generated: '2026-07-15' method: generated source: openapi/beyond-identity-secure-access-api-openapi.yml, openapi/beyond-identity-secure-workforce-api-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 150 by_action_class: connected: 69 acting: 81 by_consequence: read: 69 write: 77 safety-critical: 4 human_in_the_loop_required: 4 operations: - path: /v1/tenants/{tenant_id} method: get operationId: GetTenant x-agentic-access: action-class: connected consequence: read subject: optional scope: - tenants:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id} method: patch operationId: UpdateTenant x-agentic-access: action-class: acting consequence: write subject: required scope: - tenants:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms method: post operationId: CreateRealm x-agentic-access: action-class: acting consequence: write subject: required scope: - realms:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms method: get operationId: ListRealms x-agentic-access: action-class: connected consequence: read subject: optional scope: - realms:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id} method: get operationId: GetRealm x-agentic-access: action-class: connected consequence: read subject: optional scope: - realms:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id} method: patch operationId: UpdateRealm x-agentic-access: action-class: acting consequence: write subject: required scope: - realms:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id} method: delete operationId: DeleteRealm x-agentic-access: action-class: acting consequence: write subject: required scope: - realms:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups method: post operationId: CreateGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups method: get operationId: ListGroups x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id} method: get operationId: GetGroup x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id} method: patch operationId: UpdateGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id} method: delete operationId: DeleteGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:addMembers method: post operationId: AddGroupMembers x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:update - identities:read audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:deleteMembers method: post operationId: DeleteGroupMembers x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:update - identities:read audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listMembers method: get operationId: ListGroupMembers x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read - identities:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listRoles method: get operationId: ListGroupRoles x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read - resource-servers:read - roles:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities method: post operationId: CreateIdentity x-agentic-access: action-class: acting consequence: write subject: required scope: - identities:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities method: get operationId: ListIdentities x-agentic-access: action-class: connected consequence: read subject: optional scope: - identities:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities:batchDelete method: post operationId: BatchDeleteIdentities x-agentic-access: action-class: acting consequence: write subject: required scope: - identities:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id} method: get operationId: GetIdentity x-agentic-access: action-class: connected consequence: read subject: optional scope: - identities:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id} method: patch operationId: UpdateIdentity x-agentic-access: action-class: acting consequence: write subject: required scope: - identities:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id} method: delete operationId: DeleteIdentity x-agentic-access: action-class: acting consequence: write subject: required scope: - identities:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listGroups method: get operationId: ListIdentityGroups x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read - identities:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listRoles method: get operationId: ListIdentityRoles x-agentic-access: action-class: connected consequence: read subject: optional scope: - identities:read - resource-servers:read - roles:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles method: post operationId: CreateRole x-agentic-access: action-class: acting consequence: write subject: required scope: - roles:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles method: get operationId: ListRoles x-agentic-access: action-class: connected consequence: read subject: optional scope: - roles:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id} method: get operationId: GetRole x-agentic-access: action-class: connected consequence: read subject: optional scope: - roles:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id} method: patch operationId: UpdateRole x-agentic-access: action-class: acting consequence: write subject: required scope: - roles:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id} method: delete operationId: DeleteRole x-agentic-access: action-class: acting consequence: write subject: required scope: - roles:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:addMembers method: post operationId: AddRoleMembers x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:read - identities:read - roles:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:deleteMembers method: post operationId: DeleteRoleMembers x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:read - identities:read - roles:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:listMembers method: get operationId: ListRoleMembers x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read - identities:read - roles:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:addScopes method: post operationId: AddRoleScopes x-agentic-access: action-class: acting consequence: write subject: required scope: - resource-servers:read - roles:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:deleteScopes method: post operationId: DeleteRoleScopes x-agentic-access: action-class: acting consequence: write subject: required scope: - resource-servers:read - roles:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id}/roles/{role_id}:listScopes method: get operationId: ListRoleScopes x-agentic-access: action-class: connected consequence: read subject: optional scope: - resource-servers:read - roles:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials method: get operationId: ListCredentials x-agentic-access: action-class: connected consequence: read subject: optional scope: - credentials:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id} method: get operationId: GetCredential x-agentic-access: action-class: connected consequence: read subject: optional scope: - credentials:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke method: post operationId: