openapi: 3.0.0
paths:
  /resources/auth/v2/api-token:
    post:
      operationId: AuthenticationApiTokenControllerV2_authApiToken
      summary: Authenticate Using API Token
      description: 'Authenticates using an account (tenant) or user API token. Obtain your `clientId` and `secret` from Admin Portal → API Tokens, then provide them in the request body. Send the request to your Frontegg environment (e.g., `https://.frontegg.com`). **Note:** By default, this endpoint enforces refresh token rotation. Each API token is limited to 100 active refresh tokens. When authenticating with the same API token for the 101st time, the oldest refresh token is automatically invalidated. Use this endpoint to securely authenticate automated services, back-end clients, or integrations that rely on static credentials.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthApiTokenDto'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiTokenAuthV2Response'
      tags:
        - API Token
  /resources/auth/v2/api-token/token/refresh:
    post:
      operationId: AuthenticationApiTokenControllerV2_refreshToken
      summary: Refresh API Token
      description: 'Refreshes a JWT access token using a refresh token. If the refresh token is valid, returns a new JWT and refresh token pair. This maintains an authenticated session without requiring the user to log in again. If the refresh token is invalid, expired, or has been revoked due to rotation limits, the request will fail with an authentication error.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RefreshApiTokenDto'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiTokenAuthV2Response'
      tags:
        - API Token
  /resources/tenants/access-tokens/v1:
    post:
      operationId: TenantAccessTokensV1Controller_createTenantAccessToken
      summary: Create Account (tenant) Access Token
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateTenantAccessTokenRequest'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TenantAccessTokenResponse'
      tags:
        - API Tokens
      description: Create an access token for a specific account (tenant).
    get:
      operationId: TenantAccessTokensV1Controller_getTenantAccessTokens
      summary: Get Account (tenant) Access Tokens
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/GetTenantAccessTokensResponse'
      tags:
        - API Tokens
      description: Retrieve all access tokens for a specific account (tenant).
  /resources/tenants/access-tokens/v1/{id}:
    delete:
      operationId: TenantAccessTokensV1Controller_deleteTenantAccessToken
      summary: Delete Account (tenant) Access Token
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
        - name: id
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - API Tokens
      description: Delete an account (tenant) access token.
  /resources/tenants/api-tokens/v1:
    post:
      operationId: TenantApiTokensV1Controller_createTenantApiToken
      summary: Create Client Credentials Token
      description: Do not use. Instead, use v2 of this route.
      deprecated: true
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateTenantApiTokenDto'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CreateTenantApiTokenResponseDto'
      tags:
        - API Tokens
    get:
      operationId: TenantApiTokensV1Controller_getTenantsApiTokens
      summary: Get Client Credentials Tokens
      description: Retrieve all API tokens for a specific account (tenant).
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/GetTenantApiTokensResponse'
      tags:
        - API Tokens
  /resources/tenants/api-tokens/v1/{id}:
    delete:
      operationId: TenantApiTokensV1Controller_deleteTenantApiToken
      summary: Delete Client Credentials Token
      description: Delete an account (tenant) API token.
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - API Tokens
    patch:
      operationId: TenantApiTokensV1Controller_updateTenantApiToken
      summary: Update Client Credentials Token
      description: Update an account (tenant) API token.
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateApiTokenDto'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UpdateTenantApiTokenResponseDto'
      tags:
        - API Tokens
  /resources/tenants/api-tokens/v2:
    post:
      operationId: TenantApiTokensV2Controller_createTenantApiToken
      summary: Create Client Credentials Token
      description: 'Create an account (tenant) API token. You can retrieve roles and permissions via the API.'
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateTenantApiTokenDto'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CreateTenantApiTokenResponseDto'
      tags:
        - API Tokens
  /resources/tenants/invites/v1/user:
    get:
      operationId: TenantInvitesController_getTenantInviteForUser
      summary: Get Account (tenant) Invite of User
      description: Retrieve an invitation for a specific user to join an account (tenant).
      parameters:
        - name: frontegg-user-id
          in: header
          description: The user ID identifier
          required: true
          schema:
            type: string
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InviteTokenDto'
      tags:
        - Account Invitations
    post:
      operationId: TenantInvitesController_createTenantInviteForUser
      summary: Create Account (tenant) Invite for User
      description: 'Create an invitation for a specific user to join an account (tenant). To create a general invitation, use the general invitation route.'
      parameters:
        - name: frontegg-user-id
          in: header
          description: The user ID identifier
          required: true
          schema:
            type: string
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateInviteTokenRequestForUser'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InviteTokenDto'
      tags:
        - Account Invitations
    delete:
      operationId: TenantInvitesController_deleteTenantInviteForUser
      summary: Delete Account (tenant) Invite of User
      description: 'Delete an invitation for a specific user to join an account (tenant). To delete a general invitation, use the general invitation route.'
      parameters:
        - name: frontegg-user-id
          in: header
          description: The user ID identifier
          required: true
          schema:
            type: string
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - Account Invitations
    patch:
      operationId: TenantInvitesController_updateTenantInviteForUser
      summary: Update Account (tenant) Invite of User
      description: 'Update an invitation for a specific user to join an account (tenant). To set a specific expiration time, use the `expiresInMinutes` parameter to define when the invitation will be invalidated. Use the `shouldSendEmail` Boolean parameter to control whether an invitation email is sent. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.'
      parameters:
        - name: frontegg-user-id
          in: header
          description: The user ID identifier
          required: true
          schema:
            type: string
        - name: frontegg-tenant-id
          in: header
          description: The account (tenant) ID identifier
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateInviteTokenRequest'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InviteTokenDto'
      tags:
        - Account Invitations
  /resources/tenants/invites/v1/verify:
    post:
      operationId: TenantInvitesController_verifyTenantInvite
      summary: Verify Account (tenant) Invite
      description: 'Verify an account (tenant) invitation. Pass the invitation token as the `token` parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VerifyInviteTokenRequest'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InviteTokenDto'
      tags:
        - Account Invitations
  /resources/tenants/invites/v1/configuration:
    get:
      operationId: getInvitationConfiguration
      summary: Get Account (tenant) Invite Configuration
      description: 'Check whether account (tenant) invitations are enabled and whether notifications are active for your environment. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.'
      parameters: []
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InvitationConfigurationResponse'
      tags:
        - Account Invitations
  /resources/tenants/invites/v2/user:
    post:
      operationId: TenantInvitesV2Controller_createTenantInviteForUser
      summary: Create Tenant Invite with Roles for User
      description: Creates an invitation with assigned roles for a specific user to join an account (tenant). Provide the user's ID via the `frontegg-user-id` header and the account ID via the `frontegg-tenant-id` header. For general invitations without a specific user, use the general invitation endpoint instead.
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens
          required: false
          schema:
            type: string
        - name: frontegg-user-id
          in: header
          description: The user identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens
          required: false
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateInviteTokenRequestForUserV2'
      responses:
        '200':
          description: ''
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InviteTokenDto'
      tags:
        - Account Invitations
  /resources/tenants/invites/v1:
    post:
      operationId: TenantInvitesController_createTenantInvite
      summary: Create Account (tenant) Invite
      description: 'Create a general or account (tenant)-specific invitation token. Use this endpoint to generate invitation tokens for accounts (tenants) or individual users. To create a general invitation token, send the request without specifying an account (tenant) or user. To create an account (tenant)-specific token, include the account (tenant) ID in the request body. To create a token for a specific user of an account (tenant), also include the user ID in the body parameters. If a user ID is provided, you can control whether an invitation email is sent by setting the `shouldSendEmail` parameter. To set a custom expiration time for the invitation, use the `expiresInMinutes` parameter to define when the token will expire. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateInviteTokenRequest'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InviteTokenDto'
      tags:
        - Account Invitations Settings
  /resources/tenants/invites/v1/all:
    get:
      operationId: TenantInvitesController_getAllInvites
      summary: Get All Account (tenant) Invites
      description: 'Retrieve all invitation tokens across all accounts (tenants). A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.'
      parameters: []
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/InviteTokenDto'
      tags:
        - Account Invitations Settings
  /resources/tenants/invites/v1/token/{id}:
    delete:
      operationId: TenantInvitesController_deleteTenantInvite
      summary: Delete an Account (tenant) Invite
      description: 'Delete an invitation for an account (tenant) using the invitation ID. Use this endpoint to delete a specific invitation by providing its invitation ID as a path parameter. You can obtain the invitation ID via the **Get all account (tenant) invites** API. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.'
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - Account Invitations Settings
  /resources/configurations/v1/activation/strategies:
    get:
      operationId: ActivationStrategyControllerV1_getActivationStrategy
      summary: Get Activation Strategies
      parameters: []
      responses:
        '200':
          description: Retrieve the current account activation strategies configured in your environment.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ActivationStrategyResponse'
      tags:
        - Account Invitations Settings
    post:
      operationId: ActivationStrategyControllerV1_createOrUpdateActivationStrategy
      summary: Create or Update Activation Strategy
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateOrUpdateActivationStrategyRequest'
      responses:
        '200':
          description: Create a new activation strategy or update the existing activation strategy for your environment.
      tags:
        - Account Invitations Settings
  /resources/configurations/v1/invitation/strategies:
    get:
      operationId: InvitationStrategyControllerV1_getInvitationStrategy
      summary: Get Invitation Strategies
      parameters: []
      responses:
        '200':
          description: Retrieve the current invitation strategies configured in your environment.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InvitationStrategyResponse'
      tags:
        - Account Invitations Settings
    post:
      operationId: InvitationStrategyControllerV1_createOrUpdateInvitationStrategy
      summary: Create or Update Invitation Strategy
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateOrUpdateInvitationStrategyRequest'
      responses:
        '200':
          description: Create a new invitation strategy or update the existing invitation strategy for your environment.
      tags:
        - Account Invitations Settings
  /resources/roles/v2:
    get:
      operationId: PermissionsControllerV2_getAllRoles
      summary: Get Roles V2
      description: 'Retrieve all roles for your environment. Each role object includes the name, permissions, and other defining information.'
      parameters:
        - name: _limit
          required: false
          in: query
          schema:
            minimum: 1
            maximum: 2000
            default: 50
            type: number
        - name: _sortBy
          required: true
          in: query
          schema:
            enum:
              - key
              - name
              - description
              - isDefault
              - firstUserRole
              - level
              - updatedAt
              - createdAt
              - permissions
              - userTenants
              - groups
            type: string
        - name: _levels
          required: false
          in: query
          schema:
            type: array
            items:
              type: number
        - name: _tenantIds
          required: false
          in: query
          schema:
            type: array
            items:
              type: string
        - name: _offset
          required: false
          in: query
          schema:
            minimum: 0
            default: 0
            type: number
            description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page.
        - name: _order
          required: false
          in: query
          schema:
            enum:
              - ASC
              - DESC
            type: string
        - name: _filter
          required: false
          in: query
          schema:
            type: string
        - name: frontegg-tenant-id
          in: header
          description: For relating a role to a specific account (tenant), use `get accounts (tenants)` API to find the account (tenant) Ids
          required: false
          schema:
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                allOf:
                  - $ref: '#/components/schemas/FronteggPaginationWrapper'
                  - properties:
                      items:
                        type: array
                        items:
                          $ref: '#/components/schemas/RoleResponse'
                      _links:
                        $ref: '#/components/schemas/FronteggPaginationLinks'
                      _metadata:
                        $ref: '#/components/schemas/FronteggPaginationMetadata'
      tags:
        - Account Roles
    post:
      operationId: RolesControllerV2_addRole
      summary: Create a New Role
      description: 'Add a new role for a specific account (tenant). Include the required permissions in the request body to customize the role.'
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: For relating a role to a specific account (tenant), use `get accounts (tenants)` API to find the account (tenant) Ids
          required: false
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AddRoleWithPermissionsRequest'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AddRoleWithPermissionsResponse'
      tags:
        - Account Roles
  /resources/roles/v2/distinct-levels:
    get:
      operationId: RolesControllerV2_getDistinctLevels
      summary: Get Distinct Levels of Roles
      description: Retrieve all role levels for your environment.
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: For relating a role to a specific account (tenant), use `get accounts (tenants)` API to find the account (tenant) Ids
          required: false
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - Account Roles
  /resources/roles/v2/distinct-tenants:
    get:
      operationId: RolesControllerV2_getDistinctTenants
      summary: Get Distinct Assigned Accounts (tenants) of Roles
      description: Retrieve all assigned account (tenant) IDs from roles for your environment.
      parameters: []
      responses:
        '200':
          description: ''
      tags:
        - Account Roles
  /resources/approval-flows/v1:
    post:
      operationId: ApprovalFlowsController_createApprovalFlow
      summary: Create Approval Flow
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateApprovalFlowDto'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApprovalFlowResponseDto'
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApprovalFlowResponseDto'
      tags:
        - Approval Flows
    get:
      operationId: ApprovalFlowsController_getApprovalFlows
      summary: Get Approval Flows
      parameters: []
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApprovalFlowsListResponseDto'
      tags:
        - Approval Flows
  /resources/approval-flows/v1/{id}:
    get:
      operationId: ApprovalFlowsController_getApprovalFlowById
      summary: Get Approval Flow by ID
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApprovalFlowResponseDto'
      tags:
        - Approval Flows
    patch:
      operationId: ApprovalFlowsController_updateApprovalFlow
      summary: Update Approval Flow
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateApprovalFlowDto'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApprovalFlowResponseDto'
      tags:
        - Approval Flows
    delete:
      operationId: ApprovalFlowsController_deleteApprovalFlow
      summary: Delete Approval Flow
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
        '204':
          description: ''
      tags:
        - Approval Flows
  /resources/approval-flows/v1/approver-action:
    post:
      operationId: ApprovalFlowsController_approverAction
      summary: Approver Action
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ApproverActionDto'
      responses:
        '200':
          description: ''
      tags:
        - Approval Flows
  /resources/approval-flows/v1/execution-data:
    get:
      operationId: ApprovalFlowsController_getExecutionData
      summary: Get Approval Flow Execution Data
      parameters:
        - name: approvalFlowExecutionId
          required: true
          in: query
          schema:
            type: string
        - name: approverId
          required: true
          in: query
          schema:
            type: string
        - name: approvalFlowStepId
          required: true
          in: query
          schema:
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ExecutionDataResponseDto'
      tags:
        - Approval Flows
  /resources/approval-flows/v1/{id}/execute:
    post:
      operationId: ApprovalFlowsController_executeApprovalFlow
      summary: Execute Approval Flow
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
        - name: frontegg-tenant-id
          in: header
          description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens
          required: false
          schema:
            type: string
        - name: frontegg-user-id
          in: header
          description: The user ID
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExecuteApprovalFlowDto'
      responses:
        '200':
          description: ''
      tags:
        - Approval Flows
  /resources/approval-flows/v1/step-up/execute:
    post:
      operationId: ApprovalFlowsController_executeStepUpApprovalFlow
      summary: Execute Step up Approval Flow
      parameters:
        - name: frontegg-tenant-id
          in: header
          description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens
          required: false
          schema:
            type: string
        - name: frontegg-user-id
          in: header
          description: The user ID
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExecuteApprovalFlowDto'
      responses:
        '200':
          description: ''
      tags:
        - Approval Flows
  /resources/configurations/v1:
    post:
      operationId: VendorConfigController_addOrUpdateConfig
      summary: Update Identity Management Configuration
      description: 'Update the identity management configuration for your environment. Use this endpoint to add or update identity management parameters by sending the desired values in the request body. Refer to the parameter documentation for the list of supported values.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VendorConfigRequest'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VendorConfigResponse'
      tags:
        - Core Settings
    get:
      operationId: VendorConfigController_getVendorConfig
      summary: Get Identity Management Configuration
      description: 'Retrieve the identity management configuration for your environment. Use this endpoint to get the current identity management settings configured in your environment.'
      parameters: []
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VendorConfigResponse'
      tags:
        - Core Settings
  /resources/configurations/v1/captcha-policy:
    post:
      operationId: CaptchaPolicyController_createCaptchaPolicy
      summary: Create Captcha Policy
      description: 'Create a CAPTCHA policy for all accounts (tenants). Provide the required settings in the request body. To enable the policy, set the `enabled` parameter to `true`, and provide the `siteKey` and `secretKey` obtained from reCAPTCHA. You can also set the `minimumScore` parameter to a value between `0` and `1` to define the minimum score threshold.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CaptchaPolicyRequest'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CaptchaPolicyResponse'
      tags:
        - Core Settings
    put:
      operationId: CaptchaPolicyController_updateCaptchaPolicy
      summary: Update Captcha Policy
      description: 'Update the CAPTCHA policy for all accounts (tenants). Provide the desired settings in the request body. To enable the policy, set the `enabled` parameter to `true`, and provide the `siteKey` and `secretKey` obtained from reCAPTCHA. You can also set the `minimumScore` parameter to a value between `0` and `1` to define the minimum score threshold.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CaptchaPolicyRequest'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CaptchaPolicyResponse'
      tags:
        - Core Settings
    get:
      operationId: CaptchaPolicyController_getCaptchaPolicy
      summary: Get Captcha Policy
      description: 'Retrieve the CAPTCHA policy for your environment. The response includes the policy ID, `siteKey`, `secretKey`, `minimumScore`, list of ignored emails, and whether the policy is enabled.'
      parameters: []
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CaptchaPolicyResponse'
      tags:
        - Core Settings
  /resources/configurations/v1/jwt-template-targeting:
    get:
      operationId: JwtTemplateTargetingControllerV1_getJwtTemplateTargeting
      summary: Get JWT Template Targeting Configuration
      description: 'Retrieves the JWT template targeting configuration for your environment. Note: This feature must be enabled by request.'
      parameters: []
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JwtTemplateTargetingResponseDto'
      tags:
        - Core Settings
    post:
      operationId: JwtTemplateTargetingControllerV1_createJwtTemplateTargeting
      summary: Create JWT Template Targeting Configuration
      description: 'Creates a new JWT template targeting configuration for your environment. Note: This feature must be enabled by request.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateJwtTemplateTargetingRequestDto'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JwtTemplateTargetingResponseDto'
      tags:
        - Core Settings
    put:
      operationId: JwtTemplateTargetingControllerV1_updateJwtTemplateTargeting
      summary: Update or Create JWT Template Targeting Configuration
      description: 'Updates or creates a JWT template targeting configuration for your environment. Note: This feature must be enabled by request.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateJwtTemplateTargetingRequestDto'
      responses:
        '200':
          description: ''
      tags:
        - Core Settings
  /resources/configurations/v1/jwt-template-targeting/{id}:
    patch:
      operationId: JwtTemplateTargetingControllerV1_patchJwtTemplateTargeting
      summary: Update JWT Template Targeting Configuration by ID
      description: 'Updates a specific JWT template targeting configuration by ID. Note: This feature must be enabled by request.'
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateJwtTemplateTargetingRequestDto'
      responses:
        '200':
          description: ''
      tags:
        - Core Settings
    delete:
      operationId: JwtTemplateTargetingControllerV1_deleteJwtTemplateTargeting
      summary: Delete JWT Template Targeting Configuration by ID
      description: 'Deletes a specific JWT template targeting configuration by ID. Note: This feature must be enabled by request.'
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
      tags:
        - Core Settings
  /resources/jwt-templates/v1:
    post:
      operationId: JwtTemplatesController_createJwtTemplate
      summary: Create JWT Template
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateJwtTemplateDto'
      responses:
        '201':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JwtTemplateResponseDto'
      tags:
        - Core Settings
      description: 'Creates a new JWT template for your environment. Note: This feature must be enabled by request.'
    get:
      operationId: JwtTemplatesController_getJwtTemplates
      summary: Get All JWT Templates
      parameters:
        - name: keys
          required: false
          in: query
          description: Filter by template keys
          schema:
            type: array
            items:
              type: string
        - name: ids
          required: false
          in: query
          description: Filter by template IDs
          schema:
            type: array
            items:
              type: string
        - name: _limit
          required: false
          in: query
          description: Maximum number of items to return
          schema:
            minimum: 1
            type: number
        - name: _offset
          required: false
          in: query
          description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page.
          schema:
            minimum: 0
            type: number
        - name: _sortBy
          required: false
          in: query
          description: Field to sort by
          schema:
            enum:
              - id
              - key
              - name
              - createdAt
              - updatedAt
            type: string
        - name: _order
          required: false
          in: query
          description: Sort order
          schema:
            enum:
              - ASC
              - DESC
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                allOf:
                  - $ref: '#/components/schemas/FronteggPaginationWrapper'
                  - properties:
                      items:
                        type: array
                        items:
                          $ref: '#/components/schemas/JwtTemplateResponseDto'
                      _links:
                        $ref: '#/components/schemas/FronteggPaginationLinks'
                      _metadata:
                        $ref: '#/components/schemas/FronteggPaginationMetadata'
      tags:
        - Core Settings
      description: 'Retrieves all JWT templates for your environment. Note: This feature must be enabled by request.'
  /resources/jwt-templates/v1/{id}:
    get:
      operationId: JwtTemplatesController_getJwtTemplateById
      summary: Get JWT Template by ID
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JwtTemplateResponseDto'
      tags:
        - Core Settings
      description: 'Retrieves a specific JWT template by ID. Note: This feature must be enabled by request.'
    put:
      operationId: JwtTemplatesController_updateJwtTemplate
      summary: Update JWT Template
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateJwtTemplateDto'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JwtTemplateResponseDto'
      tags:
        - Core Settings
      description: 'Updates an existing JWT template. Note: This feature must be enabled by request.'
    delete:
      operationId: JwtTemplatesController_deleteJwtTemplate
      summary: Delete JWT Template
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      responses:
        '204':
          description: ''
      tags:
        - Core Settings
      description: 'Deletes an existing JWT template. Note: This feature must be enabled by request.'
  /resources/configurations/v1/basic:
    get:
      operationId: VendorConfigController_getVendorConfigBasic
      summary: Get Identity Management Configuration
      description: Retrieve the identity management configuration for your environment.
      parameters: []
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VendorConfigBasicResponse'
      tags:
        - Core Settings
  /resources/sso/custom/v1:
    post:
      operationId: CustomSsoV1Controller_createSsoProvider
      summary: Create Custom Oauth Provider
      description: 'Create a custom social login provider using the OAuth details of the identity provider. Provide the required OAuth parameters in the request body.'
