the SAML Response. If it is false, this field is unused. The location where the application can present the SAML assertion. This is usually the Single Sign-On (SSO) URL. type: string destination_url: description: | If `override_recipient_and_destination` is set to true, this field is utilized for the SAML Response. If it is false, this field is unused. The location to send the SAML Response, as defined in the SAML assertion. type: string audience_url: description: | The intended audience of the SAML assertion. Often referred to as the service provider Entity ID. type: string default_relay_state: description: | Identifies a specific application resource in an IDP initiated Single Sign-On scenario. In most instances this is blank. type: string name_format: description: The format of the SAML NameID. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/name_format' authentication_context: description: The context for SAML authentication. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/authentication_context' subject_user_name_attribute: description: The attribute to use for the subject's username. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/subject_user_name_attribute' sign_envelope: description: | Determines whether the SAML authentication response message is digitally signed by the IdP or not. A digital signature is required to ensure that only your IdP generated the response message. type: boolean sign_assertions: description: All of the assertions are signed by the IdP. type: boolean signature_algorithm: description: The algorithm used for signing the SAML assertions. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/signature_algorithm' digest_algorithm: description: The algorithm used for the digest in SAML assertions. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/digest_algorithm' encrypt_assertions: description: | This is the flag that determines if the SAML assertion is encrypted. If this flag is set to `true`, there MUST be a SAML encryption certificate uploaded. Determines whether the SAML assertion is encrypted or not. Encryption ensures that nobody but the sender and receiver can understand the assertion. type: boolean assertion_validity_duration_seconds: description: | The amount of time assertions are valid for in seconds. type: integer format: int32 assertion_encryption_algorithm: description: The algorithm used to encrypt the SAML assertion. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/assertion_encryption_algorithm' assertion_key_transport_algorithm: description: The algorithm used for key transport in SAML assertions. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/assertion_key_transport_algorithm' assertion_encryption_public_key: description: | The public key used to encrypt the SAML assertion. This is required if `encrypt_assertions` is true. type: string sp_signature_certificates: description: | The PEM encoded X509 key certificate of the Service Provider used to verify SAML AuthnRequests. type: array items: description: | The PEM encoded X509 key certificate of the Service Provider used to verify SAML AuthnRequests. type: array items: type: object required: - sp_public_signing_key properties: sp_public_signing_key: type: string example: - | -----BEGIN CERTIFICATE----- MIIDdzCCAl+gAwIBAgIEbF2LTTANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJV UzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbiBGcmFuY2lzY28xEjAQBgNVBAoT CU9rdGEsIEluYy4xHzAdBgNVBAMTFm9rdGEuZXhhbXBsZS5jb20gQ0EgUm9vdDAe Fw0yMDA2MTkwMDAwMDBaFw0yMTA2MTkyMzU5NTlaMG0xCzAJBgNVBAYTAlVTMQsw CQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuIEZyYW5jaXNjbzESMBAGA1UEChMJb2t0 Pbg6vGfJnxYYibTwLlXhgxl0tT+NMQFZ5GQslLh2sB3AWBzjZtFzFS7lDi0n4Fz5 y9x6U1hUS54fScJmSVSTT9v/qAD0ccjvlPj3M6PENq2X7TwrOqSTgx5TPOpA5Myl MtwPbU3wn/pA5Cp9kWvlYbBfTS4Hx14FQyg3GAAkMrzrhKhpIfhz6iH0H8kDxFId 6KjXy4TvoUM/tH7c6v2HS6D4TD7TfYOv/8A7E1Lj6WKwjtghTAh3Rb5tbyxRBcw gg== -----END CERTIFICATE----- enable_single_log_out: description: Enable single logout. type: boolean single_log_out_url: description: | The location where the logout response will be sent. Only enabled if `enable_single_log_out` is true. type: string single_log_out_issuer_url: description: | The issuer ID for the service provider. When handling a Single Log Out. Only enabled if `enable_single_log_out` is true. type: string single_log_out_binding: description: The binding used for single logout messages. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/single_log_out_binding' single_logout_sign_request_and_response: description: | If we should expect the LogoutRequest to be signed and if we should sign the LogoutResponse. type: boolean validate_signed_requests: description: | Select this to validate all SAML requests using the Signature Certificate. The payload from the SAML request is validated, and Okta dynamically reads any single sign-on (SSO) URLs from the request. This checkbox appears after you upload a Signature Certificate. When Signed Requests is enabled, the SAML Request must include a NameIDPolicy. type: boolean other_sso_urls: description: | For use with SP-initiated sign-in flows. Enter the ACS URLs for any other requestable SSO nodes used by your app integration. This option enables applications to choose where to send the SAML Response. Specify a URL and an index that uniquely identifies each ACS URL endpoint. Some SAML AuthnRequest messages don't specify an index or URL. In these cases, the SAML Response is sent to the ACS specified in the Single sign on URL field. When you enable Signed Requests, Okta deletes any previously defined static SSO URLs and