RevokeCredential x-agentic-access: action-class: acting consequence: safety-critical subject: required scope: - credentials:revoke audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs method: post operationId: CreateCredentialBindingJob x-agentic-access: action-class: acting consequence: write subject: required scope: - credential-binding-jobs:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs method: get operationId: ListCredentialBindingJobs x-agentic-access: action-class: connected consequence: read subject: optional scope: - credential-binding-jobs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id} method: get operationId: GetCredentialBindingJob x-agentic-access: action-class: connected consequence: read subject: optional scope: - credential-binding-jobs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id}:revoke method: post operationId: SetCredentialBindingJobRevoked x-agentic-access: action-class: acting consequence: safety-critical subject: required scope: - credential-binding-jobs:revoke audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs method: post operationId: CreateBatchCredentialBindingJob x-agentic-access: action-class: acting consequence: write subject: required scope: - credential-binding-jobs:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs/{batch_credential_binding_job_id} method: get operationId: GetBatchCredentialBindingJob x-agentic-access: action-class: connected consequence: read subject: optional scope: - credential-binding-jobs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/batch-credential-binding-jobs/{batch_credential_binding_job_id}:listResults method: get operationId: ListBatchCredentialBindingJobResults x-agentic-access: action-class: connected consequence: read subject: optional scope: - credential-binding-jobs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes method: post operationId: CreateTheme x-agentic-access: action-class: acting consequence: write subject: required scope: - themes:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/active method: get operationId: GetActiveTheme x-agentic-access: action-class: connected consequence: read subject: optional scope: - themes:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id} method: get operationId: GetTheme x-agentic-access: action-class: connected consequence: read subject: optional scope: - themes:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id} method: patch operationId: UpdateTheme x-agentic-access: action-class: acting consequence: write subject: required scope: - themes:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications method: post operationId: CreateApplication x-agentic-access: action-class: acting consequence: write subject: required scope: - applications:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications method: get operationId: ListApplications x-agentic-access: action-class: connected consequence: read subject: optional scope: - applications:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id} method: get operationId: GetApplication x-agentic-access: action-class: connected consequence: read subject: optional scope: - applications:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id} method: patch operationId: UpdateApplication x-agentic-access: action-class: acting consequence: write subject: required scope: - applications:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id} method: delete operationId: DeleteApplication x-agentic-access: action-class: acting consequence: write subject: required scope: - applications:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs method: post operationId: CreateAuthenticatorConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - authenticator-configs:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs method: get operationId: ListAuthenticatorConfigs x-agentic-access: action-class: connected consequence: read subject: optional scope: - authenticator-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id} method: get operationId: GetAuthenticatorConfig x-agentic-access: action-class: connected consequence: read subject: optional scope: - authenticator-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id} method: patch operationId: UpdateAuthenticatorConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - authenticator-configs:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id} method: delete operationId: DeleteAuthenticatorConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - authenticator-configs:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers method: post operationId: CreateResourceServer x-agentic-access: action-class: acting consequence: write subject: required scope: - resource-servers:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers method: get operationId: ListResourceServers x-agentic-access: action-class: connected consequence: read subject: optional scope: - resource-servers:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id} method: get operationId: GetResourceServer x-agentic-access: action-class: connected consequence: read subject: optional scope: - resource-servers:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id} method: patch operationId: UpdateResourceServer x-agentic-access: action-class: acting consequence: write subject: required scope: - resource-servers:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id} method: delete operationId: DeleteResourceServer x-agentic-access: action-class: acting consequence: write subject: required scope: - resource-servers:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens method: get operationId: ListTokens x-agentic-access: action-class: connected consequence: read subject: optional scope: - tokens:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/tokens/{token_id} method: delete operationId: RevokeToken x-agentic-access: action-class: acting consequence: safety-critical subject: required scope: - tokens:delete audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users method: post operationId: SCIMCreateUser x-agentic-access: action-class: acting consequence: write subject: required scope: - scim:users:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users method: get operationId: SCIMListUsers x-agentic-access: action-class: connected consequence: read subject: optional scope: - scim:users:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id} method: get operationId: SCIMGetUser x-agentic-access: action-class: connected consequence: read subject: optional scope: - scim:users:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id} method: patch operationId: SCIMUpdateUser x-agentic-access: action-class: acting consequence: write subject: required scope: - scim:users:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id} method: put operationId: SCIMReplaceUser x-agentic-access: action-class: acting consequence: write subject: required scope: - scim:users:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Users/{user_id} method: delete operationId: SCIMDeleteUser x-agentic-access: action-class: acting consequence: write subject: required