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateCustomSsoRequestDto'
      responses:
        '200':
          description: ''
      tags:
        - Custom Social OAuth Provider
    get:
      operationId: SsoV2Controller_getSsoProviders
      summary: Get Custom Oauth Provider
      description: Retrieve the custom social login providers configured in your environment.
      parameters: []
      responses:
        '200':
          description: ''
      tags:
        - Custom Social OAuth Provider
  /resources/sso/custom/v1/{id}:
    patch:
      operationId: CustomSsoV1Controller_updateSsoProvider
      summary: Update Custom Oauth Provider
      description: 'Update a custom social login provider in your environment by ID. Provide the ID of the custom social login provider and the desired OAuth parameters in the request body.'
      parameters:
        - name: id
          required: true
          in: path
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UpdateCustomSsoRequestDto'
      responses:
        '200':
          description: ''
      tags:
        - Custom Social OAuth Provider
    delete:
      operationId: CustomSsoV1Controller_deleteCustomSsoConfig
      summary: Delete Custom Oauth Provider
      description: 'Delete a custom social login provider in your environment by ID. Provide the ID of the custom social login provider to delete.'
parameters: - name: id required: true in: path schema: type: string responses: '200': description: '' tags: - Custom Social OAuth Provider /resources/migrations/v1/auth0: post: operationId: UsersControllerV1_migrateUserFromAuth0 summary: Migrate From Auth0 description: 'Migrate users from Auth0 into your environment. Provide the `domain`, `clientId`, `secret`, and `tenantIdFieldName` parameters in the request body. These values can be obtained from your Auth0 account (tenant) configuration.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/Auth0Configuration' responses: '201': description: '' tags: - Data Migration /resources/migrations/v1/local: post: operationId: UsersControllerV1_migrateUserForVendor summary: Migrate a Single User description: 'Migrate a user into your environment. Provide the required fields: user''s email, `tenantId`, and metadata. You can also include additional properties such as the user''s name, phone number, hashed password, and other optional attributes.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MigrateUserRequestV1' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Data Migration /resources/migrations/v1/local/bulk: post: operationId: UsersControllerV1_bulkMigrateUserForVendor summary: Migrate Users in Bulk description: 'Migrate users in bulk into your environment. Provide an array of `users` in the request body. Each user object must include the user''s `email` and `tenantId`, which specifies the user''s parent account. You can include additional fields as needed to store more information. If you need to store custom data, use the `metadata` property.' 
parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MigrateUsersRequestV1' responses: '202': description: '' content: application/json: schema: $ref: '#/components/schemas/MigrationContext' tags: - Data Migration /resources/migrations/v1/local/bulk/status/{migrationId}: get: operationId: UsersControllerV1_checkBulkMigrationStatus summary: Check Status of Bulk Migration description: 'Retrieve the status of a pending or completed migration. The response includes the migration''s `state`, the number of migrated users, and any errors that occurred during the migration. The response payload is limited to 1,000 users.' parameters: - name: migrationId required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/MigrationObject' tags: - Data Migration /resources/migrations/v2/local/bulk: post: operationId: UsersControllerV2_bulkMigrateUserForVendor summary: Migrate Vendor Users in Bulk description: Migrate users in bulk to your environment. Provide an array of user objects, each containing `email` and `tenantId`. Use the `metadata` property to store custom information for each user. parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MigrateUsersRequestV2' responses: '202': description: '' content: application/json: schema: $ref: '#/components/schemas/MigrationContext' tags: - Data Migration /resources/configurations/v1/delegation: get: operationId: DelegationConfigurationControllerV1_getDelegationConfiguration x-vendor-only: 'true' summary: Get Delegation Configuration description: 'Retrieve the delegation configuration for your environment. A valid environment token is required to call this endpoint.' 
parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetDelegationConfigurationResponseDto' tags: - Delegation post: operationId: DelegationConfigurationControllerV1_createOrUpdateDelegationConfiguration x-vendor-only: 'true' summary: Create or Update Delegation Configuration description: 'Enable or disable delegation in the token exchange flow. Use this endpoint to update the delegation configuration by enabling or disabling delegation for the token exchange flow. A valid environment token is required to call this endpoint.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateDelegationConfigurationRequestDto' responses: '200': description: '' tags: - Delegation /resources/configurations/restrictions/v1/email-domain: post: operationId: DomainRestrictionsController_createDomainRestriction summary: Create Domain Restriction description: Creates a new email domain restriction for an account (tenant). Provide the restriction configuration in the request body. See the schema below for available parameters and values. parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DomainRestrictionsCreateRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/DomainRestrictionsResponse' tags: - Domain Restrictions get: operationId: DomainRestrictionsController_getDomainRestrictions summary: Get Domain Restrictions description: Retrieve the domain restrictions for an account (tenant). 
parameters: [] responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/DomainRestrictionsResponse' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - Domain Restrictions /resources/configurations/restrictions/v1/email-domain/config: get: operationId: DomainRestrictionsController_getDomainRestrictionsConfig summary: Get Domain Restrictions description: Retrieve the domain restrictions for an account (tenant). parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/DomainRestrictionsConfigResponse' tags: - Domain Restrictions post: operationId: DomainRestrictionsController_updateDomainRestrictionsConfig summary: Change Domain Restrictions Config List Type and Toggle It On/Off description: 'Update the domain restrictions configuration. You can toggle the domain restriction check on or off.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DomainRestrictionsConfigUpdateRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/DomainRestrictionsConfigResponse' tags: - Domain Restrictions /resources/configurations/restrictions/v1/email-domain/{id}: delete: operationId: DomainRestrictionsController_deleteDomainRestriction summary: Delete Domain Restriction description: Delete a domain restriction. 
parameters: - name: id required: true in: path schema: type: string responses: '200': description: '' tags: - Domain Restrictions /resources/configurations/restrictions/v1/email-domain/replace-bulk: post: operationId: DomainRestrictionsController_createBulkDomainsRestriction summary: Replace Bulk Domain Restriction description: Replace all domain restrictions with the domains provided in the request body. parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DomainRestrictionsBulkRequestRequest' responses: '201': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/DomainRestrictionsResponse' tags: - Domain Restrictions /resources/mail/v1/configurations: post: operationId: MailConfigController_createOrUpdateMailConfig summary: Create or Update Configuration description: 'Configure your SendGrid account to send emails from your environment. Provide your SendGrid secret key in the request body. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' deprecated: true parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateOrUpdateMailConfigRequestDto' responses: '200': description: '' '201': description: '' tags: - Email Configuration get: operationId: MailConfigController_getMailConfig summary: Get Configuration description: 'Retrieve the mail configuration for your SendGrid account. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetMailConfigResponseDto' tags: - Email Configuration delete: operationId: MailConfigController_deleteMailConfig summary: Delete Configuration description: 'Delete the mail configuration for your SendGrid account. 
A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: [] responses: '200': description: '' tags: - Email Configuration /resources/mail/v2/configurations: post: operationId: MailConfigController_createOrUpdateMailConfigV2 summary: Create or Update Configuration V2 description: 'Configure email settings for your environment, supporting SES, Mailgun, and SendGrid. Provide the email provider, sender details, and any additional parameters in the request body. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: [] requestBody: required: true content: application/json: schema: type: object properties: payload: oneOf: - $ref: '#/components/schemas/SendGridDto' - $ref: '#/components/schemas/SesDto' - $ref: '#/components/schemas/MailgunDto' - $ref: '#/components/schemas/SesRoleDto' responses: '201': description: '' tags: - Email Configuration /resources/mail/v1/configs/templates: post: operationId: MailV1Controller_addOrUpdateTemplate summary: Add or Update Template description: 'Create or update an email template for your environment. Specify the email template using the `type` parameter. The value of `type` must match one of the predefined Frontegg email templates. Set the sender using the `senderEmail` parameter, and optionally include values for the other available body parameters. Provide the template information in the request body. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateTemplateDto' responses: '201': description: '' tags: - Email Templates get: operationId: MailV1Controller_getTemplateConfiguration summary: Get Template description: 'Retrieve all email templates for your environment. 
To retrieve a specific template, pass its `type` as a query parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: type required: false in: query schema: enum: - ResetPassword - ActivateUser - InviteToTenant - PwnedPassword - MagicLink - OTC - ConnectNewDevice - UserUsedInvitation - ResetPhoneNumber - BulkInvitesToTenant - MFAEnroll - MFAUnenroll - NewMFAMethod - MFARecoveryCode - RemoveMFAMethod - EmailVerification - BruteForceProtection - SuspiciousIP - MFAOTC - ImpossibleTravel - BotDetection - SmsAuthenticationEnabled - UnlockUser - UnlockUserSuccess - ActivateUserWithCode - InviteToTenantWithCode - VerifyNewEmail - EmailAddressChanged - ApprovalFlowApprove type: string responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/GetTemplateResponseDto' tags: - Email Templates /resources/mail/v1/configs/templates/{templateId}: delete: operationId: MailV1Controller_deleteTemplate summary: Delete Template description: 'Delete a specified email template. Provide the ID of the template to delete. You can obtain the template ID via the **Get template** API. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: templateId required: true in: path schema: type: string responses: '200': description: '' tags: - Email Templates /resources/mail/v1/configs/{type}/default: get: operationId: MailV1Controller_getDefaultTemplateConfiguration summary: Get Default Template by Type description: 'Retrieve the default email template by type. Pass the required `type` as a path parameter.' 
parameters: - name: type required: true in: path description: The email template type schema: enum: - ResetPassword - ActivateUser - InviteToTenant - PwnedPassword - MagicLink - OTC - ConnectNewDevice - UserUsedInvitation - ResetPhoneNumber - BulkInvitesToTenant - MFAEnroll - MFAUnenroll - NewMFAMethod - MFARecoveryCode - RemoveMFAMethod - EmailVerification - BruteForceProtection - SuspiciousIP - MFAOTC - ImpossibleTravel - BotDetection - SmsAuthenticationEnabled - UnlockUser - UnlockUserSuccess - ActivateUserWithCode - InviteToTenantWithCode - VerifyNewEmail - EmailAddressChanged - ApprovalFlowApprove type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetTemplateResponseDto' tags: - Email Templates /resources/auth/v1/user: post: operationId: AuthenticatioAuthenticationControllerV1_authenticateLocalUser summary: Authenticate User with Password description: 'Authenticate a local user using their email and password. Include the user''s login credentials in the request body. This endpoint supports optional parameters such as an invitation token (for sign-up flows via invitation) and a reCAPTCHA token (if reCAPTCHA is enabled for login). If the credentials are valid, the response includes a signed JWT and a refresh token that can be used for future authenticated requests.' parameters: - name: frontegg-vendor-host in: header description: The vendor host domain required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthenticateUserPasswordDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - General /resources/auth/v1/user/token/refresh: post: operationId: AuthenticatioAuthenticationControllerV1_refreshToken summary: Refresh User JWT Token description: 'Refresh a JWT based on the refresh token''s expiration time. 
This endpoint returns a new JWT and refresh token if the existing refresh token is valid and not expired. The request must include the refresh token cookie for the currently logged-in user. Ensure your JWT settings are properly configured in the Frontegg Portal to support this flow.' parameters: - name: frontegg-vendor-host required: true in: header schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/RefreshTokenDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - General /resources/auth/v1/logout: post: operationId: AuthenticatioAuthenticationControllerV1_logout summary: Logout User description: 'Log out a user by invalidating their refresh token. This endpoint logs out the currently authenticated user by invalidating the refresh token provided in the refresh token cookie. This route is intended for applications using Frontegg''s embedded login experience or for integrations that interact exclusively with Frontegg APIs.' parameters: - name: frontegg-vendor-host required: true in: header schema: type: string responses: '201': description: '' tags: - General /resources/users/v1/signUp: post: operationId: UsersControllerV1_signUpUser summary: Signup User description: 'Sign up a new user and create a new account (tenant). This endpoint registers a user with authentication details such as `email`, `password`, and the `provider` used for authentication (e.g., `local`, `saml`, `google`, `github`). Refer to the documentation or dropdown menu for the full list of supported provider values. Additional optional fields such as user metadata may also be included. If not needed, `metadata` can be passed as an empty object (e.g., `{}`). This endpoint is typically used during account (tenant) onboarding or self-sign-up flows.' 
parameters: - name: frontegg-vendor-host required: true in: header schema: type: string - name: frontegg-application-id in: header description: The application id required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/SignUpUserEmailDto' responses: '200': description: '' '201': description: '' content: application/json: schema: $ref: '#/components/schemas/SignUpUserEmailDto' tags: - General /resources/users/v1/signUp/username: post: operationId: UsersSignUpControllerV1_signUpUserUsername summary: Signup User with Username description: 'Sign up a new user and create a new account (tenant). Include the `frontegg-vendor-host` header (your domain name from Portal → Workspace Settings → Domains). Required fields: `email`, `provider` (authentication method: local, saml, google, github), `companyName`, and `metadata` (can be empty `{}`). Requires an environment authentication token.' parameters: - name: frontegg-vendor-host required: true in: header schema: type: string - name: frontegg-application-id in: header description: The application ID required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/SignUpUserUsernameDto' responses: '200': description: '' '201': description: '' content: application/json: schema: $ref: '#/components/schemas/SignUpResponseDto' tags: - General /resources/configurations/v1/restrictions/ip/config: post: operationId: IPRestrictionsControllerV1_createDomainRestriction summary: Create or Update IP Restriction Configuration (ALLOW/BLOCK) description: 'Create or update the IP restriction configuration. You can configure IP restrictions as either ALLOW or BLOCK.' parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateOrUpdateIpRestrictionConfigDto' responses: '201': description: '' tags: - IP Restrictions get: operationId: IPRestrictionsControllerV1_getIpRestrictionConfig summary: Get IP Restriction Configuration (ALLOW/BLOCK) description: 'Retrieve the IP restriction configuration for an account (tenant). The configuration defines whether IP restrictions are set to ALLOW or BLOCK.' parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' tags: - IP Restrictions /resources/configurations/v1/restrictions/ip: get: operationId: IPRestrictionsControllerV1_getAllIpRestrictions summary: Get All IP Restrictions description: Retrieve the IP restrictions for an account (tenant). parameters: - name: _limit required: false in: query schema: minimum: 1 type: number - name: _offset required: false in: query schema: minimum: 0 type: number description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page. - name: _filter required: false in: query schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/GetIpRestrictionResponse' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - IP Restrictions post: operationId: IPRestrictionsControllerV1_createIpRestriction summary: Create IP Restriction description: 'Create or update an IP restriction for an account (tenant). Provide the required values as objects in the request body. Refer to the parameter documentation for the list of supported values.' parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateOrUpdateIpRestrictionDto' responses: '201': description: '' tags: - IP Restrictions /resources/configurations/v1/restrictions/ip/verify: post: operationId: IPRestrictionsControllerV1_testCurrentIp summary: Test Current IP description: Check if the current IP is allowed based on the IP restriction configuration. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string responses: '201': description: '' tags: - IP Restrictions /resources/configurations/v1/restrictions/ip/verify/allow: post: operationId: testCurrentIpInAllowList summary: Test Current IP Is in Allow List description: Verifies if the current IP address is in the allow list for your environment. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string responses: '201': description: '' tags: - IP Restrictions /resources/configurations/v1/restrictions/ip/{id}: delete: operationId: IPRestrictionsControllerV1_deleteIpRestrictionById summary: Delete IP Restriction by ID description: 'Delete an IP restriction. Provide the IP restriction ID as a path parameter.' parameters: - name: id required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' tags: - IP Restrictions /resources/configurations/v1/lockout-policy: post: operationId: LockoutPolicyController_createLockoutPolicy summary: Create Lockout Policy description: 'Create a lockout policy for all accounts (tenants). To enable the lockout policy, set the `enabled` parameter to `true` and configure the `maximumAttempts` value as desired.' 
parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/LockoutPolicyRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/LockoutPolicyResponse' '409': description: Lockout Policy already exists tags: - Lockout Policy patch: operationId: LockoutPolicyController_updateLockoutPolicy summary: Update Lockout Policy description: 'Update the lockout policy for all accounts (tenants). To disable the lockout policy, set the `enabled` parameter to `false`. You can also update the `maximumAttempts` value as desired.' parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/LockoutPolicyRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/LockoutPolicyResponse' '404': description: Lockout Policy not found. Try to use the Create Lockout Policy API tags: - Lockout Policy get: operationId: LockoutPolicyController_getLockoutPolicy summary: Get Lockout Policy description: Retrieve the lockout policy for all accounts (tenants) or for a specific account (tenant). 
parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/LockoutPolicyResponse' '404': description: Lockout policy is not defined tags: - Lockout Policy /resources/vendor-only/users/access-tokens/v1/active: get: operationId: VendorOnlyUserAccessTokensV1Controller_getActiveAccessTokens summary: Get Active Access Tokens List parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: type: string tags: - M2M Tokens description: 'Retrieve the list of active access tokens for a specified account (tenant). Pass the account''s `frontegg-tenant-id` as a header.' /resources/vendor-only/users/access-tokens/v1/{id}: get: operationId: VendorOnlyUserAccessTokensV1Controller_getUserAccessTokenData summary: Get User Access Token Data parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: id required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthUserAccessTokenResponse' tags: - M2M Tokens description: 'Retrieve data for a specific user access token. Pass the account''s `frontegg-tenant-id` as a header and the access token `id` as a path parameter.' 
/resources/vendor-only/tenants/access-tokens/v1/{id}: get: operationId: VendorOnlyTenantAccessTokensV1Controller_getTenantAccessTokenData summary: Get Account (tenant) Access Token Data parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: id required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTenantAccessTokenResponse' tags: - M2M Tokens description: 'Retrieve data for a specific account (tenant) access token. Pass the account''s `frontegg-tenant-id` as a header and the access token `id` as a path parameter.' /resources/auth/v1/user/mfa/recover: post: operationId: AuthenticationMFAControllerV1_recoverMfa summary: Recover MFA description: 'Recover multi-factor authentication (MFA) for a non-logged-in user. This endpoint verifies a user''s identity using a backup recovery code, typically generated by the user''s MFA authenticator app during initial setup. Use this when a user cannot access their MFA device and needs to authenticate with their recovery code.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/RecoverMfaDto' responses: '200': description: '' tags: - MFA /resources/users/v1/mfa/disable: post: operationId: UsersMfaControllerV1_disableAuthAppMfa summary: Disable Authenticator App MFA description: 'Disable MFA enrollment for a logged-in user within a specific account (tenant). This endpoint disables multi-factor authentication for a user, using the `mfaToken` obtained from the user''s authenticator app. Use this endpoint to programmatically disable MFA when managing authentication settings at the account (tenant) level.' 
deprecated: true parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DisableMFAAuthAppRequest' responses: '200': description: '' tags: - MFA /resources/users/v1/mfa/authenticator/{deviceId}/disable/verify: post: operationId: UsersMfaControllerV1_disableAuthenticatorMfa summary: Disable Authenticator App MFA description: 'Disable multi-factor authentication (MFA) enrollment for a logged-in user within a specific account (tenant). This endpoint removes MFA for a user, typically used in administrative contexts where a backend system or admin manages user security settings. The request must include the `mfaToken`, which is the time-based one-time password (TOTP) generated by the user''s authenticator app. Use this endpoint to programmatically disable MFA for a specific user within an account (tenant).' parameters: - name: deviceId required: true in: path schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DisableMFAAuthAppRequest' responses: '200': description: '' tags: - MFA /resources/users/v1/mfa/sms/{deviceId}/disable: post: operationId: UsersMfaControllerV1_preDisableSMSMfa summary: Pre-disable SMS MFA parameters: - name: deviceId required: true in: path schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/RequestDisableMFARequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestDisableMFASMSResponse' 
tags: - MFA description: 'Initiate the process of disabling SMS-based multi-factor authentication (MFA) for a specific device. Provide the target `deviceId` in the request path to mark the SMS MFA device for pre-disablement. This action prepares the device for subsequent steps required to complete the removal. Use this route as part of the MFA management flow for disabling SMS-based MFA on a per-device basis.' /resources/users/v1/mfa/sms/{deviceId}/disable/verify: post: operationId: UsersMfaControllerV1_disableSMSMfa summary: Disable SMS MFA parameters: - name: deviceId required: true in: path schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/DisableMFASMSRequest' responses: '200': description: '' tags: - MFA description: 'Complete the process of disabling SMS-based multi-factor authentication (MFA) for a specific device. This step finalizes MFA deactivation for the given `deviceId` after a prior pre-disable action. The request must include: - `otcToken`: The one-time challenge token obtained during the pre-disable step. - `code`: The SMS verification code received by the user. Use this endpoint as the second step in the SMS MFA removal flow to verify the user''s identity and confirm the disable action.' /resources/auth/v1/user/mfa/verify: post: operationId: AuthenticationMFAControllerV1_verifyAuthenticatorMfaCode summary: Verify MFA Using Code From Authenticator App description: 'Verify a multi-factor authentication (MFA) code generated by an authenticator app during the authentication process. This endpoint completes the MFA step by validating the provided code. The request must include: - `value`: The MFA service name (e.g., `authenticator`), as configured in your Authentication Settings. - `mfaToken`: The time-based one-time password (TOTP) generated by the user''s authenticator app. 
Use this endpoint to verify the user''s MFA code during an authentication challenge, typically after the primary login step.' deprecated: true parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyMFAAuthAppRequest' responses: '201': description: '' tags: - MFA /resources/auth/v1/user/mfa/emailcode: post: operationId: AuthenticationMFAControllerV1_preVerifyEmailOtcMfa summary: Request Verify MFA Using Email Code parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthRequestVerifyMfaRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestVerifyMFAEmailResponse' tags: - MFA description: 'Verify multi-factor authentication (MFA) using a code sent to the user''s email. This endpoint completes the email-based MFA verification step. The request must include: - `mfaToken`: The token provided after the user initiates MFA via email. Use this endpoint to confirm the email-based MFA challenge and finalize the login or authentication process.' /resources/auth/v1/user/mfa/emailcode/verify: post: operationId: AuthenticationMFAControllerV1_verifyEmailOtcMfa summary: Verify MFA Using Email Code parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyMFAEmailOTCRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - MFA description: 'Verify a multi-factor authentication (MFA) challenge using a code sent to the user''s email address. This endpoint finalizes the email-based MFA verification and completes the authentication process. The request must include: - `otcToken`: One-time challenge token received during the email MFA initiation. - `code`: The MFA code sent to the user''s email. - `mfaToken`: Token returned from the original MFA setup or step-up authentication request. 
- `rememberDevice` (optional): If set to `true`, the device will be remembered to reduce MFA prompts on future logins from the same client. Use this endpoint to confirm the MFA challenge and optionally remember the current device for future sessions.' /resources/auth/v1/user/mfa/authenticator/enroll: post: operationId: AuthenticationMFAControllerV1_preEnrollAuthenticatorMfa summary: Pre Enroll MFA Using Authenticator App parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthRequestEnrollMFARequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestEnrollAuthenticatorAppMfaResponse' tags: - MFA description: 'Initiate enrollment in multi-factor authentication (MFA) using an authenticator app (e.g., Google Authenticator, Authy). This endpoint begins the MFA setup process and returns the necessary data for configuring an authenticator app, such as a QR code or secret key. The request must include: - `mfaToken`: A token received from the initial authentication flow that authorizes the MFA setup. Use this endpoint to generate the configuration required for linking an authenticator app before completing verification.' /resources/auth/v1/user/mfa/authenticator/enroll/verify: post: operationId: AuthenticationMFAControllerV1_enrollAuthenticatorMfa summary: Enroll MFA Using Authenticator App parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyEnrollMFAAuthAppRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - MFA description: 'Complete enrollment in multi-factor authentication (MFA) using an authenticator app. This endpoint verifies the MFA setup by validating the time-based one-time password (TOTP) generated by the authenticator app. 
The request must include: - `token`: The 6-digit TOTP code generated by the authenticator app. - `mfaToken`: Token from the initial MFA enrollment initiation. - `rememberDevice` (optional): If set to `true`, the device will be remembered and may skip MFA on future logins from the same browser or device. Use this endpoint to finalize MFA enrollment and activate the authenticator app for the user''s account.' /resources/auth/v1/user/mfa/authenticator/{deviceId}/verify: post: operationId: AuthenticationMFAControllerV1_verifyAuthenticatorMfa summary: Verify MFA Using Authenticator App description: 'Verify multi-factor authentication (MFA) during the authentication process. This endpoint is typically used after a primary login attempt when MFA is enabled for the user or account (tenant). The request must include: - `value`: The MFA service name (e.g., `authenticator`, `email`, `sms`) configured under Authentication Settings. - `mfaToken`: The token or code provided by the user''s MFA method (e.g., code from an authenticator app). Use this endpoint to complete the MFA verification step as part of the overall login flow.' parameters: - name: deviceId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyMFAAuthAppRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - MFA /resources/auth/v1/user/mfa/sms/enroll: post: operationId: AuthenticationMFAControllerV1_preEnrollSmsMfa summary: Pre-enroll MFA Using Sms parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/RequestEnrollMFASMSRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestEnrollMFASMSResponse' tags: - MFA description: 'Initiate multi-factor authentication (MFA) enrollment using SMS. 
This endpoint begins the SMS-based MFA setup by sending a verification code to the provided phone number. The request must include: - `phoneNumber`: The user''s mobile phone number in international format. It must match the format defined in your organization''s phone number validation pattern (`phoneNumberRegexp`). Use this endpoint as the first step in enabling SMS-based MFA for a user.' /resources/auth/v1/user/mfa/sms/enroll/verify: post: operationId: AuthenticationMFAControllerV1_enrollSmsMfa summary: Enroll MFA Using Sms parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyEnrollMFASMSRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - MFA description: 'Complete enrollment in multi-factor authentication (MFA) using SMS. This endpoint finalizes the SMS-based MFA setup for the user by verifying the code sent to their phone number. The request must include: - `otcToken`: Token received from the initial SMS MFA enrollment step. - `code`: The numeric code sent via SMS to the user''s registered phone number. Use this endpoint to verify the user''s phone number and activate SMS-based MFA on their account.' /resources/auth/v1/user/mfa/sms/{deviceId}: post: operationId: AuthenticationMFAControllerV1_preVerifySmsMfa summary: Request to Verify MFA Using Sms parameters: - name: deviceId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthRequestVerifyMfaRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestVerifyMFASMSResponse' tags: - MFA description: 'Verify multi-factor authentication (MFA) using an SMS-based device. This endpoint confirms the SMS MFA challenge as part of the authentication or step-up verification process for a specific registered device. 
Path parameters: - `deviceId`: The unique identifier of the SMS MFA device being verified. Request body must include: - `mfaToken`: Token provided during the authentication or challenge flow. Use this endpoint to complete SMS-based MFA verification for the specified device.' /resources/auth/v1/user/mfa/sms/{deviceId}/verify: post: operationId: AuthenticationMFAControllerV1_verifySmsMfa summary: Verify MFA Using Sms parameters: - name: deviceId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyMFASMSRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - MFA description: 'Verify a multi-factor authentication (MFA) challenge using an SMS code for a specific registered device. This endpoint finalizes the MFA step by validating the SMS code and may mark the device as trusted if specified. Path parameters: - `deviceId`: The unique identifier of the SMS MFA device being verified. Request body must include: - `otcToken`: Token received from the SMS MFA challenge initiation. - `code`: The verification code sent to the user''s phone via SMS. - `mfaToken`: MFA token issued during the initial login or step-up challenge. - `rememberDevice` (optional): Set to `true` to remember the device and reduce future MFA prompts on this device. Use this endpoint to complete SMS-based MFA verification and optionally trust the device for future logins.' 
