generated: '2026-07-15' method: generated source: openapi/duo-admin-api-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 32 by_action_class: connected: 13 acting: 19 by_consequence: read: 13 write: 17 physical: 2 human_in_the_loop_required: 0 operations: - path: /admin/v1/users method: get operationId: listUsers x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users method: post operationId: createUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/bulk_create method: post operationId: bulkCreateUsers x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/bulk_restore method: post operationId: bulkRestoreUsers x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/bulk_send_to_trash method: post operationId: bulkSendUsersToTrash x-agentic-access: action-class: acting consequence: physical subject: required audience: null token: max-ttl: 300 exchange: true purpose-required: true escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id} method: get operationId: getUser x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users/{user_id} method: post operationId: updateUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id} method: delete operationId: deleteUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/enroll method: post operationId: enrollUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/bypass_codes method: get operationId: listUserBypassCodes x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users/{user_id}/bypass_codes method: post operationId: createUserBypassCodes x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/groups method: get operationId: listUserGroups x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users/{user_id}/groups method: post operationId: associateUserGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/groups/{group_id} method: delete operationId: disassociateUserGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/phones method: get operationId: listUserPhones x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users/{user_id}/phones method: post operationId: associateUserPhone x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/phones/{phone_id} method: delete operationId: disassociateUserPhone x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/tokens method: get operationId: listUserTokens x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users/{user_id}/tokens method: post operationId: associateUserToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/tokens/{token_id} method: delete operationId: disassociateUserToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/webauthncredentials method: get operationId: listUserWebAuthnCredentials x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users/{user_id}/desktopauthenticators method: get operationId: listUserDesktopAuthenticators x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users/directorysync method: get operationId: listUserDirectorySyncs x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/users/directorysync/{directory_key}/syncuser method: post operationId: syncDirectoryUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/send_verification_push method: post operationId: sendVerificationPush x-agentic-access: action-class: acting consequence: physical subject: required audience: null token: max-ttl: 300 exchange: true purpose-required: true escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/users/{user_id}/verification_push_response method: get operationId: getVerificationPushResponse x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/groups method: get operationId: listGroups x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/groups method: post operationId: createGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v1/groups/{group_id} method: post operationId: updateGroup x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /admin/v2/groups/{group_id} method: get operationId: getGroupV2 x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v2/groups/{group_id}/users method: get operationId: listGroupUsersV2 x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /admin/v1/bulk method: post operationId: bulkOperations x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required