scope: - scim:users:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/ method: post operationId: SCIMCreateGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - scim:groups:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/ method: get operationId: SCIMListGroups x-agentic-access: action-class: connected consequence: read subject: optional scope: - scim:groups:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id} method: get operationId: SCIMGetGroup x-agentic-access: action-class: connected consequence: read subject: optional scope: - scim:groups:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id} method: patch operationId: SCIMUpdateGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - scim:groups:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Groups/{group_id} method: delete operationId: SCIMDeleteGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - scim:groups:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/ResourceTypes method: get operationId: ListResourceTypes x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/Schemas method: get operationId: ListSchemas x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/scim/v2/ServiceProviderConfig method: get operationId: GetServiceProviderConfig x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs method: post operationId: CreateSsoConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs method: get operationId: listSsoConfigs x-agentic-access: action-class: connected consequence: read subject: optional scope: - sso-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id} method: get operationId: GetSsoConfig x-agentic-access: action-class: connected consequence: read subject: optional scope: - sso-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id} method: patch operationId: UpdateSsoConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id} method: delete operationId: DeleteSsoConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:addIdentities method: post operationId: AddIdentitiesToSsoConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:deleteIdentities method: post operationId: DeleteIdentitiesFromSsoConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:listIdentityAssociations method: get operationId: ListIdentitiesForSsoConfig x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read - identities:read - sso-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/sso-configs/{sso_config_id}/is-identity-assigned method: get operationId: IdentityToSSOConfigCheck x-agentic-access: action-class: connected consequence: read subject: optional scope: - sso-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/sso-configs method: get operationId: ListSsoConfigsForIdentity x-agentic-access: action-class: connected consequence: read subject: optional scope: - sso-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/flow-type-config method: get operationId: GetFlowTypeConfig x-agentic-access: action-class: connected consequence: read subject: optional scope: - flow-type:create - flow-type:read - realms:read - tenants:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/flow-type-config method: patch operationId: UpdateFlowTypeConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - flow-type:create - flow-type:read - flow-type:update - realms:read - tenants:read audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:addGroups method: post operationId: AddGroupsToSsoConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:deleteGroups method: post operationId: DeleteGroupsFromSsoConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}:listGroupAssociations method: get operationId: ListGroupsForSSOConfig x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read - sso-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}/sso-configs method: get operationId: ListSsoConfigsForGroup x-agentic-access: action-class: connected consequence: read subject: optional scope: - sso-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}/is-group-assigned method: post operationId: SSOIsGroupAssigned x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:read audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id}/sso-configs-id method: get operationId: ApplicationIdToSSOConfigId x-agentic-access: action-class: connected consequence: read subject: optional scope: - sso-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/sso-configs/{sso_config_id}/test method: post operationId: TestSsoConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - sso-configs:read audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identity-providers method: get operationId: listIdentityProviders x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identity-providers method: post operationId: createIdentityProvider x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identity-providers/{identity_provider_id} method: patch operationId: updateIdentityProvider x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identity-providers/{identity_provider_id} method: get operationId: getIdentityProvider x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identity-providers/{identity_provider_id} method: delete operationId: deleteIdentityProvider x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id} method: get operationId: GetTenant x-agentic-access: action-class: connected consequence: read subject: optional scope: - tenants:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id} method: patch operationId: UpdateTenant x-agentic-access: action-class: acting consequence: write subject: required scope: - tenants:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms method: post operationId: CreateRealm x-agentic-access: action-class: acting consequence: write subject: required scope: - realms:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms method: get operationId: ListRealms x-agentic-access: action-class: connected consequence: read subject: optional scope: - realms:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id} method: get operationId: GetRealm x-agentic-access: action-class: connected consequence: read subject: optional scope: - realms:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id} method: patch operationId: UpdateRealm x-agentic-access: action-class: acting consequence: write subject: required scope: - realms:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id} method: delete operationId: DeleteRealm x-agentic-access: action-class: acting consequence: write subject: required scope: - realms:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups method: post operationId: CreateGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups method: get operationId: ListGroups x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id} method: get operationId: GetGroup x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id} method: patch operationId: UpdateGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id} method: delete operationId: DeleteGroup x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:listMembers method: get operationId: ListGroupMembers