/resources/auth/v1/user/mfa/webauthn/enroll: post: operationId: AuthenticationMFAControllerV1_preEnrollWebauthnMfa summary: Pre Enroll MFA Using WebAuthN parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthRequestEnrollMFARequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestEnrollMFAWebAuthnResponse' tags: - MFA description: 'Initiate multi-factor authentication (MFA) enrollment using WebAuthn (e.g., security keys, biometrics). This endpoint begins the WebAuthn MFA setup by returning a browser-based challenge needed to link a trusted device, such as a biometric reader or hardware security key. The request must include: - `mfaToken`: Token issued during the authentication flow to authorize MFA setup. Use this endpoint as the first step when enrolling a user in WebAuthn-based MFA.' /resources/auth/v1/user/mfa/webauthn/enroll/verify: post: operationId: AuthenticationMFAControllerV1_enrollWebauthnMfa summary: Enroll MFA Using WebAuthN parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyEnrollMFAWebAuthnRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - MFA description: "Complete enrollment in multi-factor authentication (MFA) using WebAuthn.\n\nThis endpoint verifies and registers a WebAuthn device, such as a biometric sensor (Platform) or hardware security key (CrossPlatform), finalizing the setup after the initial challenge.\n\nThe request must include:\n- `deviceType`: Type of device being enrolled. 
Accepts `Platform` (e.g., fingerprint scanner) or `CrossPlatform` (e.g., USB security key).\n- `webauthnToken`: Token received during the WebAuthn pre-enrollment step.\n- `options`: WebAuthn attestation data collected from the client.\n - `id`: Device identifier.\n - `response`: WebAuthn attestation response.\n - `clientDataJSON`: Base64-encoded client data from the browser.\n - `attestationObject`: Base64-encoded attestation object from the authenticator.\n - `deviceType` (optional): May repeat the selected device type.\n- `mfaToken`: Token used to authorize MFA enrollment.\n- `rememberDevice` (optional): Set to `true` to remember the device and reduce MFA prompts on future logins.\n\nUse this endpoint to complete WebAuthn-based MFA enrollment and register the user's trusted device." /resources/auth/v1/user/mfa/webauthn/{deviceId}: post: operationId: AuthenticationMFAControllerV1_preVerifyWebauthnMfa summary: Request Verify MFA Using WebAuthN parameters: - name: deviceId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthRequestVerifyMfaRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestVerifyMFAWebAuthnResponse' tags: - MFA description: 'Verify a multi-factor authentication (MFA) challenge using a registered WebAuthn device. This endpoint completes WebAuthn-based MFA verification, typically following primary authentication when WebAuthn is required as a second factor. Path parameters: - `deviceId`: The unique identifier of the WebAuthn device to be verified. Request body must include: - `mfaToken`: Token issued during the login or step-up authentication flow. Use this endpoint to validate a WebAuthn device and complete the MFA step during authentication.'
/resources/auth/v1/user/mfa/webauthn/{deviceId}/verify: post: operationId: AuthenticationMFAControllerV1_verifyWebauthnMfa summary: Verify MFA Using Webauthn parameters: - name: deviceId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyMFAWebAuthnRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - MFA description: "Verify a multi-factor authentication (MFA) challenge using a WebAuthn device.\n\nThis endpoint completes MFA verification using a previously registered WebAuthn device such as a biometric sensor or hardware security key.\n\nPath parameters:\n- `deviceId`: The unique identifier of the registered WebAuthn device to be verified.\n\nRequest body must include:\n- `webauthnToken`: Token received from the server to initiate the WebAuthn challenge.\n- `options`: WebAuthn authentication response returned by the browser.\n - `id`: The credential ID of the WebAuthn device.\n - `response`: Object containing attestation data from the authenticator.\n - `clientDataJSON`: Base64-encoded client data.\n - `authenticatorData`: Base64-encoded data from the authenticator.\n - `signature`: Signature from the authenticator, proving user presence.\n - `userHandle`: The user's handle used during registration.\n - `recaptchaToken` (optional): Token to verify human interaction, if reCAPTCHA is enabled.\n - `invitationToken` (optional): Used when completing an MFA challenge as part of an invitation flow.\n- `mfaToken`: Token issued during the initial authentication step.\n- `rememberDevice` (optional): If set to `true`, this device will be remembered for future logins to reduce MFA prompts.\n\nUse this endpoint to complete WebAuthn-based MFA verification and confirm the user's identity using a secure hardware or platform authenticator."
/resources/configurations/v1/mfa-policy/allow-remember-device: get: operationId: SecurityPolicyController_checkIfAllowToRememberDevice summary: Check if Remember Device Allowed description: 'Check whether the ''remember device'' feature is allowed for MFA verification. This endpoint returns whether device remembering is enabled globally or for a specific account (tenant), based on the request context. Query parameters: - `mfaToken`: Token generated from the authenticator app or MFA challenge step. Use this endpoint to determine whether the user should be prompted with the option to remember their device during MFA verification.' parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string - name: mfaToken required: true in: query description: MFA token from the response body of the first factor authentication schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/CheckAllowRememberResponse' tags: - MFA /resources/users/v1/mfa/enroll: post: operationId: UsersMfaControllerV1_enrollAuthAppMfa summary: Enroll Authenticator App MFA description: 'Enroll a logged-in user in multi-factor authentication (MFA) for a specific account (tenant). This endpoint initiates MFA enrollment on behalf of a user within a specific account (tenant) context. Use this route to programmatically trigger MFA enrollment, typically as part of an administrative or backend workflow.' 
deprecated: true parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestEnrollAuthenticatorAppMfaResponse' tags: - MFA /resources/users/v1/mfa/authenticator/enroll: post: operationId: UsersMfaControllerV1_enrollAuthenticatorMfa summary: Enroll Authenticator App MFA description: 'Enroll a logged-in user in multi-factor authentication (MFA) for a specific account (tenant). This endpoint initiates MFA enrollment on behalf of a user within a specific account (tenant) context. Use this route to programmatically trigger MFA enrollment, typically as part of an administrative or backend workflow.' parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/RequestEnrollAuthenticatorAppMfaResponse' tags: - MFA /resources/users/v1/mfa/enroll/verify: post: operationId: UsersMfaControllerV1_verifyAuthAppMfaEnrollment summary: Verify Authenticator App MFA Enrollment description: 'Verify multi-factor authentication (MFA) enrollment using a QR code for a specific user. This endpoint completes MFA setup after the user scans a QR code with their authenticator app (e.g., Google Authenticator, Authy). Request body must include: - `mfaToken`: The time-based one-time password (TOTP) generated by the user''s authenticator app after scanning the QR code. Use this endpoint to confirm that the user has successfully linked their authenticator app and to activate MFA for their account.' 
deprecated: true parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyEnrollMFAUserAuthAppRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/VerifyEnrollMFAResponse' tags: - MFA /resources/users/v1/mfa/authenticator/enroll/verify: post: operationId: UsersMfaControllerV1_verifyAuthenticatorMfaEnrollment summary: Verify Authenticator App MFA Enrollment description: 'Verify multi-factor authentication (MFA) enrollment using a QR code for a specific user within an account (tenant). This endpoint completes MFA enrollment after the user scans a QR code with an authenticator app (e.g., Google Authenticator, Authy). Request body must include: - `mfaToken`: The time-based one-time password (TOTP) generated by the authenticator app after scanning the QR code. Use this endpoint to confirm that the user has successfully registered their authenticator app and to activate MFA for their account.' parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyEnrollMFAUserAuthAppRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/VerifyEnrollMFAResponse' tags: - MFA /resources/users/v1/mfa/sms/enroll: post: operationId: UsersMfaControllerV1_preEnrollSmsMfa summary: Enroll SMS MFA parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/RequestEnrollMFASMSRequest' responses: '200': description: '' tags: - MFA description: 'Enroll a user in SMS-based multi-factor authentication (MFA). 
This endpoint initiates SMS MFA enrollment by sending a verification code to the user''s phone number. Request body must include: - `phoneNumber`: The user''s mobile number in international format. Must match the validation pattern defined by `phoneNumberRegexp`. Use this endpoint to begin the SMS MFA setup process for a specific user. The next step is to verify the SMS code to complete enrollment.' /resources/users/v1/mfa/sms/enroll/verify: post: operationId: UsersMfaControllerV1_enrollSmsMfa summary: Verify MFA Enrollment parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyEnrollMFASMSRequest' responses: '200': description: '' tags: - MFA description: 'Complete SMS-based multi-factor authentication (MFA) enrollment for a user. This endpoint finalizes SMS MFA setup by verifying the code sent to the user''s phone. Request body must include: - `otcToken`: One-time challenge token received from the initial enrollment step. - `code`: The verification code sent to the user''s phone via SMS. Use this endpoint to verify the user''s phone number and activate SMS-based MFA for their account.' /resources/configurations/v1/mfa: post: operationId: MfaController_upsertMfaConfig summary: Update MFA Configuration description: 'Update the MFA configuration for your environment. Provide the desired configuration values as objects in the request body. Refer to the parameter documentation for the list of supported values.' 
parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MfaConfigRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/MfaConfigResponse' tags: - MFA Configuration get: operationId: MfaController_getMfaConfig summary: Get MFA Configuration description: Retrieve the MFA configuration for your environment. parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/MfaConfigResponse' tags: - MFA Configuration /resources/configurations/v1/mfa-policy: post: operationId: SecurityPolicyController_createMfaPolicy summary: Create MFA Policy description: Create an MFA policy globally or for a specific account (tenant). parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MfaPolicyRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/MfaPolicyResponse' '409': description: MFA Policy already exists. Try to use the Update MFA Policy API tags: - MFA Settings patch: operationId: SecurityPolicyController_updateSecurityPolicy summary: Update Security Policy description: Update the MFA policy for all accounts (tenants). 
parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MfaPolicyRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/MfaPolicyResponse' '400': description: Missing parameters to update '404': description: Security policy not found tags: - MFA Settings put: operationId: SecurityPolicyController_upsertSecurityPolicy summary: Upsert Security Policy description: Create or update the MFA policy for all accounts (tenants). parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MfaPolicyRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/MfaPolicyResponse' tags: - MFA Settings get: operationId: SecurityPolicyController_getSecurityPolicy summary: Get Security Policy description: This route gets the MFA policy for all accounts (tenants). parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/MfaPolicyResponse' '404': description: Security Policy not found. MFA is disabled tags: - MFA Settings /resources/configurations/v1/mfa/strategies: get: operationId: MFAStrategiesControllerV1_getMFAStrategies summary: Get MFA Strategies parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/MFAStrategiesResponse' tags: - MFA Settings description: Retrieve the MFA strategies configured for your environment. 
post: operationId: MFAStrategiesControllerV1_createOrUpdateMFAStrategy summary: Create or Update MFA Strategy parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateOrUpdateMFAStrategyRequest' responses: '201': description: '' tags: - MFA Settings description: 'Create or update an MFA strategy. Provide the desired strategy configuration in the request body.' /resources/configurations/v1/password: post: operationId: PasswordPolicyController_addOrUpdatePasswordConfig summary: Create or Update Password Configuration description: Create or update the password policy for the entire environment. parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PasswordConfigRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordConfigResponse' tags: - Password Settings get: operationId: PasswordPolicyController_getPasswordConfig summary: Get Password Policy Configuration description: Retrieve the password policy for all accounts (tenants). parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordConfigResponse' tags: - Password Settings /resources/configurations/v1/password-history-policy: post: operationId: PasswordHistoryPolicyController_createPolicy summary: Create Password History Policy description: 'Create a password history policy for all accounts (tenants). To enable the password history policy, set the `enabled` parameter to `true` and specify the `passwordHistorySize` as a number between 1 and 10.' 
parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PasswordHistoryPolicyRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordHistoryPolicyResponse' '409': description: Policy already exists. Use the Update Password History Policy API. tags: - Password Settings patch: operationId: PasswordHistoryPolicyController_updatePolicy summary: Update Password History Policy description: 'Update the password history policy for all accounts (tenants). To disable the password history policy, set the `enabled` parameter to `false`. You can also update the `passwordHistorySize` value to a number between 1 and 10.' parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PasswordHistoryPolicyRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordHistoryPolicyResponse' '404': description: History size must be between 1 and 10 tags: - Password Settings get: operationId: PasswordHistoryPolicyController_getPolicy summary: Get Password History Policy description: Retrieve the password history policy for all accounts (tenants) or for a specific account (tenant). parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordHistoryPolicyResponse' '404': description: Password History Policy not found.
Policy is disabled tags: - Password Settings /resources/users/v1/passwords/reset: post: operationId: UsersPasswordControllerV1_resetPassword summary: Reset Password description: 'Send a reset password email to a user. Provide the user''s email in the request body. If your email template uses metadata, include the email metadata in the request body as well.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ResetPasswordDto' responses: '201': description: '' tags: - Password Settings /resources/users/v1/passwords/reset/verify: post: operationId: UsersPasswordControllerV1_verifyResetPassword summary: Verify Password description: 'Verify a user''s password using a verification token. Provide the `userId`, `token`, and `password` in the request body. The `token` can be obtained using the route for generating a user password reset token.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyPasswordDto' responses: '201': description: '' tags: - Password Settings /resources/users/v1/passwords/change: post: operationId: UsersPasswordControllerV1_changePassword summary: Change Password description: 'Change the password for a logged-in user. Include the current and new passwords in the request body.' parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUserPasswordDto' responses: '201': description: '' tags: - Password Settings /resources/users/v1/passwords/config: get: operationId: UsersPasswordControllerV1_getUserPasswordConfig summary: Get Strictest Password Configuration description: 'Retrieve the user''s strictest password configuration. This is useful when a user belongs to multiple accounts (tenants) with varying password complexity requirements. 
The route returns the strictest setting the user is subject to.' parameters: - name: userId required: false in: query schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordConfigResponse' tags: - Password Settings /resources/users/v2/passwords/reset/email: post: operationId: UsersPasswordControllerV2_resetPasswordViaEmail summary: Reset Password via Email description: Sends a password reset email to the user. Provide the user's email address in the request body to initiate the reset process. parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ResetPasswordDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/ResetPasswordViaSmsResponseDto' tags: - Password Settings /resources/users/v2/passwords/reset/sms: post: operationId: UsersPasswordControllerV2_resetPasswordViaSms summary: Reset Password via SMS description: Sends a password reset SMS with a one-time code (OTP) to the user. Provide the user's phone number in the request body to initiate the reset process. parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ResetPasswordDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/ResetPasswordViaSmsResponseDto' tags: - Password Settings /resources/users/v2/passwords/reset/sms/verify: post: operationId: UsersPasswordControllerV2_verifyResetPasswordViaSmsOtc summary: Verify Password Reset Code Sent via SMS description: Verifies the one-time code (OTP) sent via SMS for password reset. Provide the OTP in the request body. If valid, returns the user ID and reset token. 
parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyPasswordViaSmsRequestDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/VerifyPasswordViaSmsResponseDto' tags: - Password Settings /resources/configurations/v1/password-rotation: get: operationId: PasswordRotationConfigControllerV1_getPasswordRotationConfiguration summary: Get Password Expiration Period Configuration description: Retrieve the password expiration period configuration for your environment or for a specific account (tenant). parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordRotationConfigurationResponse' '404': description: Password rotation configuration not found tags: - Password Settings post: operationId: PasswordRotationConfigControllerV1_upsertPasswordRotationConfiguration summary: Manage Password Expiration description: 'Create or update the configuration for the password expiration policy. If no configuration exists, a default policy will be applied.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateOrUpdatePasswordRotationDto' responses: '200': description: '' tags: - Password Settings /resources/configurations/v1/password-rotation/vendor: get: operationId: PasswordRotationConfigControllerV1_getVendorPasswordRotationConfiguration summary: Get Environment Configuration for Password Expiration Period. description: Retrieve the password expiration period configuration for your environment or for a specific account (tenant). 
parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordRotationConfigurationResponse' '404': description: Password rotation configuration not found tags: - Password Settings /resources/auth/v1/passwordless/smscode/prelogin: post: operationId: AuthenticationPasswordlessControllerV1_smsCodePreLogin summary: SMS Code Prelogin description: 'Initiate SMS-based passwordless authentication by sending a one-time code (OTC) to the user''s phone. This is the first step in the SMS OTC passwordless login flow. The system sends an SMS to the user associated with the provided email address. Request body must include: - `email`: The email address of the user initiating the login. - `invitationToken` (optional): Include if the user is signing up through an invitation. - `recaptchaToken` (optional): Required if reCAPTCHA is enabled for login. Use this endpoint to begin the passwordless login process using SMS verification.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PasswordlessAuthenticationSmsOtcPreloginDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/PasswordlessAuthenticationSmsOTCPreloginResponseDto' '400': description: User does not have a phone number tags: - Passwordless /resources/auth/v1/passwordless/smscode/postlogin: post: operationId: AuthenticationPasswordlessControllerV1_smsCodePostLogin summary: SMS Code Postlogin description: 'Complete passwordless authentication using a one-time code (OTC) sent via SMS. This is the second step in the SMS OTC passwordless login flow. After the user receives the code, this endpoint finalizes authentication and returns a valid JWT and refresh cookie. Request body must include: - `token`: The token ID associated with the SMS OTC sent to the user. - `invitationToken` (optional): Include if the user is signing up through an invitation. 
- `recaptchaToken` (optional): Required if reCAPTCHA is enabled for login. Use this endpoint to complete passwordless login via SMS and receive authentication tokens for the session.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthenticateUserPasswordlessDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - Passwordless /resources/auth/v1/passwordless/magiclink/prelogin: post: operationId: AuthenticationPasswordlessControllerV1_magicLinkPrelogin summary: Magic Link Prelogin description: 'Initiate passwordless authentication by sending a magic link to the user''s email address. This is the first step in the magic link passwordless login flow for local users. The system sends an email containing a secure login link to the provided address. Request body must include: - `email`: The email address of the user initiating the login. - `invitationToken` (optional): Include if the user is signing up through an invitation. - `recaptchaToken` (optional): Required if reCAPTCHA is enabled for login. Use this endpoint to start the magic link authentication process by delivering a login link to the user''s email inbox.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PasswordlessAuthenticationPreloginDto' responses: '200': description: '' '400': description: Invalid authentication type, magic link authentication should be enabled tags: - Passwordless /resources/auth/v1/passwordless/magiclink/postlogin: post: operationId: AuthenticationPasswordlessControllerV1_magicLinkPostLogin summary: Magic Link Postlogin description: 'Complete passwordless authentication using a magic link. This is the second step in the magic link passwordless login flow for local users. After the user clicks the link in their email, this endpoint validates the token and authenticates the user. 
Request body must include: - `token`: The token ID extracted from the magic link. - `invitationToken` (optional): Include if the user is signing up through an invitation. - `recaptchaToken` (optional): Required if reCAPTCHA is enabled for login. Use this endpoint to complete the magic link login flow and receive authentication credentials, including a JWT and a refresh cookie.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthenticateUserPasswordlessDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - Passwordless /resources/auth/v1/passwordless/code/prelogin: post: operationId: AuthenticationPasswordlessControllerV1_emailCodePrelogin summary: OTC (One-Time Code) Prelogin description: 'Initiate passwordless authentication by sending a one-time code (OTC) to the user''s email address. This is the first step in the email OTC (one-time code) passwordless login flow for local users. The system sends a time-sensitive code to the specified email address. Request body must include: - `email`: The email address of the user initiating the login. - `invitationToken` (optional): Include if the user is signing up through an invitation. - `recaptchaToken` (optional): Required if reCAPTCHA is enabled for login. Use this endpoint to start the passwordless login process via an email-based one-time code.' 
parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PasswordlessAuthenticationPreloginDto' responses: '201': description: '' '400': description: Invalid authentication type, OTC (One-Time Code) authentication should be enabled tags: - Passwordless /resources/auth/v1/passwordless/code/postlogin: post: operationId: AuthenticationPasswordlessControllerV1_emailCodePostLogin summary: OTC (One-Time Code) Postlogin description: 'Complete passwordless authentication using a one-time code (OTC) sent to the user''s email. This is the second step in the email OTC passwordless login flow. After the user receives and enters the code, this endpoint validates the token and finalizes authentication. Request body must include: - `token`: The token ID associated with the email OTC sent to the user. - `invitationToken` (optional): Include if the user is signing up via an invitation. - `recaptchaToken` (optional): Required if reCAPTCHA is enabled for login. Use this endpoint to validate the email-based one-time code and receive authentication credentials, including a JWT and refresh cookie.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AuthenticateUserPasswordlessDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - Passwordless /resources/permissions/v1: get: operationId: PermissionsControllerV1_getAllPermissions summary: Get Permissions description: 'Retrieve all permissions configured for your environment. Each permission object includes the name, description, assigned roles, categories, and other defining information.' 
parameters: [] responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/PermissionResponse' tags: - Permissions post: operationId: PermissionsControllerV1_addPermissions summary: Create Permissions description: 'Add a new permission. Provide the permission information in the request body. This route does not associate permissions with roles. Use the associate permission to roles route to manage role associations.' parameters: [] requestBody: required: true content: application/json: schema: type: array items: $ref: '#/components/schemas/AddPermissionRequest' responses: '201': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/PermissionResponse' tags: - Permissions /resources/permissions/v1/{permissionId}: delete: operationId: PermissionsControllerV1_deletePermission summary: Delete Permission description: 'Delete a permission. Provide the permission ID as a path parameter to specify which permission to delete. You can obtain the permission ID using the **Get permissions** API.' parameters: - name: permissionId required: true in: path schema: type: string responses: '204': description: '' tags: - Permissions patch: operationId: PermissionsControllerV1_updatePermission summary: Update Permission description: 'Update an existing permission. Provide the permission ID as a path parameter to specify which permission to update, and send the updated permission information in the request body. This route does not update role associations for the permission. Use the associate permission to roles route to manage role associations.' 
parameters: - name: permissionId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdatePermissionRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PermissionResponse' tags: - Permissions /resources/permissions/v1/{permissionId}/roles: put: operationId: PermissionsControllerV1_setRolesToPermission summary: Set a Permission to Multiple Roles description: 'Associate a permission with multiple roles. Provide the permission ID as a path parameter and include the role IDs in the request body as an array of strings. Any pre-existing role associations will remain. You can obtain role IDs using the **Get roles** API.' parameters: - name: permissionId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AddRolesToPermissionRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PermissionResponse' tags: - Permissions /resources/permissions/v1/classification: put: operationId: PermissionsControllerV1_updatePermissionsAssignmentType summary: Set Permissions Classification description: 'Classify permissions for self-service usage. Provide an array of `permissionIds` and the classification `type` in the request body. This allows you to segregate which permissions will be used for self-service.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ClassifyPermissionsDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/PermissionResponse' tags: - Permissions /resources/permissions/v1/categories: get: operationId: PermissionsCategoriesController_getAllCategoriesWithPermissions summary: Get Permissions Categories description: Retrieves all permission categories for your environment. 
Each category includes its name, description, associated permissions, and metadata. parameters: [] responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/PermissionCategoryResponseDto' tags: - Permissions Categories post: operationId: PermissionsCategoriesController_createPermissionCategory summary: Create Category description: 'Add a new permissions category. Provide the category information in the request body. Note that categories are not associated with permissions in this route — you can associate permissions by sending the category ID in the add or update permission routes.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateCategoryDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/PermissionCategoryResponseDto' tags: - Permissions Categories /resources/permissions/v1/categories/{categoryId}: patch: operationId: PermissionsCategoriesController_updateCategory summary: Update Category description: 'Update an existing permissions category. Provide the category ID as a path parameter to specify which category to update, and send the updated category information in the request body. This route does not update the permissions associated with the category. Use the add or update permissions routes to manage permission associations.' parameters: - name: categoryId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateCategoryDto' responses: '200': description: '' tags: - Permissions Categories delete: operationId: PermissionsCategoriesController_deleteCategory summary: Delete Category description: 'Delete a permissions category. Provide the category ID as a path parameter to specify which category to delete. You can obtain the category ID using the **Get categories** API.' 
parameters: - name: categoryId required: true in: path schema: type: string responses: '200': description: '' tags: - Permissions Categories /resources/users/access-tokens/v1: post: operationId: UserAccessTokensV1Controller_createUserAccessToken summary: Create User Access Token parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserAccessTokenRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserAccessTokenResponse' tags: - Personal Tokens description: Create an access token for a specific user. get: operationId: UserAccessTokensV1Controller_getUserAccessTokens summary: Get User Access Tokens parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetUserAccessTokensResponse' tags: - Personal Tokens description: Retrieve all access tokens for a specific user. /resources/users/access-tokens/v1/{id}: delete: operationId: UserAccessTokensV1Controller_deleteUserAccessToken summary: Delete User Access Token by Token ID parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string - name: id required: true in: path schema: type: string responses: '200': description: '' tags: - Personal Tokens description: Delete a user access token. 
/resources/users/api-tokens/v1: post: operationId: UserApiTokensV1Controller_createTenantApiToken summary: Create User Client Credentials Token description: Create a user-specific API token. parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserApiTokenDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/CreateUserApiTokenResponseDto' tags: - Personal Tokens get: operationId: UserApiTokensV1Controller_getApiTokens summary: Get User Client Credentials Tokens description: Retrieve a user-specific API token. parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/GetUserApiTokensResponseDto' tags: - Personal Tokens /resources/users/api-tokens/v1/{id}: delete: operationId: UserApiTokensV1Controller_deleteApiToken summary: Delete User Client Credentials Token by Token ID description: Delete a user-specific API token. parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string - name: id required: true in: path schema: type: string responses: '200': description: '' tags: - Personal Tokens /resources/roles/v1: get: operationId: PermissionsControllerV1_getAllRoles summary: Get Roles description: 'Retrieve all roles across all accounts (tenants). 