reads the SSO URLs from the signed SAML request instead. You can't have both static SSO URLs and dynamic SSO URLs. This can only be set if validate_signed_requests is set to false. type: object required: - index - url properties: index: description: The index that this URL may be referenced by. type: integer format: int16 url: description: | This is a URL that may be used to replace the ACS URL. type: string additional_user_attributes: description: Any additional attributes to attach to the SAML assertion. type: array items: description: | The value of the SAML attribute. It will correspond to a directory attribute of the user. type: string enum: - email - user_name - external_id - display_name - custom_static_string example: email icon: description: The URL or data URI of the icon representing the SSO configuration. type: string is_tile_visible: description: Indicates if the SSO configuration tile is visible to the user. type: boolean inbound_scim: default: null type: object use_short_url: default: false type: boolean description: Changes the EntityID in the SAML response to a shorter version. This is to support applications with URL restrictions. SsoConfigType: description: | Describes the type of sso config. type: string enum: - bookmark - entra_id_external_auth_methods - generic_oidc - generic_oidc_idp - generic_saml - okta_idp - okta_sso_bi_idp - scim - ws_fed SsoConfigWsFedPartialUpdate: type: object required: - type properties: type: $ref: '#/components/schemas/SsoConfigType' acs_url: description: | This is where to redirect too. This is also known as the SP SSO url. type: string audience_url: description: The Recipient/Audience of the RSTR. type: string expiration_time_seconds: description: The amount of time in seconds that the RSTR should be valid for. type: integer format: int32 digest_algorithm: description: The algorithm used to create a digest inside of the token within the RSTR. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/digest_algorithm' signature_algorithm: description: The algorithm used to create a signature inside of the token within the RSTR. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/signature_algorithm' name_format: description: The format that should be used to identify the user that is logging into the system. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/name_format' subject_user_name_attribute: description: | The attribute on the identity that's used to uniquely identify the user. This is also the source for the user name inside of the RSTR. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/subject_user_name_attribute' authentication_context: description: | The SAML Authentication Context Class for the assertion's authentication statement. Default value is "X509". $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/authentication_context' additional_user_attributes: description: Any additional attributes to attach to the assertion. type: array items: $ref: '#/components/schemas/SsoConfigWsFed/properties/additional_user_attributes/items' icon: description: The URL or data URI of the icon representing the SSO configuration. type: string is_tile_visible: description: Indicates if the SSO configuration tile is visible to the user. type: boolean inbound_scim: default: null type: object SsoConfigWsFed: type: object required: - type - acs_url - audience_url - expiration_time_seconds - digest_algorithm - signature_algorithm - name_format - subject_user_name_attribute - authentication_context - additional_user_attributes properties: type: description: The type of the SSO configuration. $ref: '#/components/schemas/SsoConfigType' acs_url: description: | This is where to redirect to. This is also known as the SP SSO url. type: string audience_url: description: The Recipient/Audience of the RSTR. type: string expiration_time_seconds: description: The amount of time in seconds that the RSTR should be valid for. type: integer format: int32 digest_algorithm: description: The algorithm used to create a digest inside of the token within the RSTR. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/digest_algorithm' signature_algorithm: description: The algorithm used to create a signature inside of the token within the RSTR. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/signature_algorithm' name_format: description: The format that should be used to identify the user that is logging into the system. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/name_format' subject_user_name_attribute: description: | The attribute on the identity that's used to uniquely identify the user. This is also the source for the user name inside of the RSTR. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/subject_user_name_attribute' authentication_context: description: | The SAML Authentication Context Class for the assertion's authentication statement. Default value is "X509". $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/authentication_context' additional_user_attributes: description: Any additional attributes to attach to the assertion. type: array items: description: | This structure describes additional attributes that can be attached to SAML assertion inside of WS-Fed token. type: object required: - name - name_format - value properties: name: description: The SAML attribute name. type: string name_format: description: The format that the attribute has. $ref: '#/components/schemas/SsoConfigPayload/oneOf/4/properties/name_format' value: description: The value to attach to the SAML value. $ref: '#/components/schemas/SsoConfigSamlPartialUpdate/properties/additional_user_attributes/items' namespace: type: string description: | This is an XML namespace that is applied the attribute and all of its children. icon: description: The URL or data URI of the icon representing the SSO configuration. type: string is_tile_visible: description: Indicates if the SSO configuration tile is visible to the user. type: boolean inbound_scim: default: null type: object SsoConfig: description: Represents an SSO config as a request body. type: object required: - display_name - payload properties: is_migrated: description: Indicates that the SSO Config was added by a script such as fast migrate type: boolean display_name: description: A human-readable name for the application. This name is used for display purposes. type: string payload: $ref: '#/components/schemas/SsoConfigPayload' SsoGroupWithMemberCount: title: Group with count of members type: object description: | A group is a logical collection of identities. Groups are commonly used as a predicate in a policy rule. properties: id: type: string description: | A unique identifier for a group. This is automatically generated on creation. This field is immutable and read-only. This field is unique within the realm. readOnly: true example: 81490afab171aef0 realm_id: type: string description: | A unique identifier for the group's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 7df92e4a38ba0993 tenant_id: type: string description: | A unique identifier for the group's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 0001b42d80372976 display_name: type: string minLength: 1 maxLength: 64 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A human-readable name for the group. This name is used for display purposes. example: Realm Administrators description: type: string maxLength: 300 pattern: '^[^{}[\]<>;:?\\/|*^%$#=~`!]*$' description: | A free-form text field to describe a group. example: A group of realm administrators. create_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the group was created. This is automatically generated on creation. This field is read-only. readOnly: true example: '2022-03-14T03:42:52.905Z' update_time: type: string format: date-time description: | A time value given in ISO8601 combined date and time format that represents when the group was last updated. This is automatically updated when the group is updated. This field is read-only. readOnly: true example: '2022-06-14T05:55:23.823Z' member_count: type: integer format: uint32 description: | Total number of members of this group. example: 1000 IdentityProviderUpdate: description: Represents an identity provider. type: object properties: identity_provider: type: object description: The identity provider object. properties: id: description: | A unique identifier identifying an identity provider. This is automatically set on creation. This field is immutable and read-only. type: string readOnly: true tenant_id: type: string description: | A unique identifier for the identity provider's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 0001f1f460b1ace6 realm_id: type: string description: | A unique identifier for the identity provider's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 8f5bec58229e6f29 display_name: type: string description: | The human-readable name associated with the identity provider. protocol_config: description: | The kind of protocol we should use to communicate with the identity provider. allOf: - $ref: '#/components/schemas/IdentityProviderUpdateProtocolConfig' IdentityProviderProtocolConfigOidcIdp: description: | OIDC protocol configuration for connecting to an identity provider, and validating the token we received. type: object required: - client_id - client_secret - token_scopes - identity_attribute - pkce - jwks_url - token_url - authorize_url - identifying_claim_name - type properties: type: type: string enum: - oidc_idp client_id: description: | The OIDC client id. This value is from the identity provider. type: string client_secret: description: | The OIDC client secret. This value is from the identity provider. type: string token_scopes: description: | The scopes which to assign to the generated Access token. Scopes will be checked against the identity before validating. type: array items: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' pkce: $ref: '#/components/schemas/PkceConfig' jwks_url: description: | The URL that points to the ".well-known/jwks.json" of the identity provider. Must be a URL. type: string token_url: description: | The URL that points to the "/token" endpoint of the identity provider. Must be a URL. type: string authorize_url: description: | The "/authorize" URL to authenticate against inside of the identity provider. Must be a URL. type: string identifying_claim_name: description: | The name of the claim that specifies the user's identity inside of a token. type: string IdentityProviderProtocolConfig: description: | Represents the protocol configuration that is used by the identity provider. oneOf: - $ref: '#/components/schemas/IdentityProviderProtocolConfigOidcIdp' IdentityProviderUpdateProtocolConfig: description: | Represents the protocol configuration that is used by the identity provider. oneOf: - $ref: '#/components/schemas/IdentityProviderUpdateProtocolConfigOidcIdp' discriminator: propertyName: type IdentityProviderUpdateProtocolConfigOidcIdp: description: | OIDC protocol configuration for connecting to an identity provider, and validating the token we received. type: object required: - type properties: type: type: string enum: - oidc_idp client_id: description: | The OIDC client id. This value is from the identity