x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read - identities:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:addMembers method: post operationId: AddGroupMembers x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:update - identities:read audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/groups/{group_id}:deleteMembers method: post operationId: DeleteGroupMembers x-agentic-access: action-class: acting consequence: write subject: required scope: - groups:update - identities:read audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities method: post operationId: CreateIdentity x-agentic-access: action-class: acting consequence: write subject: required scope: - identities:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities method: get operationId: ListIdentities x-agentic-access: action-class: connected consequence: read subject: optional scope: - identities:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id} method: get operationId: GetIdentity x-agentic-access: action-class: connected consequence: read subject: optional scope: - identities:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id} method: patch operationId: UpdateIdentity x-agentic-access: action-class: acting consequence: write subject: required scope: - identities:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id} method: delete operationId: DeleteIdentity x-agentic-access: action-class: acting consequence: write subject: required scope: - identities:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}:listGroups method: get operationId: ListIdentityGroups x-agentic-access: action-class: connected consequence: read subject: optional scope: - groups:read - identities:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials method: get operationId: ListCredentials x-agentic-access: action-class: connected consequence: read subject: optional scope: - credentials:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id} method: get operationId: GetCredential x-agentic-access: action-class: connected consequence: read subject: optional scope: - credentials:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credentials/{credential_id}:revoke method: post operationId: RevokeCredential x-agentic-access: action-class: acting consequence: safety-critical subject: required scope: - credentials:revoke audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs method: post operationId: CreateCredentialBindingJob x-agentic-access: action-class: acting consequence: write subject: required scope: - credential-binding-jobs:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs method: get operationId: ListCredentialBindingJobs x-agentic-access: action-class: connected consequence: read subject: optional scope: - credential-binding-jobs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/identities/{identity_id}/credential-binding-jobs/{credential_binding_job_id} method: get operationId: GetCredentialBindingJob x-agentic-access: action-class: connected consequence: read subject: optional scope: - credential-binding-jobs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes method: post operationId: CreateTheme x-agentic-access: action-class: acting consequence: write subject: required scope: - themes:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/active method: get operationId: GetActiveTheme x-agentic-access: action-class: connected consequence: read subject: optional scope: - themes:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id} method: get operationId: GetTheme x-agentic-access: action-class: connected consequence: read subject: optional scope: - themes:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/themes/{theme_id} method: patch operationId: UpdateTheme x-agentic-access: action-class: acting consequence: write subject: required scope: - themes:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications method: post operationId: CreateApplication x-agentic-access: action-class: acting consequence: write subject: required scope: - applications:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications method: get operationId: ListApplications x-agentic-access: action-class: connected consequence: read subject: optional scope: - applications:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id} method: get operationId: GetApplication x-agentic-access: action-class: connected consequence: read subject: optional scope: - applications:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id} method: patch operationId: UpdateApplication x-agentic-access: action-class: acting consequence: write subject: required scope: - applications:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/applications/{application_id} method: delete operationId: DeleteApplication x-agentic-access: action-class: acting consequence: write subject: required scope: - applications:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs method: post operationId: CreateAuthenticatorConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - authenticator-configs:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs method: get operationId: ListAuthenticatorConfigs x-agentic-access: action-class: connected consequence: read subject: optional scope: - authenticator-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id} method: get operationId: GetAuthenticatorConfig x-agentic-access: action-class: connected consequence: read subject: optional scope: - authenticator-configs:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id} method: patch operationId: UpdateAuthenticatorConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - authenticator-configs:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/authenticator-configs/{authenticator_config_id} method: delete operationId: DeleteAuthenticatorConfig x-agentic-access: action-class: acting consequence: write subject: required scope: - authenticator-configs:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers method: post operationId: CreateResourceServer x-agentic-access: action-class: acting consequence: write subject: required scope: - resource-servers:create audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers method: get operationId: ListResourceServers x-agentic-access: action-class: connected consequence: read subject: optional scope: - resource-servers:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id} method: get operationId: GetResourceServer x-agentic-access: action-class: connected consequence: read subject: optional scope: - resource-servers:read token: max-ttl: 3600 audit: none - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id} method: patch operationId: UpdateResourceServer x-agentic-access: action-class: acting consequence: write subject: required scope: - resource-servers:update audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /v1/tenants/{tenant_id}/realms/{realm_id}/resource-servers/{resource_server_id} method: delete operationId: DeleteResourceServer x-agentic-access: action-class: acting consequence: write subject: required scope: - resource-servers:delete audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required