Each role object includes the name, permissions, and other defining information.' parameters: - name: frontegg-tenant-id in: header description: For relating a role to a specific account (tenant), use `get accounts (tenants)` API to find the account (tenant) Ids required: false schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/RoleResponse' tags: - Roles post: operationId: PermissionsControllerV1_addRoles summary: Create Roles description: 'Add a new role across all accounts (tenants). This route does not assign permissions to the role. Use the attach permissions to role route to manage role permissions.' parameters: - name: frontegg-tenant-id in: header description: For relating a role to a specific account (tenant), use `get accounts (tenants)` API to find the account (tenant) Ids required: false schema: type: string requestBody: required: true content: application/json: schema: type: array items: $ref: '#/components/schemas/AddRoleRequest' responses: '201': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/RoleResponse' tags: - Roles /resources/roles/v1/{roleId}: delete: operationId: PermissionsControllerV1_deleteRole summary: Delete Role description: 'Delete a role. Provide the role ID as a path parameter to specify which role to delete.' parameters: - name: roleId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: For relating a role to a specific account (tenant), use `get accounts (tenants)` API to find the account (tenant) Ids required: false schema: type: string responses: '204': description: '' tags: - Roles patch: operationId: PermissionsControllerV1_updateRole summary: Update Role description: 'Update an existing role. Provide the role ID as a path parameter to specify which role to update, and send the updated role information in the request body. 
This route does not update permissions for the role. Use the attach permissions to role route to manage role permissions. You can obtain the role ID using the **Get roles** API.' parameters: - name: roleId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: For relating a role to a specific account (tenant), use `get accounts (tenants)` API to find the account (tenant) Ids required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateRoleRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/RoleResponse' tags: - Roles /resources/roles/v1/{roleId}/permissions: put: operationId: PermissionsControllerV1_setPermissionsToRole summary: Assign Permissions to a Role description: 'Assign permissions to a role. Provide the role ID as a path parameter and include the permission IDs in the request body as an array of strings. Any pre-existing permissions will be overridden by the new permissions. You can obtain role IDs using the **Get roles** API and permission IDs using the **Get permissions** API.' parameters: - name: roleId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: For relating a role to a specific account (tenant), use `get accounts (tenants)` API to find the account (tenant) Ids required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AddPermissionToRoleRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/RoleResponse' tags: - Roles /resources/roles/v1/{roleId}/tenant: put: operationId: PermissionsControllerV1_updateRoleTenant summary: Update Role Tenant description: Updates the account (tenant) ID for a specific role. This is a management-only endpoint. 
parameters: - name: roleId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateRoleTenantRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/RoleResponse' tags: - Roles /resources/users/phone-numbers/v1: get: operationId: UserPhoneNumbersControllerV1_getAllPhoneNumbers summary: Get All Phone Numbers description: 'Retrieve a paginated list of all user phone numbers associated with your environment. This endpoint returns user phone numbers along with pagination metadata and navigation links. It supports filtering, sorting, and offset-based pagination for efficient querying. Query parameters (optional): - `_limit` (number ≥ 1): Maximum number of items to return per page. - `_offset` (number ≥ 0): The page number to retrieve. For example, use 0 for the first page, 1 for the second page. - `_sortBy` (string): Field to sort by. Allowed values: `userId`, `phoneNumber`. - `_order` (string): Sort order. Allowed values: `ASC`, `DESC`. - `_phoneNumber` (string): Filter by a specific phone number. Use this endpoint to list or search user phone numbers in a paginated format, ideal for administrative tools or reporting.' deprecated: true parameters: - name: _limit required: false in: query schema: minimum: 1 type: number - name: _offset required: false in: query schema: minimum: 0 type: number description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page. 
- name: _sortBy required: false in: query schema: enum: - userId - phoneNumber type: string - name: _order required: false in: query schema: enum: - ASC - DESC type: string - name: _phoneNumber required: false in: query schema: type: string responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/UserPhoneNumberResponseDto' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - SMS post: operationId: UserPhoneNumbersControllerV1_createUserPhoneNumber summary: Set Phone Number for a User description: 'Assign a new phone number to a user and optionally trigger a verification code. By default, the system sends an SMS verification code to the provided phone number. To skip verification (e.g., for internal setup), set the `verify` field to `false`. Request body must include: - `phoneNumber`: The new phone number to assign to the user. Must follow international format. - `verify` (optional): Whether to send an SMS verification code. Defaults to `true` if not provided. Use this endpoint to set or update a user''s phone number, with optional control over verification.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserPhoneNumberRequestDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserPhoneNumberCreatedResponseDto' tags: - SMS /resources/users/phone-numbers/v1/preverify: post: operationId: UserPhoneNumbersControllerV1_preVerifyUserPhoneNumber summary: Pre-verify User's Phone Number description: 'Send a one-time code (OTC) to the specified phone number to initiate verification. This endpoint is used to pre-verify a phone number before associating it with a user account. It sends an SMS-based one-time code to the provided number. 
Request body must include: - `phoneNumber`: The phone number to verify, in international format. Use this endpoint to validate ownership of a phone number by sending a one-time code for user input during onboarding or account setup.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PreVerifyUserPhoneNumberRequestDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserPhoneNumberCreatedResponseDto' tags: - SMS /resources/users/phone-numbers/v1/verify: post: operationId: UserPhoneNumbersControllerV1_verifyCreateUserPhoneNumber summary: Verify Creation of Phone Number for User description: 'Verify a user''s phone number using a one-time code (OTC) that was sent via SMS. This is the final step in the phone number verification process. After initiating verification via the pre-verification route, use this endpoint to confirm the phone number by submitting the OTC and code. Request body must include: - `otcToken`: The token issued when the OTC was sent. - `code`: The one-time code the user received on their phone. Use this endpoint to validate the user''s ownership of the phone number and complete the verification process.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyPhoneNumberOTCRequestDto' responses: '200': description: '' tags: - SMS /resources/users/phone-numbers/v1/{id}: delete: operationId: UserPhoneNumbersControllerV1_deleteUserPhoneNumber summary: Delete User's Phone Number description: 'Initiate the deletion process for a user''s phone number. This endpoint begins the phone number removal workflow by sending a verification code to the user. The phone number will not be deleted until the verification step is completed. Path parameters: - `id`: The unique identifier of the phone number to be deleted. Use this endpoint to trigger the secure deletion process for a user''s phone number. 
A follow-up verification step is required to finalize the removal.' parameters: - name: id required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserPhoneNumberDeleteCodeResponseDto' tags: - SMS /resources/users/phone-numbers/v1/{id}/delete/verify: post: operationId: UserPhoneNumbersControllerV1_verifyDeleteUserPhoneNumber summary: Verify Delete User's Phone Number description: 'Verify the deletion of a user''s phone number using a one-time code (OTC). This is the final step in the phone number deletion process. After initiating deletion, the system sends a verification code to the user''s phone. This endpoint confirms the deletion by validating the OTC and code. Path parameters: - `id`: The unique identifier of the phone number to delete. Request body must include: - `otcToken`: The token issued during the deletion request. - `code`: The one-time code sent to the user via SMS. Use this endpoint to securely complete the deletion of a user''s phone number.' parameters: - name: id required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/VerifyPhoneNumberOTCRequestDto' responses: '200': description: '' tags: - SMS /resources/users/phone-numbers/v1/me: get: operationId: UserPhoneNumbersControllerV1_getUserOwnPhoneNumbers summary: Get Current User's Phone Numbers parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string - name: frontegg-user-id in: header description: The user id required: true schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/UserPhoneNumberResponseDto' tags: - SMS description: 'Retrieve all phone numbers associated with the current user. This endpoint returns a list of phone numbers linked to the authenticated user, including verification status and timestamps. The response includes metadata such as verification status and timestamps for creation and last update. Use this endpoint to display or manage the user''s registered phone numbers in your application.' /resources/users/phone-numbers/v2: get: operationId: UserPhoneNumbersControllerV2_getAllPhoneNumbers summary: Get All Phone Numbers V2 description: This route returns all user phone numbers. parameters: - name: _limit required: false in: query schema: minimum: 1 maximum: 250 type: number - name: _offset required: false in: query schema: minimum: 0 type: number description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page. 
- name: _sortBy required: false in: query schema: enum: - userId - phoneNumber type: string - name: _order required: false in: query schema: enum: - ASC - DESC type: string - name: _phoneNumber required: false in: query schema: type: string - name: userIds required: false in: query schema: type: array items: type: string responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/UserPhoneNumberResponseDto' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - SMS /resources/configurations/v1/sms: post: operationId: VendorSmsController_createSmsVendorConfig summary: Creates or Updates a Vendor SMS Config description: 'Create or update the SMS configuration for your environment. Provide the desired SMS configuration values in the request body.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateSmsVendorConfigRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsVendorConfigResponse' '201': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsVendorConfigResponse' tags: - SMS Configuration delete: operationId: VendorSmsController_deleteSmsVendorConfig summary: Deletes a Vendor SMS Config parameters: [] responses: '200': description: '' tags: - SMS Configuration description: Delete the SMS configuration for your environment. get: operationId: VendorSmsController_getSmsVendorConfig summary: Gets a Vendor SMS Config parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsVendorConfigResponse' tags: - SMS Configuration description: Retrieve the SMS configuration for your environment. 
/resources/configurations/v1/sms/templates: get: operationId: VendorSmsController_getAllSmsTemplates summary: Gets Vendor SMS Templates parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsTemplateResponse' tags: - SMS Templates description: Retrieve the SMS templates configured for your environment. /resources/configurations/v1/sms/templates/{type}: get: operationId: VendorSmsController_getSmsTemplate summary: Gets Vendor SMS Template by Type parameters: - name: type required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsTemplateResponse' tags: - SMS Templates description: 'Retrieve an SMS template by type. Provide the `type` as a path parameter to specify which SMS template to retrieve.' delete: operationId: VendorSmsController_deleteSmsTemplate summary: Deletes Vendor SMS Template by Type parameters: - name: type required: true in: path schema: type: string responses: '200': description: '' tags: - SMS Templates description: 'Delete an SMS template by type. Provide the `type` as a path parameter to specify which SMS template to delete.' post: operationId: VendorSmsController_createSmsTemplate summary: Create or Update a Vendor SMS Template parameters: - name: type required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateSmsTemplateRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsTemplateResponse' '201': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsTemplateResponse' tags: - SMS Templates description: 'Create or update an SMS template by type. Provide the `type` as a path parameter and include the SMS template details in the request body.' 
/resources/configurations/v1/sms/templates/{type}/default: get: operationId: VendorSmsController_getSmsDefaultTemplate summary: Gets Vendor Default SMS Template by Type parameters: - name: type required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsTemplateResponse' tags: - SMS Templates description: 'Retrieve the default SMS template by type. Provide the `type` as a path parameter to specify which default SMS template to retrieve.' /resources/configurations/v1/sms/templates/default/all: get: operationId: VendorSmsController_getAllSmsDefaultTemplates summary: Gets All Vendor Default SMS Templates parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/SmsTemplateResponse' tags: - SMS Templates /resources/configurations/sessions/v1/vendor: get: operationId: SessionConfigurationControllerV1_getVendorSessionConfiguration summary: Get Environment Session Configuration parameters: [] responses: '200': description: '' tags: - Sessions Configuration description: Retrieve the session configuration for your environment. /resources/configurations/sessions/v1: get: operationId: SessionConfigurationControllerV1_getSessionConfiguration summary: Get Account (tenant) or Vendor Default Session Configuration description: Retrieve the session configuration for the entire environment or for a specific account (tenant). parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' tags: - Sessions Management post: operationId: SessionConfigurationControllerV1_createSessionConfiguration summary: Create or Update Account (tenant) or Vendor Default Session Configuration description: Create or update the session configuration for the entire environment or for a specific account (tenant). 
parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateSessionConfigurationRequest' responses: '201': description: '' tags: - Sessions Management /resources/configurations/v1/user-emails-policy: get: operationId: UserEmailsPolicyControllerV1_getUserEmailsPolicy summary: Get User Emails Policy description: Get information about the user emails policy. An environment token is required for this route. parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetUserEmailsPolicyResponseDto' tags: - User Emails Policy post: operationId: UserEmailsPolicyControllerV1_createOrUpdateUserEmailsPolicy summary: Create or Update User Emails Policy description: Enable or disable the ability to change user emails. An environment token is required for this route. parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserEmailsPolicyRequestDto' responses: '200': description: '' tags: - User Emails Policy /resources/groups/v1: get: operationId: GroupsControllerV1_getAllGroups summary: Get All Groups description: Retrieve all user groups for an account (tenant). parameters: - name: _groupsRelations required: false in: query schema: enum: - roles - users - rolesAndUsers type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GroupsResponse' tags: - User Groups post: operationId: GroupsControllerV1_createGroup summary: Create Group description: 'Create a user group for an account (tenant). 
Provide the group details in the request body.' parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateGroupDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/GroupResponse' tags: - User Groups /resources/groups/v1/bulkGet: post: operationId: GroupsControllerV1_getGroupsByIds summary: Get Groups by Ids description: 'Retrieve user groups by given IDs for an account (tenant). Provide the group IDs in the request body.' parameters: - name: _groupsRelations required: false in: query schema: enum: - roles - users - rolesAndUsers type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/GetGroupsDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/GroupsResponse' tags: - User Groups /resources/groups/v1/{id}: patch: operationId: GroupsControllerV1_updateGroup summary: Update Group description: 'Update a user group by ID for an account (tenant). Provide the group ID as a path parameter and the updated group details in the request body.' parameters: - name: id required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateGroupDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GroupResponse' tags: - User Groups delete: operationId: GroupsControllerV1_deleteGroup summary: Delete Group description: 'Delete a user group by ID for an account (tenant). Provide the group ID as a path parameter.' parameters: - name: id required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' tags: - User Groups get: operationId: GroupsControllerV1_getGroupById summary: Get Group by ID description: 'Retrieve a user group by ID for an account (tenant). Provide the group ID as a path parameter.' parameters: - name: id required: true in: path schema: type: string - name: _groupsRelations required: false in: query schema: enum: - roles - users - rolesAndUsers type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GroupResponse' tags: - User Groups /resources/groups/v1/config: get: operationId: GroupsControllerV1_getGroupsConfiguration summary: Get Groups Configuration description: Retrieve the user group configuration for your environment. 
parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetGroupConfigurationResponse' tags: - User Groups post: operationId: GroupsControllerV1_createOrUpdateGroupsConfiguration summary: Create or Update Groups Configuration description: 'Create or update the user group configuration for your environment. Provide the configuration details in the request body.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateOrUpdateGroupConfigurationDto' responses: '201': description: '' tags: - User Groups /resources/groups/v1/{groupId}/roles: post: operationId: GroupsControllerV1_addRolesToGroup summary: Add Roles to Group description: 'Add roles to an existing user group. A user can assign only roles that are lower than their own.' parameters: - name: groupId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateRolesOnGroupDto' responses: '201': description: '' tags: - User Groups delete: operationId: GroupsControllerV1_removeRolesFromGroup summary: Remove Roles From Group description: 'Remove roles from an existing user group. Provide the roles to remove in the request body.' parameters: - name: groupId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateRolesOnGroupDto' responses: '200': description: '' tags: - User Groups /resources/groups/v1/{groupId}/users: post: operationId: GroupsControllerV1_addUsersToGroup summary: Add Users to Group description: 'Add users to an existing user group. Only users with higher roles than the group''s roles are allowed to perform this action.' parameters: - name: groupId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUsersOnGroupDto' responses: '201': description: '' tags: - User Groups delete: operationId: GroupsControllerV1_removeUsersFromGroup summary: Remove Users From Group description: 'Remove users from an existing user group. Provide the users to remove in the request body.' parameters: - name: groupId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUsersOnGroupDto' responses: '200': description: '' tags: - User Groups /resources/groups/v2: get: operationId: GroupsControllerV2_getAllGroupsPaginated summary: Get All Groups Paginated description: 'Retrieve all user groups for an account (tenant), with pagination. Use query parameters to control pagination and optionally include related group data.' 
parameters: - name: _groupsRelations required: false in: query schema: enum: - roles - users - rolesAndUsers type: string - name: _limit required: false in: query schema: minimum: 1 type: number - name: _offset required: false in: query schema: minimum: 0 type: number description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page. - name: _sortBy required: false in: query schema: enum: - id - name - createdAt - updatedAt type: string - name: _order required: false in: query schema: enum: - ASC - DESC type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/GroupResponse' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - User Groups /resources/tenants/users/v1/{userId}/disable: post: operationId: UsersTenantsControllerV1_disableUserTenant summary: Disable User Account (tenant) description: 'Disable a user for an account (tenant). A disabled user cannot log in to the account (tenant) or use the system. Provide the user''s ID as a path parameter.' parameters: - name: userId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' '201': description: '' '403': description: '' tags: - User Management /resources/tenants/users/v1/{userId}/enable: post: operationId: UsersTenantsControllerV1_enableUserTenant summary: Enable User Account (tenant) description: 'Enable a disabled user for an account (tenant). An enabled user can log in and use the system. Provide the user''s ID as a path parameter.' parameters: - name: userId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string responses: '200': description: '' '201': description: '' '403': description: '' tags: - User Management /resources/users/temporary/v1/{userId}: put: operationId: TemporaryUsersV1Controller_editTimeLimit summary: Sets a Permanent User to Temporary description: 'Update the settings for temporary users. Use this route to enable or disable temporary users for your environment' parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/TemporaryUserDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/TemporaryUserDto' tags: - User Management delete: operationId: TemporaryUsersV1Controller_setUserPermanent summary: Sets a Temporary User to Permanent description: 'Set an existing temporary user as permanent. Provide the user''s ID as a path parameter.' 
parameters: - name: userId required: true in: path schema: type: string responses: '200': description: '' tags: - User Management /resources/users/temporary/v1/configuration: get: operationId: TemporaryUsersV1Controller_getConfiguration summary: Gets Temporary Users Configuration description: 'Retrieve the settings for temporary users. Use this endpoint to check whether the policy is enabled or disabled.' parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/TemporaryUsersConfigurationDto' tags: - User Management put: operationId: TemporaryUsersV1Controller_updateConfiguration summary: Set Temporary Users Configuration description: Update the settings for temporary users. Use this route to enable or disable temporary users for an environment. parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/TemporaryUsersConfigurationDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/TemporaryUsersConfigurationDto' tags: - Users /resources/users/emails/v1: get: operationId: UserEmailsControllerV1_getAllEmails summary: Get All User Emails description: 'This route returns all user emails.' parameters: - name: _limit required: false in: query schema: minimum: 1 type: number - name: _offset required: false in: query schema: minimum: 0 type: number description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page. 
- name: _sortBy required: false in: query schema: enum: - userId - email type: string - name: _order required: false in: query schema: enum: - ASC - DESC type: string - name: _email required: false in: query schema: type: string - name: userIds required: false in: query schema: type: string - name: frontegg-tenant-id in: header description: The tenant ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/UserEmailResponseDto' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - User Management post: operationId: UserEmailsControllerV1_createUserEmail summary: Create a User Email description: This route creates a user email. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserEmailRequestDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserEmailResponseDto' '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserEmailResponseDto' tags: - User Management /resources/users/emails/v1/verify: post: operationId: UserEmailsControllerV1_verifyUserEmail summary: Verify User Email description: This route verifies a user email. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserEmailVerifyRequestDto' responses: '200': description: '' tags: - User Management /resources/users/emails/v1/{emailId}: delete: operationId: UserEmailsControllerV1_deleteUserEmail summary: Delete a User Email description: This route deletes a user email. parameters: - name: emailId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string - name: frontegg-user-id in: header description: The user ID required: true schema: type: string responses: '200': description: '' tags: - User Management /resources/users/emails/v1/vendor/{userId}: post: operationId: UserEmailsControllerV1_createUserEmailForVendor summary: Create a User Email for Vendor description: Creates a new email address for a user. parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserEmailVendorRequestDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserEmailResponseDto' '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserEmailResponseDto' tags: - User Management /resources/users/emails/v1/vendor/{userId}/{emailId}: delete: operationId: UserEmailsControllerV1_deleteUserEmailForVendor summary: Delete a User Email for Vendor description: This route deletes a user email. 
parameters: - name: userId required: true in: path schema: type: string - name: emailId required: true in: path schema: type: string responses: '200': description: '' tags: - User Management /resources/users/emails/v1/vendor/{userId}/primary: post: operationId: UserEmailsControllerV1_markEmailAsPrimary summary: Mark Email as Primary for Vendor description: This route marks an email as primary. parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MarkEmailAsPrimaryRequestDto' responses: '200': description: '' tags: - User Management /resources/users/emails/v1/me/primary: post: operationId: UserEmailsControllerV1_markEmailAsPrimaryMe summary: Mark Email as Primary description: This route marks an email as primary. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MarkEmailAsPrimaryRequestDto' responses: '200': description: '' tags: - User Management /resources/users/emails/v1/me: get: operationId: UserEmailsControllerV1_getUserOwnEmails summary: Get Current User's Emails description: This route returns all user emails for the current user. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string - name: frontegg-user-id in: header description: The user ID required: true schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/UserEmailResponseDto' tags: - User Management /resources/sub-tenants/users/v1/{userId}/access: put: operationId: UsersControllerV1_setUserRolesFromSubTenants summary: Set Sub-account Access for a User description: 'Set sub-account access for a user. Use this endpoint to enable or disable sub-account access by setting the value to `true` or `false`.' parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateSubAccountAccessRequestDto' responses: '200': description: '' tags: - User Management /resources/users/v1/activate/reset: post: operationId: UsersActivationControllerV1_resetActivationToken summary: Reset User Activation Token description: 'Reset the activation token for a user and trigger a new activation email. Provide the user''s ID as a path parameter.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ResetActivationTokenDto' responses: '201': description: '' tags: - User Management /resources/users/v1/invitation/reset: post: operationId: UsersTenantManagementControllerV1_resetTenantInvitationToken summary: Reset Invitation description: 'Reset an invitation for a user to join a specific account (tenant). The response includes a new invitation link with a new token.' 
parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ResetTenantInvitationDto' responses: '200': description: '' tags: - User Management /resources/users/v1/invitation/reset/all: post: operationId: UsersTenantManagementControllerV1_resetAllTenantsInvitationToken summary: Reset All Invitation Tokens description: 'Reset all invitations for a user to join all sub-accounts (tenants) that currently have an invitation token. The response includes new invitation links with new tokens.' parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ResetTenantInvitationDto' responses: '200': description: '' tags: - User Management /resources/users/v3: get: operationId: UsersControllerV3_getUsers summary: Get Users description: Retrieve all users for an account (tenant) or for the entire environment. parameters: - name: _limit required: false in: query description: The default limit is 50 users per request, the maximum is 200 schema: type: number - name: _identifier required: false in: query description: Filter users by username prefix match. Must be provided together with _identifierType schema: type: string - name: _identifierType required: false in: query description: Filter users by username. 
Must be provided together with _identifier schema: enum: - email - phoneNumber - username type: string - name: _includeSubTenants required: false in: query description: when passing a user id, gives the option to include or not include sub accounts (tenants) when searching users schema: default: true type: boolean - name: _namePrefix required: false in: query description: Filter users by prefix name match schema: type: string - name: _offset required: false in: query schema: minimum: 0 type: number description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page. - name: _email required: false in: query schema: type: string - name: _tenantId required: false in: query schema: type: string - name: ids required: false in: query schema: type: string - name: _sortBy required: false in: query schema: enum: - createdAt - name - email - id - verified - isLocked - provider - tenantId type: string - name: _order required: false in: query schema: enum: - ASC - DESC type: string - name: _externalIds required: false in: query schema: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/UserV3Dto' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - User Management /resources/users/v3/roles: get: operationId: UsersControllerV3_getUsersRoles summary: Get Users Roles description: Retrieve all user roles for an account (tenant). 
parameters: - name: ids required: true in: query schema: type: array items: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetUserRolesResponse' tags: - User Management /resources/users/v3/groups: get: operationId: UsersControllerV3_getUsersGroups summary: Get Users Groups description: Retrieve all user groups for an account (tenant). parameters: - name: ids required: true in: query schema: type: array items: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetUserGroupsResponse' tags: - User Management /resources/users/v3/me/unlock: post: operationId: UsersControllerV3_unlock summary: Unlock User parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UnlockUserRequestDto' responses: '200': description: '' tags: - User Management description: 'Unlock your user account. Provide the required information in the request body to unlock the account.' /resources/users/v2: post: operationId: UsersControllerV2_createUser summary: Invite User description: 'Create a user for a specific account (tenant). Include the user''s information in the request body. The `email` and `metadata` fields are required. The `metadata` field can be empty (e.g., `{}`).' 
parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserCreatedResponse' tags: - User Management /resources/users/v2/me: put: operationId: UsersControllerV2_updateUserProfile summary: Update User Profile description: 'Update the profile of a logged-in user. Provide the updated values in the request body. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUserDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - User Management get: operationId: UsersControllerV2_getUserProfile summary: Get User Profile description: 'Retrieve the profile of a logged-in user. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication.' parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - User Management /resources/users/v1: post: operationId: UsersControllerV1_createUser summary: Create User description: Use the V2 route for Invite User. This route is no longer relevant. 
deprecated: true parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserCreatedResponse' tags: - User Management put: operationId: UsersControllerV1_updateUser summary: Update User description: 'Update a user''s information for a specific account (tenant). Include the updated user information in the request body.' parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUserDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - User Management /resources/users/v1/{userId}: delete: operationId: UsersControllerV1_removeUserFromTenant summary: Remove User description: 'Remove a user globally or from a specific account (tenant). An environment token is required for this route and can be obtained from the environment authentication route.' parameters: - name: userId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier (optional) required: false schema: type: string responses: '200': description: '' tags: - User Management put: operationId: UsersControllerV1_updateUserForVendor summary: Update User (global) description: Updates a user’s information globally. Provide the user ID as a path parameter and include the fields to update in the request body. The route supports partial updates—only the provided fields are changed. 