provider. type: string client_secret: description: | The OIDC client secret. This value is from the identity provider. type: string token_scopes: description: | The scopes which to assign to the generated Access token. Scopes will be checked against the identity before validating. type: array items: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' pkce: $ref: '#/components/schemas/PkceConfig' jwks_url: description: | The URL that points to the ".well-known/jwks.json" of the identity provider. Must be a URL. type: string token_url: description: | The URL that points to the "/token" endpoint of the identity provider. Must be a URL. type: string authorize_url: description: | The "/authorize" URL to authenticate against inside of the identity provider. Must be a URL. type: string identifying_claim_name: description: | The name of the claim that specifies the user's identity inside of a token. type: string IdentityProviderListResponse: description: Represents a list of identity providers as a response body. type: object required: - identity_providers - total_size properties: identity_providers: description: The identity providers that are in the list. type: array items: $ref: '#/components/schemas/IdentityProviderResponse' total_size: description: The total number of identity providers contained by the Realm. type: integer format: uint minimum: 0 next_page_token: description: The value to be passed as the page_token parameter to retrieve the next page. type: string nullable: true IdentityProviderProtocolConfigOidcIdpResponse: description: | OIDC protocol configuration for connecting to an identity provider, and validating the token we received. type: object required: - client_id - client_secret - token_scopes - identity_attribute - pkce - jwks_url - token_url - authorize_url - redirect_url - identifying_claim_name - type properties: type: type: string enum: - oidc_idp client_id: description: | The OIDC client id. This value is from the identity provider. type: string client_secret: description: | The OIDC client secret. This value is from the identity provider. type: string token_scopes: description: | The scopes to assign to the generated Access token. Scopes will be checked against the identity before validating. type: array items: type: string identity_attribute: $ref: '#/components/schemas/SubjectField' pkce: $ref: '#/components/schemas/PkceConfig' jwks_url: description: | The URL that points to the ".well-known/jwks.json" of the identity provider. Must be a URL. type: string token_url: description: | The URL that points to the "/token" endpoint of the identity provider. Must be a URL. type: string authorize_url: description: | The "/authorize" URL to authenticate against inside of the identity provider. Must be a URL. type: string redirect_url: description: | Redirect URL provided by Beyond Identity that the IdP can redirect end users to after successful authorize call. This is an OIDC-compliant callback. type: string identifying_claim_name: description: | The name of the claim that specifies the user's identity inside of a token. type: string IdentityProviderProtocolConfigResponse: description: | Represents the protocol configuration that is used by the identity provider. oneOf: - $ref: '#/components/schemas/IdentityProviderProtocolConfigOidcIdpResponse' IdentityProviderResponse: description: Represents an identity provider. type: object required: - id - tenant_id - realm_id - protocol_config - display_name properties: id: description: | A unique identifier identifying an identity provider within a realm. This is automatically set on creation. This field is immutable and read-only. type: string readOnly: true tenant_id: type: string description: | A unique identifier for the identity provider's tenant. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 0001f1f460b1ace6 realm_id: type: string description: | A unique identifier for the identity provider's realm. This is automatically set on creation. This field is immutable and read-only. readOnly: true example: 8f5bec58229e6f29 display_name: type: string description: | The human-readable name associated with the identity provider. protocol_config: $ref: '#/components/schemas/IdentityProviderProtocolConfigResponse' IdentityProviderTestResponse: description: Represents an SSO config test response body. type: object required: - identity_provider_id - display_name - is_success - status_code properties: identity_provider_id: type: string display_name: type: string is_success: type: boolean status_code: type: string error_context: type: string FlowTypeConfig: title: FlowTypeConfig description: Flow type configuration for a tenant type: object properties: id: type: string description: | ID of the flow type configuration. This is automatically generated on creation. This field is immutable and output-only. minLength: 1 readOnly: true tenant_id: type: string description: ID of the tenant this configuration belongs to readOnly: true realm_id: type: string description: ID of the realm this configuration belongs to readOnly: true create_time: type: string format: date-time description: Timestamp when the flow type configuration was created readOnly: true update_time: type: string format: date-time description: Timestamp when the flow type configuration was last updated readOnly: true platform_config: $ref: '#/components/schemas/PlatformFlowTypeConfig' required: - id - tenant_id - realm_id - create_time - update_time - platform_config PlatformFlowTypeConfig: title: PlatformFlowTypeConfig description: Platform-specific flow type configurations type: object properties: android: $ref: '#/components/schemas/FlowTypeSet' macos: $ref: '#/components/schemas/FlowTypeSet' ios: $ref: '#/components/schemas/FlowTypeSet' windows: $ref: '#/components/schemas/FlowTypeSet' web: $ref: '#/components/schemas/FlowTypeSet' linux: $ref: '#/components/schemas/FlowTypeSet' chromeos: $ref: '#/components/schemas/FlowTypeSet' chromeosweb: $ref: '#/components/schemas/FlowTypeSet' required: - android - macos - ios - windows - web - linux - chromeos - chromeosweb FlowTypeSet: title: FlowTypeSet description: Set of flow type configurations for a platform type: object properties: unknown: $ref: '#/components/schemas/FlowTypeConfiguration' scheme: $ref: '#/components/schemas/FlowTypeConfiguration' embedded: $ref: '#/components/schemas/FlowTypeConfiguration' copy: $ref: '#/components/schemas/FlowTypeConfiguration' roaming_auth: $ref: '#/components/schemas/FlowTypeConfiguration' android_autofill: $ref: '#/components/schemas/FlowTypeConfiguration' android_accessibility: $ref: '#/components/schemas/FlowTypeConfiguration' pipe: $ref: '#/components/schemas/FlowTypeConfiguration' localhost: $ref: '#/components/schemas/FlowTypeConfiguration' universal_link: $ref: '#/components/schemas/FlowTypeConfiguration' safari_extension: $ref: '#/components/schemas/FlowTypeConfiguration' layered_auth_qr_code: $ref: '#/components/schemas/FlowTypeConfiguration' secure_localhost: $ref: '#/components/schemas/FlowTypeConfiguration' required: - unknown - scheme - embedded - copy - roaming_auth - android_autofill - android_accessibility - pipe - localhost - universal_link - safari_extension - layered_auth_qr_code - secure_localhost FlowTypeConfiguration: title: FlowTypeConfiguration description: Configuration for a specific flow type type: object properties: enabled: type: boolean description: Whether the this flow type is allowed to be used. valid: type: boolean description: Whether the flow type is valid and expected on a given platform required: - enabled - valid UpdatePlatformFlowTypeConfig: title: UpdatePlatformFlowTypeConfig description: Platform-specific flow type configurations for updates type: object properties: android: $ref: '#/components/schemas/UpdateFlowTypeSet' macos: $ref: '#/components/schemas/UpdateFlowTypeSet' ios: $ref: '#/components/schemas/UpdateFlowTypeSet' windows: $ref: '#/components/schemas/UpdateFlowTypeSet' web: $ref: '#/components/schemas/UpdateFlowTypeSet' linux: $ref: '#/components/schemas/UpdateFlowTypeSet' chromeos: $ref: '#/components/schemas/UpdateFlowTypeSet' chromeosweb: $ref: '#/components/schemas/UpdateFlowTypeSet' UpdateFlowTypeSet: title: UpdateFlowTypeSet description: Set of flow type configurations for a platform (update version) type: object properties: unknown: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' scheme: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' embedded: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' copy: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' roaming_auth: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' android_autofill: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' android_accessibility: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' pipe: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' localhost: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' universal_link: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' safari_extension: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' layered_auth_qr_code: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' secure_localhost: $ref: '#/components/schemas/UpdateFlowTypeConfiguration' UpdateFlowTypeConfiguration: title: UpdateFlowTypeConfiguration description: Configuration for a specific flow type (update version) type: object properties: enabled: type: boolean description: Whether the customer allows this flow type to be used. valid: type: boolean description: Whether the flow type is valid and expected on a given platform Error: type: object properties: code: type: string description: | Human-readable HTTP status code name, stylized as lower snake case (e.g. bad_request). message: type: string description: | Human-readable message describing the error. details: type: array items: $ref: '#/components/schemas/ErrorDetail' required: - code - message ErrorDetail: title: Error Detail description: | Additional details for errors designed to support client applications. type: object discriminator: propertyName: type properties: type: type: string description: Type of the error detail. required: - type FieldViolations: title: Field Violations description: Invalid request fields. allOf: - $ref: '#/components/schemas/ErrorDetail' - type: object properties: field_violations: type: array items: type: object properties: field: type: string description: The name of the field specifying an invalid value. description: type: string description: A description of the field violation. required: - field - description minItems: 1 ResourceInfo: title: Resource Information description: Resource information. allOf: - $ref: '#/components/schemas/ErrorDetail' - type: object properties: resource_type: type: string description: The type of the resource. id: type: string description: The ID of the resource. description: type: string description: | A description of the failure as it relates to this resource. For example, this may indicate that the resource is not found or that a precondition failed. required: - resource_type - id - description securitySchemes: BearerAuth: type: http scheme: bearer bearerFormat: JWT description: | See the [Authentication](#section/Authentication) section for details. security: - BearerAuth: []