For identifier fields such as `emails` or `phones`, new items are added instead of replacing existing ones. parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateVendorUserDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users /resources/users/v1/{userId}/roles: post: operationId: UsersControllerV1_addRolesToUser summary: Assign Roles to User description: Associate roles to a specific user for a specific account (tenant). parameters: - name: userId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AssignUserToRolesDto' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/AssignUserToRolesResponseDto' tags: - User Management delete: operationId: UsersControllerV1_deleteRolesFromUser summary: Unassign Roles From User description: 'Disassociate roles from a specific user for a specific account (tenant). Include the role IDs in the request body as an array of strings.' parameters: - name: userId required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UnassignUserFromRolesDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/DeleteUserToRolesResponseDto' tags: - User Management /resources/users/v1/tenant: put: operationId: UsersControllerV1_updateUserTenant summary: Update User's Active Account (tenant) description: 'Update the current account (tenant) for a logged-in user. 
Use this endpoint when a user belongs to multiple accounts (tenants) and wants to change the active account (tenant). Include the target account (tenant) ID in the request body.' parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUserTenantDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - User Management /resources/users/v1/query/phrase: get: operationId: UsersControllerV1_searchUsers summary: Get Users with Fuzzy Search description: 'Retrieve all users for a specific account (tenant) or for the entire environment. In addition to all standard Get users query parameters, this route supports phrase search, enabling complex queries with options such as `contains`, `excludes`, `optional`, and approximate matching.' parameters: - name: _limit required: false in: query description: The default limit is 50 users per request, the maximum is 200 schema: type: number - name: _identifier required: false in: query description: Filter users by username prefix match. Must be provided together with _identifierType schema: type: string - name: _identifierType required: false in: query description: Filter users by username. 
Must be provided together with _identifier schema: enum: - email - phoneNumber - username type: string - name: _includeSubTenants required: false in: query description: When passing a user ID, controls whether sub accounts (tenants) are included when searching users schema: default: true type: boolean - name: _namePrefix required: false in: query description: Filter users by prefix name match schema: type: string - name: _phraseSearchContains required: false in: query description: Pass a list of strings, separated by comma, to search for users that contain all of the strings in the list schema: type: array items: type: string - name: _phraseSearchExcludes required: false in: query description: Pass a list of strings, separated by comma, to search for users that do not contain any of the strings in the list schema: type: array items: type: string - name: _phraseSearchOptional required: false in: query description: Pass a list of strings, separated by comma, to search for users that contain at least one of the strings in the list schema: type: array items: type: string - name: _phraseSearchApproximate required: false in: query description: When true, the search will be approximate (fuzzy), meaning it will include similar characters to the ones in the search string schema: default: false type: boolean - name: _offset required: false in: query schema: minimum: 0 type: number description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page.
- name: _email required: false in: query schema: type: string - name: _tenantId required: false in: query schema: type: string - name: ids required: false in: query schema: type: string - name: _sortBy required: false in: query schema: enum: - createdAt - name - email - id - verified - isLocked - provider - tenantId type: string - name: _order required: false in: query schema: enum: - ASC - DESC type: string - name: _externalIds required: false in: query schema: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: false schema: type: string responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/UserV3Dto' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - User Management /resources/usernames/v1: get: operationId: UsernamesControllerV1_getUsersUsernames summary: Get Usernames for Users description: This route gets usernames for users. parameters: - name: _limit required: false in: query schema: minimum: 1 type: number - name: _offset required: false in: query schema: minimum: 0 type: number description: The page number to retrieve. For example, use 0 for the first page, 1 for the second page. 
- name: _sortBy required: false in: query schema: enum: - userId - username type: string - name: _order required: false in: query schema: enum: - ASC - DESC type: string - name: _usernamePrefix required: false in: query schema: type: string - name: userIds required: false in: query schema: type: array items: type: string - name: usernames required: false in: query schema: type: array items: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UsernameResponseDto' tags: - User Management post: operationId: UsernamesControllerV1_createUsername summary: Create a Username for User description: This route creates a username for a user. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUsernameRequestDto' responses: '200': description: '' '201': description: '' tags: - User Management /resources/usernames/v1/{username}: delete: operationId: UsernamesControllerV1_deleteUsername summary: Delete a Username for User description: This route deletes a username for a user. parameters: - name: username required: true in: path schema: type: string responses: '200': description: '' tags: - User Management /resources/usernames/v1/me: get: operationId: UsernamesControllerV1_getMeUsernames summary: Get Authenticated User's Username parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. 
Parsed from the token when using user or API tokens required: false schema: type: string - name: frontegg-user-id in: header description: The user id required: true schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UsernameResponseDto' tags: - User Management /resources/users/v1/email/me: post: operationId: SelfEmailUpdateControllerV1_updateEmailMe summary: Update User Email description: This route updates the email for a user. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/SelfEmailUpdateRequestDto' responses: '200': description: '' tags: - User Management /resources/users/v1/email/me/verify: post: operationId: SelfEmailUpdateControllerV1_verifyEmailMe summary: Verify User Email description: This route verifies the email for a user. parameters: - name: frontegg-tenant-id in: header description: The tenant identifier. Required for requests to api.frontegg.com (or your region) when using a management token. Parsed from the token when using user or API tokens required: false schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/SelfEmailUpdateVerifyRequestDto' responses: '200': description: '' tags: - User Management /resources/users/v1/activate: post: operationId: UsersActivationControllerV1_activateUser summary: Activate User description: 'Activate a non-activated user. Include the `userId` and `activationToken` in the request body. If required by your environment''s sign-in flow, also include the user''s password and reCAPTCHA values. You can generate an activation token using the route under Users → Generate Activation Token. 
Alternatively, you can use the built-in email template for user activation.' parameters: - name: frontegg-vendor-host required: true in: header schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ActivateUserDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - User Management /resources/users/v1/activate/code: post: operationId: UsersActivationControllerV1_activateUserWithCode summary: Activate User with Code description: 'Activate a non-activated user. Use this endpoint to implement a custom activation flow. Include the `userId`, `activationToken`, and `code` in the request body. If required by your environment''s sign-in flow, also include the user''s password and reCAPTCHA values. You can generate an activation token using the route under Users → Generate Activation Token. Alternatively, you can use the built-in email template for user activation.' parameters: - name: frontegg-vendor-host required: true in: header schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ActivateUserWithCodeDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/AuthenticationResponseDto' tags: - User Management /resources/users/v1/activate/strategy: get: operationId: UsersActivationControllerV1_getActivationStrategy summary: Get User Activation Strategy description: 'Retrieve a user''s activation strategy. The activation strategy indicates whether the user needs to set a password. Include the `userId` and `activationToken` in the request body. You can generate an activation token using the route under Users → Generate Activation Token. The response returns a Boolean field `shouldSetPassword`. If `true`, the user needs to set a password. If `false`, the user does not need to set a password (for example, SSO users do not set passwords).' 
parameters: - name: userId required: true in: query schema: type: string - name: token required: true in: query schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetActivateStrategyResponseDto' tags: - User Management /resources/users/v1/invitation/accept: post: operationId: UsersTenantManagementControllerV1_acceptInvitation summary: Accept Invitation description: 'Accept an invitation for a user to join a specific account (tenant). Include the `userId` and `invitationToken` in the request body. These values appear as query parameters in the URL that Frontegg sends to the user in the activation email.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AcceptInvitationDto' responses: '200': description: '' '201': description: '' tags: - User Management /resources/users/v1/invitation/accept/code: post: operationId: UsersTenantManagementControllerV1_acceptInvitationWithCode summary: Accept Invitation with Code parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AcceptInvitationWithCodeDto' responses: '200': description: '' tags: - User Management description: 'Accept an invitation to join a specific account (tenant) using an invitation code. Include the required `userId`, `invitationToken`, and `code` in the request body.' /resources/users/v3/me: get: operationId: UsersControllerV3_getUserProfile summary: Get User Profile description: 'Retrieve the profile of a logged-in user. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication.' 
parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserV3Dto' tags: - User Management /resources/users/v2/me/tenants: get: operationId: UsersControllerV2_getUserTenants summary: Get User Accounts (tenants) description: 'Retrieve the list of accounts (tenants) that a logged-in user belongs to. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication.' parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/UserTenantDataDto' tags: - User Management /resources/users/v2/me/hierarchy: get: operationId: UsersControllerV2_getUserTenantsHierarchy summary: Get User Accounts (tenants) Hierarchy description: 'Retrieve the list of accounts (tenants) with hierarchy metadata that a logged-in user belongs to. If the user is a member of multiple accounts (tenants) in a hierarchy, some entries may be reduced based on the hierarchy structure. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication.' parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetUserTenantsHierarchyResponseDto' tags: - User Management /resources/users/v1/me/authorization: get: operationId: UsersControllerV1_getMeAuthorization summary: Get User Permissions and Roles description: 'Retrieve the list of permissions and roles that a logged-in user has. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication.' 
parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/MeAuthorizationResponseDto' tags: - User Management /resources/users/v1/me/tenants: get: operationId: UsersControllerV1_getUserTenants summary: Get User Accounts (tenants) description: 'Retrieve the list of accounts (tenants) that a logged-in user belongs to. No parameters are required. Use your Frontegg subdomain or custom domain as the host. A user token is required for this route and can be obtained after user authentication.' parameters: [] responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetUserTenantsResponseDto' tags: - User Management /resources/user-sources/v1: get: operationId: UserSourcesControllerV1_getUserSources summary: Get Vendor User Sources description: 'Retrieve all user sources configured for your environment. A valid environment token is required to call this endpoint.' parameters: [] responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/GetUserSourceExtendedResponseDTO' tags: - User Pools /resources/user-sources/v1/{id}: get: operationId: UserSourcesControllerV1_getUserSource summary: Get Vendor User Source description: 'Retrieve a user source by ID. A valid environment token is required to call this endpoint.' parameters: - name: id required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/GetUserSourceResponseDTO' tags: - User Pools delete: operationId: UserSourcesControllerV1_deleteUserSource summary: Delete User Source description: 'Delete a user source. A valid environment token is required to call this endpoint.' 
parameters: - name: id required: true in: path schema: type: string responses: '200': description: '' tags: - User Pools /resources/user-sources/v1/external/auth0: post: operationId: UserSourcesControllerV1_createAuth0ExternalUserSource summary: Create Auth0 External User Source description: 'Create a new external user source. A valid environment token is required to call this endpoint.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateAuth0ExternalUserSourceRequestDTO' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/CreateUserSourceResponse' tags: - User Pools /resources/user-sources/v1/external/cognito: post: operationId: UserSourcesControllerV1_createCognitoExternalUserSource summary: Create Cognito External User Source description: 'Create a new external user source. A valid environment token is required to call this endpoint.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateCognitoExternalUserSourceRequestDTO' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/CreateUserSourceResponse' tags: - User Pools /resources/user-sources/v1/external/firebase: post: operationId: UserSourcesControllerV1_createFirebaseExternalUserSource summary: Create Firebase External User Source description: 'Create a new external user source. A valid environment token is required to call this endpoint.' 
parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateFirebaseExternalUserSourceRequestDTO' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/CreateUserSourceResponse' tags: - User Pools /resources/user-sources/v1/external/custom-code: post: operationId: UserSourcesControllerV1_createCustomCodeExternalUserSource summary: Create Custom-Code External User Source description: 'Create a new external user source. A valid environment token is required to call this endpoint.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateCustomCodeExternalUserSourceRequestDTO' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/CreateUserSourceResponse' tags: - User Pools /resources/user-sources/v1/federation: post: operationId: UserSourcesControllerV1_createFederationUserSource summary: Create Federation User Source description: 'Create a new federation user source. A valid environment token is required to call this endpoint.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateFederationUserSourceRequestDTO' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/CreateUserSourceResponse' tags: - User Pools /resources/user-sources/v1/external/auth0/{id}: put: operationId: UserSourcesControllerV1_updateAuth0ExternalUserSource summary: Update Auth0 External User Source description: 'Update an external user source. A valid environment token is required to call this endpoint.' 
parameters: - name: id required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateExternalAuth0UserSourceRequestDTO' responses: '200': description: '' tags: - User Pools /resources/user-sources/v1/external/cognito/{id}: put: operationId: UserSourcesControllerV1_updateCognitoExternalUserSource summary: Update Cognito External User Source description: 'Update an external user source. A valid environment token is required to call this endpoint.' parameters: - name: id required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateExternalCognitoUserSourceRequestDTO' responses: '200': description: '' tags: - User Pools /resources/user-sources/v1/external/firebase/{id}: put: operationId: UserSourcesControllerV1_updateFirebaseExternalUserSource summary: Update Firebase External User Source description: 'Update an external user source. A valid environment token is required to call this endpoint.' parameters: - name: id required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateExternalFirebaseUserSourceRequestDTO' responses: '200': description: '' tags: - User Pools /resources/user-sources/v1/external/custom-code/{id}: put: operationId: UserSourcesControllerV1_updateCustomCodeExternalUserSource summary: Update Custom-Code External User Source description: 'Update an external user source. A valid environment token is required to call this endpoint.' 
parameters: - name: id required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateExternalCustomCodeUserSourceRequestDTO' responses: '200': description: '' tags: - User Pools /resources/user-sources/v1/federation/{id}: put: operationId: UserSourcesControllerV1_updateFederationUserSource summary: Update Federation User Source description: 'Update a federation user source. A valid environment token is required to call this endpoint.' parameters: - name: id required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateFederationUserSourceRequestDTO' responses: '200': description: '' tags: - User Pools /resources/user-sources/v1/assign: post: operationId: UserSourcesControllerV1_assignUserSource summary: Assign Applications to a User Source description: 'Assign applications to a user source. A valid environment token is required to call this endpoint.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AssignApplicationsToUserSourceRequestDTO' responses: '201': description: '' tags: - User Pools /resources/user-sources/v1/unassign: post: operationId: UserSourcesControllerV1_unassignUserSource summary: Unassign Applications From a User Source description: 'Unassign applications from a user source. A valid environment token is required to call this endpoint.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UnassignApplicationsFromUserSourceRequestDTO' responses: '201': description: '' tags: - User Pools /resources/user-sources/v1/{id}/users: get: operationId: UserSourcesControllerV1_getUserSourceUsers summary: Get User Source Users description: 'Retrieve all users of a user source. A valid environment token is required to call this endpoint.' 
parameters: - name: id required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: allOf: - $ref: '#/components/schemas/FronteggPaginationWrapper' - properties: items: type: array items: $ref: '#/components/schemas/GetUserSourceUsersResponseDTO' _links: $ref: '#/components/schemas/FronteggPaginationLinks' _metadata: $ref: '#/components/schemas/FronteggPaginationMetadata' tags: - User Pools /resources/users/sessions/v1/me: get: operationId: UserSessionsControllerV1_getActiveSessions summary: Get User's Active Sessions description: Retrieve all active sessions for a user. parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/GetActiveSessionsResponse' tags: - User Sessions /resources/users/sessions/v1/me/all: delete: operationId: UserSessionsControllerV1_deleteAllUserActiveSessions summary: Delete All User Sessions description: Delete all active sessions for a user. parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' tags: - User Sessions /resources/users/sessions/v1/me/{id}: delete: operationId: UserSessionsControllerV1_deleteUserSession summary: Delete Single User's Session description: Delete a specific active session for a user. parameters: - name: id required: true in: path schema: type: string - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' tags: - User Sessions /resources/vendor-only/users/v1/{userId}: get: operationId: VendorOnlyUsers_getUserById summary: Get User description: 'Retrieve a user by ID, regardless of account (tenant). Provide the user''s ID as a path parameter. This route is for management use only.' 
parameters: - name: userId required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users /resources/vendor-only/users/v1/{userId}/mfa/unenroll: post: operationId: VendorOnlyUsers_MFAUnenroll summary: Unenroll User From MFA Globally description: 'Unenroll a user from MFA, regardless of account (tenant). Provide the user''s ID as a path parameter. This route is for management use only.' parameters: - name: userId required: true in: path schema: type: string responses: '200': description: '' tags: - Users /resources/vendor-only/users/v1/passwords/verify: post: operationId: VendorOnlyUsers_verifyUserPassword summary: Verify User's Password description: 'Verify a user''s email and password. Provide the user''s email and password in the request body. The response will indicate `true` or `false`. This route is for management use only.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/ValidateUserPasswordRequest' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/ValidateUserPasswordResponse' tags: - Users /resources/vendor-only/users/v1: post: operationId: VendorOnlyUsers_createUser summary: Create User description: 'Create a user and set the `mfaBypass` property for testing purposes. This route is for management use only.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/CreateUserDtoVendorOnly' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users /resources/tenants/users/v1/statuses: get: operationId: get summary: Get Users Account (tenant) Statuses description: 'Retrieve the account (tenant) statuses of vendor users. Provide an array of `userIds` (maximum 200) and optionally an array of `userTenantStatuses` as query parameters.
There is a limit of 2000 account (tenant) statuses per user.' parameters: - name: userIds required: true in: query description: User IDs schema: type: array items: type: string - name: userTenantStatuses required: false in: query description: Account (tenant) Statuses schema: type: array items: type: string enum: - PendingInvitation - PendingLogin - Activated - NotActivated responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserTenantStatusesResponse' tags: - Users /resources/users/phone-numbers/v1/vendor/{userId}: post: operationId: UserPhoneNumbersControllerV1_createUserPhoneNumberVendor summary: Create User Phone Number Verified by Default description: Creates a new phone number for a user. Phone numbers added via this management endpoint are automatically verified. parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PreVerifyUserPhoneNumberRequestDto' responses: '201': description: '' tags: - Users /resources/users/phone-numbers/v1/vendor/{userId}/{phoneId}: delete: operationId: UserPhoneNumbersControllerV1_deleteUserPhoneNumberVendor summary: Delete User Phone Number on an Environment description: Delete a user phone number without verification. parameters: - name: phoneId required: true in: path schema: type: string - name: userId required: true in: path schema: type: string responses: '200': description: '' tags: - Users /resources/users/bulk/v1/invite: post: operationId: UsersBulkControllerV1_bulkInviteUsers summary: Invite Users to an Account (tenant) in Bulk description: 'Invite users to an account (tenant) in bulk. Provide an array of `users` in the request body. Each entry must include a user''s `email`.' 
parameters: - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UsersBulkInviteRequestDto' responses: '202': description: '' content: application/json: schema: $ref: '#/components/schemas/TaskContext' tags: - Users /resources/users/bulk/v1/status/{id}: get: operationId: UsersBulkControllerV1_getBulkInviteStatus summary: Get Status of Bulk Invite Task description: 'Invite users to an account (tenant) in bulk. Provide an array of `users` in the request body. Each entry must include a user''s `email`.' parameters: - name: id required: true in: path schema: type: string responses: '200': description: '' tags: - Users /resources/vendor-only/users/v1/{userId}/roles/bulk: patch: operationId: VendorOnlyUsers_bulkUpdateRolesAcrossAllTenants summary: Bulk Update User Roles Across All Tenants parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/BulkUpdateUserRolesRequestDto' responses: '200': description: Roles updated successfully (sync) or task queued (async) content: application/json: schema: $ref: '#/components/schemas/BulkUpdateUserRolesSyncResponseDto' tags: - Users /resources/vendor-only/users/v1/bulk-roles/status/{taskId}: get: operationId: VendorOnlyUsers_getBulkRolesTaskStatus summary: Get Status of Bulk Roles Update Task parameters: - name: taskId required: true in: path schema: type: string responses: '200': description: Task status content: application/json: schema: $ref: '#/components/schemas/BulkRolesTaskStatusResponseDto' tags: - Users /resources/users/v1/email: get: operationId: UsersControllerV1_getUserByEmail summary: Get User by Email description: 'Retrieve a user by email. Provide the user''s `email` as a query parameter.' 
parameters: - name: email required: true in: query schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/CoreUserDto' tags: - Users /resources/users/v1/{id}: get: operationId: UsersControllerV1_getUserById summary: Get User by ID description: 'Retrieve a specific user from an account (tenant). A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: id required: true in: path schema: type: string - name: frontegg-tenant-id in: header description: The account (tenant) ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users /resources/users/v1/{userId}/verify: post: operationId: UsersControllerV1_verifyUser summary: Verify User description: 'Mark a user as verified. Provide the user''s ID as a path parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: userId required: true in: path schema: type: string responses: '200': description: '' tags: - Users /resources/users/v1/{userId}/invisible: put: operationId: UsersControllerV1_setUserInvisibleMode summary: Make User Invisible description: 'Set whether a user is invisible or visible. An invisible user remains part of the account (tenant) but will not appear in the list of users in the admin box. The user data remains in the system. Provide the user''s ID as a path parameter and a Boolean `invisible` value in the request body (`true` for invisible, `false` for visible). A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' 
parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUserInvisibleDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users /resources/users/v1/{userId}/superuser: put: operationId: UsersControllerV1_setUserSuperuserMode summary: Make User Super-user description: 'Set a user as a super-user. Super-user functionality is no longer maintained due to incompatibility with newer features. A super-user has access to all accounts (tenants) within the workspace. Provide the user''s ID as a path parameter and a Boolean `superUser` value in the request body (`true` for super-user, `false` for regular user). A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUserSuperuserDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users /resources/users/v1/{userId}/tenant: put: operationId: UsersControllerV1_updateUserTenantForVendor summary: Set User's Account (tenant) description: 'Set the active account (tenant) of a user. The active account (tenant) is the account (tenant) the user will see in their admin portal and the account (tenant) used by default for account (tenant)-specific API routes. Provide the user''s ID as a path parameter and the account (tenant) ID as a `tenantId` value in the request body. If a non-existing account (tenant) ID is provided, an account (tenant) will be created for that ID. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' 
parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUserTenantWithValidationDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users post: operationId: UsersControllerV1_addUserToTenantForVendor summary: Add User to Account (tenant) description: 'Add a user to an account (tenant). Provide the user''s ID as a path parameter and the account (tenant) ID as a `tenantId` value in the request body. To skip sending an invite email, include the optional `skipInviteEmail` parameter in the request body and set it to `true`. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AddUserToTenantRequest' responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users /resources/users/v1/{userId}/email: put: operationId: UsersControllerV1_updateUserEmail summary: Update User Email description: 'Update a user''s email address globally, regardless of account (tenant). Provide the user''s ID as a path parameter and the new email address as an `email` value in the request body.' parameters: - name: userId required: true in: path schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UpdateUserEmailDto' responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserDto' tags: - Users /resources/users/v1/{userId}/links/generate-activation-token: post: operationId: UsersControllerV1_generateUserActivationLink summary: Generate Activation Token description: 'Generate a new activation token for a user. 
Provide the user''s ID as a path parameter. This route does not send the activation email but returns the activation link and token. It can be used in combination with the routes under **Users Activation**. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: userId required: true in: path schema: type: string responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/GenerateUserActivationLinkResponseDto' tags: - Users /resources/users/v1/{userId}/links/generate-password-reset-token: post: operationId: UsersControllerV1_generateUserPasswordResetLink summary: Generate Password Reset Token description: 'Generate a password reset token for a user. Provide the user''s ID as a path parameter. This route does not send the reset password email but returns the reset link and token. It can be used in combination with the routes under **Users Passwords**. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: userId required: true in: path schema: type: string responses: '201': description: '' content: application/json: schema: $ref: '#/components/schemas/GenerateUserResetPasswordLinkResponseDto' tags: - Users /resources/users/v1/{userId}/unlock: post: operationId: UsersControllerV1_unlockUser summary: Unlock User description: 'Unlock a locked user. An unlocked user can sign in and use the system globally, regardless of account (tenant). Provide the user''s ID as a path parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: userId required: true in: path schema: type: string responses: '200': description: '' tags: - Users /resources/users/v1/{userId}/lock: post: operationId: UsersControllerV1_lockUser summary: Lock User description: 'Lock a user. 
A locked user cannot sign in or use the system globally, regardless of account (tenant). Provide the user''s ID as a path parameter. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: - name: userId required: true in: path schema: type: string responses: '200': description: '' tags: - Users /resources/users/v1/tenants/migrate: put: operationId: UsersControllerV1_moveAllUsersTenants summary: Move All Users From One Account (tenant) to Another description: 'Migrate all users from a source account (tenant) to a target account (tenant). Specify `srcTenantId` (source account (tenant) ID) and `targetTenantId` (target account (tenant) ID) in the request body. A valid environment token is required to call this endpoint. You can obtain it from the environment authentication route.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/MigrateUsersFromTenantToTenantRequest' responses: '200': description: '' tags: - Users /resources/applications/v1/{appId}/users: get: operationId: ApplicationsControllerV1_getUsersForApplication summary: Get Users for Application description: 'Retrieve users for an application. Provide the application ID as a path parameter.' parameters: - name: appId required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: type: string tags: - Users-applications Management /resources/applications/v1/{userId}/apps: get: operationId: ApplicationsControllerV1_getApplicationsForUser summary: Get Applications for User description: 'Retrieve applications for a user. 
Provide the user''s ID as a path parameter' parameters: - name: userId required: true in: path schema: type: string responses: '200': description: '' content: application/json: schema: type: array items: type: string tags: - Users-applications Management /resources/applications/v1: post: operationId: ApplicationsControllerV1_assignUsersToApplication summary: Assign Users to Application description: 'Assign users to an application. Provide the application ID as a path parameter and the user IDs in the request body.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/AssignUsersToAppRequestDto' responses: '201': description: '' content: application/json: schema: type: array items: $ref: '#/components/schemas/ApplicationUserTenantsResponseDto' tags: - Users-applications Management delete: operationId: ApplicationsControllerV1_unassignUsersFromApplication summary: Unassign Users From Application description: 'Unassign users from an application. Provide the application ID as a path parameter and the user IDs in the request body.' parameters: [] requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/UnassignUsersFromAppRequestDto' responses: '200': description: '' tags: - Users-applications Management /resources/applications/user-tenants/active/v1: get: operationId: ApplicationsActiveUserTenantsControllerV1_getUserApplicationActiveTenants summary: Get User Active Accounts (tenants) in Applications description: 'Retrieve the active accounts (tenants) of a user for an application. Provide the application ID and the user ID as path parameters.' 
parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string responses: '200': description: '' content: application/json: schema: $ref: '#/components/schemas/UserApplicationActiveTenantsResponseDto' tags: - Users-applications Management put: operationId: ApplicationsActiveUserTenantsControllerV1_switchUserApplicationActiveTenant summary: Switch Users Active Account (tenant) in Applications description: 'Update the active accounts (tenants) of a user for an application. Provide the application ID and the user ID as path parameters and the updated list of account (tenant) IDs in the request body.' parameters: - name: frontegg-user-id in: header description: The user ID identifier required: true schema: type: string requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/SwitchApplicationActiveUserTenantsRequestDto' responses: '200': description: '' tags: - Users-applications Management info: title: Authentication and Identity Management description: 'Frontegg offers a comprehensive suite of authentication, user management, and security features to streamline identity management and enhance application security. This section provides an overview of all relevant API endpoints, organized into Authentication, Management, and Self-Service categories. **Authentication Endpoints**: Enable secure user login, multi-factor authentication (MFA), passwordless options, and social login integrations, allowing for a flexible and robust sign-in experience. **Management Endpoints**: Require environment-level authorization and provide full control over SSO (SAML and OpenID Connect) resources, user roles, permissions, and configurations. These endpoints are designed for administrative use, allowing for centralized identity and access management. 
**Self-Service Endpoints**: Accessible with a user token (JWT), these endpoints empower users to manage their SSO connections and other account settings. Users with the necessary permissions can create, update, or delete SSO configurations directly, ensuring they have the tools to manage their access securely and independently. Each category in this section helps you configure and extend Frontegg’s capabilities, providing the flexibility to manage user identities, authentication protocols, and access controls as per your application’s needs.' version: '1.0' servers: - url: https://api.frontegg.com/identity description: EU Region - url: https://api.us.frontegg.com/identity description: US Region - url: https://api.ca.frontegg.com/identity description: CA Region - url: https://api.au.frontegg.com/identity description: AU Region - url: https://{domain}.frontegg.com/identity description: Frontegg sub-domain for use with user tokens variables: domain: default: app-xxx components: securitySchemes: bearer: scheme: bearer bearerFormat: JWT type: http schemas: PermissionResponse: type: object properties: id: type: string key: type: string name: type: string description: type: string createdAt: format: date-time type: string updatedAt: format: date-time type: string roleIds: type: array items: type: string categoryId: type: string fePermission: type: boolean required: - id - key - name - description - createdAt - updatedAt - roleIds - categoryId - fePermission AddPermissionRequest: type: object properties: key: type: string name: type: string description: type: string categoryId: type: string assignmentType: type: string enum: - NEVER - ALWAYS - ASSIGNABLE required: - key - name UpdatePermissionRequest: type: object properties: key: type: string name: type: string description: type: string categoryId: type: string AddRolesToPermissionRequest: type: object properties: roleIds: description: The permission will be assigned to the specified roles type: array items: type: string 
required: - roleIds ClassifyPermissionsDto: type: object properties: permissionIds: type: array items: type: string type: type: string enum: - NEVER - ALWAYS - ASSIGNABLE required: - permissionIds - type PermissionCategoryResponseDto: type: object properties: id: type: string name: type: string description: type: string nullable: true createdAt: format: date-time type: string feCategory: type: boolean required: - id - name - description - createdAt - feCategory CreateCategoryDto: type: object properties: name: type: string description: type: string id: type: string required: - name UpdateCategoryDto: type: object properties: name: type: string description: type: string CreateUserAccessTokenRequest: type: object properties: description: type: string expiresInMinutes: type: number minimum: 1 description: Token expiration time in minutes. If undefined, the token does not expire UserAccessTokenResponse: type: object properties: id: type: string description: type: string createdAt: format: date-time type: string secret: type: string expires: format: date-time type: string required: - id - createdAt GetUserAccessTokensResponse: type: object properties: accessTokens: type: array items: $ref: '#/components/schemas/UserAccessTokenResponse' required: - accessTokens CreateTenantAccessTokenRequest: type: object properties: description: type: string expiresInMinutes: type: number minimum: 1 description: Token expiration time in minutes. 
If undefined, the token does not expire roleIds: description: Array of role IDs to attach to the token type: array items: type: string TenantAccessTokenResponse: type: object properties: id: type: string description: type: string createdAt: format: date-time type: string secret: type: string expires: format: date-time type: string roleIds: description: Array of role Ids type: array items: type: string createdByUserId: type: string nullable: true required: - id - createdAt - roleIds - createdByUserId GetTenantAccessTokensResponse: type: object properties: accessTokens: type: array items: $ref: '#/components/schemas/TenantAccessTokenResponse' required: - accessTokens AuthUserAccessTokenResponse: type: object properties: userId: type: string id: type: string tenantId: type: string permissions: type: array items: type: string roles: type: array items: type: string expires: format: date-time type: string required: - userId - id - tenantId - permissions - roles AuthTenantAccessTokenResponse: type: object properties: id: type: string tenantId: type: string permissions: type: array items: type: string roles: type: array items: type: string expires: format: date-time type: string required: - id - tenantId - permissions - roles GetActiveSessionsResponse: type: object properties: {} RecoverMfaDto: type: object properties: recoveryCode: type: string email: type: string required: - recoveryCode - email VendorConfigRequest: type: object properties: defaultTokenExpiration: type: number defaultRefreshTokenExpiration: type: number maximum: 15552000 cookieSameSite: enum: - STRICT - LAX - NONE type: string machineToMachineAuthStrategy: enum: - ClientCredentials - AccessToken type: string allowSignups: type: boolean apiTokensEnabled: type: boolean allowOverridePasswordComplexity: type: boolean allowOverridePasswordExpiration: type: boolean allowOverrideEnforcePasswordHistory: type: boolean jwtAlgorithm: enum: - HS256 - RS256 type: string allowNotVerifiedUsersLogin: type: 
boolean forcePermissions: type: boolean addSamlAttributesToJwt: type: boolean authStrategy: enum: - Code - EmailAndPassword - MagicLink - NoLocalAuthentication - SmsCode type: string defaultPasswordlessTokenExpiration: type: number forceSameDeviceOnAuth: type: boolean allowTenantInvitations: type: boolean rotateRefreshTokens: type: boolean skipTenantValidation: type: boolean addRolesToJwt: type: boolean addPermissionsToJwt: type: boolean allowCustomLoginTenantSwitch: type: boolean VendorConfigResponse: type: object properties: id: type: string defaultTokenExpiration: type: number defaultRefreshTokenExpiration: type: number publicKey: type: string cookieSameSite: enum: - STRICT - LAX - NONE type: string allowSignups: type: boolean apiTokensEnabled: type: boolean allowOverridePasswordComplexity: type: boolean allowOverridePasswordExpiration: type: boolean allowOverrideEnforcePasswordHistory: type: boolean jwtAlgorithm: enum: - RS256 - HS256 type: string jwtSecret: type: string allowNotVerifiedUsersLogin: type: boolean forcePermissions: type: boolean authStrategy: enum: - EmailAndPassword - MagicLink - Code - NoLocalAuthentication - SmsCode - UsernameAndPassword - UsernameAndMagicLink - UsernameAndCode - UsernameAndSms type: string defaultPasswordlessTokenExpiration: type: number forceSameDeviceOnAuth: type: boolean allowTenantInvitations: type: boolean rotateRefreshTokens: type: boolean machineToMachineAuthStrategy: enum: - ClientCredentials - AccessToken type: string addRolesToJwt: type: boolean addPermissionsToJwt: type: boolean refreshTokensRotationLimit: type: number addSamlAttributesToJwt: type: boolean allowCustomLoginTenantSwitch: type: boolean required: - id - defaultTokenExpiration - defaultRefreshTokenExpiration - publicKey - cookieSameSite - allowSignups - apiTokensEnabled - allowOverridePasswordComplexity - allowOverridePasswordExpiration - allowOverrideEnforcePasswordHistory - jwtAlgorithm - jwtSecret - allowNotVerifiedUsersLogin - forcePermissions - 
authStrategy - defaultPasswordlessTokenExpiration - forceSameDeviceOnAuth - allowTenantInvitations - rotateRefreshTokens - machineToMachineAuthStrategy - addRolesToJwt - addPermissionsToJwt - refreshTokensRotationLimit - addSamlAttributesToJwt - allowCustomLoginTenantSwitch MfaAuthAppConfig: type: object properties: active: type: boolean serviceName: type: string required: - active - serviceName MfaSmsConfig: type: object properties: active: type: boolean tokenLifetimeSeconds: type: number minimum: 300 required: - active - tokenLifetimeSeconds MfaEmailConfig: type: object properties: active: type: boolean tokenLifetimeSeconds: type: number minimum: 300 sender: type: string required: - active - tokenLifetimeSeconds - sender MfaConfigRequest: type: object properties: authenticationApp: $ref: '#/components/schemas/MfaAuthAppConfig' sms: $ref: '#/components/schemas/MfaSmsConfig' email: $ref: '#/components/schemas/MfaEmailConfig' AuthenticationAppConfiguration: type: object properties: active: type: boolean serviceName: type: string required: - active - serviceName SmsConfiguration: type: object properties: active: type: boolean tokenLifetimeSeconds: type: number required: - active - tokenLifetimeSeconds EmailConfiguration: type: object properties: active: type: boolean tokenLifetimeSeconds: type: number sender: type: string required: - active - tokenLifetimeSeconds - sender MfaConfigResponse: type: object properties: authenticationApp: $ref: '#/components/schemas/AuthenticationAppConfiguration' sms: $ref: '#/components/schemas/SmsConfiguration' email: $ref: '#/components/schemas/EmailConfiguration' required: - authenticationApp - sms - email OptionalTestsConfig: type: object properties: requireLowercase: type: boolean description: Require at least one lowercase letter requireUppercase: type: boolean description: Require at least one uppercase letter requireNumbers: type: boolean description: Require at least one number requireSpecialChars: type: boolean description: 
Require at least one special character RequiredTestsConfig: type: object properties: checkThreeRepeatedChars: type: boolean description: Check if the password contains three repeated characters PasswordConfigRequest: type: object properties: allowPassphrases: type: boolean maxLength: type: number minLength: type: number minPhraseLength: type: number minOptionalTestsToPass: type: number blockPwnedPasswords: type: boolean optionalTests: $ref: '#/components/schemas/OptionalTestsConfig' requiredTests: $ref: '#/components/schemas/RequiredTestsConfig' PasswordConfigResponse: type: object properties: allowPassphrases: type: boolean maxLength: type: number minLength: type: number minPhraseLength: type: number minOptionalTestsToPass: type: number blockPwnedPasswords: type: boolean optionalTests: type: object requiredTests: type: object required: - blockPwnedPasswords MfaPolicyRequest: type: object properties: enforceMFAType: type: string enum: - DontForce - Force - ForceExceptSAML description: Determine whether MFA should be enforced. default: Force allowRememberMyDevice: type: boolean description: Determine whether devices can be remembered and authentication can be skipped. 
default: false mfaDeviceExpiration: type: number description: Expiration time of device in seconds default: 1209600 MfaPolicyResponse: type: object properties: id: type: string enforceMFAType: type: string allowRememberMyDevice: type: boolean mfaDeviceExpiration: type: number createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - allowRememberMyDevice - mfaDeviceExpiration - createdAt - updatedAt LockoutPolicyRequest: type: object properties: enabled: type: boolean description: Determine whether the Lockout Policy is enabled maxAttempts: type: number description: The maximum number of login attempts a user can make minimum: 1 required: - enabled - maxAttempts LockoutPolicyResponse: type: object properties: id: type: string enabled: type: boolean maxAttempts: type: number createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - enabled - maxAttempts - createdAt - updatedAt PasswordHistoryPolicyRequest: type: object properties: enabled: type: boolean description: Determine whether the history policy is enabled. default: false historySize: type: number description: Number of passwords per user to remember in the history. maximum: 10 minimum: 1 default: 1 required: - enabled - historySize PasswordHistoryPolicyResponse: type: object properties: id: type: string enabled: type: boolean historySize: type: number createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - enabled - historySize - createdAt - updatedAt CaptchaPolicyRequest: type: object properties: enabled: type: boolean siteKey: type: string secretKey: type: string minScore: type: number ignoredEmails: description: Captcha validation will be skipped for those emails. 
type: array items: type: string required: - enabled - siteKey - secretKey - minScore CaptchaPolicyResponse: type: object properties: id: type: string siteKey: type: string secretKey: type: string enabled: type: boolean minScore: type: number ignoredEmails: type: array items: type: string createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - siteKey - secretKey - enabled - minScore - ignoredEmails - createdAt - updatedAt CreateTemplateDto: type: object properties: type: type: string enum: - ResetPassword - ActivateUser - InviteToTenant - PwnedPassword - MagicLink - OTC - ConnectNewDevice - UserUsedInvitation - ResetPhoneNumber - BulkInvitesToTenant - MFAEnroll - MFAUnenroll - NewMFAMethod - MFARecoveryCode - RemoveMFAMethod - EmailVerification - BruteForceProtection - SuspiciousIP - MFAOTC - ImpossibleTravel - BotDetection - SmsAuthenticationEnabled - UnlockUser - UnlockUserSuccess - ActivateUserWithCode - InviteToTenantWithCode - VerifyNewEmail - EmailAddressChanged - ApprovalFlowApprove senderEmail: type: string description: Email of the sender cannot exceed 512 characters subject: type: string description: Subject of the email cannot exceed 512 characters fromName: type: string description: Name of the sender cannot exceed 512 characters redirectURL: type: string description: 'Only required for: ResetPassword, ActivateUser, InviteToTenant, MagicLink, BulkInvitesToTenant' htmlTemplate: type: string maxLength: 1000000 successRedirectUrl: type: string active: type: boolean required: - type GetTemplateResponseDto: type: object properties: htmlTemplate: type: string senderEmail: type: string redirectURL: type: string successRedirectUrl: type: string subject: type: string fromName: type: string active: type: boolean type: type: object redirectURLPattern: type: string successRedirectUrlPattern: type: string required: - htmlTemplate - senderEmail - redirectURL - successRedirectUrl - subject - fromName - active - type 
CreateOrUpdateMailConfigRequestDto: type: object properties: secret: type: string required: - secret GetMailConfigResponseDto: type: object properties: secret: type: string createdAt: format: date-time type: string updatedAt: format: date-time type: string extension: type: array items: type: object provider: type: string enum: - sendgrid - mailgun - ses - ses-role required: - secret - createdAt - updatedAt - extension - provider SendGridDto: type: object properties: provider: type: string enum: - sendgrid secret: type: string required: - provider - secret SesDto: type: object properties: provider: type: string enum: - ses secret: type: string id: type: string region: type: string required: - provider - secret - id - region MailgunDto: type: object properties: provider: type: string enum: - mailgun secret: type: string domain: type: string region: default: us enum: - US: us EU: eu type: number required: - provider - secret - domain - region SesRoleDto: type: object properties: provider: type: string enum: - ses-role secret: type: string region: type: string required: - provider - secret - region CreateTenantApiTokenDto: type: object properties: metadata: type: object description: Extra data that will be encoded as part of the JWT description: type: string roleIds: description: Array of role Ids. Either this or permissionIds must be provided, but not both. type: array items: type: string permissionIds: description: Array of permission Ids. Either this or roleIds must be provided, but not both. roleIds will override permissionIds. type: array items: type: string expiresInMinutes: type: number minimum: 1 description: Token expiration time in minutes. 
If undefined, the token does not expire CreateTenantApiTokenResponseDto: type: object properties: clientId: type: string description: type: string nullable: true tenantId: type: string secret: type: string createdByUserId: type: string nullable: true metadata: type: object description: Extra data that will be encoded as part of the JWT createdAt: format: date-time type: string permissionIds: description: Array of permission Ids type: array items: type: string roleIds: description: Array of role Ids type: array items: type: string expires: format: date-time type: string required: - clientId - description - tenantId - secret - createdByUserId - metadata - createdAt GetTenantApiTokensResponse: type: object properties: clientId: type: string description: type: string nullable: true tenantId: type: string createdByUserId: type: string nullable: true metadata: type: object description: Extra data that will be encoded as part of the JWT createdAt: format: date-time type: string permissionIds: description: Array of permission Ids. Either this or roleIds will be present, but not both. type: array items: type: string roleIds: description: Array of role Ids. Either this or permissionIds will be present, but not both. 
type: array items: type: string expires: format: date-time type: string required: - clientId - description - tenantId - createdByUserId - metadata - createdAt - permissionIds - roleIds - expires UpdateApiTokenDto: type: object properties: metadata: type: object description: Extra data that will be encoded as part of the JWT description: type: string roleIds: description: Array of role Ids type: array items: type: string permissionIds: description: Array of permission Ids type: array items: type: string UpdateTenantApiTokenResponseDto: type: object properties: clientId: type: string description: type: string nullable: true tenantId: type: string createdByUserId: type: string nullable: true metadata: type: object description: Extra data that will be encoded as part of the JWT createdAt: format: date-time type: string permissionIds: description: Array of permission Ids type: array items: type: string roleIds: description: Array of role Ids type: array items: type: string expires: format: date-time type: string required: - clientId - description - tenantId - createdByUserId - metadata - createdAt CreateUserApiTokenDto: type: object properties: metadata: type: object description: Extra data that will be encoded as part of the JWT description: type: string expiresInMinutes: type: number minimum: 1 maximum: 5256000 description: Token expiration time in minutes. 
If undefined, the token does not expire CreateUserApiTokenResponseDto: type: object properties: clientId: type: string description: type: string metadata: type: object description: Extra data that will be encoded as part of the JWT createdAt: format: date-time type: string secret: type: string expires: format: date-time type: string required: - clientId - description - metadata - createdAt - secret GetUserApiTokensResponseDto: type: object properties: clientId: type: string description: type: string metadata: type: object description: Extra data that will be encoded as part of the JWT createdAt: format: date-time type: string expires: format: date-time type: string required: - clientId - description - metadata - createdAt RoleResponse: type: object properties: id: type: string vendorId: type: string tenantId: type: string key: type: string name: type: string description: type: string isDefault: type: boolean firstUserRole: type: boolean level: type: number createdAt: format: date-time type: string updatedAt: format: date-time type: string permissions: type: array items: type: string required: - id - vendorId - tenantId - key - name - description - isDefault - firstUserRole - level - createdAt - updatedAt - permissions UserTenantDto: type: object properties: tenantId: type: string roles: type: array items: $ref: '#/components/schemas/RoleResponse' temporaryExpirationDate: format: date-time type: string isDisabled: type: boolean required: - tenantId - roles UserDto: type: object properties: id: type: string email: type: string name: type: string profilePictureUrl: type: string sub: type: string verified: type: boolean mfaEnrolled: type: boolean mfaBypass: type: boolean phoneNumber: type: string roles: type: array items: $ref: '#/components/schemas/RoleResponse' permissions: type: array items: $ref: '#/components/schemas/PermissionResponse' provider: type: string tenantId: type: string tenantIds: type: array items: type: string activatedForTenant: type: 
boolean isLocked: type: boolean tenants: type: array items: $ref: '#/components/schemas/UserTenantDto' invisible: type: boolean superUser: type: boolean metadata: type: string vendorMetadata: type: string externalId: type: string createdAt: format: date-time type: string lastLogin: format: date-time type: string groups: type: array items: type: object subAccountAccessAllowed: type: boolean managedBy: enum: - frontegg - scim2 - external type: string required: - id - email - name - profilePictureUrl - sub - verified - mfaEnrolled - roles - permissions - provider - tenantId - tenantIds - tenants - metadata - vendorMetadata - createdAt - lastLogin - subAccountAccessAllowed ValidateUserPasswordRequest: type: object properties: email: type: string password: type: string required: - email - password ValidateUserPasswordResponse: type: object properties: {} CreateUserDtoVendorOnly: type: object properties: email: type: string description: The email of the user. If not provided, the username is required username: type: string description: The username of the user. If not provided, the email is required. Maximum length is 255 characters. maxLength: 255 name: type: string password: type: string phoneNumber: type: string metadata: type: string description: Stringified JSON object vendorMetadata: type: string description: Extra vendor-only data. 
stringified JSON object roleIds: description: Role IDs to assign to the user type: array items: type: string tenantId: type: string expirationInSeconds: type: number description: Temporary user expiration in seconds mfaBypass: type: boolean description: Bypass MFA for this user externalId: type: string description: The external id of the user required: - tenantId CreateInviteTokenRequest: type: object properties: tenantId: type: string userId: type: string expiresInMinutes: type: number shouldSendEmail: type: boolean roleIds: description: Array of role IDs to assign to invited users type: array items: type: string required: - tenantId InviteTokenDto: type: object properties: id: type: string vendorId: type: string tenantId: type: string userId: type: string token: type: string expires: format: date-time type: string shouldSendEmail: type: boolean name: type: string roleIds: type: array items: type: string required: - id - vendorId - tenantId - token - expires - shouldSendEmail CreateInviteTokenRequestForUser: type: object properties: expiresInMinutes: type: number shouldSendEmail: type: boolean required: - expiresInMinutes - shouldSendEmail UpdateInviteTokenRequest: type: object properties: expiresInMinutes: type: number shouldSendEmail: type: boolean VerifyInviteTokenRequest: type: object properties: token: type: string required: - token InvitationConfigurationResponse: type: object properties: tenantInvitationsAllowed: type: boolean emailsEnabled: type: boolean required: - tenantInvitationsAllowed - emailsEnabled CreateInviteTokenRequestForUserV2: type: object properties: expiresInMinutes: type: number shouldSendEmail: type: boolean roleIds: description: Array of role IDs to assign to invited users example: - role1 - role2 type: array items: type: string required: - expiresInMinutes - shouldSendEmail - roleIds SessionIdleTimeoutConfigurationDto: type: object properties: isActive: type: boolean timeout: type: number minimum: 60 maximum: 2073600 required: - 
isActive - timeout SessionTimeoutConfigurationDto: type: object properties: isActive: type: boolean timeout: type: number minimum: 60 required: - isActive - timeout SessionConcurrentConfigurationDto: type: object properties: isActive: type: boolean maxSessions: type: number minimum: 1 required: - isActive - maxSessions CreateSessionConfigurationRequest: type: object properties: sessionIdleTimeoutConfiguration: $ref: '#/components/schemas/SessionIdleTimeoutConfigurationDto' sessionTimeoutConfiguration: $ref: '#/components/schemas/SessionTimeoutConfigurationDto' sessionConcurrentConfiguration: $ref: '#/components/schemas/SessionConcurrentConfigurationDto' MFAStrategyResponse: type: object properties: strategy: enum: - AuthenticatorApp - WebAuthnPlatform - WebAuthnCrossPlatform - SMS - EmailCode type: string isActive: type: boolean required: - strategy - isActive MFAStrategiesResponse: type: object properties: strategies: type: array items: $ref: '#/components/schemas/MFAStrategyResponse' required: - strategies CreateOrUpdateMFAStrategyRequest: type: object properties: isActive: type: boolean strategy: type: string enum: - AuthenticatorApp - WebAuthnPlatform - WebAuthnCrossPlatform - SMS - EmailCode required: - isActive - strategy RoleDto: type: object properties: id: type: string vendorId: type: string tenantId: type: string key: type: string name: type: string description: type: string isDefault: type: boolean firstUserRole: type: boolean level: type: number createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - vendorId - tenantId - key - name - description - isDefault - firstUserRole - level - createdAt - updatedAt GroupUserDto: type: object properties: id: type: string email: type: string name: type: string profilePictureUrl: type: string createdAt: format: date-time type: string activatedForTenant: type: boolean required: - id - email - name - profilePictureUrl - createdAt - activatedForTenant GroupResponse: type: 
object properties: id: type: string name: type: string color: type: string description: type: string metadata: type: string roles: type: array items: $ref: '#/components/schemas/RoleDto' users: type: array items: $ref: '#/components/schemas/GroupUserDto' managedBy: enum: - frontegg - scim2 type: string createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - name - color - description - metadata - roles - users - managedBy - createdAt - updatedAt GroupsResponse: type: object properties: groups: type: array items: $ref: '#/components/schemas/GroupResponse' required: - groups GetGroupsDto: type: object properties: groupsIds: description: Group IDs type: array items: type: string required: - groupsIds CreateGroupDto: type: object properties: color: type: string description: Color for group display description: type: string description: Group description metadata: type: string description: Stringified JSON object example: '{}' name: type: string description: Group unique name required: - name UpdateGroupDto: type: object properties: color: type: string description: Color for group display description: type: string description: Group description metadata: type: string description: Stringified JSON object example: '{}' name: type: string description: Group unique name GetGroupConfigurationResponse: type: object properties: enabled: type: boolean rolesEnabled: type: boolean required: - enabled - rolesEnabled CreateOrUpdateGroupConfigurationDto: type: object properties: enabled: type: boolean description: Determine whether groups are enabled/disabled. Default value is true. default: true rolesEnabled: type: boolean description: Determine whether groups can have roles or not. Default value is true. 
default: true UpdateRolesOnGroupDto: type: object properties: roleIds: description: Will add / remove requested roles from the group example: - 5fbae0d3-a3b7-4b1e-8d64-6c9428f84aae - 8b2d0f9a-f39e-49b3-98ca-93c85c06d1a7 type: array items: type: string required: - roleIds UpdateUsersOnGroupDto: type: object properties: userIds: description: An array of User IDs to add / remove existing users to / from the group. example: - 262io276-3c5v-9y31-ba03-281674a89d4c - eeooc819-87dd-1cdd-b81d-e8829vm9d684 type: array items: type: string required: - userIds FronteggPaginationWrapper: type: object properties: {} FronteggPaginationLinks: type: object properties: next: type: string prev: type: string first: type: string last: type: string required: - next - prev - first - last FronteggPaginationMetadata: type: object properties: totalItems: type: number totalPages: type: number required: - totalItems - totalPages TenantStatus: type: object properties: tenantId: type: string status: type: string enum: - PendingInvitation - PendingLogin - Activated - NotActivated required: - tenantId - status UserTenantStatusesResponse: type: object properties: userId: type: string tenantsStatuses: description: Tenants Statuses type: array items: $ref: '#/components/schemas/TenantStatus' required: - userId - tenantsStatuses AddRoleRequest: type: object properties: key: type: string name: type: string description: type: string isDefault: type: boolean description: This role will be assigned for every user that will be added without specified roles migrateRole: type: boolean description: Set this property to `true` together with `isDefault` in order to assign this role to all users firstUserRole: type: boolean description: This role will be assigned to the first user of a tenant (new tenants only) level: type: number minimum: 0 maximum: 32767 description: Role level for roles elevation, lower level means stronger role. 
required: - key - name - level UpdateRoleRequest: type: object properties: isDefault: type: boolean description: This role will be assigned for every user that will be added without specified roles firstUserRole: type: boolean description: This role will be assigned to the first user of a tenant (new tenants only) migrateRole: type: boolean description: Set this property to `true` together with `isDefault` in order to assign this role to all users level: type: number minimum: 0 maximum: 32767 description: Role level for roles elevation, lower level means stronger role. key: type: string name: type: string description: type: string AddPermissionToRoleRequest: type: object properties: permissionIds: description: Set permission Ids to attach to the role type: array items: type: string required: - permissionIds UpdateRoleTenantRequest: type: object properties: tenantId: type: string nullable: true required: - tenantId AddRoleWithPermissionsRequest: type: object properties: key: type: string name: type: string description: type: string isDefault: type: boolean description: This role will be assigned for every user that will be added without specified roles baseRoleId: type: string description: Role level of the new role will be based on this parameter permissionIds: type: array items: type: string required: - key - name - baseRoleId - permissionIds AddRoleWithPermissionsResponse: type: object properties: id: type: string vendorId: type: string tenantId: type: string key: type: string name: type: string description: type: string isDefault: type: boolean permissions: type: array items: type: string required: - id - vendorId - tenantId - key - name - description - isDefault - permissions TemporaryUserDto: type: object properties: expirationInSeconds: type: number minimum: 300 required: - expirationInSeconds TemporaryUsersConfigurationDto: type: object properties: enabled: type: boolean required: - enabled UserPhoneNumberResponseDto: type: object properties: id: type: 
string userId: type: string phoneNumber: type: string verified: type: boolean createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - userId - phoneNumber - verified - createdAt - updatedAt CreateUserPhoneNumberRequestDto: type: object properties: phoneNumber: type: string description: New phone number verify: type: boolean default: true description: Should send verification code, default is true required: - phoneNumber UserPhoneNumberCreatedResponseDto: type: object properties: {} PreVerifyUserPhoneNumberRequestDto: type: object properties: phoneNumber: type: string description: New phone number required: - phoneNumber VerifyPhoneNumberOTCRequestDto: type: object properties: otcToken: type: string description: OTC token code: type: string description: Code that was sent to the user required: - otcToken - code UserPhoneNumberDeleteCodeResponseDto: type: object properties: {} UserEmailResponseDto: type: object properties: id: type: string userId: type: string email: type: string verified: type: boolean isPrimary: type: boolean createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - userId - email - verified - isPrimary - createdAt - updatedAt CreateUserEmailRequestDto: type: object properties: email: type: string description: New email required: - email CreateUserEmailVerifyRequestDto: type: object properties: code: type: string description: The code for the user to verify their email email: type: string description: The email for the user to verify their email required: - code - email CreateUserEmailVendorRequestDto: type: object properties: email: type: string description: New email isVerified: type: boolean description: Is user email verified required: - email MarkEmailAsPrimaryRequestDto: type: object properties: email: type: string description: Email to mark as primary required: - email UserBulkInviteRequestDto: type: object properties: email: type: string format: email 
description: The email of the user. If not provided, the username is required username: type: string maxLength: 255 pattern: /^[a-zA-Z0-9._-]+$/ description: The username of the user. If not provided, the email is required. Maximum length is 255 characters. name: type: string profilePictureUrl: type: string maxLength: 4095 password: type: string phoneNumber: type: string provider: type: string default: local enum: - local - saml - google - github - facebook - microsoft - scim2 - slack - apple metadata: type: string description: Stringified JSON object example: '{}' skipInviteEmail: type: boolean roleIds: type: array items: type: string emailMetadata: type: object expirationInSeconds: type: number minimum: 300 description: Temporary user expiration in seconds verified: type: boolean UsersBulkInviteRequestDto: type: object properties: users: type: array items: $ref: '#/components/schemas/UserBulkInviteRequestDto' required: - users TaskContext: type: object properties: {} BulkUpdateUserRolesRequestDto: type: object properties: addRoleIds: description: Role IDs to add across tenants example: - role-uuid-1 - role-uuid-2 type: array items: type: string removeRoleIds: description: Role IDs to remove across tenants example: - role-uuid-3 type: array items: type: string tenantIds: description: Specific tenant IDs to update. If not provided, all tenants the user belongs to will be updated. 
example: - tenant-uuid-1 - tenant-uuid-2 type: array items: type: string BulkUpdateUserRolesSyncResponseDto: type: object properties: userId: type: string description: The user ID that was updated example: user-uuid affectedTenants: type: number description: Number of tenants affected by the update example: 15 rolesAdded: description: Role IDs that were added example: - role-uuid-1 type: array items: type: string rolesRemoved: description: Role IDs that were removed example: - role-uuid-2 type: array items: type: string required: - userId - affectedTenants - rolesAdded - rolesRemoved BulkRolesTaskError: type: object properties: message: type: string description: Error message example: Failed to update roles for tenant tenantId: type: string description: Tenant ID where the error occurred details: type: string description: Additional error details tenantIds: description: Tenant IDs affected by this error (for batch failures) type: array items: type: string required: - message BulkRolesTaskStatusResponseDto: type: object properties: id: type: string description: Task ID example: task-uuid userId: type: string description: User ID being updated example: user-uuid status: enum: - NotStarted - InProgress - Completed - CompletedWithErrors type: string description: Current status of the task example: InProgress totalTenants: type: number description: Total number of tenants to update example: 500 processedTenants: type: number description: Number of tenants already processed example: 150 addedRoleIds: description: Role IDs being added example: - role-uuid-1 type: array items: type: string removedRoleIds: description: Role IDs being removed example: - role-uuid-2 type: array items: type: string errors: description: Errors encountered during processing type: array items: $ref: '#/components/schemas/BulkRolesTaskError' required: - id - userId - status - totalTenants - processedTenants - addedRoleIds - removedRoleIds Auth0Configuration: type: object properties: domain: type: 
string clientId: type: string secret: type: string tenantIdFieldName: type: string description: The field name that the tenant ID will be taken from under app metadata isTenantIdOnUserMetadata: type: boolean description: If you would like to take tenant ID from user metadata, set this field to true required: - domain - clientId - secret - tenantIdFieldName PasswordHashingType: type: string enum: - bcrypt - scrypt - firebase-scrypt - pbkdf2 - argon2 - sha256 - sha1 PhoneNumberType: type: string enum: - auth - mfa MigrateUserRequestV1: type: object properties: tenantId: type: string description: The tenant id of the user name: type: string description: The name of the user profilePictureUrl: type: string description: The profile picture url of the user maxLength: 4095 passwordHash: type: string description: The password hash. For SCrypt should include the salt and key separated by the salt separator passwordHashType: $ref: '#/components/schemas/PasswordHashingType' passwordHashConfig: type: string maxLength: 4095 description: Stringified JSON Hashing config for the migrated password. For SCrypt should be formatted as { saltSeparator, N, r, p, keyLen }. For FirebaseScrypt should be formatted as { memCost, rounds, saltSeparator, signerKey } authenticatorAppMfaSecret: type: string description: The authenticator app MFA secret phoneNumber: type: string description: 'phoneNumber can be used both for login with SMS and for MFA. This auto-enrolls the user in MFA, prompting them at first login (regardless of tenant/vendor MFA settings). The required format is an area code + number, no spaces. For example: "+16037184056". The number must be unique' phoneNumberType: $ref: '#/components/schemas/PhoneNumberType' provider: type: string enum: - local - saml - google - github - facebook - microsoft - scim2 - slack - apple default: local metadata: type: string description: Stringified JSON object roleIds: default: [] description: Role ids of the migrated users. 
If not provided, the user will be assigned the default roles type: array items: type: string vendorMetadata: type: string description: Extra vendor-only data. stringified JSON object externalId: type: string description: The external id of the user username: type: string description: The username of the user. If not provided, the email is required. Maximum length is 255 characters. maxLength: 128 email: type: string description: The email of the user. If not provided, the username is required verifyUser: type: boolean default: false description: Whether to verify the user as part of the migration process. If this is set to false, another call is required for the verify user API required: - tenantId - email MigrateUsersRequestV1: type: object properties: users: type: array items: $ref: '#/components/schemas/MigrateUserRequestV1' required: - users MigrationContext: type: object properties: migrationId: type: string required: - migrationId MigrationObject: type: object properties: {} EmailObjectDto: type: object properties: email: type: string description: The email address format: email primary: type: boolean description: Whether this is the primary email verified: type: boolean description: Whether this email is verified required: - email - primary - verified MigrateUserRequestV2: type: object properties: tenantId: type: string description: The tenant id of the user name: type: string description: The name of the user profilePictureUrl: type: string description: The profile picture url of the user maxLength: 4095 passwordHash: type: string description: The password hash. For SCrypt should include the salt and key separated by the salt separator passwordHashType: $ref: '#/components/schemas/PasswordHashingType' passwordHashConfig: type: string maxLength: 4095 description: Stringified JSON Hashing config for the migrated password. For SCrypt should be formatted as { saltSeparator, N, r, p, keyLen }. 
For FirebaseScrypt should be formatted as { memCost, rounds, saltSeparator, signerKey } authenticatorAppMfaSecret: type: string description: The authenticator app MFA secret phoneNumber: type: string description: 'phoneNumber can be used both for login with SMS and for MFA. This auto-enrolls the user in MFA, prompting them at first login (regardless of tenant/vendor MFA settings). The required format is an area code + number, no spaces. For example: "+16037184056". The number must be unique' phoneNumberType: $ref: '#/components/schemas/PhoneNumberType' provider: type: string enum: - local - saml - google - github - facebook - microsoft - scim2 - slack - apple default: local metadata: type: string description: Stringified JSON object roleIds: default: [] description: Role ids of the migrated users. If not provided, the user will be assigned the default roles type: array items: type: string vendorMetadata: type: string description: Extra vendor-only data. stringified JSON object externalId: type: string description: The external id of the user username: type: string description: The username of the user. If not provided, the email is required. Maximum length is 128 characters. maxLength: 128 emails: description: The emails of the user. 
If not provided, the username is required type: array items: $ref: '#/components/schemas/EmailObjectDto' required: - tenantId MigrateUsersRequestV2: type: object properties: users: type: array items: $ref: '#/components/schemas/MigrateUserRequestV2' required: - users UpdateSubAccountAccessRequestDto: type: object properties: allowAccess: type: boolean required: - allowAccess ResetPasswordV1Dto: type: object properties: email: type: string format: email emailMetadata: type: object required: - email VerifyPasswordDto: type: object properties: userId: type: string token: type: string password: type: string required: - userId - token - password UpdateUserPasswordDto: type: object properties: password: type: string newPassword: type: string required: - password - newPassword ResetPasswordDto: type: object properties: identifier: type: string description: User identifier (phone number or email) identifierType: enum: - email - phoneNumber - username type: string description: Type of the identifier emailMetadata: type: object required: - identifier - identifierType ResetPasswordViaSmsResponseDto: type: object properties: sessionId: type: string required: - sessionId VerifyPasswordViaSmsRequestDto: type: object properties: otcToken: type: string sessionId: type: string required: - otcToken - sessionId VerifyPasswordViaSmsResponseDto: type: object properties: userId: type: string token: type: string required: - userId - token ResetActivationTokenDto: type: object properties: email: type: string format: email emailMetadata: type: object required: - email - emailMetadata CreateCustomSsoRequestDto: type: object properties: type: type: string clientId: type: string secret: type: string redirectUrl: type: string authorizationUrl: type: string tokenUrl: type: string userInfoUrl: type: string scopes: type: string ssoLogoUrl: type: string displayName: type: string active: type: boolean required: - type - clientId - secret - redirectUrl - authorizationUrl - tokenUrl - userInfoUrl - 
scopes - ssoLogoUrl - displayName - active UpdateCustomSsoRequestDto: type: object properties: type: type: string clientId: type: string secret: type: string redirectUrl: type: string authorizationUrl: type: string tokenUrl: type: string userInfoUrl: type: string scopes: type: string ssoLogoUrl: type: string displayName: type: string active: type: boolean AssignUsersToAppRequestDto: type: object properties: appId: type: string tenantId: type: string userIds: type: array items: type: string required: - appId - tenantId - userIds ApplicationUserTenantsResponseDto: type: object properties: appId: type: string userTenantId: type: string createdAt: format: date-time type: string required: - appId - userTenantId - createdAt UnassignUsersFromAppRequestDto: type: object properties: appId: type: string tenantId: type: string userIds: type: array items: type: string required: - appId - tenantId - userIds UserApplicationActiveTenantResponse: type: object properties: tenantId: type: string applicationId: type: string required: - tenantId - applicationId UserApplicationActiveTenantsResponseDto: type: object properties: applicationActiveTenants: type: array items: $ref: '#/components/schemas/UserApplicationActiveTenantResponse' required: - applicationActiveTenants SwitchApplicationActiveUserTenantDto: type: object properties: applicationId: type: string description: Desired application to set active tenant in tenantId: type: string description: Desired tenant to set as active tenant for user in application required: - applicationId - tenantId SwitchApplicationActiveUserTenantsRequestDto: type: object properties: activeApplicationTenants: description: List of applications and tenants to set as active, for user type: array items: $ref: '#/components/schemas/SwitchApplicationActiveUserTenantDto' required: - activeApplicationTenants GetDelegationConfigurationResponseDto: type: object properties: enabled: type: boolean description: Indicates whether delegation has been enabled or 
disabled. example: 'true' required: - enabled CreateDelegationConfigurationRequestDto: type: object properties: enabled: type: boolean description: Used to enable or disable delegation for access tokens created using Token Exchange. example: 'true' DisableMFAAuthAppRequest: type: object properties: token: type: string RequestDisableMFARequest: type: object properties: {} RequestDisableMFASMSResponse: type: object properties: {} DisableMFASMSRequest: type: object properties: otcToken: type: string code: type: string required: - otcToken - code ResetTenantInvitationDto: type: object properties: email: type: string required: - email UserV3Dto: type: object properties: id: type: string email: type: string name: type: string profilePictureUrl: type: string sub: type: string verified: type: boolean mfaEnrolled: type: boolean mfaBypass: type: boolean phoneNumber: type: string provider: type: string tenantId: type: string tenantIds: type: array items: type: string activatedForTenant: type: boolean isLocked: type: boolean tenants: type: array items: $ref: '#/components/schemas/UserTenantDto' invisible: type: boolean superUser: type: boolean metadata: type: string vendorMetadata: type: string externalId: type: string createdAt: format: date-time type: string lastLogin: format: date-time type: string subAccountAccessAllowed: type: boolean managedBy: enum: - frontegg - scim2 - external type: string required: - id - email - name - profilePictureUrl - sub - verified - mfaEnrolled - provider - tenantId - tenantIds - tenants - metadata - vendorMetadata - createdAt - lastLogin - subAccountAccessAllowed GetUserRolesResponse: type: object properties: {} GetUserGroupsResponse: type: object properties: {} UnlockUserRequestDto: type: object properties: token: type: string required: - token CreateUserDto: type: object properties: email: type: string format: email description: The email of the user. 
If not provided, the username is required username: type: string maxLength: 255 pattern: /^[a-zA-Z0-9._-]+$/ description: The username of the user. If not provided, the email is required. Maximum length is 255 characters. name: type: string profilePictureUrl: type: string maxLength: 4095 password: type: string phoneNumber: type: string provider: type: string default: local enum: - local - saml - google - github - facebook - microsoft - scim2 - slack - apple metadata: type: string description: Stringified JSON object example: '{}' skipInviteEmail: type: boolean roleIds: type: array items: type: string emailMetadata: type: object expirationInSeconds: type: number minimum: 300 description: Temporary user expiration in seconds UserCreatedResponse: type: object properties: id: type: string email: type: string verified: type: boolean name: type: string profilePictureUrl: type: string roles: type: array items: type: string permissions: type: array items: type: string metadata: type: string createdAt: format: date-time type: string lastLogin: format: date-time type: string activatedForTenant: type: boolean temporaryExpirationDate: format: date-time type: string UpdateUserDto: type: object properties: phoneNumber: type: string pattern: ^\+[1-9]{1}(\-?)(([0-9])(\-?)){5,13}(([0-9]$){1}) profilePictureUrl: type: string nullable: true maxLength: 4095 metadata: type: string description: Stringified JSON object example: '{}' name: type: string CoreUserDto: type: object properties: id: type: string email: type: string name: type: string profilePictureUrl: type: string sub: type: string verified: type: boolean mfaEnrolled: type: boolean mfaBypass: type: boolean phoneNumber: type: string provider: type: string tenantId: type: string tenantIds: type: array items: type: string activatedForTenant: type: boolean isLocked: type: boolean tenants: type: array items: $ref: '#/components/schemas/UserTenantDto' invisible: type: boolean superUser: type: boolean metadata: type: string 
vendorMetadata: type: string externalId: type: string createdAt: format: date-time type: string lastLogin: format: date-time type: string subAccountAccessAllowed: type: boolean managedBy: type: string enum: - frontegg - scim2 - external required: - id - email - name - profilePictureUrl - sub - verified - mfaEnrolled - provider - tenantId - tenantIds - tenants - metadata - vendorMetadata - createdAt - lastLogin - subAccountAccessAllowed AssignUserToRolesDto: type: object properties: roleIds: type: array items: type: string required: - roleIds IRole: type: object properties: id: type: string key: type: string name: type: string description: type: string isDefault: type: boolean level: type: number createdAt: format: date-time type: string required: - id - key - name - description - isDefault - level - createdAt AssignUserToRolesResponseDto: type: object properties: tenantId: type: string userId: type: string roles: type: array items: $ref: '#/components/schemas/IRole' required: - tenantId - userId - roles UnassignUserFromRolesDto: type: object properties: roleIds: type: array items: type: string required: - roleIds DeleteUserToRolesResponseDto: type: object properties: tenantId: type: string userId: type: string roles: type: array items: $ref: '#/components/schemas/IRole' required: - tenantId - userId - roles UpdateUserTenantDto: type: object properties: tenantId: type: string description: Desired tenant to set as active tenant for user required: - tenantId UpdateUserInvisibleDto: type: object properties: invisible: type: boolean required: - invisible UpdateUserSuperuserDto: type: object properties: superUser: type: boolean required: - superUser UpdateVendorUserDto: type: object properties: phoneNumber: type: string pattern: ^\+[1-9]{1}(\-?)(([0-9])(\-?)){5,13}(([0-9]$){1}) profilePictureUrl: type: string nullable: true maxLength: 4095 metadata: type: string description: Stringified JSON object example: '{}' vendorMetadata: type: string description: Extra vendor-only 
data. stringified JSON object mfaBypass: type: boolean description: Indicates whether MFA should be bypassed for this user externalId: type: string description: The external id of the user name: type: string UpdateUserTenantWithValidationDto: type: object properties: tenantId: type: string description: Desired tenant to set as active tenant for user validateTenantExist: type: boolean required: - tenantId AddUserToTenantRequest: type: object properties: validateTenantExist: type: boolean tenantId: type: string skipInviteEmail: type: boolean required: - tenantId UpdateUserEmailDto: type: object properties: email: type: string format: email required: - email GenerateUserActivationLinkResponseDto: type: object properties: link: type: string token: type: string userId: type: string required: - link - token - userId GenerateUserResetPasswordLinkResponseDto: type: object properties: link: type: string token: type: string userId: type: string required: - link - token - userId MigrateUsersFromTenantToTenantRequest: type: object properties: srcTenantId: type: string targetTenantId: type: string required: - srcTenantId - targetTenantId GetUserSourceExtendedResponseDTO: type: object properties: id: type: string name: type: string type: type: string description: type: string appIds: type: array items: type: string index: type: number configuration: type: object usersCount: type: number required: - id - name - type - description - appIds - index - configuration - usersCount GetUserSourceResponseDTO: type: object properties: id: type: string name: type: string type: type: string description: type: string appIds: type: array items: type: string index: type: number configuration: type: object required: - id - name - type - description - appIds - index - configuration UserSourceDynamicTenantConfig: type: object properties: tenantIdFieldName: type: string description: The attribute name of which the tenant id would be taken from tenantResolverType: type: string enum: - dynamic 
required: - tenantIdFieldName - tenantResolverType UserSourceNewTenantConfig: type: object properties: tenantResolverType: type: string enum: - new required: - tenantResolverType UserSourceStaticTenantConfig: type: object properties: tenantId: type: string description: The tenant id which all of the users would be added to tenantResolverType: type: string enum: - static required: - tenantId - tenantResolverType UserSourceFromSourceTenantConfig: type: object properties: tenantResolverType: type: string enum: - from-source required: - tenantResolverType ExternalAuth0UserSourceConfig: type: object properties: syncOnLogin: type: boolean description: Whether to sync user profile attributes on each login isMigrated: type: boolean description: Whether to migrate the users domain: type: string description: the auth0 domain clientId: type: string description: the auth0 application clientId secret: type: string description: the auth0 application secret tenantConfig: oneOf: - $ref: '#/components/schemas/UserSourceDynamicTenantConfig' - $ref: '#/components/schemas/UserSourceStaticTenantConfig' - $ref: '#/components/schemas/UserSourceNewTenantConfig' required: - syncOnLogin - isMigrated - domain - clientId - secret - tenantConfig CreateAuth0ExternalUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/ExternalAuth0UserSourceConfig' appIds: description: The application Ids to assign to this user source type: array items: type: string index: type: number description: The user source index description: type: string description: The user source description required: - name - configuration - index CreateUserSourceResponse: type: object properties: id: type: string name: type: string type: type: string appIds: type: array items: type: string description: type: string index: type: number required: - id - name - type - appIds - description - index 
ExternalCognitoUserSourceConfig: type: object properties: syncOnLogin: type: boolean description: Whether to sync user profile attributes on each login isMigrated: type: boolean description: Whether to migrate the users region: type: string description: The aws region of the cognito user pool clientId: type: string description: The cognito app client id userPoolId: type: string description: The id of the cognito user pool accessKeyId: type: string description: The access key of the aws account secretAccessKey: type: string description: The secret of the aws account clientSecret: type: string description: The cognito application client secret, required if the app client is configured with a client secret tenantConfig: oneOf: - $ref: '#/components/schemas/UserSourceDynamicTenantConfig' - $ref: '#/components/schemas/UserSourceStaticTenantConfig' - $ref: '#/components/schemas/UserSourceNewTenantConfig' required: - syncOnLogin - isMigrated - region - clientId - userPoolId - accessKeyId - secretAccessKey - tenantConfig CreateCognitoExternalUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/ExternalCognitoUserSourceConfig' appIds: description: The application Ids to assign to this user source type: array items: type: string index: type: number description: The user source index description: type: string description: The user source description required: - name - configuration - index FirebaseServiceAccountConfig: type: object properties: type: type: string project_id: type: string private_key_id: type: string private_key: type: string client_email: type: string client_id: type: string auth_uri: type: string token_uri: type: string auth_provider_x509_cert_url: type: string client_x509_cert_url: type: string universe_domain: type: string required: - type - project_id - private_key_id - private_key - client_email - client_id - auth_uri - 
token_uri - auth_provider_x509_cert_url - client_x509_cert_url - universe_domain ExternalFirebaseUserSourceConfig: type: object properties: syncOnLogin: type: boolean description: Whether to sync user profile attributes on each login isMigrated: type: boolean description: Whether to migrate the users apiKey: type: string description: The firebase Web API Key serviceAccount: $ref: '#/components/schemas/FirebaseServiceAccountConfig' tenantConfig: oneOf: - $ref: '#/components/schemas/UserSourceStaticTenantConfig' - $ref: '#/components/schemas/UserSourceNewTenantConfig' required: - syncOnLogin - isMigrated - apiKey - serviceAccount - tenantConfig CreateFirebaseExternalUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/ExternalFirebaseUserSourceConfig' appIds: description: The application Ids to assign to this user source type: array items: type: string index: type: number description: The user source index description: type: string description: The user source description required: - name - configuration - index ExternalCustomCodeUserSourceConfig: type: object properties: syncOnLogin: type: boolean description: Whether to sync user profile attributes on each login isMigrated: type: boolean description: Whether to migrate the users codePayload: type: string getUserCodePayload: type: string tenantConfig: oneOf: - $ref: '#/components/schemas/UserSourceNewTenantConfig' - $ref: '#/components/schemas/UserSourceFromSourceTenantConfig' required: - syncOnLogin - isMigrated - codePayload - tenantConfig CreateCustomCodeExternalUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/ExternalCustomCodeUserSourceConfig' appIds: description: The application Ids to assign to this user source type: array items: 
type: string index: type: number description: The user source index description: type: string description: The user source description required: - name - configuration - index Oauth2UserSourceConfig: type: object properties: authorizationUrl: type: string description: The authorization URL of the OAuth2 provider tokenUrl: type: string description: The token URL of the OAuth2 provider userInfoUrl: type: string description: The user info URL of the OAuth2 provider scopes: description: The scopes to request from the OAuth2 provider example: - openid - email - profile type: array items: type: string grantTypes: description: The OAuth2 grant types example: - authorization_code type: array items: type: string required: - authorizationUrl - tokenUrl - userInfoUrl FederationUserSourceConfig: type: object properties: syncOnLogin: type: boolean description: Whether to sync user profile attributes on each login wellknownUrl: type: string description: The url of the service provider oauth2Config: description: OAuth2 configuration (required if wellknownUrl is not provided) allOf: - $ref: '#/components/schemas/Oauth2UserSourceConfig' clientId: type: string description: The client id from the service provider secret: type: string description: The secret from the service provider tenantConfig: oneOf: - $ref: '#/components/schemas/UserSourceDynamicTenantConfig' - $ref: '#/components/schemas/UserSourceStaticTenantConfig' - $ref: '#/components/schemas/UserSourceNewTenantConfig' required: - syncOnLogin - clientId - secret - tenantConfig CreateFederationUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/FederationUserSourceConfig' appIds: description: The application Ids to assign to this user source type: array items: type: string index: type: number description: The user source index description: type: string description: The user source 
description required: - name - configuration - index UpdateExternalAuth0UserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/ExternalAuth0UserSourceConfig' index: type: number description: The user source index description: type: string description: The user source description UpdateExternalCognitoUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/ExternalCognitoUserSourceConfig' index: type: number description: The user source index description: type: string description: The user source description UpdateExternalFirebaseUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/ExternalFirebaseUserSourceConfig' index: type: number description: The user source index description: type: string description: The user source description UpdateExternalCustomCodeUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/ExternalCustomCodeUserSourceConfig' index: type: number description: The user source index description: type: string description: The user source description UpdateFederationUserSourceRequestDTO: type: object properties: name: type: string description: The user source name configuration: description: User source configuration allOf: - $ref: '#/components/schemas/FederationUserSourceConfig' index: type: number description: The user source index description: type: string description: The user source description AssignApplicationsToUserSourceRequestDTO: type: object properties: appIds: description: The application Ids to assign 
to this user source type: array items: type: string userSourceId: type: string description: The user source id required: - appIds - userSourceId UnassignApplicationsFromUserSourceRequestDTO: type: object properties: appIds: description: The application Ids to assign to this user source type: array items: type: string userSourceId: type: string description: The user source id required: - appIds - userSourceId GetUserSourceUsersResponseDTO: type: object properties: email: type: string lastLogin: format: date-time type: string required: - email - lastLogin ActivationStrategyResponse: type: object properties: strategy: type: string enum: - code - link codeExpiration: type: number required: - strategy - codeExpiration CreateOrUpdateActivationStrategyRequest: type: object properties: codeExpiration: type: number minimum: 60 strategy: type: string enum: - code - link required: - strategy InvitationStrategyResponse: type: object properties: strategy: type: string enum: - code - link codeExpiration: type: number required: - strategy - codeExpiration CreateOrUpdateInvitationStrategyRequest: type: object properties: codeExpiration: type: number PasswordRotationConfigurationResponse: type: object properties: createdAt: format: date-time type: string updatedAt: format: date-time type: string isActive: type: boolean rotationPeriod: type: number notificationPeriod: type: number tenantId: type: string required: - createdAt - updatedAt - isActive - rotationPeriod - notificationPeriod - tenantId CreateOrUpdatePasswordRotationDto: type: object properties: isActive: type: boolean description: Indicates whether password expiration is enabled default: false rotationPeriod: type: number minimum: 1 maximum: 2628000 description: The password expiration period, in minutes default: 129600 notificationPeriod: type: number minimum: 0 maximum: 2628000 description: Notification period before password expiration, in minutes default: 10080 GetUserEmailsPolicyResponseDto: type: object properties: 
allowEmailChange: type: boolean description: Indicates whether email change has been enabled or disabled. example: 'true' required: - allowEmailChange CreateUserEmailsPolicyRequestDto: type: object properties: allowEmailChange: type: boolean description: Used to enable or disable email change for users. example: 'true' UsernameResponseDto: type: object properties: username: type: string description: The username value example: user.name userId: type: string description: The user id value example: user-id required: - username - userId CreateUsernameRequestDto: type: object properties: username: type: string description: 'The username to create. Allowed characters: alphanumeric (a-z, 0-9), ^, $, ., !, -, #, +, '', ~, _ (no spaces, no accents, automatically converted to lowercase). Max length: 128 characters.' example: john.doe$!#-+'~_ required: - username SelfEmailUpdateRequestDto: type: object properties: email: type: string description: The email to update to required: - email SelfEmailUpdateVerifyRequestDto: type: object properties: code: type: string description: The code for the user to verify their email email: type: string description: The email for the user to verify their email required: - code - email ApprovalFlowChannelDto: type: object properties: email: type: boolean sms: type: boolean required: - email - sms ApprovalFlowConfigurationDto: type: object properties: autoApproveInMinutes: type: number minimum: 1 reminderIntervalMinutes: type: number minimum: 60 notifyOnDecisions: type: boolean timeoutMinutes: type: number minimum: 5 maximum: 10080 webhookUrl: type: string ApproverSelectorDto: type: object properties: roleKeys: type: array items: type: string emails: type: array items: type: string phoneNumbers: type: array items: type: string StepConfigurationDto: type: object properties: minApprovals: type: number minimum: 1 required: - minApprovals CreateApprovalFlowStepDto: type: object properties: approverSelectors: $ref: 
'#/components/schemas/ApproverSelectorDto' configuration: $ref: '#/components/schemas/StepConfigurationDto' stepOrder: type: number minimum: 1 required: - approverSelectors - configuration - stepOrder CreateApprovalFlowDto: type: object properties: name: type: string description: type: string isActive: type: boolean channels: $ref: '#/components/schemas/ApprovalFlowChannelDto' configuration: $ref: '#/components/schemas/ApprovalFlowConfigurationDto' steps: type: array items: $ref: '#/components/schemas/CreateApprovalFlowStepDto' required: - name - channels - configuration - steps ApprovalFlowChannel: type: object properties: {} ApprovalFlowConfigurationResponseDto: type: object properties: autoApproveInMinutes: type: number reminderIntervalMinutes: type: number notifyOnDecisions: type: boolean logging: type: boolean timeoutMinutes: type: number webhookUrl: type: string ApproverSelectorResponseDto: type: object properties: roleKeys: type: array items: type: string emails: type: array items: type: string phoneNumbers: type: array items: type: string required: - roleKeys - emails - phoneNumbers StepConfigurationResponseDto: type: object properties: minApprovals: type: number ApprovalFlowStepResponseDto: type: object properties: id: type: string stepOrder: type: number approverSelectors: $ref: '#/components/schemas/ApproverSelectorResponseDto' configuration: $ref: '#/components/schemas/StepConfigurationResponseDto' createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - stepOrder - approverSelectors - configuration - createdAt - updatedAt ApprovalFlowResponseDto: type: object properties: id: type: string vendorId: type: string tenantId: type: string name: type: string description: type: string isActive: type: boolean channels: $ref: '#/components/schemas/ApprovalFlowChannel' configuration: $ref: '#/components/schemas/ApprovalFlowConfigurationResponseDto' steps: type: array items: $ref: 
'#/components/schemas/ApprovalFlowStepResponseDto' createdAt: format: date-time type: string updatedAt: format: date-time type: string required: - id - vendorId - name - isActive - channels - configuration - steps - createdAt - updatedAt ApprovalFlowsListResponseDto: type: object properties: items: type: array items: $ref: '#/components/schemas/ApprovalFlowResponseDto' total: type: number required: - items - total UpdateApprovalFlowDto: type: object properties: name: type: string description: type: string isActive: type: boolean channels: $ref: '#/components/schemas/ApprovalFlowChannelDto' configuration: $ref: '#/components/schemas/ApprovalFlowConfigurationDto' steps: type: array items: $ref: '#/components/schemas/CreateApprovalFlowStepDto' ApproverActionDto: type: object properties: approved: type: boolean approvalFlowExecutionId: type: string approverId: type: string approvalFlowStepId: type: string required: - approved - approvalFlowExecutionId - approverId - approvalFlowStepId ExecutionDataResponseDto: type: object properties: approvalFlowName: type: string approvalFlowDescription: type: string requester: type: string approvalFlowRequestDate: format: date-time type: string executionData: type: object required: - approvalFlowName - requester - approvalFlowRequestDate ExecuteApprovalFlowDto: type: object properties: executionData: type: object webhookUrl: type: string JwtTemplateTargetingResponseDto: type: object properties: id: type: string description: Jwt template targeting ID createdAt: format: date-time type: string description: Created at updatedAt: format: date-time type: string description: Last updated at targeting: type: object description: Targeting rules required: - id - createdAt - updatedAt - targeting UpdateJwtTemplateTargetingRequestDto: type: object properties: rules: type: array items: $ref: '#/components/schemas/IdentityRuleDto' JwtTemplatePayloadDto: type: object properties: claims: type: object description: Claims mapping as key-value pairs 
required: - claims CreateJwtTemplateDto: type: object properties: key: type: string description: Unique key for the template name: type: string description: Name of the template description: type: string description: Description of the template expiration: type: number minimum: 10 maximum: 15552000 description: Token expiration time in seconds algorithm: enum: - RS256 - HS256 type: string description: JWT signing algorithm templateSchema: description: JWT template schema allOf: - $ref: '#/components/schemas/JwtTemplatePayloadDto' required: - key - name - expiration - algorithm - templateSchema JwtTemplatePayloadResponseDto: type: object properties: claims: type: object description: Claims mapping as key-value pairs required: - claims JwtTemplateResponseDto: type: object properties: id: type: string description: Template ID vendorId: type: string description: Vendor ID key: type: string description: Unique key for the template name: type: string description: Name of the template description: type: string nullable: true description: Description of the template expiration: type: number description: Token expiration time in seconds algorithm: enum: - RS256 - HS256 type: string description: JWT signing algorithm templateSchema: description: JWT template schema allOf: - $ref: '#/components/schemas/JwtTemplatePayloadResponseDto' createdAt: format: date-time type: string description: Creation timestamp updatedAt: format: date-time type: string description: Last update timestamp required: - id - vendorId - key - name - expiration - algorithm - templateSchema - createdAt - updatedAt UpdateJwtTemplateDto: type: object properties: key: type: string description: Unique key for the template name: type: string description: Name of the template description: type: string description: Description of the template expiration: type: number minimum: 10 maximum: 15552000 description: Token expiration time in seconds algorithm: enum: - RS256 - HS256 type: string description: JWT signing 
algorithm templateSchema: description: JWT template schema allOf: - $ref: '#/components/schemas/JwtTemplatePayloadDto' CreateOrUpdateIpRestrictionConfigDto: type: object properties: strategy: enum: - ALLOW - BLOCK type: string isActive: type: boolean GetIpRestrictionResponse: type: object properties: {} CreateOrUpdateIpRestrictionDto: type: object properties: ip: type: string description: IP or CIDR (v4 and v6 are supported) description: type: string strategy: type: string enum: - ALLOW - BLOCK isActive: type: boolean required: - ip - strategy DomainRestrictionsCreateRequest: type: object properties: domain: type: string pattern: domainRegex type: type: string enum: - ALLOW - BLOCK required: - domain - type DomainRestrictionsResponse: type: object properties: id: type: string domain: type: string type: enum: - ALLOW - BLOCK type: string required: - id - domain - type DomainRestrictionsConfigResponse: type: object properties: active: type: boolean listType: enum: - ALLOW - BLOCK type: string blockPublicDomains: type: boolean required: - active - listType - blockPublicDomains DomainRestrictionsConfigUpdateRequest: type: object properties: active: type: boolean blockPublicDomains: type: boolean type: type: string enum: - ALLOW - BLOCK required: - active DomainRestrictionsBulkRequestRequest: type: object properties: type: type: string enum: - ALLOW - BLOCK domains: type: array items: type: string pattern: domainRegexString required: - type - domains CreateSmsVendorConfigRequest: type: object properties: senderName: type: string description: The sender name will be used only when alphanumeric sender is supported in the recipient country. 
This is usually a phone number or the name of the sender, depending on what is configured on your Twilio account. accountId: type: string description: account ID token: type: string description: token serviceId: type: string description: service ID provider: type: string description: provider channel: type: string description: channel SmsVendorConfigResponse: type: object properties: {} SmsTemplateResponse: type: object properties: {} CreateSmsTemplateRequest: type: object properties: {} VendorConfigBasicResponse: type: object properties: forcePermissions: type: boolean machineToMachineAuthStrategy: type: string enum: - ClientCredentials - AccessToken required: - forcePermissions - machineToMachineAuthStrategy ActivateUserDto: type: object properties: userId: type: string token: type: string password: type: string recaptchaToken: type: string lastTermsCheck: type: string required: - userId - token UserMFAWebAuthnDeviceResponse: type: object properties: id: type: string deviceType: type: string enum: - Platform - CrossPlatform name: type: string required: - id - deviceType - name UserMFAPhoneDeviceResponse: type: object properties: id: type: string phoneNumber: type: string required: - id - phoneNumber UserMFAAuthenticatorAppResponse: type: object properties: id: type: string required: - id UserMFAEmailCodeResponse: type: object properties: email: type: string required: - email UserMFADevicesResponse: type: object properties: webauthn: type: array items: $ref: '#/components/schemas/UserMFAWebAuthnDeviceResponse' phones: type: array items: $ref: '#/components/schemas/UserMFAPhoneDeviceResponse' authenticators: type: array items: $ref: '#/components/schemas/UserMFAAuthenticatorAppResponse' emails: type: array items: $ref: '#/components/schemas/UserMFAEmailCodeResponse' required: - webauthn - phones - authenticators - emails AuthenticationResponseDto: type: object properties: tokenType: type: string default: bearer otcToken: type: string mfaRequired: type: boolean
mfaToken: type: string resetPasswordToken: type: string passwordExpiresIn: type: number notificationPeriod: type: number mfaEnrolled: type: boolean mfaDevices: $ref: '#/components/schemas/UserMFADevicesResponse' mfaStrategies: type: object qrCode: type: string recoveryCode: type: string accessToken: type: string refreshToken: type: string expiresIn: type: number expires: type: string userId: type: string userEmail: type: string emailVerified: type: boolean isBreachedPassword: type: boolean required: - mfaRequired - accessToken - refreshToken - expiresIn - expires ActivateUserWithCodeDto: type: object properties: userId: type: string token: type: string password: type: string recaptchaToken: type: string lastTermsCheck: type: string code: type: string required: - userId - token - code GetActivateStrategyResponseDto: type: object properties: shouldSetPassword: type: boolean required: - shouldSetPassword AuthenticateUserPasswordDto: type: object properties: email: type: string description: User email. Either email or username must be provided. username: type: string description: Username. Either email or username must be provided. 
password: type: string recaptchaToken: type: string invitationToken: type: string required: - password RefreshTokenDto: type: object properties: {} AuthApiTokenDto: type: object properties: clientId: type: string secret: type: string required: - clientId - secret ApiTokenAuthV2Response: type: object properties: access_token: type: string refresh_token: type: string expires_in: type: number expires: type: string required: - access_token - refresh_token - expires_in - expires RefreshApiTokenDto: type: object properties: refreshToken: type: string required: - refreshToken PasswordlessAuthenticationSmsOtcPreloginDto: type: object properties: recaptchaToken: type: string invitationToken: type: string email: type: string userId: type: string username: type: string phoneNumber: type: string required: - email - userId - username - phoneNumber PasswordlessAuthenticationSmsOTCPreloginResponseDto: type: object properties: phoneNumber: type: string resetPhoneNumberToken: type: string AuthenticateUserPasswordlessDto: type: object properties: token: type: string description: One time code to login with - get it from the email sent after prelogin request recaptchaToken: type: string invitationToken: type: string required: - token PasswordlessAuthenticationPreloginDto: type: object properties: recaptchaToken: type: string invitationToken: type: string email: type: string userId: type: string username: type: string required: - email - userId - username VerifyMFAAuthAppRequest: type: object properties: value: type: string mfaToken: type: string rememberDevice: type: boolean required: - value - mfaToken AuthRequestVerifyMfaRequest: type: object properties: mfaToken: type: string required: - mfaToken RequestVerifyMFAEmailResponse: type: object properties: {} VerifyMFAEmailOTCRequest: type: object properties: otcToken: type: string code: type: string mfaToken: type: string rememberDevice: type: boolean required: - otcToken - code - mfaToken AuthRequestEnrollMFARequest: type: object 
properties: mfaToken: type: string required: - mfaToken RequestEnrollAuthenticatorAppMfaResponse: type: object properties: qrCode: type: string description: QR code to be verified by authenticator app required: - qrCode VerifyEnrollMFAAuthAppRequest: type: object properties: token: type: string mfaToken: type: string rememberDevice: type: boolean required: - token - mfaToken RequestEnrollMFASMSRequest: type: object properties: phoneNumber: type: string pattern: phoneNumberRegexp required: - phoneNumber RequestEnrollMFASMSResponse: type: object properties: {} VerifyEnrollMFASMSRequest: type: object properties: otcToken: type: string code: type: string required: - otcToken - code RequestVerifyMFASMSResponse: type: object properties: {} VerifyMFASMSRequest: type: object properties: otcToken: type: string code: type: string mfaToken: type: string rememberDevice: type: boolean required: - otcToken - code - mfaToken WebAuthnCredentialCreationOptions: type: object properties: {} RequestEnrollMFAWebAuthnResponse: type: object properties: options: $ref: '#/components/schemas/WebAuthnCredentialCreationOptions' required: - options WebAuthNClientResponse: type: object properties: clientDataJSON: type: string attestationObject: type: string required: - clientDataJSON - attestationObject VerifyNewWebAuthnDeviceRequest: type: object properties: id: type: string response: $ref: '#/components/schemas/WebAuthNClientResponse' deviceType: type: string enum: - Platform - CrossPlatform required: - id - response VerifyEnrollMFAWebAuthnRequest: type: object properties: deviceType: type: string enum: - Platform - CrossPlatform webauthnToken: type: string options: $ref: '#/components/schemas/VerifyNewWebAuthnDeviceRequest' mfaToken: type: string rememberDevice: type: boolean required: - deviceType - webauthnToken - options - mfaToken RequestVerifyMFAWebAuthnResponse: type: object properties: {} WebAuthNResponse: type: object properties: clientDataJSON: type: string authenticatorData: type: 
string signature: type: string userHandle: type: string required: - clientDataJSON - authenticatorData - signature - userHandle AuthenticateUserWebAuthNDto: type: object properties: id: type: string response: $ref: '#/components/schemas/WebAuthNResponse' recaptchaToken: type: string invitationToken: type: string required: - id - response VerifyMFAWebAuthnRequest: type: object properties: webauthnToken: type: string options: $ref: '#/components/schemas/AuthenticateUserWebAuthNDto' mfaToken: type: string rememberDevice: type: boolean required: - webauthnToken - options - mfaToken CheckAllowRememberResponse: type: object properties: {} VerifyEnrollMFAUserAuthAppRequest: type: object properties: token: type: string required: - token VerifyEnrollMFAResponse: type: object properties: recoveryCode: type: string required: - recoveryCode AcceptInvitationDto: type: object properties: userId: type: string token: type: string required: - userId - token AcceptInvitationWithCodeDto: type: object properties: userId: type: string token: type: string code: type: string required: - userId - token - code SignUpUserEmailDto: type: object properties: provider: type: string enum: - local - saml - google - github - facebook - microsoft - scim2 - slack - apple metadata: type: string description: Stringified JSON object. Use the JSON.stringify() method. 
email: type: string username: type: string name: type: string profilePictureUrl: type: string maxLength: 4095 password: type: string skipInviteEmail: type: boolean roleIds: type: array items: type: string emailMetadata: type: object companyName: type: string recaptchaToken: type: string invitationToken: type: string phoneNumber: type: string required: - provider - email - companyName SignUpResponseDto: type: object properties: shouldActivate: type: boolean userId: type: string tenantId: type: string authResponse: $ref: '#/components/schemas/AuthenticationResponseDto' activationToken: type: string SignUpUserUsernameDto: type: object properties: provider: type: string enum: - local - saml - google - github - facebook - microsoft - scim2 - slack - apple metadata: type: string description: Stringified JSON object. Use the JSON.stringify() method. username: type: string maxLength: 255 pattern: /^[a-zA-Z0-9._-]+$/ name: type: string profilePictureUrl: type: string maxLength: 4095 password: type: string skipInviteEmail: type: boolean roleIds: type: array items: type: string emailMetadata: type: object companyName: type: string recaptchaToken: type: string invitationToken: type: string email: type: string phoneNumber: type: string required: - provider - username - companyName UserTenantDataDto: type: object properties: tenantId: type: string name: type: string required: - tenantId - name GetUserTenantsHierarchyResponseDto: type: object properties: {} MeAuthorizationResponseDto: type: object properties: roles: type: array items: $ref: '#/components/schemas/RoleResponse' permissions: type: array items: $ref: '#/components/schemas/PermissionResponse' required: - roles - permissions GetUserTenantsResponseDto: type: object properties: {} IdentityConditionDto: type: object properties: attribute: enum: - userId - applicationId - tenantId - roleIds - tokenType - userEmail type: string description: The attribute to evaluate op: enum: - in_list - contains - ends_with type: string 
description: The operation to apply value: type: object description: The value to compare against negate: type: boolean description: The negate flag required: - attribute - op - value - negate IdentityRuleDto: type: object properties: conditionLogic: type: string enum: - and description: The logic to combine conditions conditions: description: The conditions to evaluate type: array items: $ref: '#/components/schemas/IdentityConditionDto' treatment: type: string description: The treatment value (template key) if conditions match required: - conditionLogic - conditions - treatment security: - bearer: [] x-tagGroups: - name: Authentication tags: - API token - General - MFA - Passwordless - SMS - name: Management tags: - Account invitations settings - Core settings - Custom social OAuth provider - Data migration - Delegation - Email configuration - Email templates - M2M tokens - MFA configuration - Permissions categories - Permissions - Roles - SMS configuration - SMS templates - Sessions configuration - User pools - Users - name: Self-Service tags: - Account invitations - Account roles - API tokens - Domain restrictions - IP restrictions - Lockout policy - MFA settings - Password settings - Personal tokens - Sessions management - User groups - User management - User sessions - name: Applications tags: - Users-applications management