---
openapi: 3.0.1
servers:
- url: https://[tenant_id].logto.app/
description: Logto endpoint address.
info:
title: Logto API references
description: |-
API references for Logto services.
Note: The documentation is for Logto Cloud. If you are using Logto OSS, please refer to the response of `/api/swagger.json` endpoint on your Logto instance.
version: Cloud
paths:
"/api/applications":
get:
operationId: ListApplications
tags:
- Applications
parameters:
- name: types
in: query
required: false
schema:
oneOf:
- type: array
items:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
- type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
description: An array of application types to filter applications.
- name: excludeRoleId
in: query
required: false
schema:
type: string
- name: excludeOrganizationId
in: query
required: false
schema:
type: string
- name: isThirdParty
in: query
required: false
schema:
oneOf:
- type: string
format: '"true"'
- type: string
format: '"false"'
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: A list of applications.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- secret
- description
- type
- oidcClientMetadata
- customClientMetadata
- protectedAppMetadata
- customData
- isThirdParty
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
secret:
"$ref": "#/components/schemas/ApplicationLegacySecret"
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get applications
description: Get applications that match the given query with pagination.
post:
operationId: CreateApplication
tags:
- Applications
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
- type
properties:
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
protectedAppMetadata:
type: object
required:
- subDomain
- origin
properties:
subDomain:
type: string
description: The subdomain prefix, e.g., my-site.
origin:
type: string
description: The origin of target website, e.g., https://example.com.
description: The data for the protected app. This feature is not available in
the open-source version.
responses:
'200':
description: The application was created successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- secret
- description
- type
- oidcClientMetadata
- customClientMetadata
- protectedAppMetadata
- customData
- isThirdParty
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
secret:
"$ref": "#/components/schemas/ApplicationLegacySecret"
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Validation error. Please check the request body.
'500':
description: Internal Server Error
summary: Create an application
description: Create a new application with the given data.
"/api/applications/{id}":
get:
operationId: GetApplication
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
responses:
'200':
description: Details of the application.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- secret
- description
- type
- oidcClientMetadata
- customClientMetadata
- protectedAppMetadata
- customData
- isThirdParty
- createdAt
- isAdmin
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
secret:
"$ref": "#/components/schemas/ApplicationLegacySecret"
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
isAdmin:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application with the specified ID was not found.
summary: Get application
description: Get application details by ID.
patch:
operationId: UpdateApplication
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
customData:
type: object
description: arbitrary
protectedAppMetadata:
type: object
properties:
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
nullable: true
isAdmin:
type: boolean
description: Whether the application has admin access. Users can
enable admin access for Machine-to-Machine apps.
responses:
'200':
description: The application was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- secret
- description
- type
- oidcClientMetadata
- customClientMetadata
- protectedAppMetadata
- customData
- isThirdParty
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
secret:
"$ref": "#/components/schemas/ApplicationLegacySecret"
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application with the specified ID was not found.
'422':
description: Validation error. Please check the request body.
'500':
description: Internal server error.
summary: Update application
description: Update application details by ID with the given data.
delete:
operationId: DeleteApplication
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
responses:
'204':
description: The application was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application with the specified ID was not found.
'422':
description: Unprocessable Content
summary: Delete application
description: Delete application by ID.
"/api/applications/{applicationId}/custom-data":
patch:
operationId: UpdateApplicationCustomData
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
requestBody:
required: true
content:
application/json:
schema:
type: object
description: An arbitrary JSON object.
responses:
'200':
description: The updated custom data in JSON.
content:
application/json:
schema:
type: object
description: arbitrary
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Update application custom data
description: Update the custom data of an application.
"/api/applications/{applicationId}/roles":
get:
operationId: ListApplicationRoles
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: An array of API resource roles assigned to the application.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- type
- isDefault
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- User
- MachineToMachine
isDefault:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Get application API resource roles
description: Get API resource roles assigned to the specified application with
pagination.
post:
operationId: AssignApplicationRoles
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- roleIds
properties:
roleIds:
type: array
items:
type: string
minLength: 1
description: An array of API resource role IDs to assign.
responses:
'201':
description: The API resource roles have been assigned to the application
successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Assign API resource roles to application
description: Assign API resource roles to the specified application. The API
resource roles will be added to the existing API resource roles.
put:
operationId: ReplaceApplicationRoles
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- roleIds
properties:
roleIds:
type: array
items:
type: string
minLength: 1
description: An array of API resource role IDs to update for the
application.
responses:
'200':
description: The API resource roles have been updated for the application
successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Update API resource roles for application
description: Update API resource roles assigned to the specified application.
This will replace the existing API resource roles.
"/api/applications/{applicationId}/roles/{roleId}":
delete:
operationId: DeleteApplicationRole
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
- "$ref": "#/components/parameters/roleId"
responses:
'204':
description: The API resource role has been removed from the application
successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Remove an API resource role from application
description: Remove an API resource role from the specified application.
"/api/applications/{id}/protected-app-metadata/custom-domains":
get:
operationId: ListApplicationProtectedAppMetadataCustomDomains
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
responses:
'200':
description: An array of the application custom domains.
content:
application/json:
schema:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
'400':
description: Failed to sync the domain info from the remote provider.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'501':
description: Not Implemented
summary: Get application custom domains.
description: Get custom domains of the specified application. The application
type should be protected app.
post:
operationId: CreateApplicationProtectedAppMetadataCustomDomain
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- domain
properties:
domain:
type: string
description: The domain to be added to the application.
responses:
'201':
description: The domain has been added to the application.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'409':
description: The domain already exists.
'422':
description: Exceeded the maximum number of domains allowed, or the domain
is invalid.
'501':
description: Not Implemented
summary: Add a custom domain to the application.
description: Add a custom domain to the application. You'll need to set up the
DNS record afterwards.
"/api/applications/{id}/protected-app-metadata/custom-domains/{domain}":
delete:
operationId: DeleteApplicationProtectedAppMetadataCustomDomain
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
- name: domain
in: path
required: true
schema:
type: string
responses:
'204':
description: The domain has been removed.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Cannot find the domain.
'501':
description: Not Implemented
summary: Remove custom domain.
description: Remove custom domain from the specified application.
"/api/applications/{id}/organizations":
get:
operationId: ListApplicationOrganizations
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: An array of organizations that the application is associated
with.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- customData
- isMfaRequired
- color
- branding
- customCss
- createdAt
- organizationRoles
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
organizationRoles:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get application organizations
description: Get the list of organizations that an application is associated
with.
"/api/applications/{id}/legacy-secret":
delete:
operationId: DeleteApplicationLegacySecret
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
responses:
'200':
description: OK
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- secret
- description
- type
- oidcClientMetadata
- customClientMetadata
- protectedAppMetadata
- customData
- isThirdParty
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
secret:
type: string
minLength: 1
maxLength: 64
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
'204':
description: The legacy secret was deleted successfully.
'400':
description: The application does not have a legacy secret.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete application legacy secret
description: |-
Delete the legacy secret for the application and replace it with a new internal secret.
Note: This operation does not "really" delete the legacy secret because it is still needed for internal validation. We may remove the display of the legacy secret (the `secret` field in the application response) in the future.
"/api/applications/{id}/secrets":
get:
operationId: ListApplicationSecrets
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
responses:
'200':
description: A list of secrets.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- applicationId
- name
- value
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
applicationId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
value:
type: string
minLength: 1
maxLength: 64
createdAt:
type: number
expiresAt:
type: number
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get application secrets
description: Get all the secrets for the application.
post:
operationId: CreateApplicationSecret
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The secret name. Must be unique within the application.
expiresAt:
type: number
nullable: true
description: The epoch time in milliseconds when the secret will
expire. If not provided, the secret will never expire.
responses:
'201':
description: The secret was added successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- applicationId
- name
- value
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
applicationId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
value:
type: string
minLength: 1
maxLength: 64
createdAt:
type: number
expiresAt:
type: number
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The secret name is already in use.
summary: Add application secret
description: Add a new secret for the application.
"/api/applications/{id}/secrets/{name}":
delete:
operationId: DeleteApplicationSecret
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
- name: name
in: path
required: true
schema:
type: string
description: The name of the secret.
responses:
'204':
description: The secret was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete application secret
description: Delete a secret for the application by name.
patch:
operationId: UpdateApplicationSecret
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
- name: name
in: path
required: true
schema:
type: string
description: The name of the secret.
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The secret name to update. Must be unique within the
application.
responses:
'200':
description: OK
content:
application/json:
schema:
type: object
required:
- tenantId
- applicationId
- name
- value
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
applicationId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
value:
type: string
minLength: 1
maxLength: 64
createdAt:
type: number
expiresAt:
type: number
nullable: true
'204':
description: The secret was updated successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update application secret
description: Update a secret for the application by name.
"/api/applications/{applicationId}/user-consent-scopes":
post:
operationId: CreateApplicationUserConsentScope
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
organizationScopes:
type: array
items:
type: string
description: A list of organization scope ids to assign to the application. Throws an error if any given organization scope is not found.
resourceScopes:
type: array
items:
type: string
description: A list of resource scope ids to assign to the application. Throws an error if any given resource scope is not found.
organizationResourceScopes:
type: array
items:
type: string
description: A list of organization resource scope ids to assign to the application. Throws an error if any given organization resource scope is not found.
userScopes:
type: array
items:
type: string
enum:
- profile
- email
- phone
- address
- custom_data
- identities
- roles
- urn:logto:scope:organizations
- urn:logto:scope:organization_roles
- urn:logto:scope:sessions
description: A list of user scope enum values to assign to the application.
responses:
'201':
description: All the user consent scopes are assigned to the application
successfully
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application is not found
'422':
description: One of the given organization scopes, resource scopes or user scopes was not found.
summary: Assign user consent scopes to an application.
description: Assign the user consent scopes to an application by application id.
get:
operationId: ListApplicationUserConsentScopes
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
responses:
'200':
description: All the user consent scopes of the application are listed successfully
content:
application/json:
schema:
type: object
required:
- organizationScopes
- resourceScopes
- organizationResourceScopes
- userScopes
properties:
organizationScopes:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
description: A list of organization scope details assigned to
the application.
resourceScopes:
type: array
items:
type: object
required:
- resource
- scopes
properties:
resource:
type: object
required:
- id
- name
- indicator
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
scopes:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
description: A list of resource scope details grouped by resource
id assigned to the application.
organizationResourceScopes:
type: array
items:
type: object
required:
- resource
- scopes
properties:
resource:
type: object
required:
- id
- name
- indicator
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
scopes:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
description: A list of organization resource scope details grouped
by resource id assigned to the application.
userScopes:
type: array
items:
type: string
enum:
- profile
- email
- phone
- address
- custom_data
- identities
- roles
- urn:logto:scope:organizations
- urn:logto:scope:organization_roles
- urn:logto:scope:sessions
description: A list of user scope enum values assigned to the application.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application is not found
summary: List all the user consent scopes of an application.
description: List all the user consent scopes of an application by application
id
"/api/applications/{applicationId}/user-consent-scopes/{scopeType}/{scopeId}":
delete:
operationId: DeleteApplicationUserConsentScope
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
- name: scopeType
in: path
required: true
schema:
type: string
enum:
- organization-scopes
- resource-scopes
- organization-resource-scopes
- user-scopes
- "$ref": "#/components/parameters/scopeId"
responses:
'204':
description: The user consent scope is removed from the application successfully
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application or scope is not found
summary: Remove user consent scope from application.
description: Remove the user consent scope from an application by application
id, scope type and scope id
"/api/applications/{applicationId}/sign-in-experience":
put:
operationId: ReplaceApplicationSignInExperience
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- termsOfUseUrl
- privacyPolicyUrl
properties:
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
displayName:
type: string
maxLength: 256
nullable: true
termsOfUseUrl:
oneOf:
- type: string
format: url
maxLength: 2048
nullable: true
- type: string
format: empty
privacyPolicyUrl:
oneOf:
- type: string
format: url
maxLength: 2048
nullable: true
- type: string
format: empty
responses:
'200':
description: The application's sign-in experience was successfully updated.
content:
application/json:
schema:
type: object
required:
- tenantId
- applicationId
- color
- branding
- customCss
- termsOfUseUrl
- privacyPolicyUrl
- displayName
properties:
tenantId:
type: string
maxLength: 21
applicationId:
type: string
minLength: 1
maxLength: 21
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
termsOfUseUrl:
type: string
maxLength: 2048
nullable: true
privacyPolicyUrl:
type: string
maxLength: 2048
nullable: true
displayName:
type: string
maxLength: 256
nullable: true
'201':
description: New application level sign-in experience settings were successfully created.
content:
application/json:
schema:
type: object
required:
- tenantId
- applicationId
- color
- branding
- customCss
- termsOfUseUrl
- privacyPolicyUrl
- displayName
properties:
tenantId:
type: string
maxLength: 21
applicationId:
type: string
minLength: 1
maxLength: 21
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
termsOfUseUrl:
type: string
maxLength: 2048
nullable: true
privacyPolicyUrl:
type: string
maxLength: 2048
nullable: true
displayName:
type: string
maxLength: 256
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application does not exist.
'422':
description: Unprocessable Content
summary: Update application level sign-in experience
description: |-
Update application level sign-in experience for the specified application. Create a new sign-in experience if it does not exist.
- Only branding properties and terms links customization are supported for now.
- Only third-party applications can be customized for now.
- Application level sign-in experience customization is optional; if provided, it overrides the default branding and terms links.
get:
operationId: GetApplicationSignInExperience
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId"
responses:
'200':
description: Returns the application's application level sign-in experience.
content:
application/json:
schema:
type: object
required:
- tenantId
- applicationId
- color
- branding
- customCss
- termsOfUseUrl
- privacyPolicyUrl
- displayName
properties:
tenantId:
type: string
maxLength: 21
applicationId:
type: string
minLength: 1
maxLength: 21
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
termsOfUseUrl:
type: string
maxLength: 2048
nullable: true
privacyPolicyUrl:
type: string
maxLength: 2048
nullable: true
displayName:
type: string
maxLength: 256
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application does not exist or the application level sign-in
experience does not exist.
summary: Get the application level sign-in experience
description: |-
Get application level sign-in experience for a given application.
- Only branding properties and terms links customization are supported for now.
- Only third-party applications can have the sign-in experience customization for now.
"/api/applications/{id}/users/{userId}/consent-organizations":
get:
operationId: ListApplicationUserConsentOrganizations
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
- "$ref": "#/components/parameters/userId"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: List of organization entities granted by the user for the application.
content:
application/json:
schema:
type: object
required:
- organizations
properties:
organizations:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- customData
- isMfaRequired
- color
- branding
- customCss
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
description: A list of organization entities granted by the user
for the application.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: List all the user consented organizations of an application.
description: List all the user consented organizations for an application by application id and user id.
put:
operationId: ReplaceApplicationUserConsentOrganizations
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- organizationIds
properties:
organizationIds:
type: array
items:
type: string
minLength: 1
description: A list of organization ids to be granted. Access to any existing organization not in the list will be revoked. If the list is empty, access to all organizations will be revoked.
responses:
'204':
description: Access to all the requested organizations is granted to the user for the application.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application or user is not found.
'422':
description: The user is not a member of one of the organizations, or the
application is not a third-party application.
summary: Grant a user access to a list of organizations for an application.
description: Grant a user access to a list of organizations for an application by application id and user id. The user must be a member of all the organizations. Only third-party applications need to be granted access to organizations; all other applications can request access to all organizations by default.
post:
operationId: CreateApplicationUserConsentOrganization
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- organizationIds
properties:
organizationIds:
type: array
items:
type: string
minLength: 1
description: A list of organization ids to be granted.
responses:
'201':
description: Access to all the requested organizations is granted to the user for the application.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application or user is not found.
'422':
description: The user is not a member of one of the organizations, or the
application is not a third-party application.
summary: Grant a user access to a list of organizations for an application.
description: Grant a user access to a list of organizations for an application by application id and user id. The user must be a member of all the organizations. Only third-party applications need to be granted access to organizations; all other applications can request access to all organizations by default.
"/api/applications/{id}/users/{userId}/consent-organizations/{organizationId}":
delete:
operationId: DeleteApplicationUserConsentOrganization
tags:
- Applications
parameters:
- "$ref": "#/components/parameters/applicationId-root"
- "$ref": "#/components/parameters/userId"
- "$ref": "#/components/parameters/organizationId"
responses:
'204':
description: The user's access to the organization is revoked for the application.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The application, user or organization is not found.
'422':
description: Unprocessable Content
summary: Revoke a user's access to an organization for an application.
description: Revoke a user's access to an organization for an application by application id, user id and organization id.
"/api/configs/admin-console":
get:
operationId: GetAdminConsoleConfig
tags:
- Configs
parameters: []
responses:
'200':
description: The configuration object.
content:
application/json:
schema:
type: object
required:
- signInExperienceCustomized
- organizationCreated
properties:
signInExperienceCustomized:
type: boolean
organizationCreated:
type: boolean
developmentTenantMigrationNotification:
type: object
required:
- isPaidTenant
- tag
properties:
isPaidTenant:
type: boolean
tag:
type: string
readAt:
type: number
checkedChargeNotification:
type: object
properties:
token:
type: boolean
apiResource:
type: boolean
machineToMachineApp:
type: boolean
tenantMember:
type: boolean
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Configuration not found.
summary: Get admin console config
description: Get the global configuration object for Logto Console.
patch:
operationId: UpdateAdminConsoleConfig
tags:
- Configs
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
signInExperienceCustomized:
type: boolean
organizationCreated:
type: boolean
developmentTenantMigrationNotification:
type: object
required:
- isPaidTenant
- tag
properties:
isPaidTenant:
type: boolean
tag:
type: string
readAt:
type: number
checkedChargeNotification:
type: object
properties:
token:
type: boolean
apiResource:
type: boolean
machineToMachineApp:
type: boolean
tenantMember:
type: boolean
responses:
'200':
description: The updated configuration object.
content:
application/json:
schema:
type: object
required:
- signInExperienceCustomized
- organizationCreated
properties:
signInExperienceCustomized:
type: boolean
organizationCreated:
type: boolean
developmentTenantMigrationNotification:
type: object
required:
- isPaidTenant
- tag
properties:
isPaidTenant:
type: boolean
tag:
type: string
readAt:
type: number
checkedChargeNotification:
type: object
properties:
token:
type: boolean
apiResource:
type: boolean
machineToMachineApp:
type: boolean
tenantMember:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Configuration not found.
summary: Update admin console config
description: Update the global configuration object for Logto Console. This
method performs a partial update.
"/api/configs/oidc/session":
get:
operationId: GetOidcSessionConfig
tags:
- Configs
parameters: []
responses:
'200':
description: The OIDC session configuration. Returns an empty object if the configuration does not exist.
content:
application/json:
schema:
type: object
required:
- ttl
properties:
ttl:
type: number
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get OIDC session config
description: Get the OIDC session configuration for the tenant.
patch:
operationId: UpdateOidcSessionConfig
tags:
- Configs
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
ttl:
type: number
responses:
'200':
description: The updated OIDC session configuration.
content:
application/json:
schema:
type: object
required:
- ttl
properties:
ttl:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Update OIDC session config
description: Update the OIDC session configuration for the tenant. This method
performs a partial update. If the configuration does not exist, it will be
created.
"/api/configs/oidc/{keyType}":
get:
operationId: GetOidcKeys
tags:
- Configs
parameters:
- name: keyType
in: path
required: true
schema:
type: string
enum:
- private-keys
- cookie-keys
description: Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. Clients do not need the private keys to verify OIDC JWTs; they can use the public keys from the JWKS endpoint instead.
responses:
'200':
description: An array of OIDC signing keys for the given key type.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- createdAt
properties:
id:
type: string
createdAt:
type: number
signingKeyAlgorithm:
type: string
enum:
- RSA
- EC
status:
type: string
enum:
- Next
- Current
- Previous
effectiveAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get OIDC keys
description: Get OIDC signing keys by key type. The actual key material is redacted from the result.
"/api/configs/oidc/{keyType}/{keyId}":
delete:
operationId: DeleteOidcKey
tags:
- Configs
parameters:
- name: keyType
in: path
required: true
schema:
type: string
enum:
- private-keys
- cookie-keys
description: Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. Clients do not need the private keys to verify OIDC JWTs; they can use the public keys from the JWKS endpoint instead.
- "$ref": "#/components/parameters/keyId"
responses:
'204':
description: The key was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The key was not found.
'422':
description: At least one key must be kept.
summary: Delete OIDC key
description: Delete an OIDC signing key by key type and key ID.
"/api/configs/oidc/{keyType}/rotate":
post:
operationId: RotateOidcKeys
tags:
- Configs
parameters:
- name: keyType
in: path
required: true
schema:
type: string
enum:
- private-keys
- cookie-keys
description: Private keys are used to sign OIDC JWTs. Cookie keys are used to sign OIDC cookies. Clients do not need the private keys to verify OIDC JWTs; they can use the public keys from the JWKS endpoint instead.
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
signingKeyAlgorithm:
type: string
enum:
- RSA
- EC
description: |-
The signing key algorithm used by the newly generated private key.
Only applicable when `keyType` is `private-keys`.
rotationGracePeriod:
type: number
responses:
'200':
description: An array of OIDC signing keys after rotation.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- createdAt
properties:
id:
type: string
createdAt:
type: number
signingKeyAlgorithm:
type: string
enum:
- RSA
- EC
status:
type: string
enum:
- Next
- Current
- Previous
effectiveAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Rotate OIDC keys
description: |-
A new key will be generated and prepended to the list of keys.
Only the two most recent keys will be kept. The oldest key will be automatically removed if there are more than two keys.
"/api/configs/jwt-customizer/{tokenTypePath}":
put:
operationId: UpsertJwtCustomizer
tags:
- Configs
parameters:
- name: tokenTypePath
in: path
required: true
schema:
type: string
enum:
- access-token
- client-credentials
description: The token type to create a JWT customizer for.
requestBody:
required: true
content:
application/json:
schema:
example: {}
properties:
script:
description: The script of the JWT customizer.
environmentVariables:
description: The environment variables for the JWT customizer.
contextSample:
description: A sample context used for testing the JWT customizer script.
tokenSample:
description: A sample raw token payload used for testing the JWT customizer script.
blockIssuanceOnError:
description: Whether to block token issuance when the JWT customizer
script fails.
responses:
'200':
description: The updated JWT customizer.
content:
application/json:
schema:
oneOf:
- type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
required:
- user
properties:
user:
type: object
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- issuer
- identityId
- detail
properties:
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
mfaVerificationFactors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
roles:
type: array
items:
type: object
required:
- id
- name
- description
- scopes
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
scopes:
type: array
items:
type: object
required:
- id
- name
- description
- resourceId
- resource
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
resourceId:
type: string
minLength: 1
maxLength: 21
resource:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
organizations:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
organizationRoles:
type: array
items:
type: object
required:
- organizationId
- roleId
- roleName
properties:
organizationId:
type: string
roleId:
type: string
roleName:
type: string
grant:
type: object
properties:
type:
type: string
format: '"urn:ietf:params:oauth:grant-type:token-exchange"'
subjectTokenContext:
type: object
description: arbitrary
interaction:
type: object
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
accountId:
type: string
expiresWithSession:
type: boolean
grantId:
type: string
gty:
type: string
sessionUid:
type: string
sid:
type: string
kind:
type: string
format: '"AccessToken"'
- type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
properties:
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
kind:
type: string
format: '"ClientCredentials"'
'201':
description: The created JWT customizer.
content:
application/json:
schema:
oneOf:
- type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
required:
- user
properties:
user:
type: object
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- issuer
- identityId
- detail
properties:
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
mfaVerificationFactors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
roles:
type: array
items:
type: object
required:
- id
- name
- description
- scopes
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
scopes:
type: array
items:
type: object
required:
- id
- name
- description
- resourceId
- resource
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
resourceId:
type: string
minLength: 1
maxLength: 21
resource:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
organizations:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
organizationRoles:
type: array
items:
type: object
required:
- organizationId
- roleId
- roleName
properties:
organizationId:
type: string
roleId:
type: string
roleName:
type: string
grant:
type: object
properties:
type:
type: string
format: '"urn:ietf:params:oauth:grant-type:token-exchange"'
subjectTokenContext:
type: object
description: arbitrary
interaction:
type: object
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
accountId:
type: string
expiresWithSession:
type: boolean
grantId:
type: string
gty:
type: string
sessionUid:
type: string
sid:
type: string
kind:
type: string
format: '"AccessToken"'
- type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
properties:
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
kind:
type: string
format: '"ClientCredentials"'
'400':
description: The request body is invalid.
'401':
description: Unauthorized
'403':
description: Permission denied.
summary: Create or update JWT customizer
description: Create or update a JWT customizer for the given token type.
patch:
operationId: UpdateJwtCustomizer
tags:
- Configs
parameters:
- name: tokenTypePath
in: path
required: true
schema:
type: string
enum:
- access-token
- client-credentials
description: The token type to update a JWT customizer for.
requestBody:
required: true
content:
application/json:
schema:
example: {}
properties:
script:
description: The script of the JWT customizer.
environmentVariables:
description: The environment variables for the JWT customizer.
contextSample:
description: The sample context for testing the JWT customizer script.
tokenSample:
description: The sample raw token payload for testing the JWT customizer script.
blockIssuanceOnError:
description: Whether to block token issuance when the JWT customizer script fails.
responses:
'200':
description: The updated JWT customizer.
content:
application/json:
schema:
oneOf:
- type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
required:
- user
properties:
user:
type: object
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- issuer
- identityId
- detail
properties:
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
mfaVerificationFactors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
roles:
type: array
items:
type: object
required:
- id
- name
- description
- scopes
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
scopes:
type: array
items:
type: object
required:
- id
- name
- description
- resourceId
- resource
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
resourceId:
type: string
minLength: 1
maxLength: 21
resource:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
organizations:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
organizationRoles:
type: array
items:
type: object
required:
- organizationId
- roleId
- roleName
properties:
organizationId:
type: string
roleId:
type: string
roleName:
type: string
grant:
type: object
properties:
type:
type: string
format: '"urn:ietf:params:oauth:grant-type:token-exchange"'
subjectTokenContext:
type: object
description: arbitrary
interaction:
type: object
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
accountId:
type: string
expiresWithSession:
type: boolean
grantId:
type: string
gty:
type: string
sessionUid:
type: string
sid:
type: string
kind:
type: string
format: '"AccessToken"'
- type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
properties:
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
kind:
type: string
format: '"ClientCredentials"'
'400':
description: The request body is invalid.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update JWT customizer
description: Update the JWT customizer for the given token type.
get:
operationId: GetJwtCustomizer
tags:
- Configs
parameters:
- name: tokenTypePath
in: path
required: true
schema:
type: string
enum:
- access-token
- client-credentials
description: The token type to get the JWT customizer for.
responses:
'200':
description: The JWT customizer.
content:
application/json:
schema:
oneOf:
- type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
required:
- user
properties:
user:
type: object
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- issuer
- identityId
- detail
properties:
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
mfaVerificationFactors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
roles:
type: array
items:
type: object
required:
- id
- name
- description
- scopes
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
scopes:
type: array
items:
type: object
required:
- id
- name
- description
- resourceId
- resource
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
resourceId:
type: string
minLength: 1
maxLength: 21
resource:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
organizations:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
organizationRoles:
type: array
items:
type: object
required:
- organizationId
- roleId
- roleName
properties:
organizationId:
type: string
roleId:
type: string
roleName:
type: string
grant:
type: object
properties:
type:
type: string
format: '"urn:ietf:params:oauth:grant-type:token-exchange"'
subjectTokenContext:
type: object
description: arbitrary
interaction:
type: object
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
accountId:
type: string
expiresWithSession:
type: boolean
grantId:
type: string
gty:
type: string
sessionUid:
type: string
sid:
type: string
kind:
type: string
format: '"AccessToken"'
- type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
properties:
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
kind:
type: string
format: '"ClientCredentials"'
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The JWT customizer does not exist.
summary: Get JWT customizer
description: Get the JWT customizer for the given token type.
delete:
operationId: DeleteJwtCustomizer
tags:
- Configs
parameters:
- name: tokenTypePath
in: path
required: true
schema:
type: string
enum:
- access-token
- client-credentials
description: The token type path to delete the JWT customizer for.
responses:
'204':
description: The JWT customizer was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The JWT customizer does not exist.
summary: Delete JWT customizer
description: Delete the JWT customizer for the given token type.
"/api/configs/jwt-customizer":
get:
operationId: ListJwtCustomizers
tags:
- Configs
parameters: []
responses:
'200':
description: The JWT customizers.
content:
application/json:
schema:
type: array
items:
oneOf:
- type: object
required:
- key
- value
properties:
key:
type: string
format: '"jwt.accessToken"'
value:
type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
required:
- user
properties:
user:
type: object
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- issuer
- identityId
- detail
properties:
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
mfaVerificationFactors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
roles:
type: array
items:
type: object
required:
- id
- name
- description
- scopes
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
scopes:
type: array
items:
type: object
required:
- id
- name
- description
- resourceId
- resource
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
resourceId:
type: string
minLength: 1
maxLength: 21
resource:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
organizations:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
organizationRoles:
type: array
items:
type: object
required:
- organizationId
- roleId
- roleName
properties:
organizationId:
type: string
roleId:
type: string
roleName:
type: string
grant:
type: object
properties:
type:
type: string
format: '"urn:ietf:params:oauth:grant-type:token-exchange"'
subjectTokenContext:
type: object
description: arbitrary
interaction:
type: object
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
accountId:
type: string
expiresWithSession:
type: boolean
grantId:
type: string
gty:
type: string
sessionUid:
type: string
sid:
type: string
kind:
type: string
format: '"AccessToken"'
- type: object
required:
- key
- value
properties:
key:
type: string
format: '"jwt.clientCredentials"'
value:
type: object
required:
- script
properties:
script:
type: string
environmentVariables:
type: object
additionalProperties:
type: string
contextSample:
type: object
properties:
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
blockIssuanceOnError:
type: boolean
tokenSample:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
kind:
type: string
format: '"ClientCredentials"'
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get all JWT customizers
description: Get all JWT customizers for the tenant.
"/api/configs/jwt-customizer/test":
post:
operationId: TestJwtCustomizer
tags:
- Configs
parameters: []
requestBody:
required: true
content:
application/json:
schema:
oneOf:
- type: object
required:
- tokenType
- script
- token
- context
properties:
tokenType:
type: string
format: '"access-token"'
environmentVariables:
type: object
additionalProperties:
type: string
script:
type: string
token:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
accountId:
type: string
expiresWithSession:
type: boolean
grantId:
type: string
gty:
type: string
sessionUid:
type: string
sid:
type: string
kind:
type: string
format: '"AccessToken"'
context:
type: object
required:
- user
properties:
user:
type: object
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- issuer
- identityId
- detail
properties:
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
mfaVerificationFactors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
roles:
type: array
items:
type: object
required:
- id
- name
- description
- scopes
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
scopes:
type: array
items:
type: object
required:
- id
- name
- description
- resourceId
- resource
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
resourceId:
type: string
minLength: 1
maxLength: 21
resource:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
organizations:
type: array
items:
type: object
required:
- id
- name
- description
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
organizationRoles:
type: array
items:
type: object
required:
- organizationId
- roleId
- roleName
properties:
organizationId:
type: string
roleId:
type: string
roleName:
type: string
grant:
type: object
properties:
type:
type: string
format: '"urn:ietf:params:oauth:grant-type:token-exchange"'
subjectTokenContext:
type: object
description: arbitrary
interaction:
type: object
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
- type: object
required:
- tokenType
- script
- token
- context
properties:
tokenType:
type: string
format: '"client-credentials"'
environmentVariables:
type: object
additionalProperties:
type: string
script:
type: string
token:
type: object
properties:
jti:
type: string
aud:
oneOf:
- type: string
- type: array
items:
type: string
scope:
type: string
clientId:
type: string
kind:
type: string
format: '"ClientCredentials"'
context:
type: object
properties:
application:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
properties:
tokenType:
description: The token type to test the JWT customizer for.
payload:
properties:
script:
description: The code snippet of the JWT customizer.
environmentVariables:
description: The environment variables for the JWT customizer.
contextSample:
description: The sample context used to test the JWT customizer script.
tokenSample:
description: The sample token payload used to test the JWT customizer script.
responses:
'200':
description: The result of the JWT customizer script testing.
content:
application/json:
schema:
type: object
description: arbitrary
'400':
description: Zod errors in cloud service (data type does not match expectation,
can be either request body or response body).
'401':
description: Unauthorized
'403':
description: Cloud connection does not have enough permission to perform
the action.
'422':
description: Syntax errors in cloud service.
summary: Test JWT customizer
description: Test the JWT customizer script with the given sample context and
sample token payload.
"/api/configs/id-token":
get:
operationId: GetIdTokenConfig
tags:
- Configs
parameters: []
responses:
'200':
description: The ID token claims configuration.
content:
application/json:
schema:
type: object
properties:
enabledExtendedClaims:
type: array
items:
type: string
enum:
- custom_data
- identities
- sso_identities
- roles
- organizations
- organization_data
- organization_roles
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Configuration not found.
summary: Get ID token claims configuration
description: Get the ID token extended claims configuration for the tenant.
This configuration controls which extended claims (e.g., `custom_data`, `identities`,
`roles`, `organizations`, `organization_roles`) are included in ID tokens.
put:
operationId: UpsertIdTokenConfig
tags:
- Configs
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
enabledExtendedClaims:
type: array
items:
type: string
enum:
- custom_data
- identities
- sso_identities
- roles
- organizations
- organization_data
- organization_roles
description: 'An array of extended claims to include in ID tokens.
Possible values: `custom_data`, `identities`, `sso_identities`,
`roles`, `organizations`, `organization_data`, `organization_roles`.'
responses:
'200':
description: The updated ID token claims configuration.
content:
application/json:
schema:
type: object
properties:
enabledExtendedClaims:
type: array
items:
type: string
enum:
- custom_data
- identities
- sso_identities
- roles
- organizations
- organization_data
- organization_roles
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: The tenant's subscription plan does not support this feature.
summary: Upsert ID token claims configuration
description: Create or update the ID token extended claims configuration for
the tenant. This controls which extended claims are included in ID tokens
when the corresponding scopes are requested.
"/api/connectors":
post:
operationId: CreateConnector
tags:
- Connectors
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- connectorId
properties:
config:
type: object
description: The connector config object that will be passed to
the connector. The config object should be compatible with the
connector factory.
connectorId:
type: string
minLength: 1
maxLength: 128
description: The connector factory ID for creating the connector.
metadata:
type: object
properties:
target:
type: string
name:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
description: Custom connector metadata, will be used to overwrite
the default connector factory metadata.
syncProfile:
type: boolean
description: Whether to sync user profile from the identity provider
to Logto at each sign-in. If `false`, the user profile will only
be synced when the user is created.
enableTokenStorage:
type: boolean
id:
type: string
minLength: 1
maxLength: 128
description: The unique ID for the connector. If not provided, a
random ID will be generated.
responses:
'200':
description: The created connector.
content:
application/json:
schema:
type: object
required:
- id
- syncProfile
- enableTokenStorage
- config
- metadata
- connectorId
- target
- name
- description
- logo
- logoDark
- readme
- platform
- type
properties:
id:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
config:
type: object
description: arbitrary
metadata:
type: object
properties:
target:
type: string
name:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
connectorId:
type: string
minLength: 1
maxLength: 128
target:
type: string
name:
type: object
description: Validator function
description:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
readme:
type: string
configTemplate:
type: string
formItems:
type: array
items:
oneOf:
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"Select"'
selectItems:
type: array
items:
type: object
required:
- value
- title
properties:
value:
type: string
title:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"MultiSelect"'
selectItems:
type: array
items:
type: object
required:
- value
properties:
value:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- key
- label
properties:
type:
type: string
enum:
- Text
- Number
- MultilineText
- Switch
- Json
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
customData:
type: object
additionalProperties:
example: {}
fromEmail:
type: string
platform:
type: string
enum:
- Native
- Universal
- Web
nullable: true
isStandard:
type: boolean
isTokenStorageSupported:
type: boolean
type:
type: string
enum:
- Email
- Sms
- Social
isDemo:
type: boolean
extraInfo:
type: object
additionalProperties:
example: {}
usage:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: The tenant has reached the maximum number of connectors.
'422':
description: Invalid request body.
summary: Create connector
description: Create a connector with the given data.
get:
operationId: ListConnectors
tags:
- Connectors
parameters:
- name: target
in: query
required: false
schema:
type: string
description: Filter connectors by target.
responses:
'200':
description: An array of connectors.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- syncProfile
- enableTokenStorage
- config
- metadata
- connectorId
- target
- name
- description
- logo
- logoDark
- readme
- platform
- type
properties:
id:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
config:
type: object
description: arbitrary
metadata:
type: object
properties:
target:
type: string
name:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
connectorId:
type: string
minLength: 1
maxLength: 128
target:
type: string
name:
type: object
description: Validator function
description:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
readme:
type: string
configTemplate:
type: string
formItems:
type: array
items:
oneOf:
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"Select"'
selectItems:
type: array
items:
type: object
required:
- value
- title
properties:
value:
type: string
title:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"MultiSelect"'
selectItems:
type: array
items:
type: object
required:
- value
properties:
value:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- key
- label
properties:
type:
type: string
enum:
- Text
- Number
- MultilineText
- Switch
- Json
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
customData:
type: object
additionalProperties:
example: {}
fromEmail:
type: string
platform:
type: string
enum:
- Native
- Universal
- Web
nullable: true
isStandard:
type: boolean
isTokenStorageSupported:
type: boolean
type:
type: string
enum:
- Email
- Sms
- Social
isDemo:
type: boolean
extraInfo:
type: object
additionalProperties:
example: {}
usage:
type: number
'400':
description: The target only allows one connector to exist, but there are
multiple connectors with this target.
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get connectors
description: Get all connectors in the current tenant.
"/api/connectors/{id}":
get:
operationId: GetConnector
tags:
- Connectors
parameters:
- "$ref": "#/components/parameters/connectorId-root"
responses:
'200':
description: The connector data.
content:
application/json:
schema:
type: object
required:
- id
- syncProfile
- enableTokenStorage
- config
- metadata
- connectorId
- target
- name
- description
- logo
- logoDark
- readme
- platform
- type
properties:
id:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
config:
type: object
description: arbitrary
metadata:
type: object
properties:
target:
type: string
name:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
connectorId:
type: string
minLength: 1
maxLength: 128
target:
type: string
name:
type: object
description: Validator function
description:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
readme:
type: string
configTemplate:
type: string
formItems:
type: array
items:
oneOf:
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"Select"'
selectItems:
type: array
items:
type: object
required:
- value
- title
properties:
value:
type: string
title:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"MultiSelect"'
selectItems:
type: array
items:
type: object
required:
- value
properties:
value:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- key
- label
properties:
type:
type: string
enum:
- Text
- Number
- MultilineText
- Switch
- Json
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
customData:
type: object
additionalProperties:
example: {}
fromEmail:
type: string
platform:
type: string
enum:
- Native
- Universal
- Web
nullable: true
isStandard:
type: boolean
isTokenStorageSupported:
type: boolean
type:
type: string
enum:
- Email
- Sms
- Social
isDemo:
type: boolean
extraInfo:
type: object
additionalProperties:
example: {}
usage:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Connector not found.
summary: Get connector
description: Get connector data by ID.
patch:
operationId: UpdateConnector
tags:
- Connectors
parameters:
- "$ref": "#/components/parameters/connectorId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
config:
type: object
description: The connector config object that will be passed to
the connector. The config object should be compatible with the
connector factory.
metadata:
type: object
properties:
target:
type: string
name:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
description: Custom connector metadata, will be used to overwrite
the default connector metadata.
syncProfile:
type: boolean
description: Whether to sync user profile from the identity provider
to Logto at each sign-in. If `false`, the user profile will only
be synced when the user is created.
enableTokenStorage:
type: boolean
responses:
'200':
description: The updated connector.
content:
application/json:
schema:
type: object
required:
- id
- syncProfile
- enableTokenStorage
- config
- metadata
- connectorId
- target
- name
- description
- logo
- logoDark
- readme
- platform
- type
properties:
id:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
config:
type: object
description: arbitrary
metadata:
type: object
properties:
target:
type: string
name:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
connectorId:
type: string
minLength: 1
maxLength: 128
target:
type: string
name:
type: object
description: Validator function
description:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
readme:
type: string
configTemplate:
type: string
formItems:
type: array
items:
oneOf:
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"Select"'
selectItems:
type: array
items:
type: object
required:
- value
- title
properties:
value:
type: string
title:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"MultiSelect"'
selectItems:
type: array
items:
type: object
required:
- value
properties:
value:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- key
- label
properties:
type:
type: string
enum:
- Text
- Number
- MultilineText
- Switch
- Json
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
customData:
type: object
additionalProperties:
example: {}
fromEmail:
type: string
platform:
type: string
enum:
- Native
- Universal
- Web
nullable: true
isStandard:
type: boolean
isTokenStorageSupported:
type: boolean
type:
type: string
enum:
- Email
- Sms
- Social
isDemo:
type: boolean
extraInfo:
type: object
additionalProperties:
example: {}
usage:
type: number
'400':
description: Invalid request body.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Connector not found.
'422':
description: Patch operation triggered a connector conflict.
summary: Update connector
description: Update connector by ID with the given data. This method performs
a partial update.
delete:
operationId: DeleteConnector
tags:
- Connectors
parameters:
- "$ref": "#/components/parameters/connectorId-root"
responses:
'204':
description: The connector has been successfully deleted.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Connector not found.
summary: Delete connector
description: Delete connector by ID.
"/api/connectors/{factoryId}/test":
post:
operationId: CreateConnectorTest
tags:
- Connectors
parameters:
- "$ref": "#/components/parameters/factoryId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- config
properties:
phone:
type: string
format: regex
pattern: "/^\\d+$/"
description: Phone number to send test message to. If this is set,
email will be ignored.
email:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
description: Email address to send test message to. If phone is
set, this will be ignored.
config:
type: object
description: Connector configuration object for testing.
locale:
type: string
description: Preferred language for the message. If not set, the
default language will be used. (Applicable only when custom i18n
templates are configured.)
responses:
'204':
description: Test message was sent successfully.
'400':
description: Invalid request body (e.g. wrong phone number, email or config).
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Connector not found.
summary: Test passwordless connector
description: Test a passwordless (email or SMS) connector by sending a test
message to the given phone number or email address.
"/api/connectors/{connectorId}/authorization-uri":
post:
operationId: CreateConnectorAuthorizationUri
tags:
- Connectors
parameters:
- "$ref": "#/components/parameters/connectorId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- state
- redirectUri
properties:
state:
type: string
description: A random string generated on the client side to prevent
CSRF (Cross-Site Request Forgery) attacks.
redirectUri:
type: string
description: The URI to navigate back to after the user is authenticated
by the connected social identity provider and has granted access
to the connector.
responses:
'200':
description: Successfully built authorization URI.
content:
application/json:
schema:
type: object
required:
- redirectTo
properties:
redirectTo:
type: string
format: url
redirectUri:
description: The URI to navigate for authentication and authorization
in the connected social identity provider.
'400':
description: Unable to build authorization URI.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The connector with the specified ID does not exist.
summary: Get connector's authorization URI
description: Get the authorization URI for the specified connector by providing
a redirect URI and a randomly generated state.
"/api/connector-factories":
get:
operationId: ListConnectorFactories
tags:
- Connector factories
parameters: []
responses:
'200':
description: An array of connector factories.
content:
application/json:
schema:
type: array
items:
type: object
required:
- type
- id
- target
- name
- description
- logo
- logoDark
- readme
- platform
properties:
type:
type: string
enum:
- Email
- Sms
- Social
isDemo:
type: boolean
id:
type: string
target:
type: string
name:
type: object
description: Validator function
description:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
readme:
type: string
configTemplate:
type: string
formItems:
type: array
items:
oneOf:
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"Select"'
selectItems:
type: array
items:
type: object
required:
- value
- title
properties:
value:
type: string
title:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"MultiSelect"'
selectItems:
type: array
items:
type: object
required:
- value
properties:
value:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- key
- label
properties:
type:
type: string
enum:
- Text
- Number
- MultilineText
- Switch
- Json
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
customData:
type: object
additionalProperties:
example: {}
fromEmail:
type: string
platform:
type: string
enum:
- Native
- Universal
- Web
nullable: true
isStandard:
type: boolean
isTokenStorageSupported:
type: boolean
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get connector factories
description: Get all connector factory data available in Logto.
"/api/connector-factories/{id}":
get:
operationId: GetConnectorFactory
tags:
- Connector factories
parameters:
- "$ref": "#/components/parameters/connectorFactoryId-root"
responses:
'200':
description: Connector factory data.
content:
application/json:
schema:
type: object
required:
- type
- id
- target
- name
- description
- logo
- logoDark
- readme
- platform
properties:
type:
type: string
enum:
- Email
- Sms
- Social
isDemo:
type: boolean
id:
type: string
target:
type: string
name:
type: object
description: Validator function
description:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
readme:
type: string
configTemplate:
type: string
formItems:
type: array
items:
oneOf:
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"Select"'
selectItems:
type: array
items:
type: object
required:
- value
- title
properties:
value:
type: string
title:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- selectItems
- key
- label
properties:
type:
type: string
format: '"MultiSelect"'
selectItems:
type: array
items:
type: object
required:
- value
properties:
value:
type: string
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
- type: object
required:
- type
- key
- label
properties:
type:
type: string
enum:
- Text
- Number
- MultilineText
- Switch
- Json
key:
type: string
label:
type: string
placeholder:
type: string
required:
type: boolean
defaultValue:
example: {}
showConditions:
type: array
items:
type: object
required:
- targetKey
properties:
targetKey:
type: string
expectValue:
example: {}
description:
type: string
tooltip:
type: string
isConfidential:
type: boolean
isDevFeature:
type: boolean
customData:
type: object
additionalProperties:
example: {}
fromEmail:
type: string
platform:
type: string
enum:
- Native
- Universal
- Web
nullable: true
isStandard:
type: boolean
isTokenStorageSupported:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Connector factory not found.
summary: Get connector factory
description: Get connector factory by the given ID.
"/api/resources":
get:
operationId: ListResources
tags:
- Resources
parameters:
- name: includeScopes
in: query
required: false
schema:
type: string
description: If it's provided with a truthy value (`true`, `1`, `yes`), the
scopes of each resource will be included in the response.
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: An array of resources.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
scopes:
type: array
items:
type: object
required:
- tenantId
- id
- resourceId
- name
- description
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
resourceId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get API resources
description: Get API resources in the current tenant with pagination.
post:
operationId: CreateResource
tags:
- Resources
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
- indicator
properties:
tenantId:
type: string
maxLength: 21
name:
type: string
minLength: 1
description: The name of the resource.
indicator:
type: string
minLength: 1
description: The unique resource indicator. Should be a valid URI.
accessTokenTtl:
type: number
description: The access token TTL in seconds. It affects the `exp`
claim of the access token granted for this resource.
default: 3600
responses:
'201':
description: The created resource.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
scopes:
type: array
items:
type: object
required:
- tenantId
- id
- resourceId
- name
- description
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
resourceId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Create an API resource
description: Create an API resource in the current tenant.
"/api/resources/{id}":
get:
operationId: GetResource
tags:
- Resources
parameters:
- "$ref": "#/components/parameters/resourceId-root"
responses:
'200':
description: The requested resource.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get API resource
description: Get API resource details by ID.
patch:
operationId: UpdateResource
tags:
- Resources
parameters:
- "$ref": "#/components/parameters/resourceId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
tenantId:
type: string
maxLength: 21
name:
type: string
minLength: 1
description: The updated name of the resource.
accessTokenTtl:
type: number
description: The updated access token TTL in seconds.
responses:
'200':
description: The updated resource.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update API resource
description: Update API resource details by ID with the given data. This
method performs a partial update.
delete:
operationId: DeleteResource
tags:
- Resources
parameters:
- "$ref": "#/components/parameters/resourceId-root"
responses:
'204':
description: The resource was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete API resource
description: Delete an API resource by ID.
"/api/resources/{id}/is-default":
patch:
operationId: UpdateResourceIsDefault
tags:
- Resources
parameters:
- "$ref": "#/components/parameters/resourceId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- isDefault
properties:
isDefault:
type: boolean
description: The updated value of the `isDefault` property.
responses:
'200':
description: The updated resource.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Set API resource as default
description: |-
Set an API resource as the default resource for the current tenant.
Each tenant can have only one default API resource. If an API resource is set as default, the previously set default API resource will be set as non-default. See [this section](https://docs.logto.io/docs/references/resources/#default-api) for more information.
"/api/resources/{resourceId}/scopes":
get:
operationId: ListResourceScopes
tags:
- Resources
parameters:
- "$ref": "#/components/parameters/resourceId"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: An array of scopes for the requested resource.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- resourceId
- name
- description
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
resourceId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get API resource scopes
description: Get scopes (permissions) defined for an API resource.
post:
operationId: CreateResourceScope
tags:
- Resources
parameters:
- "$ref": "#/components/parameters/resourceId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The name of the scope. It should be unique for the
resource.
description:
type: string
nullable: true
responses:
'201':
description: The created scope.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- resourceId
- name
- description
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
resourceId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Create API resource scope
description: Create a new scope (permission) for an API resource.
"/api/resources/{resourceId}/scopes/{scopeId}":
patch:
operationId: UpdateResourceScope
tags:
- Resources
parameters:
- "$ref": "#/components/parameters/resourceId"
- "$ref": "#/components/parameters/scopeId"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The updated name of the scope. It should be unique
for the resource.
description:
type: string
nullable: true
responses:
'200':
description: The updated scope.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- resourceId
- name
- description
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
resourceId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Update API resource scope
description: Update an API resource scope (permission) for the given resource.
This method performs a partial update.
delete:
operationId: DeleteResourceScope
tags:
- Resources
parameters:
- "$ref": "#/components/parameters/resourceId"
- "$ref": "#/components/parameters/scopeId"
responses:
'204':
description: The scope was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete API resource scope
description: Delete an API resource scope (permission) from the given resource.
"/api/sign-in-exp":
get:
operationId: GetSignInExp
tags:
- Sign-in experience
parameters: []
responses:
'200':
description: Default sign-in experience settings.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- color
- branding
- hideLogtoBranding
- languageInfo
- termsOfUseUrl
- privacyPolicyUrl
- agreeToTermsPolicy
- signIn
- signUp
- socialSignIn
- socialSignInConnectorTargets
- signInMode
- customCss
- customContent
- customUiAssets
- passwordPolicy
- mfa
- adaptiveMfa
- singleSignOnEnabled
- supportEmail
- supportWebsiteUrl
- unknownSessionRedirectUrl
- captchaPolicy
- sentinelPolicy
- emailBlocklistPolicy
- forgotPasswordMethods
- passkeySignIn
- signUpProfileFields
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
color:
type: object
required:
- primaryColor
- isDarkModeEnabled
- darkPrimaryColor
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
description: The primary branding color for the sign-in page (both
light/dark mode).
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
hideLogtoBranding:
type: boolean
description: Cloud only. Whether to hide the Logto branding on
hosted sign-in pages.
languageInfo:
type: object
required:
- autoDetect
- fallbackLanguage
properties:
autoDetect:
type: boolean
fallbackLanguage:
type: string
enum:
- af-ZA
- am-ET
- ar
- ar-AR
- as-IN
- az-AZ
- be-BY
- bg-BG
- bn-IN
- br-FR
- bs-BA
- ca-ES
- cb-IQ
- co-FR
- cs
- cs-CZ
- cx-PH
- cy-GB
- da-DK
- de
- de-DE
- el-GR
- en
- en-GB
- en-US
- eo-EO
- es
- es-ES
- es-419
- et-EE
- eu-ES
- fa-IR
- ff-NG
- fi
- fi-FI
- fo-FO
- fr
- fr-CA
- fr-FR
- fy-NL
- ga-IE
- gl-ES
- gn-PY
- gu-IN
- ha-NG
- he-IL
- hi-IN
- hr-HR
- ht-HT
- hu-HU
- hy-AM
- id-ID
- ik-US
- is-IS
- it
- it-IT
- iu-CA
- ja
- ja-JP
- ja-KS
- jv-ID
- ka-GE
- kk-KZ
- km-KH
- kn-IN
- ko
- ko-KR
- ku-TR
- ky-KG
- lo-LA
- lt-LT
- lv-LV
- mg-MG
- mk-MK
- ml-IN
- mn-MN
- mr-IN
- ms-MY
- mt-MT
- my-MM
- nb-NO
- ne-NP
- nl
- nl-BE
- nl-NL
- nn-NO
- or-IN
- pa-IN
- pl-PL
- ps-AF
- pt
- pt-BR
- pt-PT
- ro-RO
- ru
- ru-RU
- rw-RW
- sc-IT
- si-LK
- sk-SK
- sl-SI
- sn-ZW
- sq-AL
- sr-RS
- sv
- sv-SE
- sw-KE
- sy-SY
- sz-PL
- ta-IN
- te-IN
- tg-TJ
- th
- th-TH
- tl-PH
- tr
- tr-TR
- tt-RU
- tz-MA
- uk-UA
- ur-PK
- uz-UZ
- vi-VN
- zh
- zh-CN
- zh-HK
- zh-MO
- zh-TW
- zz-TR
description: The language detection policy for the sign-in page.
termsOfUseUrl:
type: string
maxLength: 2048
nullable: true
privacyPolicyUrl:
type: string
maxLength: 2048
nullable: true
agreeToTermsPolicy:
type: string
enum:
- Automatic
- ManualRegistrationOnly
- Manual
signIn:
type: object
required:
- methods
properties:
methods:
type: array
items:
type: object
required:
- identifier
- password
- verificationCode
- isPasswordPrimary
properties:
identifier:
type: string
enum:
- username
- email
- phone
password:
type: boolean
verificationCode:
type: boolean
isPasswordPrimary:
type: boolean
description: Sign-in method settings.
signUp:
type: object
required:
- identifiers
- password
- verify
properties:
identifiers:
type: array
items:
type: string
enum:
- username
- email
- phone
description: Allowed identifiers when signing up.
password:
type: boolean
description: Whether the user is required to set a password
when signing up.
verify:
type: boolean
description: Whether the user is required to verify their
email/phone when signing up.
secondaryIdentifiers:
type: array
items:
type: object
required:
- identifier
properties:
identifier:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- emailOrPhone
verify:
type: boolean
description: Additional identifiers required during sign-up.
Once specified, users will be prompted to provide these
identifiers when creating an account.
description: Sign-up method settings.
socialSignIn:
type: object
properties:
automaticAccountLinking:
type: boolean
skipRequiredIdentifiers:
type: boolean
socialSignInConnectorTargets:
type: array
items:
type: string
description: Enabled social sign-in connectors; they will be displayed
on the sign-in page.
signInMode:
type: string
enum:
- SignIn
- Register
- SignInAndRegister
customCss:
type: string
nullable: true
customContent:
type: object
additionalProperties:
type: string
description: Custom content to display on experience flow pages.
The page pathname will be the config key, and the content will be
the config value.
customUiAssets:
type: object
required:
- id
- createdAt
properties:
id:
type: string
createdAt:
type: number
nullable: true
passwordPolicy:
type: object
properties:
length:
default: {}
type: object
required:
- min
- max
properties:
min:
default: 8
type: number
max:
default: 256
type: number
characterTypes:
default: {}
type: object
required:
- min
properties:
min:
default: 1
type: number
rejects:
default: {}
type: object
required:
- pwned
- repetitionAndSequence
- userInfo
- words
properties:
pwned:
default: true
type: boolean
repetitionAndSequence:
default: true
type: boolean
userInfo:
default: true
type: boolean
words:
default: []
type: array
items:
type: string
description: Password policies to adjust the password strength
requirements.
mfa:
type: object
required:
- factors
- policy
properties:
factors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
policy:
type: string
enum:
- UserControlled
- Mandatory
- PromptOnlyAtSignIn
- PromptAtSignInAndSignUp
- NoPrompt
- PromptAtSignInAndSignUpMandatory
- PromptOnlyAtSignInMandatory
organizationRequiredMfaPolicy:
type: string
enum:
- NoPrompt
- Mandatory
description: MFA settings
adaptiveMfa:
type: object
properties:
enabled:
type: boolean
description: Adaptive MFA settings.
singleSignOnEnabled:
type: boolean
supportEmail:
type: string
nullable: true
description: The support email address to display on the error
pages.
supportWebsiteUrl:
type: string
nullable: true
description: The support website URL to display on the error pages.
unknownSessionRedirectUrl:
type: string
nullable: true
description: The fallback URL to redirect users to when the sign-in
session does not exist or is unknown. The client should initiate a
new authentication flow after the redirection.
captchaPolicy:
type: object
properties:
enabled:
type: boolean
sentinelPolicy:
type: object
properties:
maxAttempts:
type: number
lockoutDuration:
type: number
description: Custom sentinel policy settings. Use this field to
customize the user lockout policy. The default value is 100
failed attempts within one hour. The user will be locked out
for 60 minutes after exceeding the limit.
emailBlocklistPolicy:
type: object
properties:
blockDisposableAddresses:
type: boolean
blockSubaddressing:
type: boolean
description: Whether to block sub-addresses. (E.g., example+shopping@test.com)
customBlocklist:
type: array
items:
type: string
description: Custom blocklist of email addresses or domains.
blockDisposableAddress:
description: Cloud only. Whether to block disposable email
addresses. Once enabled, Logto will check the email domain
against a list of known disposable email domains. If the
domain is found in the list, the email address will be blocked.
description: Define email restriction policies. Users will be
prohibited from registering or linking any email addresses that
are included in the blocklist.
forgotPasswordMethods:
type: array
items:
type: string
enum:
- EmailVerificationCode
- PhoneVerificationCode
nullable: true
passkeySignIn:
type: object
properties:
enabled:
type: boolean
showPasskeyButton:
type: boolean
allowAutofill:
type: boolean
signUpProfileFields:
type: array
items:
type: object
required:
- name
properties:
name:
type: string
nullable: true
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Default sign-in experience settings not found.
summary: Get default sign-in experience settings
description: Get the default sign-in experience settings.
patch:
operationId: UpdateSignInExp
tags:
- Sign-in experience
parameters:
- name: removeUnusedDemoSocialConnector
in: query
required: false
schema:
type: string
description: Whether to remove unused demo social connectors. (These demo
social connectors are only used during cloud user onboarding.)
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
tenantId:
type: string
maxLength: 21
color:
type: object
required:
- primaryColor
- isDarkModeEnabled
- darkPrimaryColor
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
description: Specify the primary branding color for the sign-in
page (both light/dark mode).
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
hideLogtoBranding:
type: boolean
description: Cloud only. Whether to hide the Logto branding on hosted
sign-in pages.
languageInfo:
type: object
required:
- autoDetect
- fallbackLanguage
properties:
autoDetect:
type: boolean
fallbackLanguage:
type: string
enum:
- af-ZA
- am-ET
- ar
- ar-AR
- as-IN
- az-AZ
- be-BY
- bg-BG
- bn-IN
- br-FR
- bs-BA
- ca-ES
- cb-IQ
- co-FR
- cs
- cs-CZ
- cx-PH
- cy-GB
- da-DK
- de
- de-DE
- el-GR
- en
- en-GB
- en-US
- eo-EO
- es
- es-ES
- es-419
- et-EE
- eu-ES
- fa-IR
- ff-NG
- fi
- fi-FI
- fo-FO
- fr
- fr-CA
- fr-FR
- fy-NL
- ga-IE
- gl-ES
- gn-PY
- gu-IN
- ha-NG
- he-IL
- hi-IN
- hr-HR
- ht-HT
- hu-HU
- hy-AM
- id-ID
- ik-US
- is-IS
- it
- it-IT
- iu-CA
- ja
- ja-JP
- ja-KS
- jv-ID
- ka-GE
- kk-KZ
- km-KH
- kn-IN
- ko
- ko-KR
- ku-TR
- ky-KG
- lo-LA
- lt-LT
- lv-LV
- mg-MG
- mk-MK
- ml-IN
- mn-MN
- mr-IN
- ms-MY
- mt-MT
- my-MM
- nb-NO
- ne-NP
- nl
- nl-BE
- nl-NL
- nn-NO
- or-IN
- pa-IN
- pl-PL
- ps-AF
- pt
- pt-BR
- pt-PT
- ro-RO
- ru
- ru-RU
- rw-RW
- sc-IT
- si-LK
- sk-SK
- sl-SI
- sn-ZW
- sq-AL
- sr-RS
- sv
- sv-SE
- sw-KE
- sy-SY
- sz-PL
- ta-IN
- te-IN
- tg-TJ
- th
- th-TH
- tl-PH
- tr
- tr-TR
- tt-RU
- tz-MA
- uk-UA
- ur-PK
- uz-UZ
- vi-VN
- zh
- zh-CN
- zh-HK
- zh-MO
- zh-TW
- zz-TR
description: Control the language detection policy for the sign-in
page.
agreeToTermsPolicy:
type: string
enum:
- Automatic
- ManualRegistrationOnly
- Manual
signIn:
type: object
required:
- methods
properties:
methods:
type: array
items:
type: object
required:
- identifier
- password
- verificationCode
- isPasswordPrimary
properties:
identifier:
type: string
enum:
- username
- email
- phone
password:
type: boolean
verificationCode:
type: boolean
isPasswordPrimary:
type: boolean
description: Sign-in method settings
signUp:
type: object
required:
- identifiers
- password
- verify
properties:
identifiers:
type: array
items:
type: string
enum:
- username
- email
- phone
description: Specify allowed identifiers when signing up.
password:
type: boolean
description: Whether the user is required to set a password
when signing up.
verify:
type: boolean
description: Whether the user is required to verify their email/phone
when signing up.
secondaryIdentifiers:
type: array
items:
type: object
required:
- identifier
properties:
identifier:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- emailOrPhone
verify:
type: boolean
description: Sign-up method settings
socialSignIn:
type: object
properties:
automaticAccountLinking:
type: boolean
skipRequiredIdentifiers:
type: boolean
socialSignInConnectorTargets:
type: array
items:
type: string
description: Specify the social sign-in connectors to display on
the sign-in page.
signInMode:
type: string
enum:
- SignIn
- Register
- SignInAndRegister
customCss:
type: string
nullable: true
customContent:
type: object
additionalProperties:
type: string
description: Custom content to display on experience flow pages.
The page pathname will be the config key, and the content will be
the config value.
customUiAssets:
type: object
required:
- id
- createdAt
properties:
id:
type: string
createdAt:
type: number
nullable: true
passwordPolicy:
type: object
properties:
length:
default: {}
type: object
required:
- min
- max
properties:
min:
default: 8
type: number
max:
default: 256
type: number
characterTypes:
default: {}
type: object
required:
- min
properties:
min:
default: 1
type: number
rejects:
default: {}
type: object
required:
- pwned
- repetitionAndSequence
- userInfo
- words
properties:
pwned:
default: true
type: boolean
repetitionAndSequence:
default: true
type: boolean
userInfo:
default: true
type: boolean
words:
default: []
type: array
items:
type: string
description: Password policies to adjust the password strength requirements.
mfa:
type: object
required:
- factors
- policy
properties:
factors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
policy:
type: string
enum:
- UserControlled
- Mandatory
- PromptOnlyAtSignIn
- PromptAtSignInAndSignUp
- NoPrompt
- PromptAtSignInAndSignUpMandatory
- PromptOnlyAtSignInMandatory
organizationRequiredMfaPolicy:
type: string
enum:
- NoPrompt
- Mandatory
description: MFA settings
adaptiveMfa:
type: object
properties:
enabled:
type: boolean
description: Adaptive MFA settings. Only effective when developer
features are enabled.
singleSignOnEnabled:
type: boolean
captchaPolicy:
type: object
properties:
enabled:
type: boolean
sentinelPolicy:
type: object
properties:
maxAttempts:
type: number
lockoutDuration:
type: number
description: Custom sentinel policy settings. Use this field to
customize the user lockout policy. The default value is 100 failed
attempts within one hour. The user will be locked out for 60 minutes
after exceeding the limit.
emailBlocklistPolicy:
type: object
properties:
blockDisposableAddresses:
type: boolean
blockSubaddressing:
type: boolean
description: Whether to block sub-addresses. (E.g., example+shopping@test.com)
customBlocklist:
type: array
items:
type: string
description: Custom blocklist of email addresses or domains.
blockDisposableAddress:
description: Cloud only. Whether to block disposable email
addresses. Once enabled, Logto will check the email domain
against a list of known disposable email domains. If the domain
is found in the list, the email address will be blocked.
description: Define email restriction policies. Users will be prohibited
from registering or linking any email addresses that are included
in the blocklist.
forgotPasswordMethods:
type: array
items:
type: string
enum:
- EmailVerificationCode
- PhoneVerificationCode
nullable: true
passkeySignIn:
type: object
properties:
enabled:
type: boolean
showPasskeyButton:
type: boolean
allowAutofill:
type: boolean
signUpProfileFields:
type: array
items:
type: object
required:
- name
properties:
name:
type: string
nullable: true
termsOfUseUrl:
oneOf:
- type: string
format: url
nullable: true
- type: string
format: empty
privacyPolicyUrl:
oneOf:
- type: string
format: url
nullable: true
- type: string
format: empty
supportEmail:
oneOf:
- type: string
format: email
nullable: true
- type: string
format: empty
description: The support email address to display on the error pages.
supportWebsiteUrl:
oneOf:
- type: string
format: url
nullable: true
- type: string
format: empty
description: The support website URL to display on the error pages.
unknownSessionRedirectUrl:
oneOf:
- type: string
format: url
nullable: true
- type: string
format: empty
description: The fallback URL to redirect users to when the sign-in
session does not exist or is unknown. The client should initiate a new
authentication flow after the redirection.
responses:
'200':
description: Updated default sign-in experience settings.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- color
- branding
- hideLogtoBranding
- languageInfo
- termsOfUseUrl
- privacyPolicyUrl
- agreeToTermsPolicy
- signIn
- signUp
- socialSignIn
- socialSignInConnectorTargets
- signInMode
- customCss
- customContent
- customUiAssets
- passwordPolicy
- mfa
- adaptiveMfa
- singleSignOnEnabled
- supportEmail
- supportWebsiteUrl
- unknownSessionRedirectUrl
- captchaPolicy
- sentinelPolicy
- emailBlocklistPolicy
- forgotPasswordMethods
- passkeySignIn
- signUpProfileFields
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
color:
type: object
required:
- primaryColor
- isDarkModeEnabled
- darkPrimaryColor
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
hideLogtoBranding:
type: boolean
languageInfo:
type: object
required:
- autoDetect
- fallbackLanguage
properties:
autoDetect:
type: boolean
fallbackLanguage:
type: string
enum:
- af-ZA
- am-ET
- ar
- ar-AR
- as-IN
- az-AZ
- be-BY
- bg-BG
- bn-IN
- br-FR
- bs-BA
- ca-ES
- cb-IQ
- co-FR
- cs
- cs-CZ
- cx-PH
- cy-GB
- da-DK
- de
- de-DE
- el-GR
- en
- en-GB
- en-US
- eo-EO
- es
- es-ES
- es-419
- et-EE
- eu-ES
- fa-IR
- ff-NG
- fi
- fi-FI
- fo-FO
- fr
- fr-CA
- fr-FR
- fy-NL
- ga-IE
- gl-ES
- gn-PY
- gu-IN
- ha-NG
- he-IL
- hi-IN
- hr-HR
- ht-HT
- hu-HU
- hy-AM
- id-ID
- ik-US
- is-IS
- it
- it-IT
- iu-CA
- ja
- ja-JP
- ja-KS
- jv-ID
- ka-GE
- kk-KZ
- km-KH
- kn-IN
- ko
- ko-KR
- ku-TR
- ky-KG
- lo-LA
- lt-LT
- lv-LV
- mg-MG
- mk-MK
- ml-IN
- mn-MN
- mr-IN
- ms-MY
- mt-MT
- my-MM
- nb-NO
- ne-NP
- nl
- nl-BE
- nl-NL
- nn-NO
- or-IN
- pa-IN
- pl-PL
- ps-AF
- pt
- pt-BR
- pt-PT
- ro-RO
- ru
- ru-RU
- rw-RW
- sc-IT
- si-LK
- sk-SK
- sl-SI
- sn-ZW
- sq-AL
- sr-RS
- sv
- sv-SE
- sw-KE
- sy-SY
- sz-PL
- ta-IN
- te-IN
- tg-TJ
- th
- th-TH
- tl-PH
- tr
- tr-TR
- tt-RU
- tz-MA
- uk-UA
- ur-PK
- uz-UZ
- vi-VN
- zh
- zh-CN
- zh-HK
- zh-MO
- zh-TW
- zz-TR
termsOfUseUrl:
type: string
maxLength: 2048
nullable: true
privacyPolicyUrl:
type: string
maxLength: 2048
nullable: true
agreeToTermsPolicy:
type: string
enum:
- Automatic
- ManualRegistrationOnly
- Manual
signIn:
type: object
required:
- methods
properties:
methods:
type: array
items:
type: object
required:
- identifier
- password
- verificationCode
- isPasswordPrimary
properties:
identifier:
type: string
enum:
- username
- email
- phone
password:
type: boolean
verificationCode:
type: boolean
isPasswordPrimary:
type: boolean
signUp:
type: object
required:
- identifiers
- password
- verify
properties:
identifiers:
type: array
items:
type: string
enum:
- username
- email
- phone
password:
type: boolean
verify:
type: boolean
secondaryIdentifiers:
type: array
items:
type: object
required:
- identifier
properties:
identifier:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- emailOrPhone
verify:
type: boolean
socialSignIn:
type: object
properties:
automaticAccountLinking:
type: boolean
skipRequiredIdentifiers:
type: boolean
socialSignInConnectorTargets:
type: array
items:
type: string
signInMode:
type: string
enum:
- SignIn
- Register
- SignInAndRegister
customCss:
type: string
nullable: true
customContent:
type: object
additionalProperties:
type: string
customUiAssets:
type: object
required:
- id
- createdAt
properties:
id:
type: string
createdAt:
type: number
nullable: true
passwordPolicy:
type: object
properties:
length:
default: {}
type: object
required:
- min
- max
properties:
min:
default: 8
type: number
max:
default: 256
type: number
characterTypes:
default: {}
type: object
required:
- min
properties:
min:
default: 1
type: number
rejects:
default: {}
type: object
required:
- pwned
- repetitionAndSequence
- userInfo
- words
properties:
pwned:
default: true
type: boolean
repetitionAndSequence:
default: true
type: boolean
userInfo:
default: true
type: boolean
words:
default: []
type: array
items:
type: string
mfa:
type: object
required:
- factors
- policy
properties:
factors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
policy:
type: string
enum:
- UserControlled
- Mandatory
- PromptOnlyAtSignIn
- PromptAtSignInAndSignUp
- NoPrompt
- PromptAtSignInAndSignUpMandatory
- PromptOnlyAtSignInMandatory
organizationRequiredMfaPolicy:
type: string
enum:
- NoPrompt
- Mandatory
adaptiveMfa:
type: object
properties:
enabled:
type: boolean
singleSignOnEnabled:
type: boolean
supportEmail:
type: string
nullable: true
supportWebsiteUrl:
type: string
nullable: true
unknownSessionRedirectUrl:
type: string
nullable: true
captchaPolicy:
type: object
properties:
enabled:
type: boolean
sentinelPolicy:
type: object
properties:
maxAttempts:
type: number
lockoutDuration:
type: number
emailBlocklistPolicy:
type: object
properties:
blockDisposableAddresses:
type: boolean
blockSubaddressing:
type: boolean
customBlocklist:
type: array
items:
type: string
forgotPasswordMethods:
type: array
items:
type: string
enum:
- EmailVerificationCode
- PhoneVerificationCode
nullable: true
passkeySignIn:
type: object
properties:
enabled:
type: boolean
showPasskeyButton:
type: boolean
allowAutofill:
type: boolean
signUpProfileFields:
type: array
items:
type: object
required:
- name
properties:
name:
type: string
nullable: true
'400':
description: Bad request. Invalid data provided.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Default sign-in experience settings not found.
'422':
description: Unprocessable Entity. Invalid data provided.
summary: Update default sign-in experience settings
description: Update the default sign-in experience settings with the provided
data.
"/api/sign-in-exp/default/check-password":
post:
operationId: CheckPasswordWithDefaultSignInExperience
tags:
- Sign-in experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- password
properties:
password:
type: string
description: The password to check.
userId:
type: string
description: The user ID to check the password for. It is required
if the `rejects.userInfo` check is enabled in the password policy.
responses:
'200':
description: The password meets the password policy.
content:
application/json:
schema:
oneOf:
- type: object
required:
- result
properties:
result:
type: boolean
format: 'true'
- type: object
required:
- result
- issues
properties:
result:
type: boolean
format: 'false'
issues:
type: array
items:
type: object
required:
- code
properties:
code:
type: string
interpolation:
type: object
additionalProperties:
example: {}
'400':
description: The password does not meet the password policy, or no user ID
was provided.
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Check if a password meets the password policy
description: Check if a password meets the password policy in the sign-in experience
settings.
"/api/sign-in-exp/default/custom-ui-assets":
post:
operationId: UploadCustomUiAssets
tags:
- Sign-in experience
parameters: []
requestBody:
content:
multipart/form-data:
schema:
properties:
file:
description: The zip file containing custom web assets such as HTML,
CSS, and JavaScript files.
responses:
'200':
description: A JSON object containing the custom UI assets ID.
content:
application/json:
schema:
type: object
required:
- customUiAssetId
properties:
customUiAssetId:
type: string
'400':
description: Bad request. The request body is invalid.
'401':
description: Unauthorized
'403':
description: Forbidden
'500':
description: Failed to unzip or upload the custom UI assets to the storage provider.
summary: Upload custom UI assets
description: Upload a zip file containing custom web assets such as HTML, CSS,
and JavaScript files, then replace the default sign-in experience with the
custom UI assets.
"/api/users/{userId}":
get:
operationId: GetUser
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: includeSsoIdentities
in: query
required: false
schema:
type: string
description: If it's provided with a truthy value (`true`, `1`, `yes`), the
response will include an `ssoIdentities` property containing a list of
SSO identities associated with the user.
- name: includePasswordHash
in: query
required: false
schema:
type: string
description: If it's provided with a truthy value (`true`, `1`, `yes`), the
response will include the `passwordDigest` and `passwordAlgorithm` fields.
These fields are omitted by default for security reasons.
responses:
'200':
description: User data for the given ID.
content:
application/json:
schema:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
description: List of SSO identities associated with the user.
Only available when the `includeSsoIdentities` query parameter
is provided with a truthy value.
passwordDigest:
type: string
maxLength: 256
nullable: true
description: The hashed password of the user. Only present when
`includePasswordHash` is provided with a truthy value. `null`
if the user has no password set.
passwordAlgorithm:
type: string
enum:
- Argon2i
- Argon2id
- Argon2d
- SHA1
- SHA256
- MD5
- Bcrypt
- Legacy
nullable: true
description: The algorithm used to hash the password. Only present
when `includePasswordHash` is provided with a truthy value.
`null` if the user has no password set.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get user
description: Get user data for the given ID.
patch:
operationId: UpdateUser
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
username:
oneOf:
- type: string
format: regex
pattern: "/^[A-Z_a-z]\\w*$/"
- type: string
format: empty
nullable: true
type: string
description: Updated username for the user. It should be unique
across all users.
primaryEmail:
oneOf:
- type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
- type: string
format: empty
nullable: true
type: string
description: Updated primary email address for the user. It should
be unique across all users.
primaryPhone:
oneOf:
- type: string
format: regex
pattern: "/^\\d+$/"
- type: string
format: empty
nullable: true
type: string
description: Updated primary phone number for the user. It should
be unique across all users.
name:
oneOf:
- type: string
- type: string
format: empty
nullable: true
type: string
avatar:
oneOf:
- type: string
format: url
- type: string
format: empty
nullable: true
type: string
customData:
type: object
description: |-
Custom data object to update for the given user ID. Note this will replace the entire custom data object.
If you want to perform a partial update, use the `PATCH /api/users/{userId}/custom-data` endpoint instead.
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
responses:
'200':
description: Updated user data for the given ID.
content:
application/json:
schema:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
passwordDigest:
type: string
maxLength: 256
nullable: true
passwordAlgorithm:
type: string
enum:
- Argon2i
- Argon2id
- Argon2d
- SHA1
- SHA256
- MD5
- Bcrypt
- Legacy
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Update user
description: Update user data for the given ID. This method performs a partial
update.
delete:
operationId: DeleteUser
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
responses:
'204':
description: User deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete user
description: Delete the user with the given ID. Note that all associated data
will be deleted in cascade.
"/api/users/{userId}/custom-data":
get:
operationId: ListUserCustomData
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
responses:
'200':
description: Custom data in JSON for the given user ID.
content:
application/json:
schema:
type: object
description: arbitrary
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get user custom data
description: Get custom data for the given user ID.
patch:
operationId: UpdateUserCustomData
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- customData
properties:
customData:
type: object
description: Partial custom data object to update for the given
user ID.
responses:
'200':
description: Updated custom data in JSON for the given user ID.
content:
application/json:
schema:
type: object
description: arbitrary
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update user custom data
description: Update custom data for the given user ID. This method performs
a partial update of the custom data object.
"/api/users/{userId}/logto-configs":
get:
operationId: ListUserLogtoConfigs
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
responses:
'200':
description: Returns the exposed user logto config fields, including MFA
states (enabled, skipped, skipMfaOnSignIn) and passkey sign-in states
(skipped).
content:
application/json:
schema:
type: object
required:
- mfa
- passkeySignIn
properties:
mfa:
type: object
required:
- skipped
- skipMfaOnSignIn
properties:
enabled:
type: boolean
skipped:
type: boolean
skipMfaOnSignIn:
type: boolean
passkeySignIn:
type: object
required:
- skipped
properties:
skipped:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get user logto config
description: Retrieve the exposed portion of a user's logto config. Includes
MFA states (enabled, skipped, skipMfaOnSignIn) and passkey sign-in states
(skipped).
patch:
operationId: UpdateUserLogtoConfigs
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
mfa:
type: object
properties:
enabled:
type: boolean
description: Set whether MFA is enabled for the user.
skipped:
type: boolean
description: Set whether the user is marked as having skipped
MFA binding.
additionalBindingSuggestionSkipped:
type: boolean
skipMfaOnSignIn:
type: boolean
description: Set whether the user has opted to skip MFA verification
on sign-in. This is ignored when the MFA policy is mandatory.
passkeySignIn:
type: object
properties:
skipped:
type: boolean
description: Set whether the user has persistently skipped binding
a passkey for sign-in.
responses:
'200':
description: The exposed logto config fields were updated successfully.
content:
application/json:
schema:
type: object
required:
- mfa
- passkeySignIn
properties:
mfa:
type: object
required:
- skipped
- skipMfaOnSignIn
properties:
enabled:
type: boolean
skipped:
type: boolean
skipMfaOnSignIn:
type: boolean
passkeySignIn:
type: object
required:
- skipped
properties:
skipped:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update user logto config
description: Update the exposed portion of a user's logto config. Supports updating
MFA states (enabled, skipped, skipMfaOnSignIn) and passkey sign-in states
(skipped). All fields are optional — only provided fields will be updated.
"/api/users/{userId}/profile":
patch:
operationId: UpdateUserProfile
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- profile
properties:
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
description: Partial profile object to update for the given user
ID.
responses:
'200':
description: Updated profile in JSON for the given user ID.
content:
application/json:
schema:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update user profile
description: Update profile for the given user ID. This method performs a partial
update of the profile object.
"/api/users":
post:
operationId: CreateUser
tags:
- Users
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
primaryPhone:
type: string
format: regex
pattern: "/^\\d+$/"
description: Primary phone number for the user. It should be unique
across all users.
primaryEmail:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
description: Primary email address for the user. It should be unique
across all users.
username:
type: string
format: regex
pattern: "/^[A-Z_a-z]\\w*$/"
description: Username for the user. It should be unique across all
users.
password:
type: string
minLength: 1
description: Plain text password for the user.
passwordDigest:
type: string
maxLength: 256
description: If you already have password digests rather than plain
text passwords, you can supply them for the newly created user via
this property. The algorithm can be specified using the `passwordAlgorithm`
property. For `Legacy`, pass a JSON string in the format `[algorithm,
args, encryptedPassword]`, where `args` is a string array that
MUST contain an `@` placeholder, which will be replaced by the
plain text password at runtime. For PBKDF2 under `Legacy`, `args`
is expected to be in the order `[salt, iterations, keylen, digest,
'@']`. The salt can be a plain string or a `hex:`-prefixed hex
string (for binary salt bytes).
passwordAlgorithm:
type: string
enum:
- Argon2i
- Argon2id
- Argon2d
- SHA1
- SHA256
- MD5
- Bcrypt
- Legacy
description: The hash algorithm used for the password. It should
be one of the supported algorithms, including `Legacy` for custom
legacy expressions. If the hash algorithm differs from
`Argon2i`, the stored digest will automatically be upgraded to `Argon2i` upon
the user's next sign-in.
name:
type: string
avatar:
oneOf:
- type: string
format: url
- type: string
format: empty
nullable: true
type: string
customData:
type: object
description: arbitrary
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
description: User data to create a new user. All properties are optional.
responses:
'200':
description: User data for the newly created user.
content:
application/json:
schema:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
passwordDigest:
type: string
maxLength: 256
nullable: true
passwordAlgorithm:
type: string
enum:
- Argon2i
- Argon2id
- Argon2d
- SHA1
- SHA256
- MD5
- Bcrypt
- Legacy
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Create user
description: Create a new user with the given data.
get:
operationId: ListUsers
tags:
- Users
parameters:
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: An array of users that match the given criteria.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
passwordDigest:
type: string
maxLength: 256
nullable: true
passwordAlgorithm:
type: string
enum:
- Argon2i
- Argon2id
- Argon2d
- SHA1
- SHA256
- MD5
- Bcrypt
- Legacy
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get users
description: |-
Get users with filters and pagination.
Logto provides a very flexible way to query users. You can filter users by almost any fields with multiple modes. To learn more about the query syntax, please refer to [Advanced user search](https://docs.logto.io/docs/recipes/manage-users/advanced-user-search/).
"/api/users/{userId}/password":
patch:
operationId: UpdateUserPassword
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- password
properties:
password:
type: string
minLength: 1
description: New password for the user.
responses:
'200':
description: User password updated successfully.
content:
application/json:
schema:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
passwordDigest:
type: string
maxLength: 256
nullable: true
passwordAlgorithm:
type: string
enum:
- Argon2i
- Argon2id
- Argon2d
- SHA1
- SHA256
- MD5
- Bcrypt
- Legacy
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Update user password
description: Update user password for the given ID.
"/api/users/{userId}/password/verify":
post:
operationId: VerifyUserPassword
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- password
properties:
password:
type: string
minLength: 1
description: Password to verify.
responses:
'204':
description: User password matches.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: User password does not match.
summary: Verify user password
description: Test if the given password matches the user's password.
"/api/users/{userId}/has-password":
get:
operationId: GetUserHasPassword
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
responses:
'200':
description: The result of the check.
content:
application/json:
schema:
type: object
required:
- hasPassword
properties:
hasPassword:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Check if user has password
description: Check if the user with the given ID has a password set.
"/api/users/{userId}/is-suspended":
patch:
operationId: UpdateUserIsSuspended
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- isSuspended
properties:
isSuspended:
type: boolean
description: New suspension status for the user.
responses:
'200':
description: User suspension status updated successfully.
content:
application/json:
schema:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
passwordDigest:
type: string
maxLength: 256
nullable: true
passwordAlgorithm:
type: string
enum:
- Argon2i
- Argon2id
- Argon2d
- SHA1
- SHA256
- MD5
- Bcrypt
- Legacy
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update user suspension status
description: Update user suspension status for the given ID.
"/api/users/{userId}/roles":
get:
operationId: ListUserRoles
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: An array of API resource roles assigned to the user.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- type
- isDefault
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- User
- MachineToMachine
isDefault:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get roles for user
description: Get API resource roles assigned to the user with pagination.
post:
operationId: AssignUserRoles
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- roleIds
properties:
roleIds:
type: array
items:
type: string
minLength: 1
description: An array of API resource role IDs to assign.
responses:
'201':
description: The API resource roles have been assigned to the user.
content:
application/json:
schema:
type: object
required:
- roleIds
- addedRoleIds
properties:
roleIds:
type: array
items:
type: string
minLength: 1
description: An array of API resource role IDs requested for assignment.
addedRoleIds:
type: array
items:
type: string
minLength: 1
description: An array of API resource role IDs newly assigned
to the user.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Assign roles to user
description: Assign API resource roles to the user. The roles will be added
to the existing roles.
put:
operationId: ReplaceUserRoles
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- roleIds
properties:
roleIds:
type: array
items:
type: string
minLength: 1
description: An array of API resource role IDs to assign.
responses:
'200':
description: The API resource roles have been updated for the user.
content:
application/json:
schema:
type: object
required:
- roleIds
properties:
roleIds:
type: array
items:
type: string
minLength: 1
description: An array of API resource role IDs assigned to the
user.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Update roles for user
description: Update API resource roles assigned to the user. This will replace
the existing roles.
"/api/users/{userId}/roles/{roleId}":
delete:
operationId: DeleteUserRole
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- "$ref": "#/components/parameters/roleId"
responses:
'204':
description: The API resource role has been removed from the user.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Remove role from user
description: Remove an API resource role from the user.
"/api/users/{userId}/identities/{target}":
put:
operationId: ReplaceUserIdentity
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: target
in: path
required: true
schema:
type: string
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- userId
properties:
userId:
type: string
description: The user's social identity ID.
details:
type: object
description: The user's social identity details.
responses:
'200':
description: The identity is updated.
content:
application/json:
schema:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
'201':
description: The identity is created.
content:
application/json:
schema:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Update social identity of user
description: Directly update a social identity of the user.
delete:
operationId: DeleteUserIdentity
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: target
in: path
required: true
schema:
type: string
responses:
'200':
description: The identity is deleted from the user.
content:
application/json:
schema:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete social identity from user
description: Delete a social identity from the user.
get:
operationId: GetUserIdentity
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: target
in: path
required: true
schema:
type: string
- name: includeTokenSecret
in: query
required: false
schema:
type: string
description: Whether to include the token secret in the response. Defaults
to false. Token storage must be supported and enabled by the connector to
return the token secret.
responses:
'200':
description: Returns the user's social identity and associated token storage.
content:
application/json:
schema:
type: object
required:
- identity
properties:
identity:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
description: The user's social identity.
tokenSecret:
type: object
required:
- tenantId
- id
- userId
- type
- metadata
- createdAt
- updatedAt
- connectorId
- identityId
- target
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 21
type:
type: string
format: '"federated_token_set"'
metadata:
type: object
required:
- hasRefreshToken
properties:
scope:
type: string
expiresAt:
type: number
tokenType:
type: string
hasRefreshToken:
type: boolean
createdAt:
type: number
updatedAt:
type: number
connectorId:
type: string
identityId:
type: string
target:
type: string
description: |-
The desensitized token set secret associated with the user's social identity.
This field is included only if the `includeTokenSecret` query parameter is provided and the corresponding connector has token storage enabled.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: User social identity not found.
summary: Retrieve a user's social identity and associated token storage.
description: This API retrieves the social identity and its associated token
set for the specified user from the Logto Secret Vault. The token set will
only be available if token storage is enabled for the corresponding social
connector.
"/api/users/{userId}/identities":
post:
operationId: CreateUserIdentity
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- connectorId
- connectorData
properties:
connectorId:
type: string
description: The Logto connector ID.
connectorData:
type: object
additionalProperties:
example: {}
description: A json object constructed from the url query params
returned by the social platform. Typically it contains `code`,
`state` and `redirectUri` fields.
responses:
'200':
description: A new identity is linked to the user.
content:
application/json:
schema:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Link social identity to user
description: |-
Link authenticated user identity from a social platform to a Logto user.
The usage of this API is usually coupled with `POST /connectors/:connectorId/authorization-uri`. With the help of these pair of APIs, you can implement a user profile page with the link social account feature in your application.
Note: Currently, due to technical limitations, this API does not support the following connectors that rely on a Logto interaction session: `@logto/connector-apple`, `@logto/connector-saml`, `@logto/connector-oidc` and `@logto/connector-oauth`.
"/api/users/{userId}/organizations":
get:
operationId: ListUserOrganizations
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
responses:
'200':
description: An array of organizations that the user is a member of.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- customData
- isMfaRequired
- color
- branding
- customCss
- createdAt
- organizationRoles
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
organizationRoles:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organizations for a user
description: Get all organizations that the user is a member of. In each organization
object, the user's roles in that organization are included in the `organizationRoles`
array.
"/api/users/{userId}/grants":
get:
operationId: ListUserGrants
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: appType
in: query
required: false
schema:
type: string
enum:
- firstParty
- thirdParty
description: Application type filter. Use 'thirdParty' to list third-party
app grants only, or 'firstParty' to list first-party app grants only. If
omitted, grants from all applications are returned.
responses:
'200':
description: Return non-expired grants of the user. Results are filtered
by app type when `appType` is provided.
content:
application/json:
schema:
type: object
required:
- grants
properties:
grants:
type: array
items:
type: object
required:
- id
- payload
- expiresAt
properties:
id:
type: string
payload:
type: object
required:
- exp
- iat
- jti
- kind
- clientId
- accountId
properties:
exp:
type: number
iat:
type: number
jti:
type: string
kind:
type: string
format: '"Grant"'
clientId:
type: string
accountId:
type: string
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'500':
description: Internal Server Error
summary: Get user active grants
description: Retrieve all non-expired grants of the user. Optionally filter
by application type via `appType`; when omitted, grants from all application
types are returned.
"/api/users/{userId}/grants/{grantId}":
delete:
operationId: DeleteUserGrant
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- "$ref": "#/components/parameters/grantId"
responses:
'204':
description: Grant revoked successfully. If the grant already expired, this
endpoint returns success without token-chain changes.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Grant not found. This can occur if the grant ID is invalid,
or the grant does not belong to the user.
'500':
description: Internal Server Error
summary: Revoke a user grant
description: Revoke a specific grant and its associated token chain by grant
ID. Also removes the matching session authorization entry for this grant from
the related active session. The grant must belong to the user.
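The grants listing and revocation endpoints above are what an operator reaches for during offboarding or after an account compromise. The following is an added example, not code from this API reference or from Logto, that takes a `GET /api/users/{userId}/grants` response shaped like the schema above, decides which grants to revoke (any grant whose `clientId` is not on an allow-list of trusted first-party apps, plus any grant older than a maximum age), and drives `DELETE /api/users/{userId}/grants/{grantId}` through an injected transport, bucketing results by the 204 and 404 semantics the spec defines. The listing is constructed; `payload.iat` and `payload.exp` are treated as epoch seconds, which is an assumption (JWT-style claim units), since the spec only types them as numbers.

```python
"""Plan and apply grant revocations for one user through the Management API.

Added example, not code from the Logto API reference or from Logto itself.
Assumption: `payload.iat` / `payload.exp` are epoch seconds (JWT-style units);
the spec only types them as numbers. SAMPLE_LISTING is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Policy:
    allowed_client_ids: frozenset[str]      # grants to these apps are kept
    max_age_seconds: int | None = None      # None means no age limit


@dataclass(frozen=True)
class Revocation:
    grant_id: str
    client_id: str
    reason: str
    path: str  # the DELETE path to call


def plan_revocations(user_id: str, listing: dict, now: int, policy: Policy) -> list[Revocation]:
    """Decide which grants in a listing response should be revoked.

    Grants whose `exp` has already passed are skipped: per the spec the DELETE
    returns success without token-chain changes for those, so the call is wasted.
    """
    plan: list[Revocation] = []
    for grant in listing["grants"]:
        claims = grant["payload"]
        if claims["exp"] <= now:
            continue
        reason = None
        if claims["clientId"] not in policy.allowed_client_ids:
            reason = "client not on allow-list"
        elif policy.max_age_seconds is not None and now - claims["iat"] > policy.max_age_seconds:
            reason = "grant older than max age"
        if reason is not None:
            plan.append(Revocation(grant["id"], claims["clientId"], reason,
                                   f"/api/users/{user_id}/grants/{grant['id']}"))
    return plan


def apply_plan(plan: list[Revocation], delete: Callable[[str], int]) -> dict[str, list[str]]:
    """Issue each DELETE and bucket the outcome by the status codes the spec defines:
    204 revoked, 404 grant not found or not owned by this user, anything else failed."""
    outcome: dict[str, list[str]] = {"revoked": [], "not_found": [], "failed": []}
    for item in plan:
        status = delete(item.path)
        if status == 204:
            outcome["revoked"].append(item.grant_id)
        elif status == 404:
            outcome["not_found"].append(item.grant_id)
        else:
            outcome["failed"].append(item.grant_id)
    return outcome


# --- constructed sample data: what ListUserGrants might return for user "u_demo" ---
NOW = 1_700_000_000  # fixed "current time" in epoch seconds so the run is deterministic
DAY = 86_400


def _grant(gid: str, client_id: str, iat: int, exp: int) -> dict:
    # `expiresAt` is filled in as milliseconds; that unit is an assumption for the sample.
    return {"id": gid, "expiresAt": exp * 1000,
            "payload": {"exp": exp, "iat": iat, "jti": f"jti-{gid}", "kind": "Grant",
                        "clientId": client_id, "accountId": "u_demo"}}


SAMPLE_LISTING = {"grants": [
    _grant("g1", "first-party-web", NOW - 3_600, NOW + DAY),     # trusted, recent: keep
    _grant("g2", "third-party-crm", NOW - 3_600, NOW + DAY),     # not allow-listed: revoke
    _grant("g3", "first-party-web", NOW - 40 * DAY, NOW + DAY),  # trusted but stale: revoke
    _grant("g4", "third-party-crm", NOW - 100, NOW - 1),         # already expired: skip
]}

DEFAULT_POLICY = Policy(allowed_client_ids=frozenset({"first-party-web"}),
                        max_age_seconds=30 * DAY)


def fake_delete(path: str) -> int:
    """Stand-in transport: pretend g3 was already gone, everything else revokes."""
    return 404 if path.endswith("/g3") else 204


if __name__ == "__main__":
    plan = plan_revocations("u_demo", SAMPLE_LISTING, NOW, DEFAULT_POLICY)
    for item in plan:
        print(f"DELETE {item.path}  # {item.client_id}: {item.reason}")
    print(apply_plan(plan, fake_delete))
```

If the goal is only to cut off third-party applications, pass `appType=thirdParty` on the listing call and the allow-list step becomes unnecessary; the age check is still worth keeping for long-lived first-party grants.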
"/api/users/{userId}/mfa-verifications":
get:
operationId: ListUserMfaVerifications
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
responses:
'200':
description: An array of MFA verifications for the user.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- createdAt
- type
properties:
id:
type: string
createdAt:
type: string
lastUsedAt:
type: string
type:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
agent:
type: string
name:
type: string
remainCodes:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get user's MFA verifications
description: Get a user's existing MFA verifications for a given user ID.
post:
operationId: CreateUserMfaVerification
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
oneOf:
- type: object
required:
- type
properties:
type:
type: string
format: '"Totp"'
secret:
type: string
- type: object
required:
- type
properties:
type:
type: string
format: '"BackupCode"'
codes:
type: array
items:
type: string
- type: object
properties:
type:
type: string
description: The type of MFA verification to create.
secret:
type: string
description: The secret for the MFA verification, if not provided,
a new secret will be generated.
required:
- type
- type: object
properties:
type:
type: string
description: The type of MFA verification to create.
codes:
type: array
items:
type: string
description: The backup codes for the MFA verification, if not
provided, a new group of backup codes will be generated.
required:
- type
responses:
'200':
description: The MFA verification that was created.
content:
application/json:
schema:
oneOf:
- type: object
required:
- type
- secret
- secretQrCode
properties:
type:
type: string
format: '"Totp"'
secret:
type: string
secretQrCode:
type: string
- type: object
required:
- type
- codes
properties:
type:
type: string
format: '"BackupCode"'
codes:
type: array
items:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Create an MFA verification for a user
description: Create a new MFA verification for a given user ID.
"/api/users/{userId}/mfa-verifications/{verificationId}":
delete:
operationId: DeleteUserMfaVerification
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- "$ref": "#/components/parameters/verificationId"
responses:
'204':
description: The MFA verification was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete an MFA verification for a user
description: Delete an MFA verification for the user with the given verification
ID. The verification ID must be associated with the given user ID.
"/api/users/{userId}/personal-access-tokens":
get:
operationId: ListUserPersonalAccessTokens
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
responses:
'200':
description: A list of personal access tokens.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- userId
- name
- value
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
value:
type: string
minLength: 1
maxLength: 64
createdAt:
type: number
expiresAt:
type: number
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get personal access tokens
description: Get all personal access tokens for the user.
post:
operationId: CreateUserPersonalAccessToken
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The personal access token name. Must be unique within
the user.
expiresAt:
type: number
nullable: true
description: The epoch time in milliseconds when the token will
expire. If not provided, the token will never expire.
responses:
'201':
description: The personal access token was added successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- userId
- name
- value
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
value:
type: string
minLength: 1
maxLength: 64
createdAt:
type: number
expiresAt:
type: number
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The personal access token name is already in use.
summary: Add personal access token
description: Add a new personal access token for the user.
patch:
operationId: UpdatePersonalAccessTokenName
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The new token name. Must be unique within the user.
currentName:
type: string
description: The current name of the token to update.
responses:
'200':
description: The token was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- userId
- name
- value
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
value:
type: string
minLength: 1
maxLength: 64
createdAt:
type: number
expiresAt:
type: number
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update personal access token
description: Update a token for the user by name.
"/api/users/{userId}/personal-access-tokens/{name}":
delete:
operationId: DeleteUserPersonalAccessToken
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: name
in: path
required: true
schema:
type: string
description: The name of the token.
responses:
'204':
description: The token was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete personal access token
description: 'Delete a token for the user by name using the legacy path parameter.
Deprecated: use the POST /delete endpoint instead to avoid url name encoding
issues.'
patch:
operationId: UpdateUserPersonalAccessToken
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: name
in: path
required: true
schema:
type: string
description: The current name of the token.
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The new token name. Must be unique within the user.
responses:
'200':
description: The token was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- userId
- name
- value
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
value:
type: string
minLength: 1
maxLength: 64
createdAt:
type: number
expiresAt:
type: number
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update personal access token
description: 'Update a token for the user by name using the legacy path parameter.
Deprecated: use the PATCH /personal-access-tokens endpoint instead to avoid
url name encoding issues.'
"/api/users/{userId}/personal-access-tokens/delete":
post:
operationId: DeletePersonalAccessTokenPost
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
type: string
description: The name of the token to delete.
responses:
'204':
description: The token was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete personal access token
description: Delete a token for the user by name.
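Three things in the personal access token endpoints above are left to the caller: a token created without `expiresAt` never expires, the listing and create responses return `value` (the bearer secret itself), and the path-parameter delete and update forms are deprecated because of URL encoding problems with token names. The following is an added example, not code from this API reference or from Logto, that builds a create request with a bounded `expiresAt` in epoch milliseconds, audits a listing for never-expiring and lapsed tokens, redacts `value` before a record is logged, and builds the delete request in the recommended `POST .../personal-access-tokens/delete` form, with the deprecated path form shown alongside to make the encoding hazard visible. The user ID, token names and listing are constructed.

```python
"""Personal access token hygiene for one user via the Management API.

Added example, not code from the Logto API reference or from Logto itself.
`expiresAt` is epoch milliseconds per the spec. SAMPLE_TOKENS is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import quote

MS_PER_DAY = 86_400_000


def expires_at_ms(now_ms: int, ttl_days: int) -> int:
    """Epoch-millisecond expiry `ttl_days` from `now_ms`; refuse non-positive lifetimes."""
    if ttl_days <= 0:
        raise ValueError("ttl_days must be positive")
    return now_ms + ttl_days * MS_PER_DAY


def create_request(user_id: str, name: str, now_ms: int, ttl_days: int) -> dict:
    """POST /api/users/{userId}/personal-access-tokens with an explicit expiry.
    Omitting `expiresAt` would create a token that never expires."""
    return {"method": "POST",
            "path": f"/api/users/{user_id}/personal-access-tokens",
            "body": {"name": name, "expiresAt": expires_at_ms(now_ms, ttl_days)}}


@dataclass(frozen=True)
class TokenFinding:
    name: str
    status: str  # "never-expires" | "expired" | "active"


def audit_tokens(listing: list[dict], now_ms: int) -> list[TokenFinding]:
    """Classify each token in a GET listing by its `expiresAt` (null = never expires)."""
    findings = []
    for token in listing:
        exp = token["expiresAt"]
        if exp is None:
            status = "never-expires"
        elif exp <= now_ms:
            status = "expired"
        else:
            status = "active"
        findings.append(TokenFinding(token["name"], status))
    return findings


def redact(token: dict) -> dict:
    """Listing and create responses include `value`, the bearer secret itself.
    Strip it before the record goes anywhere near a log or ticket."""
    return {k: v for k, v in token.items() if k != "value"}


def delete_request(user_id: str, name: str) -> dict:
    """Recommended form: the name travels in the JSON body, so no path encoding is involved."""
    return {"method": "POST",
            "path": f"/api/users/{user_id}/personal-access-tokens/delete",
            "body": {"name": name}}


def legacy_delete_path(user_id: str, name: str) -> str:
    """Deprecated path form, shown only to make the hazard visible: a name containing
    `/` or spaces must be percent-encoded or the route will not match."""
    return f"/api/users/{user_id}/personal-access-tokens/{quote(name, safe='')}"


# --- constructed sample listing for user "u_demo" ---
NOW_MS = 1_700_000_000_000
SAMPLE_TOKENS = [
    {"tenantId": "t1", "userId": "u_demo", "name": "forever", "value": "pat_secret_1",
     "createdAt": NOW_MS - 10 * MS_PER_DAY, "expiresAt": None},
    {"tenantId": "t1", "userId": "u_demo", "name": "ci/deploy 2024", "value": "pat_secret_2",
     "createdAt": NOW_MS - 100 * MS_PER_DAY, "expiresAt": NOW_MS - MS_PER_DAY},
    {"tenantId": "t1", "userId": "u_demo", "name": "laptop", "value": "pat_secret_3",
     "createdAt": NOW_MS, "expiresAt": NOW_MS + 30 * MS_PER_DAY},
]

if __name__ == "__main__":
    for finding in audit_tokens(SAMPLE_TOKENS, NOW_MS):
        print(finding)
    print(create_request("u_demo", "rotation-2024", NOW_MS, 90))
    print(delete_request("u_demo", "ci/deploy 2024"))
    print(legacy_delete_path("u_demo", "ci/deploy 2024"))
    print(redact(SAMPLE_TOKENS[0]))
```

Tokens flagged `never-expires` are the ones to rotate first: create a replacement with a bounded `expiresAt`, then remove the old one by name with the POST form. Remember that the name must be unique within the user, so a create that reuses an existing name is rejected with 422.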
"/api/users/{userId}/sso-identities/{ssoConnectorId}":
get:
operationId: GetUserSsoIdentity
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- "$ref": "#/components/parameters/ssoConnectorId"
- name: includeTokenSecret
in: query
required: false
schema:
type: string
description: Whether to include the token secret in the response. Defaults
to false. Token storage must be supported and enabled by the connector to
return the token secret.
responses:
'200':
description: Returns the user's enterprise SSO identity and associated token
secret.
content:
application/json:
schema:
type: object
required:
- ssoIdentity
properties:
ssoIdentity:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
description: The user's enterprise SSO identity.
tokenSecret:
type: object
required:
- tenantId
- id
- userId
- type
- metadata
- createdAt
- updatedAt
- ssoConnectorId
- issuer
- identityId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 21
type:
type: string
format: '"federated_token_set"'
metadata:
type: object
required:
- hasRefreshToken
properties:
scope:
type: string
expiresAt:
type: number
tokenType:
type: string
hasRefreshToken:
type: boolean
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
issuer:
type: string
identityId:
type: string
description: |-
The desensitized token set secret associated with the user's SSO identity.
This field is included only if the `includeTokenSecret` query parameter is provided and the corresponding connector has token storage enabled.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: User enterprise SSO identity not found.
summary: Retrieve a user's enterprise SSO identity and associated token secret
(if token storage is enabled).
description: This API retrieves the user's enterprise SSO identity and associated
token set record from the Logto Secret Vault. The token set will only be available
if token storage is enabled for the corresponding SSO connector.
"/api/users/{userId}/all-identities":
get:
operationId: ListUserAllIdentities
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- name: includeTokenSecret
in: query
required: false
schema:
type: string
description: Whether to include the token secret in the response. Defaults
to false; the parameter is a string, so pass `true` to enable it. Token storage
must be supported and enabled by the connector for the token secret to be
returned, and even then only token metadata is returned, not the token values.
responses:
'200':
description: Returns the user's social identities, enterprise SSO identities
and associated token secret.
content:
application/json:
schema:
type: object
required:
- socialIdentities
- ssoIdentities
properties:
socialIdentities:
type: array
items:
type: object
required:
- identity
- target
properties:
identity:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
tokenSecret:
type: object
required:
- tenantId
- id
- userId
- type
- metadata
- createdAt
- updatedAt
- connectorId
- identityId
- target
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 21
type:
type: string
format: '"federated_token_set"'
metadata:
type: object
required:
- hasRefreshToken
properties:
scope:
type: string
expiresAt:
type: number
tokenType:
type: string
hasRefreshToken:
type: boolean
createdAt:
type: number
updatedAt:
type: number
connectorId:
type: string
identityId:
type: string
target:
type: string
target:
type: string
description: The user's social identities.
ssoIdentities:
type: array
items:
type: object
required:
- ssoIdentity
- ssoConnectorId
properties:
ssoIdentity:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
tokenSecret:
type: object
required:
- tenantId
- id
- userId
- type
- metadata
- createdAt
- updatedAt
- ssoConnectorId
- issuer
- identityId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 21
type:
type: string
format: '"federated_token_set"'
metadata:
type: object
required:
- hasRefreshToken
properties:
scope:
type: string
expiresAt:
type: number
tokenType:
type: string
hasRefreshToken:
type: boolean
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
issuer:
type: string
identityId:
type: string
ssoConnectorId:
type: string
description: The user's enterprise SSO identities.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: User not found.
summary: Retrieve social identities, enterprise SSO identities and associated
token secret (if token storage is enabled) for a user.
description: This API retrieves all identities (social and enterprise SSO) for
a user, along with their associated token set records from the Logto Secret
Vault. The token sets will only be available if token storage is enabled for
the corresponding identity connector.
"/api/users/{userId}/sessions":
get:
operationId: ListUserSessions
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
responses:
'200':
description: Return a list of non-expired sessions of the user.
content:
application/json:
schema:
type: object
required:
- sessions
properties:
sessions:
type: array
items:
type: object
required:
- payload
- lastSubmission
- clientId
- accountId
- expiresAt
properties:
payload:
type: object
required:
- exp
- iat
- jti
- uid
- kind
- loginTs
- accountId
properties:
exp:
type: number
iat:
type: number
jti:
type: string
uid:
type: string
kind:
type: string
format: '"Session"'
loginTs:
type: number
accountId:
type: string
authorizations:
type: object
additionalProperties:
type: object
properties:
sid:
type: string
grantId:
type: string
persistsLogout:
type: boolean
lastSubmission:
type: object
required:
- interactionEvent
- userId
- verificationRecords
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
nullable: true
clientId:
type: string
nullable: true
accountId:
type: string
nullable: true
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'500':
description: Internal Server Error
summary: Get user active sessions
description: Retrieve all non-expired sessions for the user, including session
metadata and interaction details when available.
"/api/users/{userId}/sessions/{sessionId}":
get:
operationId: GetUserSession
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- "$ref": "#/components/parameters/sessionId"
responses:
'200':
description: Return a non-expired session of the user.
content:
application/json:
schema:
type: object
required:
- payload
- lastSubmission
- clientId
- accountId
- expiresAt
properties:
payload:
type: object
required:
- exp
- iat
- jti
- uid
- kind
- loginTs
- accountId
properties:
exp:
type: number
iat:
type: number
jti:
type: string
uid:
type: string
kind:
type: string
format: '"Session"'
loginTs:
type: number
accountId:
type: string
authorizations:
type: object
additionalProperties:
type: object
properties:
sid:
type: string
grantId:
type: string
persistsLogout:
type: boolean
lastSubmission:
type: object
required:
- interactionEvent
- userId
- verificationRecords
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
nullable: true
clientId:
type: string
nullable: true
accountId:
type: string
nullable: true
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'500':
description: Internal Server Error
summary: Get user active session
description: Retrieve a non-expired session for the user by session ID, including
session metadata and interaction details when available.
delete:
operationId: DeleteUserSession
tags:
- Users
parameters:
- "$ref": "#/components/parameters/userId"
- "$ref": "#/components/parameters/sessionId"
- name: revokeGrantsTarget
in: query
required: false
schema:
type: string
enum:
- all
- firstParty
description: Optional target for revoking the grants and tokens associated
with this session. 'all' revokes grants for every application authorized by
this session. 'firstParty' revokes only first-party app grants; third-party app
grants remain active. If omitted, grants remain active when the session
authorizations include offline_access (so refresh tokens issued under them keep
working after the session is gone); otherwise they are revoked. When the goal
is to fully sign a user out of a suspected-compromised session, pass 'all'.
responses:
'204':
description: Session revoked successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'500':
description: Internal Server Error
summary: Revoke a user session
description: Revoke a specific user session by its ID, optionally revoking associated
target grants and tokens.
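The two session endpoints above are what an incident responder reaches for when an account is compromised. The following is an added example, not Logto's own code: it lists a user's live sessions and deletes each one with `revokeGrantsTarget` set explicitly, because leaving it out keeps refresh-token grants alive. It assumes a Management API bearer token obtained out of band (for example from an M2M application), a tenant base URL of the form `https://<tenant_id>.logto.app`, and that the `sessionId` path parameter is the session payload's `jti` (an assumption, labelled in the code). The HTTP layer is injected so the logic runs offline against a fake transport with constructed sessions.

```python
"""Kill every live session of a user and the OAuth grants behind them.

Added example, not Logto's own code. Assumes a Management API bearer token,
a base URL like https://<tenant_id>.logto.app, and that sessionId == payload.jti.
"""
from __future__ import annotations

import json
from typing import Callable
from urllib import error, parse, request

# (method, path, query) -> (http_status, parsed JSON body or None)
Transport = Callable[[str, str, dict], tuple]


def make_urllib_transport(base_url: str, access_token: str) -> Transport:
    """Real transport: bearer-authenticated calls to the Management API."""
    def send(method: str, path: str, query: dict) -> tuple:
        url = base_url.rstrip("/") + path
        if query:
            url += "?" + parse.urlencode(query)
        req = request.Request(url, method=method,
                              headers={"Authorization": f"Bearer {access_token}"})
        try:
            with request.urlopen(req, timeout=10) as resp:
                body = resp.read()
                return resp.status, (json.loads(body) if body else None)
        except error.HTTPError as exc:  # 401/403/404 come back as a status code
            return exc.code, None
    return send


def list_sessions(http: Transport, user_id: str) -> list[dict]:
    """GET /api/users/{userId}/sessions -> the user's non-expired sessions."""
    status, body = http("GET", f"/api/users/{user_id}/sessions", {})
    if status != 200:
        raise RuntimeError(f"ListUserSessions failed with HTTP {status}")
    return list(body["sessions"])


def revoke_user_sessions(http: Transport, user_id: str, *, target: str = "all",
                         keep_session_id: str | None = None) -> list[tuple[str, str]]:
    """DELETE each live session, always passing revokeGrantsTarget.

    Omitting the parameter is the trap: grants issued with offline_access survive
    session deletion, so a stolen refresh token keeps minting access tokens.
    Returns (sessionId, clientId) for every session that was revoked.
    """
    if target not in ("all", "firstParty"):
        raise ValueError("revokeGrantsTarget must be 'all' or 'firstParty'")
    revoked = []
    for session in list_sessions(http, user_id):
        session_id = session["payload"]["jti"]  # assumption: jti is the sessionId
        if session_id == keep_session_id:  # e.g. the operator's own session
            continue
        status, _ = http("DELETE", f"/api/users/{user_id}/sessions/{session_id}",
                         {"revokeGrantsTarget": target})
        if status == 404:  # expired between list and delete; nothing left to do
            continue
        if status != 204:
            raise RuntimeError(f"DeleteUserSession {session_id}: HTTP {status}")
        revoked.append((session_id, session.get("clientId") or ""))
    return revoked


def _session(jti: str, client_id: str, account_id: str, login_ts: int) -> dict:
    """One constructed session shaped like the ListUserSessions item schema."""
    return {
        "payload": {"exp": login_ts + 14 * 86400, "iat": login_ts, "jti": jti,
                    "uid": f"uid_{jti}", "kind": "Session", "loginTs": login_ts,
                    "accountId": account_id,
                    "authorizations": {client_id: {"sid": f"sid_{jti}",
                                                   "grantId": f"grant_{jti}"}}},
        "lastSubmission": {"interactionEvent": "SignIn", "userId": account_id,
                           "verificationRecords": []},
        "clientId": client_id, "accountId": account_id,
        "expiresAt": login_ts + 14 * 86400,
    }


SAMPLE_SESSIONS = [  # constructed data, not captured from a real tenant
    _session("sess_a", "app_1", "user_1", 1_700_000_000),
    _session("sess_b", "app_2", "user_1", 1_700_050_000),
]


def make_fake_transport(sessions: list[dict]) -> Transport:
    """Offline stand-in for the two session endpoints; records every DELETE."""
    live = {s["payload"]["jti"]: s for s in sessions}
    deletes: list[tuple[str, str | None]] = []

    def send(method: str, path: str, query: dict) -> tuple:
        parts = path.strip("/").split("/")
        if method == "GET" and parts[-1] == "sessions":
            return 200, {"sessions": list(live.values())}
        if method == "DELETE" and len(parts) == 5 and parts[3] == "sessions":
            if parts[4] not in live:
                return 404, None
            del live[parts[4]]
            deletes.append((parts[4], query.get("revokeGrantsTarget")))
            return 204, None
        return 400, None

    send.deletes = deletes  # type: ignore[attr-defined]
    return send


if __name__ == "__main__":
    fake = make_fake_transport(SAMPLE_SESSIONS)
    print(revoke_user_sessions(fake, "user_1", keep_session_id="sess_b"))
```

Against a real tenant, swap `make_fake_transport(...)` for `make_urllib_transport("https://<tenant_id>.logto.app", token)`; `keep_session_id` is for the case where the operator is revoking their own account's other sessions and wants to stay signed in.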
"/api/logs":
get:
operationId: ListLogs
tags:
- Audit logs
parameters:
- name: userId
in: query
required: false
schema:
type: string
description: Filter logs by user ID.
- name: applicationId
in: query
required: false
schema:
type: string
description: Filter logs by application ID.
- name: logKey
in: query
required: false
schema:
type: string
description: Filter logs by log key.
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: An array of logs that match the given query.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- key
- payload
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
key:
type: string
minLength: 1
maxLength: 128
payload:
type: object
required:
- key
- result
properties:
key:
type: string
result:
type: string
enum:
- Success
- Error
error:
oneOf:
- type: object
additionalProperties:
example: {}
- type: string
ip:
type: string
userAgent:
type: string
userAgentParsed:
type: object
properties:
ua:
type: string
browser:
type: object
properties:
name:
type: string
version:
type: string
major:
type: string
type:
type: string
device:
type: object
properties:
model:
type: string
type:
type: string
vendor:
type: string
engine:
type: object
properties:
name:
type: string
version:
type: string
os:
type: object
properties:
name:
type: string
version:
type: string
cpu:
type: object
properties:
architecture:
type: string
userId:
type: string
applicationId:
type: string
sessionId:
type: string
params:
type: object
additionalProperties:
example: {}
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get logs
description: Get logs that match the given query with pagination.
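The `/api/logs` endpoint is paginated (`page`, `page_size`) and each entry carries `payload.result`, `payload.ip`, `payload.userId` and the parsed user agent, which is enough raw material for simple detections. The following is an added example, not Logto's own code: a generator that walks every page of the log with the optional `userId`, `applicationId` and `logKey` filters, and a detector that flags source IPs producing many `Error` results across several distinct accounts (a password-spray pattern). The log key `SignIn.PasswordSubmit` and every entry in `SAMPLE_LOGS` are constructed placeholders, not real Logto log keys or captured data; the transport is injected in the same `(method, path, query) -> (status, json)` shape as a Management API client so it runs offline.

```python
"""Page through the audit log and flag password-spray-like failure bursts.

Added example, not Logto's own code. The log key and entries below are
constructed placeholders; the transport is injected so this runs offline.
"""
from __future__ import annotations

from collections.abc import Iterator
from typing import Callable

Transport = Callable[[str, str, dict], tuple]


def iter_logs(http: Transport, *, user_id: str | None = None,
              application_id: str | None = None, log_key: str | None = None,
              page_size: int = 100) -> Iterator[dict]:
    """Yield every log entry matching the filters, following page/page_size."""
    page = 1
    while True:
        query: dict = {"page": page, "page_size": page_size}
        if user_id:
            query["userId"] = user_id
        if application_id:
            query["applicationId"] = application_id
        if log_key:
            query["logKey"] = log_key
        status, body = http("GET", "/api/logs", query)
        if status != 200:
            raise RuntimeError(f"ListLogs page {page}: HTTP {status}")
        if not body:
            return
        yield from body
        if len(body) < page_size:  # a short page is the last page
            return
        page += 1


def spray_candidates(logs, *, min_failures: int = 5,
                     min_users: int = 3) -> list[tuple[str, int, int]]:
    """Source IPs with many Error results spread across several accounts.

    Reads payload.result, payload.ip and payload.userId from the log schema and
    returns (ip, failures, distinct_users), noisiest first.
    """
    per_ip: dict[str, dict] = {}
    for entry in logs:
        payload = entry.get("payload") or {}
        if payload.get("result") != "Error":
            continue
        ip = payload.get("ip") or "unknown"
        bucket = per_ip.setdefault(ip, {"failures": 0, "users": set()})
        bucket["failures"] += 1
        if payload.get("userId"):  # absent when the identifier matched no user
            bucket["users"].add(payload["userId"])
    hits = [(ip, b["failures"], len(b["users"])) for ip, b in per_ip.items()
            if b["failures"] >= min_failures and len(b["users"]) >= min_users]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))


def _entry(i: int, ip: str, user_id: str, result: str,
           key: str = "SignIn.PasswordSubmit") -> dict:
    """One constructed log entry shaped like the ListLogs item schema."""
    return {"tenantId": "tenant_x", "id": f"log_{i}", "key": key,
            "payload": {"key": key, "result": result, "ip": ip, "userId": user_id,
                        "userAgent": "Mozilla/5.0 (constructed)"},
            "createdAt": 1_700_000_000_000 + i}


SAMPLE_LOGS = [  # constructed: one IP failing against four accounts, one benign IP
    *[_entry(i, "203.0.113.7", f"user_{i % 4}", "Error") for i in range(6)],
    _entry(6, "198.51.100.5", "user_0", "Error"),
    _entry(7, "198.51.100.5", "user_0", "Success"),
]


def make_fake_log_transport(entries: list[dict]) -> Transport:
    """Offline /api/logs honouring page, page_size and the userId filter."""
    calls: list[int] = []

    def send(method: str, path: str, query: dict) -> tuple:
        if method != "GET" or path != "/api/logs":
            return 404, None
        page, size = int(query["page"]), int(query["page_size"])
        calls.append(page)
        wanted = query.get("userId")
        rows = [e for e in entries
                if not wanted or e["payload"].get("userId") == wanted]
        return 200, rows[(page - 1) * size: page * size]

    send.calls = calls  # type: ignore[attr-defined]
    return send


if __name__ == "__main__":
    fake = make_fake_log_transport(SAMPLE_LOGS)
    print(spray_candidates(iter_logs(fake, page_size=4)))
```

Because `iter_logs` is a generator, `spray_candidates` can consume a large log without holding every page in memory; for a scheduled detection, filter with `logKey` on the sign-in event you care about and keep a per-run cursor on `createdAt`.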
"/api/logs/{id}":
get:
operationId: GetLog
tags:
- Audit logs
parameters:
- "$ref": "#/components/parameters/logId-root"
responses:
'200':
description: Log details.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- key
- payload
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
key:
type: string
minLength: 1
maxLength: 128
payload:
type: object
required:
- key
- result
properties:
key:
type: string
result:
type: string
enum:
- Success
- Error
error:
oneOf:
- type: object
additionalProperties:
example: {}
- type: string
ip:
type: string
userAgent:
type: string
userAgentParsed:
type: object
properties:
ua:
type: string
browser:
type: object
properties:
name:
type: string
version:
type: string
major:
type: string
type:
type: string
device:
type: object
properties:
model:
type: string
type:
type: string
vendor:
type: string
engine:
type: object
properties:
name:
type: string
version:
type: string
os:
type: object
properties:
name:
type: string
version:
type: string
cpu:
type: object
properties:
architecture:
type: string
userId:
type: string
applicationId:
type: string
sessionId:
type: string
params:
type: object
additionalProperties:
example: {}
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Log not found.
summary: Get log
description: Get log details by ID.
"/api/roles":
get:
operationId: ListRoles
tags:
- Roles
parameters:
- name: excludeUserId
in: query
required: false
schema:
type: string
description: Exclude roles assigned to a user.
- name: excludeApplicationId
in: query
required: false
schema:
type: string
description: Exclude roles assigned to an application.
- name: type
in: query
required: false
schema:
type: string
enum:
- User
- MachineToMachine
description: Filter by role type.
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: An array of roles matching the filters.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- type
- isDefault
- usersCount
- featuredUsers
- applicationsCount
- featuredApplications
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- User
- MachineToMachine
isDefault:
type: boolean
usersCount:
type: number
featuredUsers:
type: array
items:
type: object
required:
- id
- avatar
- name
properties:
id:
type: string
minLength: 1
maxLength: 12
avatar:
type: string
maxLength: 2048
nullable: true
name:
type: string
maxLength: 128
nullable: true
applicationsCount:
type: number
featuredApplications:
type: array
items:
type: object
required:
- id
- name
- type
properties:
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get roles
description: Get roles with filters and pagination.
post:
operationId: CreateRole
tags:
- Roles
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
- description
properties:
tenantId:
type: string
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description: The name of the role. It should be unique within the
tenant.
description:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- User
- MachineToMachine
description: The type of the role. It cannot be changed after creation.
isDefault:
type: boolean
scopeIds:
type: array
items:
type: string
minLength: 1
description: The initial API resource scopes assigned to the role.
responses:
'200':
description: The created role.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
- isDefault
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- User
- MachineToMachine
isDefault:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Create a role
description: Create a new role with the given data.
"/api/roles/{id}":
get:
operationId: GetRole
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
responses:
'200':
description: Details of the role.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
- isDefault
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- User
- MachineToMachine
isDefault:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get role
description: Get role details by ID.
patch:
operationId: UpdateRole
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
name:
type: string
minLength: 1
maxLength: 128
description: The name of the role. It should be unique within the
tenant.
description:
type: string
minLength: 1
maxLength: 128
isDefault:
type: boolean
responses:
'200':
description: The updated role.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
- isDefault
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- User
- MachineToMachine
isDefault:
type: boolean
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Update role
description: Update role details. This method performs a partial update.
delete:
operationId: DeleteRole
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
responses:
'204':
description: The role was deleted.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete role
description: Delete a role with the given ID.
"/api/roles/{id}/users":
get:
operationId: ListRoleUsers
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: An array of users who have the role assigned.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get role users
description: Get users who have the role assigned with pagination.
post:
operationId: CreateRoleUser
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- userIds
properties:
userIds:
type: array
items:
type: string
minLength: 1
description: An array of user IDs to be assigned.
responses:
'201':
description: The role was assigned to the users successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Assign role to users
description: Assign a role to a list of users. The role must have the type `User`.
"/api/roles/{id}/users/{userId}":
delete:
operationId: DeleteRoleUser
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
- "$ref": "#/components/parameters/userId"
responses:
'204':
description: The role was removed from the user.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Remove role from user
description: Remove a role from a user with the given ID.
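Role creation and assignment are where least privilege is actually wired up: a role's `type` is fixed at creation, `scopeIds` seeds its permissions, and only `User` roles may be assigned to users. The following is an added example, not Logto's own code: it creates a narrowly scoped role via `POST /api/roles` and assigns it with `POST /api/roles/{id}/users`, fetching the role first so a provisioning script fails cleanly on a `MachineToMachine` role rather than relying on the API's rejection. The transport takes an extra JSON body argument; the scope ID, role names and user IDs are constructed placeholders.

```python
"""Create a least-privilege role and assign it, guarding the role-type rule.

Added example, not Logto's own code. Transport shape:
http(method, path, query, body) -> (status, json). IDs are placeholders.
"""
from __future__ import annotations

from typing import Callable

Transport = Callable[[str, str, dict, object], tuple]


def create_role(http: Transport, name: str, description: str, *,
                role_type: str = "User", scope_ids: list[str] = ()) -> dict:
    """POST /api/roles with the initial scopes; type cannot change afterwards."""
    body = {"name": name, "description": description, "type": role_type,
            "scopeIds": list(scope_ids)}
    status, role = http("POST", "/api/roles", {}, body)
    if status != 200:
        raise RuntimeError(f"CreateRole {name!r}: HTTP {status}")
    return role


def assign_role_to_users(http: Transport, role_id: str, user_ids: list[str]) -> None:
    """POST /api/roles/{id}/users, refusing non-User roles before the call.

    The API rejects the mismatch as well; checking first turns a failed batch
    in a provisioning script into a clear, early error.
    """
    status, role = http("GET", f"/api/roles/{role_id}", {}, None)
    if status != 200:
        raise RuntimeError(f"GetRole {role_id}: HTTP {status}")
    if role["type"] != "User":
        raise ValueError(f"role {role_id} has type {role['type']}; "
                         "only User roles can be assigned to users")
    status, _ = http("POST", f"/api/roles/{role_id}/users", {},
                     {"userIds": list(user_ids)})
    if status != 201:
        raise RuntimeError(f"CreateRoleUser {role_id}: HTTP {status}")


def make_fake_role_transport() -> Transport:
    """Offline stand-in for the three role endpoints used above."""
    roles: dict[str, dict] = {}
    assignments: dict[str, list[str]] = {}
    counter = [0]

    def send(method: str, path: str, query: dict, body: object) -> tuple:
        parts = path.strip("/").split("/")
        if method == "POST" and path == "/api/roles":
            if any(r["name"] == body["name"] for r in roles.values()):
                return 422, None  # role name must be unique within the tenant
            counter[0] += 1
            role = {"tenantId": "tenant_x", "id": f"role_{counter[0]}",
                    "name": body["name"], "description": body["description"],
                    "type": body.get("type", "User"),
                    "isDefault": bool(body.get("isDefault"))}
            roles[role["id"]] = role
            assignments[role["id"]] = []
            return 200, role
        if method == "GET" and len(parts) == 3 and parts[1] == "roles":
            role = roles.get(parts[2])
            return (200, role) if role else (404, None)
        if method == "POST" and len(parts) == 4 and parts[3] == "users":
            if parts[2] not in roles:
                return 404, None
            assignments[parts[2]].extend(body["userIds"])
            return 201, {}
        return 400, None

    send.roles, send.assignments = roles, assignments  # type: ignore[attr-defined]
    return send


if __name__ == "__main__":
    fake = make_fake_role_transport()
    auditor = create_role(fake, "auditor", "Read-only access to audit logs",
                          scope_ids=["scope_logs_read"])  # placeholder scope ID
    assign_role_to_users(fake, auditor["id"], ["user_1", "user_2"])
    print(fake.assignments)
```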
"/api/roles/{id}/applications":
get:
operationId: ListRoleApplications
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: An array of applications that have the role assigned.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- secret
- description
- type
- oidcClientMetadata
- customClientMetadata
- protectedAppMetadata
- customData
- isThirdParty
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
secret:
type: string
minLength: 1
maxLength: 64
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: string
description: A redirect URI; validated server-side.
postLogoutRedirectUris:
type: array
items:
type: string
description: A post-logout redirect URI; validated server-side.
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
'204':
description: No Content
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get role applications
description: Get applications that have the role assigned with pagination.
post:
operationId: CreateRoleApplication
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- applicationIds
properties:
applicationIds:
type: array
items:
type: string
minLength: 1
description: An array of application IDs to be assigned.
responses:
'201':
description: The role was assigned to the applications successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Assign role to applications
description: Assign a role to a list of applications. The role must have the
type `Application`.
"/api/roles/{id}/applications/{applicationId}":
delete:
operationId: DeleteRoleApplication
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
- "$ref": "#/components/parameters/applicationId"
responses:
'204':
description: The role was removed from the application.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Remove role from application
description: Remove the role from an application with the given ID.
"/api/roles/{id}/scopes":
get:
operationId: ListRoleScopes
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
- name: search_params
in: query
description: Search query parameters.
required: false
schema:
type: object
additionalProperties:
type: string
explode: true
responses:
'200':
description: An array of API resource scopes linked with the role.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- resourceId
- name
- description
- createdAt
- resource
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
resourceId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
createdAt:
type: number
resource:
type: object
required:
- tenantId
- id
- name
- indicator
- isDefault
- accessTokenTtl
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
indicator:
type: string
minLength: 1
isDefault:
type: boolean
accessTokenTtl:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get role scopes
description: Get API resource scopes (permissions) linked with a role.
post:
operationId: CreateRoleScope
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- scopeIds
properties:
scopeIds:
type: array
items:
type: string
minLength: 1
description: An array of API resource scope IDs to be linked.
responses:
'200':
description: The role was linked to the scopes successfully.
'201':
description: Created
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- resourceId
- name
- description
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
resourceId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Link scopes to role
description: Link a list of API resource scopes (permissions) to a role. The
original linked scopes will be kept.
"/api/roles/{id}/scopes/{scopeId}":
delete:
operationId: DeleteRoleScope
tags:
- Roles
parameters:
- "$ref": "#/components/parameters/roleId-root"
- "$ref": "#/components/parameters/scopeId"
responses:
'204':
description: The API resource scope was unlinked from the role.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Unlink scope from role
description: Unlink an API resource scope (permission) from a role with the
given ID.
"/api/dashboard/users/total":
get:
operationId: GetTotalUserCount
tags:
- Dashboard
parameters: []
responses:
'200':
description: Total user count.
content:
application/json:
schema:
type: object
required:
- totalUserCount
properties:
totalUserCount:
type: number
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get total user count
description: Get total user count in the current tenant.
"/api/dashboard/users/new":
get:
operationId: GetNewUserCounts
tags:
- Dashboard
parameters: []
responses:
'200':
description: New user count.
content:
application/json:
schema:
type: object
required:
- today
- last7Days
properties:
today:
type: object
required:
- count
- delta
properties:
count:
type: number
delta:
type: number
last7Days:
type: object
required:
- count
- delta
properties:
count:
type: number
delta:
type: number
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get new user count
description: Get new user count in the past 7 days.
"/api/dashboard/users/active":
get:
operationId: GetActiveUserCounts
tags:
- Dashboard
parameters:
- name: date
in: query
required: false
schema:
type: string
format: regex
pattern: "/^\\d{4}(-\\d{2}){2}/"
description: The date for which to get active user data.
responses:
'200':
description: Active user data object.
content:
application/json:
schema:
type: object
required:
- dauCurve
- dau
- wau
- mau
properties:
dauCurve:
type: array
items:
type: object
required:
- date
- count
properties:
date:
type: string
count:
type: number
dau:
type: object
required:
- count
- delta
properties:
count:
type: number
delta:
type: number
wau:
type: object
required:
- count
- delta
properties:
count:
type: number
delta:
type: number
mau:
type: object
required:
- count
- delta
properties:
count:
type: number
delta:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get active user data
description: Get active user data, including daily active users (DAU), weekly
active users (WAU) and monthly active users (MAU). It also includes an array
of DAU values for the past 30 days.
"/api/custom-phrases":
get:
operationId: ListCustomPhrases
tags:
- Custom phrases
parameters: []
responses:
'200':
description: An array of custom phrases.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- languageTag
- translation
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
languageTag:
type: string
minLength: 1
maxLength: 16
translation:
"$ref": "#/components/schemas/TranslationObject"
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get all custom phrases
description: Get all custom phrases for all languages.
"/api/custom-phrases/{languageTag}":
get:
operationId: GetCustomPhrase
tags:
- Custom phrases
parameters:
- name: languageTag
in: path
required: true
schema:
type: string
enum:
- af-ZA
- am-ET
- ar
- ar-AR
- as-IN
- az-AZ
- be-BY
- bg-BG
- bn-IN
- br-FR
- bs-BA
- ca-ES
- cb-IQ
- co-FR
- cs
- cs-CZ
- cx-PH
- cy-GB
- da-DK
- de
- de-DE
- el-GR
- en
- en-GB
- en-US
- eo-EO
- es
- es-ES
- es-419
- et-EE
- eu-ES
- fa-IR
- ff-NG
- fi
- fi-FI
- fo-FO
- fr
- fr-CA
- fr-FR
- fy-NL
- ga-IE
- gl-ES
- gn-PY
- gu-IN
- ha-NG
- he-IL
- hi-IN
- hr-HR
- ht-HT
- hu-HU
- hy-AM
- id-ID
- ik-US
- is-IS
- it
- it-IT
- iu-CA
- ja
- ja-JP
- ja-KS
- jv-ID
- ka-GE
- kk-KZ
- km-KH
- kn-IN
- ko
- ko-KR
- ku-TR
- ky-KG
- lo-LA
- lt-LT
- lv-LV
- mg-MG
- mk-MK
- ml-IN
- mn-MN
- mr-IN
- ms-MY
- mt-MT
- my-MM
- nb-NO
- ne-NP
- nl
- nl-BE
- nl-NL
- nn-NO
- or-IN
- pa-IN
- pl-PL
- ps-AF
- pt
- pt-BR
- pt-PT
- ro-RO
- ru
- ru-RU
- rw-RW
- sc-IT
- si-LK
- sk-SK
- sl-SI
- sn-ZW
- sq-AL
- sr-RS
- sv
- sv-SE
- sw-KE
- sy-SY
- sz-PL
- ta-IN
- te-IN
- tg-TJ
- th
- th-TH
- tl-PH
- tr
- tr-TR
- tt-RU
- tz-MA
- uk-UA
- ur-PK
- uz-UZ
- vi-VN
- zh
- zh-CN
- zh-HK
- zh-MO
- zh-TW
- zz-TR
responses:
'200':
description: Custom phrases for the specified language tag.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- languageTag
- translation
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
languageTag:
type: string
minLength: 1
maxLength: 16
translation:
"$ref": "#/components/schemas/TranslationObject"
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Custom phrases not found.
summary: Get custom phrases
description: Get custom phrases for the specified language tag.
put:
operationId: ReplaceCustomPhrase
tags:
- Custom phrases
parameters:
- name: languageTag
in: path
required: true
schema:
type: string
enum:
- af-ZA
- am-ET
- ar
- ar-AR
- as-IN
- az-AZ
- be-BY
- bg-BG
- bn-IN
- br-FR
- bs-BA
- ca-ES
- cb-IQ
- co-FR
- cs
- cs-CZ
- cx-PH
- cy-GB
- da-DK
- de
- de-DE
- el-GR
- en
- en-GB
- en-US
- eo-EO
- es
- es-ES
- es-419
- et-EE
- eu-ES
- fa-IR
- ff-NG
- fi
- fi-FI
- fo-FO
- fr
- fr-CA
- fr-FR
- fy-NL
- ga-IE
- gl-ES
- gn-PY
- gu-IN
- ha-NG
- he-IL
- hi-IN
- hr-HR
- ht-HT
- hu-HU
- hy-AM
- id-ID
- ik-US
- is-IS
- it
- it-IT
- iu-CA
- ja
- ja-JP
- ja-KS
- jv-ID
- ka-GE
- kk-KZ
- km-KH
- kn-IN
- ko
- ko-KR
- ku-TR
- ky-KG
- lo-LA
- lt-LT
- lv-LV
- mg-MG
- mk-MK
- ml-IN
- mn-MN
- mr-IN
- ms-MY
- mt-MT
- my-MM
- nb-NO
- ne-NP
- nl
- nl-BE
- nl-NL
- nn-NO
- or-IN
- pa-IN
- pl-PL
- ps-AF
- pt
- pt-BR
- pt-PT
- ro-RO
- ru
- ru-RU
- rw-RW
- sc-IT
- si-LK
- sk-SK
- sl-SI
- sn-ZW
- sq-AL
- sr-RS
- sv
- sv-SE
- sw-KE
- sy-SY
- sz-PL
- ta-IN
- te-IN
- tg-TJ
- th
- th-TH
- tl-PH
- tr
- tr-TR
- tt-RU
- tz-MA
- uk-UA
- ur-PK
- uz-UZ
- vi-VN
- zh
- zh-CN
- zh-HK
- zh-MO
- zh-TW
- zz-TR
requestBody:
required: true
content:
application/json:
schema:
"$ref": "#/components/schemas/TranslationObject"
example:
phraseKey1: new value1
phraseKey2: new value2
responses:
'201':
description: Custom phrases created or updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- languageTag
- translation
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
languageTag:
type: string
minLength: 1
maxLength: 16
translation:
"$ref": "#/components/schemas/TranslationObject"
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Invalid translation structure.
summary: Upsert custom phrases
description: Upsert custom phrases for the specified language tag. Upsert means
that if the custom phrases already exist, they will be updated. Otherwise,
they will be created.
delete:
operationId: DeleteCustomPhrase
tags:
- Custom phrases
parameters:
- name: languageTag
in: path
required: true
schema:
type: string
enum:
- af-ZA
- am-ET
- ar
- ar-AR
- as-IN
- az-AZ
- be-BY
- bg-BG
- bn-IN
- br-FR
- bs-BA
- ca-ES
- cb-IQ
- co-FR
- cs
- cs-CZ
- cx-PH
- cy-GB
- da-DK
- de
- de-DE
- el-GR
- en
- en-GB
- en-US
- eo-EO
- es
- es-ES
- es-419
- et-EE
- eu-ES
- fa-IR
- ff-NG
- fi
- fi-FI
- fo-FO
- fr
- fr-CA
- fr-FR
- fy-NL
- ga-IE
- gl-ES
- gn-PY
- gu-IN
- ha-NG
- he-IL
- hi-IN
- hr-HR
- ht-HT
- hu-HU
- hy-AM
- id-ID
- ik-US
- is-IS
- it
- it-IT
- iu-CA
- ja
- ja-JP
- ja-KS
- jv-ID
- ka-GE
- kk-KZ
- km-KH
- kn-IN
- ko
- ko-KR
- ku-TR
- ky-KG
- lo-LA
- lt-LT
- lv-LV
- mg-MG
- mk-MK
- ml-IN
- mn-MN
- mr-IN
- ms-MY
- mt-MT
- my-MM
- nb-NO
- ne-NP
- nl
- nl-BE
- nl-NL
- nn-NO
- or-IN
- pa-IN
- pl-PL
- ps-AF
- pt
- pt-BR
- pt-PT
- ro-RO
- ru
- ru-RU
- rw-RW
- sc-IT
- si-LK
- sk-SK
- sl-SI
- sn-ZW
- sq-AL
- sr-RS
- sv
- sv-SE
- sw-KE
- sy-SY
- sz-PL
- ta-IN
- te-IN
- tg-TJ
- th
- th-TH
- tl-PH
- tr
- tr-TR
- tt-RU
- tz-MA
- uk-UA
- ur-PK
- uz-UZ
- vi-VN
- zh
- zh-CN
- zh-HK
- zh-MO
- zh-TW
- zz-TR
responses:
'204':
description: Custom phrases deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Custom phrases not found.
'409':
description: Cannot delete the default language.
summary: Delete custom phrase
description: Delete custom phrases for the specified language tag.
"/api/hooks":
get:
operationId: ListHooks
tags:
- Hooks
parameters:
- name: includeExecutionStats
in: query
required: false
schema:
type: string
description: Whether to include execution stats in the response.
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of hooks.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- event
- events
- config
- signingKey
- enabled
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
maxLength: 256
event:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
nullable: true
events:
type: array
items:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
config:
type: object
required:
- url
properties:
url:
type: string
headers:
type: object
additionalProperties:
type: string
retries:
type: number
signingKey:
type: string
maxLength: 64
enabled:
type: boolean
createdAt:
type: number
executionStats:
type: object
required:
- successCount
- requestCount
properties:
successCount:
type: number
requestCount:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get hooks
description: Get a list of hooks with optional pagination.
post:
operationId: CreateHook
tags:
- Hooks
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- config
properties:
tenantId:
type: string
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description: The name of the hook.
event:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
deprecated: true
description: Use `events` instead.
events:
type: array
items:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
description: An array of hook events.
config:
type: object
required:
- url
properties:
url:
type: string
headers:
type: object
additionalProperties:
type: string
retries:
type: number
deprecated: true
description: The retry count is now fixed to 3. Kept for backward
compatibility.
enabled:
type: boolean
createdAt:
type: number
responses:
'201':
description: The hook was created successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- event
- events
- config
- signingKey
- enabled
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
maxLength: 256
event:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
nullable: true
events:
type: array
items:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
config:
type: object
required:
- url
properties:
url:
type: string
headers:
type: object
additionalProperties:
type: string
retries:
type: number
signingKey:
type: string
maxLength: 64
enabled:
type: boolean
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Create a hook
description: Create a new hook with the given data.
"/api/hooks/{id}":
get:
operationId: GetHook
tags:
- Hooks
parameters:
- "$ref": "#/components/parameters/hookId-root"
- name: includeExecutionStats
in: query
required: false
schema:
type: string
description: Whether to include execution stats in the response.
responses:
'200':
description: Details of the hook.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- event
- events
- config
- signingKey
- enabled
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
maxLength: 256
event:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
nullable: true
events:
type: array
items:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
config:
type: object
required:
- url
properties:
url:
type: string
headers:
type: object
additionalProperties:
type: string
retries:
type: number
signingKey:
type: string
maxLength: 64
enabled:
type: boolean
createdAt:
type: number
executionStats:
type: object
required:
- successCount
- requestCount
properties:
successCount:
type: number
requestCount:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get hook
description: Get hook details by ID.
patch:
operationId: UpdateHook
tags:
- Hooks
parameters:
- "$ref": "#/components/parameters/hookId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
tenantId:
type: string
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description: The updated name of the hook.
event:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
nullable: true
deprecated: true
description: Use `events` instead.
events:
type: array
items:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
description: An array of updated hook events.
config:
type: object
required:
- url
properties:
url:
type: string
headers:
type: object
additionalProperties:
type: string
retries:
type: number
deprecated: true
description: The retry count is now fixed to 3. Kept for backward
compatibility.
enabled:
type: boolean
createdAt:
type: number
responses:
'200':
description: The hook was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- event
- events
- config
- signingKey
- enabled
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
maxLength: 256
event:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
nullable: true
events:
type: array
items:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
config:
type: object
required:
- url
properties:
url:
type: string
headers:
type: object
additionalProperties:
type: string
retries:
type: number
signingKey:
type: string
maxLength: 64
enabled:
type: boolean
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update hook
description: Update hook details by ID with the given data.
delete:
operationId: DeleteHook
tags:
- Hooks
parameters:
- "$ref": "#/components/parameters/hookId-root"
responses:
'204':
description: The hook was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete hook
description: Delete hook by ID.
"/api/hooks/{id}/recent-logs":
get:
operationId: ListHookRecentLogs
tags:
- Hooks
parameters:
- "$ref": "#/components/parameters/hookId-root"
- name: logKey
in: query
required: false
schema:
type: string
description: The log key to filter logs.
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of recent logs for the hook.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- key
- payload
- createdAt
properties:
id:
type: string
minLength: 1
maxLength: 21
key:
type: string
minLength: 1
maxLength: 128
payload:
type: object
required:
- key
- result
properties:
key:
type: string
result:
type: string
enum:
- Success
- Error
error:
oneOf:
- type: object
additionalProperties:
example: {}
- type: string
ip:
type: string
userAgent:
type: string
userAgentParsed:
type: object
properties:
ua:
type: string
browser:
type: object
properties:
name:
type: string
version:
type: string
major:
type: string
type:
type: string
device:
type: object
properties:
model:
type: string
type:
type: string
vendor:
type: string
engine:
type: object
properties:
name:
type: string
version:
type: string
os:
type: object
properties:
name:
type: string
version:
type: string
cpu:
type: object
properties:
architecture:
type: string
userId:
type: string
applicationId:
type: string
sessionId:
type: string
params:
type: object
additionalProperties:
example: {}
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get recent logs for a hook
description: Get recent logs that match the given query for the specified hook
with pagination.
"/api/hooks/{id}/test":
post:
operationId: CreateHookTest
tags:
- Hooks
parameters:
- "$ref": "#/components/parameters/hookId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- events
- config
properties:
events:
type: array
items:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
description: An array of hook events for testing.
config:
type: object
required:
- url
properties:
url:
type: string
headers:
type: object
additionalProperties:
type: string
retries:
type: number
deprecated: true
description: The retry count is now fixed to 3. Kept for backward
compatibility.
description: The hook configuration for testing.
event:
deprecated: true
description: Use `events` instead.
responses:
'204':
description: The hook test was successful.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Test hook
description: Test the specified hook with the given events and config.
"/api/hooks/{id}/signing-key":
patch:
operationId: UpdateHookSigningKey
tags:
- Hooks
parameters:
- "$ref": "#/components/parameters/hookId-root"
responses:
'200':
description: The signing key for the hook was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- event
- events
- config
- signingKey
- enabled
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
maxLength: 256
event:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
nullable: true
events:
type: array
items:
type: string
enum:
- PostRegister
- PostSignIn
- PostSignInAdaptiveMfaTriggered
- PostResetPassword
- User.Created
- User.Deleted
- User.Data.Updated
- User.SuspensionStatus.Updated
- Role.Created
- Role.Deleted
- Role.Data.Updated
- Role.Scopes.Updated
- Scope.Created
- Scope.Deleted
- Scope.Data.Updated
- Organization.Created
- Organization.Deleted
- Organization.Data.Updated
- Organization.Membership.Updated
- OrganizationRole.Created
- OrganizationRole.Deleted
- OrganizationRole.Data.Updated
- OrganizationRole.Scopes.Updated
- OrganizationScope.Created
- OrganizationScope.Deleted
- OrganizationScope.Data.Updated
- Identifier.Lockout
config:
type: object
required:
- url
properties:
url:
type: string
headers:
type: object
additionalProperties:
type: string
retries:
type: number
signingKey:
type: string
maxLength: 64
enabled:
type: boolean
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update signing key for a hook
description: Update the signing key for the specified hook.
"/api/verification-codes":
post:
operationId: CreateVerificationCode
tags:
- Verification codes
parameters: []
requestBody:
required: true
content:
application/json:
schema:
oneOf:
- type: object
required:
- email
properties:
email:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
- type: object
required:
- phone
properties:
phone:
type: string
format: regex
pattern: "/^\\d+$/"
responses:
'204':
description: Verification code requested and sent successfully.
'400':
description: Bad request. The payload may be invalid.
'401':
description: Unauthorized
'403':
description: Forbidden
'501':
description: Not Implemented
summary: Request and send a verification code
description: |-
Request a verification code for the provided identifier (email/phone).
If you're using email as the identifier, you need to set up your email connector first.
If you're using phone as the identifier, you need to set up your SMS connector first.
"/api/verification-codes/verify":
post:
operationId: VerifyVerificationCode
tags:
- Verification codes
parameters: []
requestBody:
required: true
content:
application/json:
schema:
oneOf:
- type: object
required:
- email
- verificationCode
properties:
email:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
verificationCode:
type: string
minLength: 1
- type: object
required:
- phone
- verificationCode
properties:
phone:
type: string
format: regex
pattern: "/^\\d+$/"
verificationCode:
type: string
minLength: 1
responses:
'204':
description: Verification code verified successfully.
'400':
description: Bad request. The payload may be invalid.
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Verify a verification code
description: |-
Verify a verification code for a specified identifier.
If you're using email as the identifier, you need to set up your email connector first.
If you're using phone as the identifier, you need to set up your SMS connector first.
"/api/user-assets/service-status":
get:
operationId: GetUserAssetServiceStatus
tags:
- User assets
parameters: []
responses:
'200':
description: An object containing the service status and metadata.
content:
application/json:
schema:
type: object
required:
- status
properties:
status:
oneOf:
- type: string
format: '"ready"'
- type: string
format: '"not_configured"'
allowUploadMimeTypes:
type: array
items:
type: string
enum:
- image/jpeg
- image/png
- image/gif
- image/vnd.microsoft.icon
- image/x-icon
- image/svg+xml
- image/tiff
- image/webp
- image/bmp
- application/zip
maxUploadFileSize:
type: number
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get service status
description: Get user assets service status.
"/api/user-assets":
post:
operationId: CreateUserAsset
tags:
- User assets
parameters: []
requestBody:
content:
multipart/form-data:
schema:
properties:
file:
description: The file asset to upload.
responses:
'200':
description: An object containing the uploaded asset metadata.
content:
application/json:
schema:
type: object
required:
- url
properties:
url:
type: string
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Upload asset
description: Upload a user asset.
"/api/domains":
get:
operationId: ListDomains
tags:
- Domains
parameters: []
responses:
'200':
description: A list of domains.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- domain
- status
- errorMessage
- dnsRecords
- createdAt
properties:
id:
type: string
minLength: 1
maxLength: 21
domain:
type: string
minLength: 1
maxLength: 256
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
maxLength: 1024
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
createdAt:
type: number
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get domains
description: Get all of your custom domains.
post:
operationId: CreateDomain
tags:
- Domains
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- domain
properties:
domain:
type: string
minLength: 1
maxLength: 256
description: The domain name, e.g. `example.com`.
responses:
'201':
description: The domain was created successfully.
content:
application/json:
schema:
type: object
required:
- id
- domain
- status
- errorMessage
- dnsRecords
- createdAt
properties:
id:
type: string
minLength: 1
maxLength: 21
domain:
type: string
minLength: 1
maxLength: 256
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
maxLength: 1024
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Validation error. Please check the request body.
summary: Create domain
description: Create a new domain with the given data. At most one domain
is allowed. Once created, a domain cannot be modified; you'll have to delete
it and recreate one.
"/api/domains/{id}":
get:
operationId: GetDomain
tags:
- Domains
parameters:
- "$ref": "#/components/parameters/domainId-root"
responses:
'200':
description: Details of the domain.
content:
application/json:
schema:
type: object
required:
- id
- domain
- status
- errorMessage
- dnsRecords
- createdAt
properties:
id:
type: string
minLength: 1
maxLength: 21
domain:
type: string
minLength: 1
maxLength: 256
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
maxLength: 1024
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The domain with the specified ID was not found.
summary: Get domain
description: Get domain details by ID. Calling this API syncs the domain
status from the remote provider.
delete:
operationId: DeleteDomain
tags:
- Domains
parameters:
- "$ref": "#/components/parameters/domainId-root"
responses:
'204':
description: The domain was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The domain with the specified ID was not found.
summary: Delete domain
description: Delete domain by ID.
"/api/domains/cleanup":
post:
operationId: CleanupDomains
tags:
- Domains
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- staleDays
properties:
staleDays:
type: number
description: The number of days a domain must be inactive before
it is considered stale and eligible for cleanup.
responses:
'200':
description: The cleanup result summary.
content:
application/json:
schema:
type: object
required:
- scannedCount
- deletedCount
- skippedActiveCount
- failedCount
properties:
scannedCount:
type: number
deletedCount:
type: number
skippedActiveCount:
type: number
failedCount:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Cleanup stale domains
description: Clean up custom domains that have been inactive (not verified)
for a specified number of days. This uses Cloudflare as the source of truth
to determine domain activity.
"/api/organization-roles/{id}":
get:
operationId: GetOrganizationRole
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
responses:
'200':
description: Details of the organization role.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
type:
type: string
enum:
- User
- MachineToMachine
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization role
description: Get organization role details by ID.
patch:
operationId: UpdateOrganizationRole
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description: The updated name of the organization role. It must
be unique within the organization template.
description:
type: string
maxLength: 256
nullable: true
description: The updated description of the organization role.
type:
type: string
enum:
- User
- MachineToMachine
responses:
'200':
description: The organization role was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
type:
type: string
enum:
- User
- MachineToMachine
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: The organization role name is already in use.
summary: Update organization role
description: Update organization role details by ID with the given data.
delete:
operationId: DeleteOrganizationRole
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
responses:
'204':
description: The organization role was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete organization role
description: Delete organization role by ID.
"/api/organization-roles":
get:
operationId: ListOrganizationRoles
tags:
- Organization roles
parameters:
- name: q
in: query
required: false
schema:
type: string
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of organization roles.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- type
- scopes
- resourceScopes
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
type:
type: string
enum:
- User
- MachineToMachine
scopes:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
resourceScopes:
type: array
items:
type: object
required:
- id
- name
- resource
properties:
id:
type: string
name:
type: string
resource:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get organization roles
description: Get organization roles with pagination.
post:
operationId: CreateOrganizationRole
tags:
- Organization roles
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
- organizationScopeIds
- resourceScopeIds
properties:
tenantId:
type: string
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description: The name of the organization role. It must be unique
within the organization template.
description:
type: string
maxLength: 256
nullable: true
description: The description of the organization role.
type:
type: string
enum:
- User
- MachineToMachine
organizationScopeIds:
default: []
type: array
items:
type: string
description: An array of organization scope IDs to be assigned to
the organization role.
resourceScopeIds:
default: []
type: array
items:
type: string
description: An array of resource scope IDs to be assigned to the
organization role.
responses:
'201':
description: The organization role was created successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
type:
type: string
enum:
- User
- MachineToMachine
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The organization role name is already in use.
summary: Create an organization role
description: Create a new organization role with the given data.
"/api/organization-roles/{id}/scopes":
get:
operationId: ListOrganizationRoleScopes
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of organization scopes.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization role scopes
description: Get organization scopes that are assigned to the specified organization
role with optional pagination.
post:
operationId: CreateOrganizationRoleScope
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- organizationScopeIds
properties:
organizationScopeIds:
type: array
items:
type: string
minLength: 1
description: An array of organization scope IDs to be assigned.
Existing scope ID assignments will be ignored.
responses:
'201':
description: Organization scopes were assigned successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: At least one of the IDs provided is invalid. For example, the
organization scope ID does not exist.
summary: Assign organization scopes to organization role
description: Assign organization scopes to the specified organization role.
put:
operationId: ReplaceOrganizationRoleScopes
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- organizationScopeIds
properties:
organizationScopeIds:
type: array
items:
type: string
minLength: 1
description: An array of organization scope IDs to replace existing
scopes.
responses:
'204':
description: Organization scopes were replaced successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: At least one of the IDs provided is invalid. For example, the
organization scope ID does not exist.
summary: Replace organization scopes for organization role
description: Replace all organization scopes that are assigned to the specified
organization role with the given organization scopes. This effectively removes
all existing organization scope assignments and replaces them with the new
ones.
"/api/organization-roles/{id}/scopes/{organizationScopeId}":
delete:
operationId: DeleteOrganizationRoleScope
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
- "$ref": "#/components/parameters/organizationScopeId"
responses:
'204':
description: Organization scope assignment was removed successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Remove organization scope
description: Remove an organization scope assignment from the specified organization
role.
"/api/organization-roles/{id}/resource-scopes":
get:
operationId: ListOrganizationRoleResourceScopes
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of resource scopes.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- resourceId
- name
- description
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
resourceId:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization role resource scopes
description: Get resource scopes that are assigned to the specified organization
role with optional pagination.
post:
operationId: CreateOrganizationRoleResourceScope
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- scopeIds
properties:
scopeIds:
type: array
items:
type: string
minLength: 1
description: An array of resource scope IDs to be assigned. Existing
scope ID assignments will be ignored.
responses:
'201':
description: Resource scopes were assigned successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: At least one of the IDs provided is invalid. For example, the
resource scope ID does not exist.
summary: Assign resource scopes to organization role
description: Assign resource scopes to the specified organization role.
put:
operationId: ReplaceOrganizationRoleResourceScopes
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- scopeIds
properties:
scopeIds:
type: array
items:
type: string
minLength: 1
description: An array of resource scope IDs to replace existing
scopes.
responses:
'204':
description: Resource scopes were replaced successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: At least one of the IDs provided is invalid. For example, the
resource scope ID does not exist.
summary: Replace resource scopes for organization role
description: Replace all resource scopes that are assigned to the specified
organization role with the given resource scopes. This effectively removes
all existing resource scope assignments and replaces them with the new
ones.
"/api/organization-roles/{id}/resource-scopes/{scopeId}":
delete:
operationId: DeleteOrganizationRoleResourceScope
tags:
- Organization roles
parameters:
- "$ref": "#/components/parameters/organizationRoleId-root"
- "$ref": "#/components/parameters/scopeId"
responses:
'204':
description: Resource scope assignment was removed successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Remove resource scope
description: Remove a resource scope assignment from the specified organization
role.
"/api/organization-scopes":
get:
operationId: ListOrganizationScopes
tags:
- Organization scopes
parameters:
- name: q
in: query
required: false
schema:
type: string
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of organization scopes.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get organization scopes
description: Get organization scopes that match the query, with optional pagination.
post:
operationId: CreateOrganizationScope
tags:
- Organization scopes
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
tenantId:
type: string
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description: The name of the organization scope. It must be unique
within the organization template.
description:
type: string
maxLength: 256
nullable: true
description: The description of the organization scope.
responses:
'201':
description: The organization scope was created successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The organization scope name is already in use.
summary: Create an organization scope
description: Create a new organization scope with the given data.
"/api/organization-scopes/{id}":
get:
operationId: GetOrganizationScope
tags:
- Organization scopes
parameters:
- "$ref": "#/components/parameters/organizationScopeId-root"
responses:
'200':
description: The organization scope data for the given ID.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization scope
description: Get organization scope details by ID.
patch:
operationId: UpdateOrganizationScope
tags:
- Organization scopes
parameters:
- "$ref": "#/components/parameters/organizationScopeId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description: The updated name of the organization scope. It must
be unique within the organization template.
description:
type: string
maxLength: 256
nullable: true
description: The updated description of the organization scope.
responses:
'200':
description: The organization scope was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: The organization scope name is already in use.
summary: Update organization scope
description: Update organization scope details by ID with the given data.
delete:
operationId: DeleteOrganizationScope
tags:
- Organization scopes
parameters:
- "$ref": "#/components/parameters/organizationScopeId-root"
responses:
'204':
description: The organization scope was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete organization scope
description: Delete organization scope by ID.
"/api/organization-invitations/{id}":
get:
operationId: GetOrganizationInvitation
tags:
- Organization invitations
parameters:
- "$ref": "#/components/parameters/organizationInvitationId-root"
responses:
'200':
description: The organization invitation, which also contains the organization
roles to be assigned to the user when they accept the invitation.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- inviterId
- invitee
- acceptedUserId
- organizationId
- status
- createdAt
- updatedAt
- expiresAt
- organizationRoles
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
inviterId:
type: string
maxLength: 21
nullable: true
invitee:
type: string
minLength: 1
maxLength: 256
acceptedUserId:
type: string
maxLength: 21
nullable: true
organizationId:
type: string
minLength: 1
maxLength: 21
status:
type: string
enum:
- Pending
- Accepted
- Expired
- Revoked
createdAt:
type: number
updatedAt:
type: number
expiresAt:
type: number
organizationRoles:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization invitation
description: Get an organization invitation by ID.
delete:
operationId: DeleteOrganizationInvitation
tags:
- Organization invitations
parameters:
- "$ref": "#/components/parameters/organizationInvitationId-root"
responses:
'204':
description: The organization invitation was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete organization invitation
description: Delete an organization invitation by ID.
"/api/organization-invitations":
get:
operationId: ListOrganizationInvitations
tags:
- Organization invitations
parameters:
- name: organizationId
in: query
required: false
schema:
type: string
- name: inviterId
in: query
required: false
schema:
type: string
- name: invitee
in: query
required: false
schema:
type: string
responses:
'200':
description: A list of organization invitations; each item also contains
the organization roles to be assigned to the user when they accept the
invitation.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- inviterId
- invitee
- acceptedUserId
- organizationId
- status
- createdAt
- updatedAt
- expiresAt
- organizationRoles
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
inviterId:
type: string
maxLength: 21
nullable: true
invitee:
type: string
minLength: 1
maxLength: 256
acceptedUserId:
type: string
maxLength: 21
nullable: true
organizationId:
type: string
minLength: 1
maxLength: 21
status:
type: string
enum:
- Pending
- Accepted
- Expired
- Revoked
createdAt:
type: number
updatedAt:
type: number
expiresAt:
type: number
organizationRoles:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get organization invitations
description: Get organization invitations.
post:
operationId: CreateOrganizationInvitation
tags:
- Organization invitations
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- invitee
- organizationId
- expiresAt
- messagePayload
properties:
inviterId:
type: string
maxLength: 21
nullable: true
description: The ID of the user who is inviting the user to join
the organization.
invitee:
type: string
format: email
description: The email address of the user to invite to join the
organization.
organizationId:
type: string
minLength: 1
maxLength: 21
description: The ID of the organization to invite the user to join.
expiresAt:
type: number
description: The epoch time in milliseconds when the invitation
expires.
organizationRoleIds:
type: array
items:
type: string
description: The IDs of the organization roles to assign to the
user when they accept the invitation.
messagePayload:
default: false
oneOf:
- type: object
properties:
code:
type: string
link:
type: string
locale:
type: string
uiLocales:
type: string
- type: boolean
format: 'false'
description: The message payload for the "OrganizationInvitation"
template to use when sending the invitation via email. If it is
`false`, the invitation will not be sent via email.
description: The organization invitation to create.
responses:
'201':
description: The organization invitation was created successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- inviterId
- invitee
- acceptedUserId
- organizationId
- status
- createdAt
- updatedAt
- expiresAt
- organizationRoles
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
inviterId:
type: string
maxLength: 21
nullable: true
invitee:
type: string
minLength: 1
maxLength: 256
acceptedUserId:
type: string
maxLength: 21
nullable: true
organizationId:
type: string
minLength: 1
maxLength: 21
status:
type: string
enum:
- Pending
- Accepted
- Expired
- Revoked
createdAt:
type: number
updatedAt:
type: number
expiresAt:
type: number
organizationRoles:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: The organization invitation could not be created. This can
happen if the input is invalid or if the expiration date is in the past.
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
'501':
description: No email connector is configured for the tenant.
summary: Create organization invitation
description: Create an organization invitation and optionally send it via email.
The tenant should have an email connector configured if you want to send the
invitation via email at this point.
"/api/organization-invitations/{id}/message":
post:
operationId: CreateOrganizationInvitationMessage
tags:
- Organization invitations
parameters:
- "$ref": "#/components/parameters/organizationInvitationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
code:
type: string
link:
type: string
locale:
type: string
uiLocales:
type: string
description: The message payload for the "OrganizationInvitation" template
to use when sending the invitation via email.
responses:
'204':
description: The invitation message was resent successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Resend invitation message
description: Resend the invitation message to the invitee.
"/api/organization-invitations/{id}/status":
put:
operationId: ReplaceOrganizationInvitationStatus
tags:
- Organization invitations
parameters:
- "$ref": "#/components/parameters/organizationInvitationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- status
properties:
acceptedUserId:
type: string
maxLength: 21
nullable: true
description: The ID of the user who accepted the organization invitation.
Required if the status is "Accepted".
status:
type: string
enum:
- Accepted
- Revoked
description: The status of the organization invitation.
description: The organization invitation status to update.
responses:
'200':
description: The organization invitation status was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- inviterId
- invitee
- acceptedUserId
- organizationId
- status
- createdAt
- updatedAt
- expiresAt
- organizationRoles
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
inviterId:
type: string
maxLength: 21
nullable: true
invitee:
type: string
minLength: 1
maxLength: 256
acceptedUserId:
type: string
maxLength: 21
nullable: true
organizationId:
type: string
minLength: 1
maxLength: 21
status:
type: string
enum:
- Pending
- Accepted
- Expired
- Revoked
createdAt:
type: number
updatedAt:
type: number
expiresAt:
type: number
organizationRoles:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The organization invitation status could not be updated. This
can happen if the current status is not "Pending" or if the status is
"Accepted" and the accepted user ID is not provided.
summary: Update organization invitation status
description: Update the status of an organization invitation by ID.
"/api/organizations":
post:
operationId: CreateOrganization
tags:
- Organizations
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
tenantId:
type: string
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description: The name of the organization.
description:
type: string
maxLength: 256
nullable: true
description: The description of the organization.
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
responses:
'201':
description: The organization was created successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- customData
- isMfaRequired
- color
- branding
- customCss
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Create an organization
description: Create a new organization with the given data.
get:
operationId: ListOrganizations
tags:
- Organizations
parameters:
- name: q
in: query
required: false
schema:
type: string
description: |-
The query to filter organizations. It can be a partial ID or name.
If not provided, all organizations will be returned.
- name: showFeatured
in: query
required: false
schema:
type: string
description: |-
Whether to show featured users in the organization. Featured users are randomly selected from the organization members.
If not provided, `featuredUsers` will not be included in the response.
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of organizations.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- customData
- isMfaRequired
- color
- branding
- customCss
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
usersCount:
type: number
featuredUsers:
type: array
items:
type: object
required:
- id
- avatar
- name
properties:
id:
type: string
minLength: 1
maxLength: 12
avatar:
type: string
maxLength: 2048
nullable: true
name:
type: string
maxLength: 128
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get organizations
description: Get organizations that match the given query with pagination.
"/api/organizations/{id}":
get:
operationId: GetOrganization
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
responses:
'200':
description: Details of the organization.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- customData
- isMfaRequired
- color
- branding
- customCss
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization
description: Get organization details by ID.
patch:
operationId: UpdateOrganization
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description: The updated name of the organization.
description:
type: string
maxLength: 256
nullable: true
description: The updated description of the organization.
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
responses:
'200':
description: The organization was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- customData
- isMfaRequired
- color
- branding
- customCss
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
customData:
type: object
description: arbitrary
isMfaRequired:
type: boolean
color:
type: object
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
customCss:
type: string
nullable: true
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update organization
description: Update organization details by ID with the given data.
delete:
operationId: DeleteOrganization
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
responses:
'204':
description: The organization was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete organization
description: Delete organization by ID.
"/api/organizations/{id}/users":
get:
operationId: ListOrganizationUsers
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- name: q
in: query
required: false
schema:
type: string
description: |-
The query to filter users. It will match multiple fields of users, including ID, name, username, email, and phone number.
If not provided, all users will be returned.
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of users that are members of the organization.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- username
- primaryEmail
- primaryPhone
- name
- avatar
- customData
- identities
- lastSignInAt
- createdAt
- updatedAt
- profile
- applicationId
- isSuspended
- organizationRoles
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
organizationRoles:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization user members
description: Get users that are members of the specified organization for the
given query with pagination.
post:
operationId: AddOrganizationUsers
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- userIds
properties:
userIds:
type: array
items:
type: string
minLength: 1
description: An array of user IDs to be added to the organization.
Users who are already members of the organization will be ignored.
responses:
'201':
description: Users were added to the organization successfully.
content:
application/json:
schema:
type: object
required:
- userIds
properties:
userIds:
type: array
items:
type: string
minLength: 1
description: An array of user IDs processed from the request.
This may include IDs that were already members of the organization.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: At least one of the IDs provided is not valid. For example,
the organization ID or user ID does not exist.
summary: Add user members to organization
description: Add users as members to the specified organization with the given
user IDs.
put:
operationId: ReplaceOrganizationUsers
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- userIds
properties:
userIds:
type: array
items:
type: string
minLength: 1
description: An array of user IDs to replace existing users.
responses:
'204':
description: Successfully replaced all users for the organization.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: At least one of the IDs provided is not valid. For example,
the organization ID or user ID does not exist.
summary: Replace organization user members
description: Replace all user members for the specified organization with the
given users. This effectively removes all existing user memberships in the
organization and adds the new users as members.
"/api/organizations/{id}/users/{userId}":
delete:
operationId: DeleteOrganizationUser
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/userId"
responses:
'204':
description: The user was removed from the organization members successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The user is not a member of the organization.
'422':
description: Unprocessable Content
summary: Remove user member from organization
description: Remove a user's membership from the specified organization.
"/api/organizations/{id}/users/roles":
post:
operationId: AssignOrganizationRolesToUsers
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- userIds
- organizationRoleIds
properties:
userIds:
type: array
items:
type: string
minLength: 1
description: An array of user IDs to assign roles.
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: An array of organization role IDs to assign. Roles the
user already has will be ignored.
responses:
'201':
description: Roles were assigned to organization users successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: At least one of the IDs provided is not valid. For example,
the organization ID, user ID, or organization role ID does not exist;
the user is not a member of the organization; or the role type is not
assignable to the user.
summary: Assign roles to organization user members
description: Assign roles to user members of the specified organization.
"/api/organizations/{id}/users/{userId}/roles":
get:
operationId: ListOrganizationUserRoles
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/userId"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of roles assigned to the user.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- type
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
type:
type: string
enum:
- User
- MachineToMachine
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The user is not a member of the organization.
summary: Get roles for a user in an organization
description: Get roles assigned to a user in the specified organization with
pagination.
post:
operationId: AssignOrganizationRolesToUser
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: An array of organization role IDs to assign to the
user. Roles the user already has will be ignored.
organizationRoleNames:
type: array
items:
type: string
minLength: 1
description: An array of organization role names to assign to the
user. Roles the user already has will be ignored.
responses:
'201':
description: Roles were assigned to the user successfully.
content:
application/json:
schema:
type: object
required:
- organizationRoleIds
properties:
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: An array of organization role IDs that were assigned
to the user, deduplicated and resolved from any provided role
names.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The user is not a member of the organization; or at least one
of the IDs provided is not valid. For example, the organization ID or
organization role ID does not exist; or at least one of the role names
provided is not valid. For example, the organization role name does not
exist.
summary: Assign roles to a user in an organization
description: Assign roles to a user in the specified organization with the provided
data.
put:
operationId: ReplaceOrganizationUserRoles
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/userId"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: An array of organization role IDs to update for the
user.
organizationRoleNames:
type: array
items:
type: string
minLength: 1
description: An array of organization role names to update for the
user.
responses:
'204':
description: Roles were updated for the user successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The user is not a member of the organization; or at least one
of the IDs provided is not valid. For example, the organization ID or
organization role ID does not exist; or at least one of the role names
provided is not valid. For example, the organization role name does not
exist.
summary: Update roles for a user in an organization
description: Update roles assigned to a user in the specified organization with
the provided data.
"/api/organizations/{id}/users/{userId}/roles/{organizationRoleId}":
delete:
operationId: DeleteOrganizationUserRole
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/userId"
- "$ref": "#/components/parameters/organizationRoleId"
responses:
'204':
description: The role was removed from the user successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Cannot find the record to delete.
'422':
description: The user is not a member of the organization.
summary: Remove a role from a user in an organization
description: Remove a role assignment from a user in the specified organization.
"/api/organizations/{id}/users/{userId}/scopes":
get:
operationId: ListOrganizationUserScopes
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/userId"
responses:
'200':
description: A list of scopes assigned to the user.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The user is not a member of the organization.
summary: Get scopes for a user in an organization tailored by the organization
roles
description: Get scopes assigned to a user in the specified organization tailored
by the organization roles. The scopes are derived from the organization roles
assigned to the user.
"/api/organizations/{id}/applications":
post:
operationId: AddOrganizationApplications
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- applicationIds
properties:
applicationIds:
type: array
items:
type: string
minLength: 1
description: The application IDs to add.
responses:
'201':
description: The application was added successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The application could not be added. Some of the applications
may not exist.
summary: Add organization application
description: Add an application to the organization.
put:
operationId: ReplaceOrganizationApplications
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- applicationIds
properties:
applicationIds:
type: array
items:
type: string
minLength: 1
description: An array of application IDs to replace existing applications.
responses:
'204':
description: The applications were replaced successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The applications could not be replaced. Some of the applications
may not exist.
summary: Replace organization applications
description: Replace all applications associated with the organization with
the given data.
get:
operationId: ListOrganizationApplications
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- name: q
in: query
required: false
schema:
type: string
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of applications.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- secret
- description
- type
- oidcClientMetadata
- customClientMetadata
- protectedAppMetadata
- customData
- isThirdParty
- createdAt
- organizationRoles
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
secret:
"$ref": "#/components/schemas/ApplicationLegacySecret"
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
oidcClientMetadata:
type: object
required:
- redirectUris
- postLogoutRedirectUris
properties:
redirectUris:
type: array
items:
type: object
description: Validator function
postLogoutRedirectUris:
type: array
items:
type: object
description: Validator function
backchannelLogoutUri:
type: string
format: url
backchannelLogoutSessionRequired:
type: boolean
logoUri:
type: string
customClientMetadata:
type: object
properties:
corsAllowedOrigins:
type: array
items:
type: string
minLength: 1
idTokenTtl:
type: number
refreshTokenTtl:
type: number
refreshTokenTtlInDays:
type: number
tenantId:
type: string
alwaysIssueRefreshToken:
type: boolean
rotateRefreshToken:
type: boolean
allowTokenExchange:
type: boolean
isDeviceFlow:
type: boolean
maxAllowedGrants:
type: number
protectedAppMetadata:
type: object
required:
- host
- origin
- sessionDuration
- pageRules
properties:
host:
type: string
origin:
type: string
sessionDuration:
type: number
pageRules:
type: array
items:
type: object
required:
- path
properties:
path:
type: string
customDomains:
type: array
items:
type: object
required:
- domain
- status
- errorMessage
- dnsRecords
- cloudflareData
properties:
domain:
type: string
status:
type: string
enum:
- PendingVerification
- PendingSsl
- Active
- Error
errorMessage:
type: string
nullable: true
dnsRecords:
type: array
items:
type: object
required:
- name
- type
- value
properties:
name:
type: string
type:
type: string
value:
type: string
cloudflareData:
type: object
required:
- id
- status
- ssl
properties:
id:
type: string
status:
type: string
ssl:
type: object
required:
- status
properties:
status:
type: string
validation_errors:
type: array
items:
type: object
required:
- message
properties:
message:
type: string
verification_errors:
type: array
items:
type: string
nullable: true
nullable: true
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
organizationRoles:
type: array
items:
type: object
required:
- id
- name
properties:
id:
type: string
name:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization applications
description: Get applications associated with the organization.
"/api/organizations/{id}/applications/{applicationId}":
delete:
operationId: DeleteOrganizationApplication
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/applicationId"
responses:
'204':
description: The application was removed from the organization successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Remove organization application
description: Remove an application from the organization.
"/api/organizations/{id}/applications/roles":
post:
operationId: AssignOrganizationRolesToApplications
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- applicationIds
- organizationRoleIds
properties:
applicationIds:
type: array
items:
type: string
minLength: 1
description: An array of application IDs to assign roles to.
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: An array of organization role IDs to assign to the
applications.
responses:
'201':
description: Roles were assigned to the applications successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: At least one of the IDs provided is not valid. For example,
the organization ID, application ID, or organization role ID does not
exist; the application is not a member of the organization; or the role
type is not assignable to the application.
summary: Assign roles to applications in an organization
description: Assign roles to applications in the specified organization.
"/api/organizations/{id}/applications/{applicationId}/roles":
get:
operationId: ListOrganizationApplicationRoles
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/applicationId"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of roles.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- type
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
type:
type: string
enum:
- User
- MachineToMachine
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Get organization application roles
description: Get roles associated with the application in the organization.
post:
operationId: AssignOrganizationRolesToApplication
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/applicationId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- organizationRoleIds
properties:
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: The role ID to add.
responses:
'201':
description: The role was added successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The role could not be added. Some of the roles may not exist.
summary: Add organization application role
description: Add a role to the application in the organization.
put:
operationId: ReplaceOrganizationApplicationRoles
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/applicationId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- organizationRoleIds
properties:
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: An array of role IDs to replace existing roles.
responses:
'204':
description: The roles were replaced successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The roles could not be replaced. Some of the roles may not
exist.
summary: Replace organization application roles
description: Replace all roles associated with the application in the organization
with the given data.
"/api/organizations/{id}/applications/{applicationId}/roles/{organizationRoleId}":
delete:
operationId: DeleteOrganizationApplicationRole
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/applicationId"
- "$ref": "#/components/parameters/organizationRoleId"
responses:
'204':
description: The role was removed from the application in the organization
successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Cannot find the record to delete.
'422':
description: The application is not associated with the organization.
summary: Remove organization application role
description: Remove a role from the application in the organization.
"/api/organizations/{id}/jit/email-domains":
get:
operationId: ListOrganizationJitEmailDomains
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of email domains.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- organizationId
- emailDomain
properties:
tenantId:
type: string
maxLength: 21
organizationId:
type: string
minLength: 1
maxLength: 21
emailDomain:
type: string
minLength: 1
maxLength: 128
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get organization JIT email domains
description: Get email domains for just-in-time provisioning of users in the
organization.
post:
operationId: CreateOrganizationJitEmailDomain
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- emailDomain
properties:
emailDomain:
type: string
minLength: 1
description: The email domain to add.
responses:
'201':
description: The email domain was added successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- organizationId
- emailDomain
properties:
tenantId:
type: string
maxLength: 21
organizationId:
type: string
minLength: 1
maxLength: 21
emailDomain:
type: string
minLength: 1
maxLength: 128
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The email domain is already in use.
summary: Add organization JIT email domain
description: Add a new email domain for just-in-time provisioning of users in
the organization.
put:
operationId: ReplaceOrganizationJitEmailDomains
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- emailDomains
properties:
emailDomains:
type: array
items:
type: string
description: An array of email domains to replace existing email
domains.
responses:
'204':
description: The email domains were replaced successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Replace organization JIT email domains
description: Replace all just-in-time provisioning email domains for the organization
with the given data.
"/api/organizations/{id}/jit/email-domains/{emailDomain}":
delete:
operationId: DeleteOrganizationJitEmailDomain
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- name: emailDomain
in: path
required: true
schema:
type: string
minLength: 1
description: The email domain to remove.
responses:
'204':
description: The email domain was removed successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The email domain was not found.
summary: Remove organization JIT email domain
description: Remove an email domain for just-in-time provisioning of users in
the organization.
"/api/organizations/{id}/jit/roles":
get:
operationId: ListOrganizationJitRoles
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of organization roles.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- description
- type
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
type:
type: string
enum:
- User
- MachineToMachine
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization JIT default roles
description: Get organization roles that will be assigned to users during just-in-time
provisioning.
post:
operationId: CreateOrganizationJitRole
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- organizationRoleIds
properties:
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: The organization role IDs to add.
responses:
'201':
description: The organization roles were added successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The organization roles could not be added. Some of the organization
roles may not exist.
summary: Add organization JIT default roles
description: Add new organization roles that will be assigned to users during
just-in-time provisioning.
put:
operationId: ReplaceOrganizationJitRoles
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- organizationRoleIds
properties:
organizationRoleIds:
type: array
items:
type: string
minLength: 1
description: An array of organization role IDs to replace existing
organization roles.
responses:
'204':
description: The organization roles were replaced successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The organization roles could not be replaced. Some of the organization
roles may not exist.
summary: Replace organization JIT default roles
description: Replace all organization roles that will be assigned to users during
just-in-time provisioning with the given data.
"/api/organizations/{id}/jit/roles/{organizationRoleId}":
delete:
operationId: DeleteOrganizationJitRole
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/organizationRoleId"
responses:
'204':
description: The organization role was removed successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The organization role could not be removed. The organization
role may not exist.
summary: Remove organization JIT default role
description: Remove an organization role that will be assigned to users during
just-in-time provisioning.
"/api/organizations/{id}/jit/sso-connectors":
get:
operationId: ListOrganizationJitSsoConnectors
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of SSO connectors.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- providerName
- connectorName
- config
- domains
- branding
- syncProfile
- enableTokenStorage
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 128
providerName:
type: string
minLength: 1
maxLength: 128
connectorName:
type: string
minLength: 1
maxLength: 128
config:
type: object
description: arbitrary
domains:
type: array
items:
type: string
branding:
type: object
properties:
displayName:
type: string
logo:
type: string
darkLogo:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get organization JIT SSO connectors
description: Get enterprise SSO connectors for just-in-time provisioning of
users in the organization.
post:
operationId: CreateOrganizationJitSsoConnector
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- ssoConnectorIds
properties:
ssoConnectorIds:
type: array
items:
type: string
minLength: 1
description: The SSO connector IDs to add.
responses:
'201':
description: The SSO connectors were added successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The SSO connectors could not be added. Some of the SSO connectors
may not exist.
summary: Add organization JIT SSO connectors
description: Add new enterprise SSO connectors for just-in-time provisioning
of users in the organization.
put:
operationId: ReplaceOrganizationJitSsoConnectors
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- ssoConnectorIds
properties:
ssoConnectorIds:
type: array
items:
type: string
minLength: 1
description: An array of SSO connector IDs to replace existing SSO
connectors.
responses:
'204':
description: The SSO connectors were replaced successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The SSO connectors could not be replaced. Some of the SSO connectors
may not exist.
summary: Replace organization JIT SSO connectors
description: Replace all enterprise SSO connectors for just-in-time provisioning
of users in the organization with the given data.
"/api/organizations/{id}/jit/sso-connectors/{ssoConnectorId}":
delete:
operationId: DeleteOrganizationJitSsoConnector
tags:
- Organizations
parameters:
- "$ref": "#/components/parameters/organizationId-root"
- "$ref": "#/components/parameters/ssoConnectorId"
responses:
'204':
description: The SSO connector was removed successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The SSO connector could not be removed. The SSO connector may
not exist.
summary: Remove organization JIT SSO connector
description: Remove an enterprise SSO connector for just-in-time provisioning
of users in the organization.
"/api/sso-connector-providers":
get:
operationId: ListSsoConnectorProviders
tags:
- SSO connector providers
parameters: []
responses:
'200':
description: A list of SSO provider data.
content:
application/json:
schema:
type: array
items:
type: object
required:
- providerName
- providerType
- logo
- logoDark
- description
- name
properties:
providerName:
type: string
enum:
- OIDC
- SAML
- AzureAD
- GoogleWorkspace
- Okta
- AzureAdOidc
providerType:
type: string
enum:
- oidc
- saml
logo:
type: string
logoDark:
type: string
description:
type: string
name:
type: string
'401':
description: Unauthorized
'403':
description: Forbidden
summary: List all the supported SSO connector provider details
description: Get a complete list of supported SSO connector providers.
"/api/sso-connectors":
post:
operationId: CreateSsoConnector
tags:
- SSO connectors
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- providerName
- connectorName
properties:
config:
type: object
description: arbitrary
domains:
type: array
items:
type: string
branding:
type: object
properties:
displayName:
type: string
logo:
type: string
darkLogo:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
providerName:
type: string
minLength: 1
maxLength: 128
connectorName:
type: string
minLength: 1
maxLength: 128
responses:
'200':
description: The created SSO connector.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- providerName
- connectorName
- config
- domains
- branding
- syncProfile
- enableTokenStorage
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 128
providerName:
type: string
minLength: 1
maxLength: 128
connectorName:
type: string
minLength: 1
maxLength: 128
config:
type: object
description: arbitrary
domains:
type: array
items:
type: string
branding:
type: object
properties:
displayName:
type: string
logo:
type: string
darkLogo:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'409':
description: Conflict
'422':
description: At least one of the given input fields is invalid or the IdP connection cannot be verified with the given config.
summary: Create SSO connector
description: Create a new SSO connector instance for a given provider.
get:
operationId: ListSsoConnectors
tags:
- SSO connectors
parameters:
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of SSO connectors.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- providerName
- connectorName
- config
- domains
- branding
- syncProfile
- enableTokenStorage
- createdAt
- name
- providerType
- providerLogo
- providerLogoDark
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 128
providerName:
type: string
enum:
- OIDC
- SAML
- AzureAD
- GoogleWorkspace
- Okta
- AzureAdOidc
connectorName:
type: string
minLength: 1
maxLength: 128
config:
type: object
description: arbitrary
domains:
type: array
items:
type: string
branding:
type: object
properties:
displayName:
type: string
logo:
type: string
darkLogo:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
createdAt:
type: number
name:
type: string
providerType:
type: string
enum:
- oidc
- saml
providerLogo:
type: string
providerLogoDark:
type: string
providerConfig:
type: object
additionalProperties:
example: {}
'401':
description: Unauthorized
'403':
description: Forbidden
summary: List SSO connectors
description: Get SSO connectors with pagination. In addition to the raw SSO connector data, a copy of the fetched or parsed IdP configs and a copy of the connector provider's data will be attached.
"/api/sso-connectors/{id}":
get:
operationId: GetSsoConnector
tags:
- SSO connectors
parameters:
- "$ref": "#/components/parameters/ssoConnectorId-root"
responses:
'200':
description: The SSO connector data with the given ID.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- providerName
- connectorName
- config
- domains
- branding
- syncProfile
- enableTokenStorage
- createdAt
- name
- providerType
- providerLogo
- providerLogoDark
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 128
providerName:
type: string
enum:
- OIDC
- SAML
- AzureAD
- GoogleWorkspace
- Okta
- AzureAdOidc
connectorName:
type: string
minLength: 1
maxLength: 128
config:
type: object
description: arbitrary
domains:
type: array
items:
type: string
branding:
type: object
properties:
displayName:
type: string
logo:
type: string
darkLogo:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
createdAt:
type: number
name:
type: string
providerType:
type: string
enum:
- oidc
- saml
providerLogo:
type: string
providerLogoDark:
type: string
providerConfig:
type: object
additionalProperties:
example: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: SSO connector not found.
summary: Get SSO connector
description: Get SSO connector data by ID. In addition to the raw SSO connector data, a copy of the fetched or parsed IdP configs and a copy of the connector provider's data will be attached.
delete:
operationId: DeleteSsoConnector
tags:
- SSO connectors
parameters:
- "$ref": "#/components/parameters/ssoConnectorId-root"
responses:
'204':
description: SSO connector deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: SSO connector not found.
summary: Delete SSO connector
description: Delete an SSO connector by ID.
patch:
operationId: UpdateSsoConnector
tags:
- SSO connectors
parameters:
- "$ref": "#/components/parameters/ssoConnectorId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
config:
type: object
description: arbitrary
domains:
type: array
items:
type: string
branding:
type: object
properties:
displayName:
type: string
logo:
type: string
darkLogo:
type: string
syncProfile:
type: boolean
connectorName:
type: string
minLength: 1
maxLength: 128
enableTokenStorage:
type: boolean
responses:
'200':
description: The updated SSO connector.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- providerName
- connectorName
- config
- domains
- branding
- syncProfile
- enableTokenStorage
- createdAt
- name
- providerType
- providerLogo
- providerLogoDark
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 128
providerName:
type: string
enum:
- OIDC
- SAML
- AzureAD
- GoogleWorkspace
- Okta
- AzureAdOidc
connectorName:
type: string
minLength: 1
maxLength: 128
config:
type: object
description: arbitrary
domains:
type: array
items:
type: string
branding:
type: object
properties:
displayName:
type: string
logo:
type: string
darkLogo:
type: string
syncProfile:
type: boolean
enableTokenStorage:
type: boolean
createdAt:
type: number
name:
type: string
providerType:
type: string
enum:
- oidc
- saml
providerLogo:
type: string
providerLogoDark:
type: string
providerConfig:
type: object
additionalProperties:
example: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: SSO connector not found.
'409':
description: Conflict
'422':
description: At least one of the update fields is invalid or the IdP connection cannot be verified with the given connection config.
summary: Update SSO connector
description: Update an SSO connector by ID. This method performs a partial update.
"/api/systems/application":
get:
operationId: GetSystemApplicationConfig
tags:
- Systems
parameters: []
responses:
'200':
description: The application constants.
content:
application/json:
schema:
type: object
required:
- protectedApps
properties:
protectedApps:
type: object
required:
- defaultDomain
properties:
defaultDomain:
type: string
'401':
description: Unauthorized
'403':
description: Forbidden
'501':
description: Not Implemented
summary: Get the application constants.
description: Get the application constants.
"/api/subject-tokens":
post:
operationId: CreateSubjectToken
tags:
- Subject tokens
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- userId
properties:
userId:
type: string
description: The ID of the user to impersonate.
context:
type: object
description: The additional context to be included in the token; this can be used in custom JWT.
responses:
'201':
description: The subject token has been created successfully.
content:
application/json:
schema:
type: object
required:
- subjectToken
- expiresIn
properties:
subjectToken:
type: string
expiresIn:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The user does not exist.
summary: Create a new subject token.
description: Create a new subject token for the use of impersonating the user.
"/api/account-center":
get:
operationId: GetAccountCenterSettings
tags:
- Account center
parameters: []
responses:
'200':
description: Account center settings.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- enabled
- fields
- webauthnRelatedOrigins
- deleteAccountUrl
- customCss
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
enabled:
type: boolean
fields:
type: object
properties:
name:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
avatar:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
profile:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
email:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
phone:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
password:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
username:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
social:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
customData:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
mfa:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
session:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
webauthnRelatedOrigins:
type: array
items:
type: string
deleteAccountUrl:
type: string
maxLength: 2048
nullable: true
customCss:
type: string
nullable: true
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get account center settings
description: Get the account center settings.
patch:
operationId: UpdateAccountCenterSettings
tags:
- Account center
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
enabled:
type: boolean
description: Enable or disable the account API.
fields:
type: object
properties:
name:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
avatar:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
profile:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
email:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
phone:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
password:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
username:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
social:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
customData:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
mfa:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
session:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
description: The fields settings for the account API.
webauthnRelatedOrigins:
type: array
items:
type: string
description: The allowed domains for webauthn.
deleteAccountUrl:
type: object
description: The custom endpoint URL for account deletion.
nullable: true
customCss:
type: string
nullable: true
responses:
'200':
description: Updated account center settings.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- enabled
- fields
- webauthnRelatedOrigins
- deleteAccountUrl
- customCss
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
enabled:
type: boolean
fields:
type: object
properties:
name:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
avatar:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
profile:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
email:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
phone:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
password:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
username:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
social:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
customData:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
mfa:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
session:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
webauthnRelatedOrigins:
type: array
items:
type: string
deleteAccountUrl:
type: string
maxLength: 2048
nullable: true
customCss:
type: string
nullable: true
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Update account center settings
description: Update the account center settings with the provided settings.
"/api/saml-applications":
post:
operationId: CreateSamlApplication
tags:
- SAML applications
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
- nameIdFormat
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The name of the SAML application.
description:
type: string
nullable: true
description: Optional description of the SAML application.
customData:
type: object
description: Optional custom data for the application.
attributeMapping:
type: object
properties:
sub:
type: string
name:
type: string
given_name:
type: string
family_name:
type: string
middle_name:
type: string
nickname:
type: string
preferred_username:
type: string
profile:
type: string
picture:
type: string
website:
type: string
email:
type: string
email_verified:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
phone_number:
type: string
phone_number_verified:
type: string
address:
type: string
updated_at:
type: string
username:
type: string
created_at:
type: string
custom_data:
type: string
identities:
type: string
sso_identities:
type: string
roles:
type: string
organizations:
type: string
organization_data:
type: string
organization_roles:
type: string
entityId:
type: string
maxLength: 128
nullable: true
acsUrl:
type: object
required:
- binding
- url
properties:
binding:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
url:
type: string
format: url
nullable: true
description: The Assertion Consumer Service (ACS) URL where the
SAML response will be sent.
encryption:
type: object
description: Validator function
nullable: true
nameIdFormat:
default: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
responses:
'201':
description: The SAML application was created successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
- customData
- isThirdParty
- createdAt
- attributeMapping
- entityId
- acsUrl
- encryption
- nameIdFormat
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
attributeMapping:
type: object
properties:
sub:
type: string
name:
type: string
given_name:
type: string
family_name:
type: string
middle_name:
type: string
nickname:
type: string
preferred_username:
type: string
profile:
type: string
picture:
type: string
website:
type: string
email:
type: string
email_verified:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
phone_number:
type: string
phone_number_verified:
type: string
address:
type: string
updated_at:
type: string
username:
type: string
created_at:
type: string
custom_data:
type: string
identities:
type: string
sso_identities:
type: string
roles:
type: string
organizations:
type: string
organization_data:
type: string
organization_roles:
type: string
entityId:
type: string
maxLength: 128
nullable: true
acsUrl:
type: object
required:
- binding
- url
properties:
binding:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
url:
type: string
format: url
nullable: true
encryption:
type: object
description: Validator function
nullable: true
nameIdFormat:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
'400':
description: Invalid request body.
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Validation error. The ACS URL is invalid or other validation
errors.
summary: Create SAML application
description: Create a new SAML application with the given configuration. A default signing certificate with a 3-year lifetime will be created automatically.
"/api/saml-applications/{id}":
get:
operationId: GetSamlApplication
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
responses:
'200':
description: The SAML application details.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
- customData
- isThirdParty
- createdAt
- attributeMapping
- entityId
- acsUrl
- encryption
- nameIdFormat
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
attributeMapping:
type: object
properties:
sub:
type: string
name:
type: string
given_name:
type: string
family_name:
type: string
middle_name:
type: string
nickname:
type: string
preferred_username:
type: string
profile:
type: string
picture:
type: string
website:
type: string
email:
type: string
email_verified:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
phone_number:
type: string
phone_number_verified:
type: string
address:
type: string
updated_at:
type: string
username:
type: string
created_at:
type: string
custom_data:
type: string
identities:
type: string
sso_identities:
type: string
roles:
type: string
organizations:
type: string
organization_data:
type: string
organization_roles:
type: string
entityId:
type: string
maxLength: 128
nullable: true
acsUrl:
type: object
required:
- binding
- url
properties:
binding:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
url:
type: string
format: url
nullable: true
encryption:
type: object
description: Validator function
nullable: true
nameIdFormat:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The SAML application was not found.
'422':
description: Unprocessable Content
summary: Get SAML application
description: Get SAML application details by ID.
patch:
operationId: UpdateSamlApplication
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
name:
type: string
minLength: 1
maxLength: 256
description: The name of the SAML application.
description:
type: string
nullable: true
description: Description of the SAML application.
customData:
type: object
description: Custom data for the application.
attributeMapping:
type: object
properties:
sub:
type: string
name:
type: string
given_name:
type: string
family_name:
type: string
middle_name:
type: string
nickname:
type: string
preferred_username:
type: string
profile:
type: string
picture:
type: string
website:
type: string
email:
type: string
email_verified:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
phone_number:
type: string
phone_number_verified:
type: string
address:
type: string
updated_at:
type: string
username:
type: string
created_at:
type: string
custom_data:
type: string
identities:
type: string
sso_identities:
type: string
roles:
type: string
organizations:
type: string
organization_data:
type: string
organization_roles:
type: string
entityId:
type: string
maxLength: 128
nullable: true
acsUrl:
type: object
required:
- binding
- url
properties:
binding:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
url:
type: string
format: url
nullable: true
description: The Assertion Consumer Service (ACS) URL.
encryption:
type: object
description: Validator function
nullable: true
nameIdFormat:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
responses:
'200':
description: The SAML application was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- description
- type
- customData
- isThirdParty
- createdAt
- attributeMapping
- entityId
- acsUrl
- encryption
- nameIdFormat
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 256
description:
type: string
nullable: true
type:
type: string
enum:
- Native
- SPA
- Traditional
- MachineToMachine
- Protected
- SAML
customData:
type: object
description: arbitrary
isThirdParty:
type: boolean
createdAt:
type: number
attributeMapping:
type: object
properties:
sub:
type: string
name:
type: string
given_name:
type: string
family_name:
type: string
middle_name:
type: string
nickname:
type: string
preferred_username:
type: string
profile:
type: string
picture:
type: string
website:
type: string
email:
type: string
email_verified:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
phone_number:
type: string
phone_number_verified:
type: string
address:
type: string
updated_at:
type: string
username:
type: string
created_at:
type: string
custom_data:
type: string
identities:
type: string
sso_identities:
type: string
roles:
type: string
organizations:
type: string
organization_data:
type: string
organization_roles:
type: string
entityId:
type: string
maxLength: 128
nullable: true
acsUrl:
type: object
required:
- binding
- url
properties:
binding:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
url:
type: string
format: url
nullable: true
encryption:
type: object
description: Validator function
nullable: true
nameIdFormat:
type: string
enum:
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The SAML application was not found.
'422':
description: Validation error.
summary: Update SAML application
description: Update SAML application details by ID.
delete:
operationId: DeleteSamlApplication
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
responses:
'204':
description: The SAML application was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The SAML application was not found.
'422':
description: The specified application is not a SAML application.
summary: Delete SAML application
description: Delete a SAML application by ID.
"/api/saml-applications/{id}/secrets":
post:
operationId: CreateSamlApplicationSecret
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- lifeSpanInYears
properties:
lifeSpanInYears:
type: integer
minimum: 1
description: The lifetime of the certificate in years (minimum 1
year).
responses:
'201':
description: The signing certificate was created successfully.
content:
application/json:
schema:
type: object
required:
- id
- certificate
- createdAt
- expiresAt
- active
- fingerprints
properties:
id:
type: string
minLength: 1
maxLength: 21
certificate:
type: string
minLength: 1
createdAt:
type: number
expiresAt:
type: number
active:
type: boolean
fingerprints:
type: object
required:
- sha256
properties:
sha256:
type: object
required:
- formatted
- unformatted
properties:
formatted:
type: string
unformatted:
type: string
'400':
description: Invalid request body.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The SAML application was not found.
summary: Create SAML application secret
description: Create a new signing certificate for the SAML application.
get:
operationId: ListSamlApplicationSecrets
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
responses:
'200':
description: A list of signing certificates.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- certificate
- createdAt
- expiresAt
- active
- fingerprints
properties:
id:
type: string
minLength: 1
maxLength: 21
description: The ID of the signing certificate.
certificate:
type: string
minLength: 1
description: The X.509 certificate in PEM format.
createdAt:
type: number
expiresAt:
type: string
format: date-time
description: The expiration time of the certificate.
active:
type: boolean
fingerprints:
type: object
required:
- sha256
properties:
sha256:
type: object
required:
- formatted
- unformatted
properties:
formatted:
type: string
unformatted:
type: string
fingerprint:
type: string
description: The SHA-256 fingerprint of the certificate.
isActive:
type: boolean
description: Whether this certificate is currently active.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The SAML application was not found.
summary: List SAML application secrets
description: Get all signing certificates of the SAML application.
"/api/saml-applications/{id}/secrets/{secretId}":
delete:
operationId: DeleteSamlApplicationSecret
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
- "$ref": "#/components/parameters/secretId"
responses:
'204':
description: The signing certificate was deleted successfully.
'400':
description: Cannot delete an active certificate.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The SAML application or certificate was not found.
summary: Delete SAML application secret
description: Delete a signing certificate of the SAML application. Active certificates
cannot be deleted.
patch:
operationId: UpdateSamlApplicationSecret
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
- "$ref": "#/components/parameters/secretId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- active
properties:
active:
type: boolean
description: Whether the certificate is active.
responses:
'200':
description: The signing certificate was updated successfully.
content:
application/json:
schema:
type: object
required:
- id
- certificate
- createdAt
- expiresAt
- active
- fingerprints
properties:
id:
type: string
minLength: 1
maxLength: 21
certificate:
type: string
minLength: 1
createdAt:
type: number
expiresAt:
type: number
active:
type: boolean
fingerprints:
type: object
required:
- sha256
properties:
sha256:
type: object
required:
- formatted
- unformatted
properties:
formatted:
type: string
unformatted:
type: string
'400':
description: Invalid request body.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The SAML application or certificate was not found.
summary: Update SAML application secret
description: Update the status of a signing certificate.
"/api/email-templates":
put:
operationId: ReplaceEmailTemplates
tags:
- Email templates
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- templates
properties:
templates:
type: array
items:
type: object
required:
- languageTag
- templateType
- details
properties:
languageTag:
type: string
minLength: 1
maxLength: 16
description: The language tag of the email template, e.g.,
`en` or `fr`.
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
description: The type of the email template, e.g. `SignIn`
or `ForgotPassword`
details:
type: object
required:
- subject
- content
properties:
subject:
type: string
description: The template of the email subject.
content:
type: string
description: The template of the email body.
contentType:
oneOf:
- type: string
format: '"text/html"'
- type: string
format: '"text/plain"'
description: The content type of the email body. (Only
required by some specific email providers.)
replyTo:
type: string
description: The reply name template of the email. If
not provided, the target email address will be used.
(The render logic may differ based on the email provider.)
sendFrom:
type: string
description: The send from name template of the email.
If not provided, the default Logto email address will
be used. (The render logic may differ based on the email
provider.)
description: The details of the email template.
responses:
'200':
description: The list of newly created or replaced email templates.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- languageTag
- templateType
- details
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
languageTag:
type: string
minLength: 1
maxLength: 16
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
details:
type: object
required:
- subject
- content
properties:
subject:
type: string
content:
type: string
contentType:
oneOf:
- type: string
format: '"text/html"'
- type: string
format: '"text/plain"'
replyTo:
type: string
sendFrom:
type: string
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Replace email templates
description: Create or replace a list of email templates. If an email template
with the same language tag and template type already exists, its details will
be updated.
get:
operationId: ListEmailTemplates
tags:
- Email templates
parameters:
- name: languageTag
in: query
required: false
schema:
type: string
minLength: 1
maxLength: 16
description: The language tag of the email template, e.g., `en` or `fr`.
- name: templateType
in: query
required: false
schema:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
description: The type of the email template, e.g. `SignIn` or `ForgotPassword`
responses:
'200':
description: The list of matched email templates. Returns an empty list if
no email template is found.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- languageTag
- templateType
- details
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
languageTag:
type: string
minLength: 1
maxLength: 16
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
details:
type: object
required:
- subject
- content
properties:
subject:
type: string
content:
type: string
contentType:
oneOf:
- type: string
format: '"text/html"'
- type: string
format: '"text/plain"'
replyTo:
type: string
sendFrom:
type: string
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get email templates
description: Get the list of email templates.
delete:
operationId: DeleteEmailTemplates
tags:
- Email templates
parameters:
- name: languageTag
in: query
required: false
schema:
type: string
minLength: 1
maxLength: 16
description: The language tag of the email template, e.g., `en` or `fr`.
- name: templateType
in: query
required: false
schema:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
description: The type of the email template, e.g. `SignIn` or `ForgotPassword`
responses:
'200':
description: The email templates were deleted successfully.
content:
application/json:
schema:
type: object
required:
- rowCount
properties:
rowCount:
type: number
description: The number of email templates deleted.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: No filter query parameters were provided. This bulk deletion
API requires at least one filter query parameter.
summary: Delete email templates
description: Bulk delete email templates by their language tag and template
type.
"/api/email-templates/{id}":
get:
operationId: GetEmailTemplate
tags:
- Email templates
parameters:
- "$ref": "#/components/parameters/emailTemplateId-root"
responses:
'200':
description: The email template.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- languageTag
- templateType
- details
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
languageTag:
type: string
minLength: 1
maxLength: 16
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
details:
type: object
required:
- subject
- content
properties:
subject:
type: string
content:
type: string
contentType:
oneOf:
- type: string
format: '"text/html"'
- type: string
format: '"text/plain"'
replyTo:
type: string
sendFrom:
type: string
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The email template was not found.
summary: Get email template by ID
description: Get the email template by its ID.
delete:
operationId: DeleteEmailTemplate
tags:
- Email templates
parameters:
- "$ref": "#/components/parameters/emailTemplateId-root"
responses:
'204':
description: The email template was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The email template was not found.
summary: Delete an email template
description: Delete an email template by its ID.
"/api/email-templates/{id}/details":
patch:
operationId: UpdateEmailTemplateDetails
tags:
- Email templates
parameters:
- "$ref": "#/components/parameters/emailTemplateId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
subject:
type: string
description: The template of the email subject.
content:
type: string
description: The template of the email body.
contentType:
oneOf:
- type: string
format: '"text/html"'
- type: string
format: '"text/plain"'
description: The content type of the email body. (Only required
by some specific email providers.)
replyTo:
type: string
description: The reply name template of the email. If not provided,
the target email address will be used. (The render logic may differ
based on the email provider.)
sendFrom:
type: string
description: The send from name template of the email. If not provided,
the default Logto email address will be used. (The render logic
may differ based on the email provider.)
responses:
'200':
description: The updated email template.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- languageTag
- templateType
- details
- createdAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
languageTag:
type: string
minLength: 1
maxLength: 16
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
details:
type: object
required:
- subject
- content
properties:
subject:
type: string
content:
type: string
contentType:
oneOf:
- type: string
format: '"text/html"'
- type: string
format: '"text/plain"'
replyTo:
type: string
sendFrom:
type: string
createdAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The email template was not found.
summary: Update email template details
description: Update the details of an email template by its ID.
"/api/one-time-tokens":
get:
operationId: ListOneTimeTokens
tags:
- One-time tokens
parameters:
- name: email
in: query
required: false
schema:
type: string
pattern: "^\\S+@\\S+\\.\\S+$"
description: Filter one-time tokens by email address.
- name: status
in: query
required: false
schema:
type: string
enum:
- active
- consumed
- revoked
- expired
description: Filter one-time tokens by status.
- name: page
in: query
description: Page number (starts from 1).
required: false
schema:
type: integer
minimum: 1
default: 1
- name: page_size
in: query
description: Entries per page.
required: false
schema:
type: integer
minimum: 1
default: 20
responses:
'200':
description: A list of one-time tokens.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- email
- token
- context
- status
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
email:
type: string
minLength: 1
maxLength: 128
token:
type: string
minLength: 1
maxLength: 256
context:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
status:
type: string
enum:
- active
- consumed
- revoked
- expired
createdAt:
type: number
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get one-time tokens
description: Get a list of one-time tokens, optionally filtered by email and
status, with optional pagination.
post:
operationId: AddOneTimeTokens
tags:
- One-time tokens
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- email
properties:
email:
type: string
minLength: 1
maxLength: 128
description: The email address to associate with the one-time token.
context:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
description: Additional context to store with the one-time token.
This can be used to store arbitrary data that will be associated
with the token.
expiresIn:
type: number
description: The expiration time in seconds. If not provided, defaults
to 10 minutes (600 seconds).
responses:
'201':
description: The one-time token was created successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- email
- token
- context
- status
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
email:
type: string
minLength: 1
maxLength: 128
token:
type: string
minLength: 1
maxLength: 256
context:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
status:
type: string
enum:
- active
- consumed
- revoked
- expired
createdAt:
type: number
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Create one-time token
description: Create a new one-time token associated with an email address. The
token can be used for verification purposes and has an expiration time.
"/api/one-time-tokens/{id}":
get:
operationId: GetOneTimeToken
tags:
- One-time tokens
parameters:
- "$ref": "#/components/parameters/oneTimeTokenId-root"
responses:
'200':
description: The one-time token found by ID.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- email
- token
- context
- status
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
email:
type: string
minLength: 1
maxLength: 128
token:
type: string
minLength: 1
maxLength: 256
context:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
status:
type: string
enum:
- active
- consumed
- revoked
- expired
createdAt:
type: number
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get one-time token by ID
description: Get a one-time token by its ID.
delete:
operationId: DeleteOneTimeToken
tags:
- One-time tokens
parameters:
- "$ref": "#/components/parameters/oneTimeTokenId-root"
responses:
'204':
description: The one-time token was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete one-time token by ID
description: Delete a one-time token by its ID.
"/api/one-time-tokens/verify":
post:
operationId: VerifyOneTimeToken
tags:
- One-time tokens
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- token
- email
properties:
token:
type: string
minLength: 1
maxLength: 256
description: The one-time token to verify.
email:
type: string
minLength: 1
maxLength: 128
description: The email address associated with the one-time token.
responses:
'200':
description: The one-time token was verified successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- email
- token
- context
- status
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
email:
type: string
minLength: 1
maxLength: 128
token:
type: string
minLength: 1
maxLength: 256
context:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
status:
type: string
enum:
- active
- consumed
- revoked
- expired
createdAt:
type: number
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Verify one-time token
description: Verify a one-time token associated with an email address. If the
token is valid and not expired, it will be marked as consumed.
"/api/one-time-tokens/{id}/status":
put:
operationId: ReplaceOneTimeTokenStatus
tags:
- One-time tokens
parameters:
- "$ref": "#/components/parameters/oneTimeTokenId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- status
properties:
status:
type: string
enum:
- active
- consumed
- revoked
- expired
description: The new status of the one-time token.
responses:
'200':
description: The one-time token status was updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- email
- token
- context
- status
- createdAt
- expiresAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
email:
type: string
minLength: 1
maxLength: 128
token:
type: string
minLength: 1
maxLength: 256
context:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
status:
type: string
enum:
- active
- consumed
- revoked
- expired
createdAt:
type: number
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update one-time token status
description: Update the status of a one-time token by its ID. This can be used
to mark the token as consumed or expired.
"/api/captcha-provider":
get:
operationId: GetCaptchaProvider
tags:
- Captcha provider
parameters: []
responses:
'200':
description: Captcha provider.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- config
- createdAt
- updatedAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 128
config:
oneOf:
- type: object
required:
- type
- siteKey
- secretKey
properties:
type:
type: string
format: '"Turnstile"'
siteKey:
type: string
secretKey:
type: string
- type: object
required:
- type
- siteKey
- secretKey
- projectId
properties:
type:
type: string
format: '"RecaptchaEnterprise"'
siteKey:
type: string
secretKey:
type: string
projectId:
type: string
domain:
type: string
mode:
type: string
enum:
- invisible
- checkbox
createdAt:
type: number
updatedAt:
type: number
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Captcha provider not found.
summary: Get captcha provider
description: Get the captcha provider. Only one captcha provider can be configured.
put:
operationId: UpdateCaptchaProvider
tags:
- Captcha provider
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- config
properties:
config:
oneOf:
- type: object
required:
- type
- siteKey
- secretKey
properties:
type:
type: string
format: '"Turnstile"'
siteKey:
type: string
secretKey:
type: string
- type: object
required:
- type
- siteKey
- secretKey
- projectId
properties:
type:
type: string
format: '"RecaptchaEnterprise"'
siteKey:
type: string
secretKey:
type: string
projectId:
type: string
domain:
type: string
mode:
type: string
enum:
- invisible
- checkbox
description: The captcha provider config.
responses:
'200':
description: Updated captcha provider.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- config
- createdAt
- updatedAt
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 128
config:
oneOf:
- type: object
required:
- type
- siteKey
- secretKey
properties:
type:
type: string
format: '"Turnstile"'
siteKey:
type: string
secretKey:
type: string
- type: object
required:
- type
- siteKey
- secretKey
- projectId
properties:
type:
type: string
format: '"RecaptchaEnterprise"'
siteKey:
type: string
secretKey:
type: string
projectId:
type: string
domain:
type: string
mode:
type: string
enum:
- invisible
- checkbox
createdAt:
type: number
updatedAt:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Update captcha provider
description: Update the captcha provider with the provided settings.
delete:
operationId: DeleteCaptchaProvider
tags:
- Captcha provider
parameters: []
responses:
'204':
description: Captcha provider deleted.
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete captcha provider
description: Delete the captcha provider.
"/api/sentinel-activities/delete":
post:
operationId: DeleteSentinelActivities
tags:
- Sentinel activities
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- targetType
- targets
properties:
targetType:
type: string
enum:
- User
- App
targets:
type: array
items:
type: string
responses:
'204':
description: Activities deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Bulk delete sentinel activities
description: Remove sentinel activity reports based on the provided target value
(identifier). Use this endpoint to unblock users who may be locked out due to
too many failed authentication attempts.
"/api/custom-profile-fields":
get:
operationId: ListCustomProfileFields
tags:
- Custom profile fields
parameters: []
responses:
'200':
description: Custom profile fields ordered by sieOrder (Sign-in Experience
order).
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- type
- label
- description
- required
- config
- createdAt
- sieOrder
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
parts:
type: array
items:
type: object
required:
- enabled
- name
- type
- required
properties:
enabled:
type: boolean
name:
type: string
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
createdAt:
type: number
sieOrder:
type: number
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get all custom profile fields
description: Get all custom profile fields.
post:
operationId: CreateCustomProfileField
tags:
- Custom profile fields
parameters: []
requestBody:
required: true
content:
application/json:
schema:
oneOf:
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Text"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
minLength:
type: number
maxLength:
type: number
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Number"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
minValue:
type: number
maxValue:
type: number
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Date"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- format
properties:
placeholder:
type: string
format:
type: string
customFormat:
type: string
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Checkbox"'
label:
type: string
minLength: 1
required:
type: boolean
format: 'false'
config:
type: object
required:
- defaultValue
properties:
defaultValue:
oneOf:
- type: string
format: '"true"'
- type: string
format: '"false"'
- type: object
required:
- name
- type
- required
- config
properties:
name:
type: string
type:
type: string
format: '"Select"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- options
properties:
placeholder:
type: string
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Url"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
- type: object
required:
- name
- type
- required
- config
properties:
name:
type: string
type:
type: string
format: '"Regex"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- format
properties:
placeholder:
type: string
format:
type: string
- type: object
required:
- name
- type
- required
- config
properties:
name:
type: string
type:
type: string
format: '"Address"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- parts
properties:
parts:
type: array
items:
type: object
required:
- enabled
- type
- required
- name
properties:
enabled:
type: boolean
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
name:
type: string
enum:
- formatted
- streetAddress
- locality
- region
- postalCode
- country
- type: object
required:
- name
- type
- required
- config
properties:
name:
type: string
type:
type: string
format: '"Fullname"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- parts
properties:
parts:
type: array
items:
type: object
required:
- enabled
- type
- required
- name
properties:
enabled:
type: boolean
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
name:
type: string
enum:
- givenName
- middleName
- familyName
responses:
'201':
description: Created
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- type
- label
- description
- required
- config
- createdAt
- sieOrder
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
parts:
type: array
items:
type: object
required:
- enabled
- name
- type
- required
properties:
enabled:
type: boolean
name:
type: string
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
createdAt:
type: number
sieOrder:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Create a custom profile field
description: Create a custom profile field.
"/api/custom-profile-fields/{name}":
get:
operationId: GetCustomProfileFieldByName
tags:
- Custom profile fields
parameters:
- name: name
in: path
required: true
schema:
type: string
minLength: 1
responses:
'200':
description: Custom profile field found successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- type
- label
- description
- required
- config
- createdAt
- sieOrder
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
parts:
type: array
items:
type: object
required:
- enabled
- name
- type
- required
properties:
enabled:
type: boolean
name:
type: string
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
createdAt:
type: number
sieOrder:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Get a custom profile field by name
description: Get a custom profile field by name.
put:
operationId: UpdateCustomProfileFieldByName
tags:
- Custom profile fields
parameters:
- name: name
in: path
required: true
schema:
type: string
minLength: 1
requestBody:
required: true
content:
application/json:
schema:
oneOf:
- type: object
required:
- type
- required
properties:
type:
type: string
format: '"Text"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
minLength:
type: number
maxLength:
type: number
- type: object
required:
- type
- required
properties:
type:
type: string
format: '"Number"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
minValue:
type: number
maxValue:
type: number
- type: object
required:
- type
- required
properties:
type:
type: string
format: '"Date"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- format
properties:
placeholder:
type: string
format:
type: string
customFormat:
type: string
- type: object
required:
- type
- required
properties:
type:
type: string
format: '"Checkbox"'
label:
type: string
minLength: 1
required:
type: boolean
format: 'false'
config:
type: object
required:
- defaultValue
properties:
defaultValue:
oneOf:
- type: string
format: '"true"'
- type: string
format: '"false"'
- type: object
required:
- type
- required
- config
properties:
type:
type: string
format: '"Select"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- options
properties:
placeholder:
type: string
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
- type: object
required:
- type
- required
properties:
type:
type: string
format: '"Url"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
- type: object
required:
- type
- required
- config
properties:
type:
type: string
format: '"Regex"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- format
properties:
placeholder:
type: string
format:
type: string
- type: object
required:
- type
- required
- config
properties:
type:
type: string
format: '"Address"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- parts
properties:
parts:
type: array
items:
type: object
required:
- enabled
- type
- required
- name
properties:
enabled:
type: boolean
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
name:
type: string
enum:
- formatted
- streetAddress
- locality
- region
- postalCode
- country
- type: object
required:
- type
- required
- config
properties:
type:
type: string
format: '"Fullname"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- parts
properties:
parts:
type: array
items:
type: object
required:
- enabled
- type
- required
- name
properties:
enabled:
type: boolean
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
name:
type: string
enum:
- givenName
- middleName
- familyName
responses:
'200':
description: Custom profile field updated successfully.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- name
- type
- label
- description
- required
- config
- createdAt
- sieOrder
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
parts:
type: array
items:
type: object
required:
- enabled
- name
- type
- required
properties:
enabled:
type: boolean
name:
type: string
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
createdAt:
type: number
sieOrder:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Update a custom profile field by name
description: Update a custom profile field by name.
delete:
operationId: DeleteCustomProfileFieldByName
tags:
- Custom profile fields
parameters:
- name: name
in: path
required: true
schema:
type: string
minLength: 1
responses:
'204':
description: Custom profile field deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Delete a custom profile field by name
description: Delete a custom profile field by name.
"/api/custom-profile-fields/batch":
post:
operationId: CreateCustomProfileFieldsBatch
tags:
- Custom profile fields
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: array
items:
oneOf:
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Text"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
minLength:
type: number
maxLength:
type: number
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Number"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
minValue:
type: number
maxValue:
type: number
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Date"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- format
properties:
placeholder:
type: string
format:
type: string
customFormat:
type: string
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Checkbox"'
label:
type: string
minLength: 1
required:
type: boolean
format: 'false'
config:
type: object
required:
- defaultValue
properties:
defaultValue:
oneOf:
- type: string
format: '"true"'
- type: string
format: '"false"'
- type: object
required:
- name
- type
- required
- config
properties:
name:
type: string
type:
type: string
format: '"Select"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- options
properties:
placeholder:
type: string
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
- type: object
required:
- name
- type
- required
properties:
name:
type: string
type:
type: string
format: '"Url"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
- type: object
required:
- name
- type
- required
- config
properties:
name:
type: string
type:
type: string
format: '"Regex"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- format
properties:
placeholder:
type: string
format:
type: string
- type: object
required:
- name
- type
- required
- config
properties:
name:
type: string
type:
type: string
format: '"Address"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- parts
properties:
parts:
type: array
items:
type: object
required:
- enabled
- type
- required
- name
properties:
enabled:
type: boolean
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
name:
type: string
enum:
- formatted
- streetAddress
- locality
- region
- postalCode
- country
- type: object
required:
- name
- type
- required
- config
properties:
name:
type: string
type:
type: string
format: '"Fullname"'
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
required:
- parts
properties:
parts:
type: array
items:
type: object
required:
- enabled
- type
- required
- name
properties:
enabled:
type: boolean
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
name:
type: string
enum:
- givenName
- middleName
- familyName
responses:
'201':
description: Custom profile fields created successfully.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- type
- label
- description
- required
- config
- createdAt
- sieOrder
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
parts:
type: array
items:
type: object
required:
- enabled
- name
- type
- required
properties:
enabled:
type: boolean
name:
type: string
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
createdAt:
type: number
sieOrder:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Batch create custom profile fields
description: Create multiple custom profile fields in a single request (max 20 items).
"/api/custom-profile-fields/properties/sie-order":
post:
operationId: UpdateCustomProfileFieldsSieOrder
tags:
- Custom profile fields
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- order
properties:
order:
type: array
items:
type: object
required:
- name
- sieOrder
properties:
name:
type: string
sieOrder:
type: number
responses:
'200':
description: Custom profile fields updated successfully.
content:
application/json:
schema:
type: array
items:
type: object
required:
- tenantId
- id
- name
- type
- label
- description
- required
- config
- createdAt
- sieOrder
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
parts:
type: array
items:
type: object
required:
- enabled
- name
- type
- required
properties:
enabled:
type: boolean
name:
type: string
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
createdAt:
type: number
sieOrder:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Update the display order of the custom profile fields in Sign-in Experience.
description: Update the display order of the custom profile fields in Sign-in Experience.
"/api/secrets/{id}":
delete:
operationId: DeleteSecret
tags:
- Secrets
parameters:
- "$ref": "#/components/parameters/secretId-root"
responses:
'204':
description: The secret was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The secret with the specified ID was not found.
summary: Delete secret
description: Delete a secret by its ID.
"/api/.well-known/sign-in-exp":
get:
operationId: GetSignInExperienceConfig
tags:
- Well-known
parameters:
- name: organizationId
in: query
required: false
schema:
type: string
- name: appId
in: query
required: false
schema:
type: string
responses:
'200':
description: The full sign-in experience configuration.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- color
- branding
- hideLogtoBranding
- languageInfo
- termsOfUseUrl
- privacyPolicyUrl
- agreeToTermsPolicy
- signIn
- signUp
- socialSignIn
- socialSignInConnectorTargets
- signInMode
- customCss
- customContent
- customUiAssets
- passwordPolicy
- mfa
- adaptiveMfa
- singleSignOnEnabled
- supportEmail
- supportWebsiteUrl
- unknownSessionRedirectUrl
- captchaPolicy
- sentinelPolicy
- emailBlocklistPolicy
- passkeySignIn
- signUpProfileFields
- socialConnectors
- ssoConnectors
- forgotPassword
- isDevelopmentTenant
- customProfileFields
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
color:
type: object
required:
- primaryColor
- isDarkModeEnabled
- darkPrimaryColor
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
hideLogtoBranding:
type: boolean
languageInfo:
type: object
required:
- autoDetect
- fallbackLanguage
properties:
autoDetect:
type: boolean
fallbackLanguage:
type: string
enum:
- af-ZA
- am-ET
- ar
- ar-AR
- as-IN
- az-AZ
- be-BY
- bg-BG
- bn-IN
- br-FR
- bs-BA
- ca-ES
- cb-IQ
- co-FR
- cs
- cs-CZ
- cx-PH
- cy-GB
- da-DK
- de
- de-DE
- el-GR
- en
- en-GB
- en-US
- eo-EO
- es
- es-ES
- es-419
- et-EE
- eu-ES
- fa-IR
- ff-NG
- fi
- fi-FI
- fo-FO
- fr
- fr-CA
- fr-FR
- fy-NL
- ga-IE
- gl-ES
- gn-PY
- gu-IN
- ha-NG
- he-IL
- hi-IN
- hr-HR
- ht-HT
- hu-HU
- hy-AM
- id-ID
- ik-US
- is-IS
- it
- it-IT
- iu-CA
- ja
- ja-JP
- ja-KS
- jv-ID
- ka-GE
- kk-KZ
- km-KH
- kn-IN
- ko
- ko-KR
- ku-TR
- ky-KG
- lo-LA
- lt-LT
- lv-LV
- mg-MG
- mk-MK
- ml-IN
- mn-MN
- mr-IN
- ms-MY
- mt-MT
- my-MM
- nb-NO
- ne-NP
- nl
- nl-BE
- nl-NL
- nn-NO
- or-IN
- pa-IN
- pl-PL
- ps-AF
- pt
- pt-BR
- pt-PT
- ro-RO
- ru
- ru-RU
- rw-RW
- sc-IT
- si-LK
- sk-SK
- sl-SI
- sn-ZW
- sq-AL
- sr-RS
- sv
- sv-SE
- sw-KE
- sy-SY
- sz-PL
- ta-IN
- te-IN
- tg-TJ
- th
- th-TH
- tl-PH
- tr
- tr-TR
- tt-RU
- tz-MA
- uk-UA
- ur-PK
- uz-UZ
- vi-VN
- zh
- zh-CN
- zh-HK
- zh-MO
- zh-TW
- zz-TR
termsOfUseUrl:
type: string
maxLength: 2048
nullable: true
privacyPolicyUrl:
type: string
maxLength: 2048
nullable: true
agreeToTermsPolicy:
type: string
enum:
- Automatic
- ManualRegistrationOnly
- Manual
signIn:
type: object
required:
- methods
properties:
methods:
type: array
items:
type: object
required:
- identifier
- password
- verificationCode
- isPasswordPrimary
properties:
identifier:
type: string
enum:
- username
- email
- phone
password:
type: boolean
verificationCode:
type: boolean
isPasswordPrimary:
type: boolean
signUp:
type: object
required:
- identifiers
- password
- verify
properties:
identifiers:
type: array
items:
type: string
enum:
- username
- email
- phone
password:
type: boolean
verify:
type: boolean
secondaryIdentifiers:
type: array
items:
type: object
required:
- identifier
properties:
identifier:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- emailOrPhone
verify:
type: boolean
socialSignIn:
type: object
properties:
automaticAccountLinking:
type: boolean
skipRequiredIdentifiers:
type: boolean
socialSignInConnectorTargets:
type: array
items:
type: string
signInMode:
type: string
enum:
- SignIn
- Register
- SignInAndRegister
customCss:
type: string
nullable: true
customContent:
type: object
additionalProperties:
type: string
customUiAssets:
type: object
required:
- id
- createdAt
properties:
id:
type: string
createdAt:
type: number
nullable: true
passwordPolicy:
type: object
properties:
length:
default: {}
type: object
required:
- min
- max
properties:
min:
default: 8
type: number
max:
default: 256
type: number
characterTypes:
default: {}
type: object
required:
- min
properties:
min:
default: 1
type: number
rejects:
default: {}
type: object
required:
- pwned
- repetitionAndSequence
- userInfo
- words
properties:
pwned:
default: true
type: boolean
repetitionAndSequence:
default: true
type: boolean
userInfo:
default: true
type: boolean
words:
default: []
type: array
items:
type: string
mfa:
type: object
required:
- factors
- policy
properties:
factors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
policy:
type: string
enum:
- UserControlled
- Mandatory
- PromptOnlyAtSignIn
- PromptAtSignInAndSignUp
- NoPrompt
- PromptAtSignInAndSignUpMandatory
- PromptOnlyAtSignInMandatory
organizationRequiredMfaPolicy:
type: string
enum:
- NoPrompt
- Mandatory
adaptiveMfa:
type: object
properties:
enabled:
type: boolean
singleSignOnEnabled:
type: boolean
supportEmail:
type: string
nullable: true
supportWebsiteUrl:
type: string
nullable: true
unknownSessionRedirectUrl:
type: string
nullable: true
captchaPolicy:
type: object
properties:
enabled:
type: boolean
sentinelPolicy:
type: object
properties:
maxAttempts:
type: number
lockoutDuration:
type: number
emailBlocklistPolicy:
type: object
properties:
blockDisposableAddresses:
type: boolean
blockSubaddressing:
type: boolean
customBlocklist:
type: array
items:
type: string
passkeySignIn:
type: object
properties:
enabled:
type: boolean
showPasskeyButton:
type: boolean
allowAutofill:
type: boolean
signUpProfileFields:
type: array
items:
type: object
required:
- name
properties:
name:
type: string
nullable: true
socialConnectors:
type: array
items:
type: object
required:
- id
- target
- name
- logo
- logoDark
- platform
properties:
id:
type: string
target:
type: string
name:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
fromEmail:
type: string
platform:
type: string
enum:
- Native
- Universal
- Web
nullable: true
isStandard:
type: boolean
isTokenStorageSupported:
type: boolean
ssoConnectors:
type: array
items:
type: object
required:
- id
- connectorName
- logo
properties:
id:
type: string
connectorName:
type: string
logo:
type: string
darkLogo:
type: string
forgotPassword:
type: object
required:
- phone
- email
properties:
phone:
type: boolean
email:
type: boolean
isDevelopmentTenant:
type: boolean
googleOneTap:
type: object
required:
- clientId
- connectorId
properties:
isEnabled:
type: boolean
autoSelect:
type: boolean
closeOnTapOutside:
type: boolean
itpSupport:
type: boolean
clientId:
type: string
connectorId:
type: string
captchaConfig:
type: object
required:
- type
- siteKey
properties:
type:
type: string
enum:
- RecaptchaEnterprise
- Turnstile
siteKey:
type: string
domain:
type: string
mode:
type: string
enum:
- invisible
- checkbox
customProfileFields:
type: array
items:
type: object
required:
- tenantId
- id
- name
- type
- label
- description
- required
- config
- createdAt
- sieOrder
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
parts:
type: array
items:
type: object
required:
- enabled
- name
- type
- required
properties:
enabled:
type: boolean
name:
type: string
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
createdAt:
type: number
sieOrder:
type: number
'400':
description: Bad Request
security: []
deprecated: true
summary: Get full sign-in experience
description: Get the full sign-in experience configuration.
"/api/.well-known/phrases":
get:
operationId: GetSignInExperiencePhrases
tags:
- Well-known
parameters:
- name: lng
in: query
required: false
schema:
type: string
description: The language tag for localization.
responses:
'200':
description: Localized phrases for the specified language.
content:
application/json:
schema:
type: object
additionalProperties:
oneOf:
- type: string
- type: object
additionalProperties:
example: {}
'400':
description: Bad Request
security: []
summary: Get localized phrases
description: Get localized phrases based on the specified language.
"/api/.well-known/experience":
get:
operationId: GetWellKnownExperience
tags:
- Well-known
parameters:
- name: organizationId
in: query
required: false
schema:
type: string
- name: appId
in: query
required: false
schema:
type: string
responses:
'200':
description: The full sign-in experience configuration.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- color
- branding
- hideLogtoBranding
- languageInfo
- termsOfUseUrl
- privacyPolicyUrl
- agreeToTermsPolicy
- signIn
- signUp
- socialSignIn
- socialSignInConnectorTargets
- signInMode
- customCss
- customContent
- customUiAssets
- passwordPolicy
- mfa
- adaptiveMfa
- singleSignOnEnabled
- supportEmail
- supportWebsiteUrl
- unknownSessionRedirectUrl
- captchaPolicy
- sentinelPolicy
- emailBlocklistPolicy
- passkeySignIn
- signUpProfileFields
- socialConnectors
- ssoConnectors
- forgotPassword
- isDevelopmentTenant
- customProfileFields
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
color:
type: object
required:
- primaryColor
- isDarkModeEnabled
- darkPrimaryColor
properties:
primaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
isDarkModeEnabled:
type: boolean
darkPrimaryColor:
type: string
format: regex
pattern: "/^#[\\da-f]{3}([\\da-f]{3})?$/i"
branding:
type: object
properties:
logoUrl:
type: string
format: url
darkLogoUrl:
type: string
format: url
favicon:
type: string
format: url
darkFavicon:
type: string
format: url
hideLogtoBranding:
type: boolean
languageInfo:
type: object
required:
- autoDetect
- fallbackLanguage
properties:
autoDetect:
type: boolean
fallbackLanguage:
type: string
enum:
- af-ZA
- am-ET
- ar
- ar-AR
- as-IN
- az-AZ
- be-BY
- bg-BG
- bn-IN
- br-FR
- bs-BA
- ca-ES
- cb-IQ
- co-FR
- cs
- cs-CZ
- cx-PH
- cy-GB
- da-DK
- de
- de-DE
- el-GR
- en
- en-GB
- en-US
- eo-EO
- es
- es-ES
- es-419
- et-EE
- eu-ES
- fa-IR
- ff-NG
- fi
- fi-FI
- fo-FO
- fr
- fr-CA
- fr-FR
- fy-NL
- ga-IE
- gl-ES
- gn-PY
- gu-IN
- ha-NG
- he-IL
- hi-IN
- hr-HR
- ht-HT
- hu-HU
- hy-AM
- id-ID
- ik-US
- is-IS
- it
- it-IT
- iu-CA
- ja
- ja-JP
- ja-KS
- jv-ID
- ka-GE
- kk-KZ
- km-KH
- kn-IN
- ko
- ko-KR
- ku-TR
- ky-KG
- lo-LA
- lt-LT
- lv-LV
- mg-MG
- mk-MK
- ml-IN
- mn-MN
- mr-IN
- ms-MY
- mt-MT
- my-MM
- nb-NO
- ne-NP
- nl
- nl-BE
- nl-NL
- nn-NO
- or-IN
- pa-IN
- pl-PL
- ps-AF
- pt
- pt-BR
- pt-PT
- ro-RO
- ru
- ru-RU
- rw-RW
- sc-IT
- si-LK
- sk-SK
- sl-SI
- sn-ZW
- sq-AL
- sr-RS
- sv
- sv-SE
- sw-KE
- sy-SY
- sz-PL
- ta-IN
- te-IN
- tg-TJ
- th
- th-TH
- tl-PH
- tr
- tr-TR
- tt-RU
- tz-MA
- uk-UA
- ur-PK
- uz-UZ
- vi-VN
- zh
- zh-CN
- zh-HK
- zh-MO
- zh-TW
- zz-TR
termsOfUseUrl:
type: string
maxLength: 2048
nullable: true
privacyPolicyUrl:
type: string
maxLength: 2048
nullable: true
agreeToTermsPolicy:
type: string
enum:
- Automatic
- ManualRegistrationOnly
- Manual
signIn:
type: object
required:
- methods
properties:
methods:
type: array
items:
type: object
required:
- identifier
- password
- verificationCode
- isPasswordPrimary
properties:
identifier:
type: string
enum:
- username
- email
- phone
password:
type: boolean
verificationCode:
type: boolean
isPasswordPrimary:
type: boolean
signUp:
type: object
required:
- identifiers
- password
- verify
properties:
identifiers:
type: array
items:
type: string
enum:
- username
- email
- phone
password:
type: boolean
verify:
type: boolean
secondaryIdentifiers:
type: array
items:
type: object
required:
- identifier
properties:
identifier:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- emailOrPhone
verify:
type: boolean
socialSignIn:
type: object
properties:
automaticAccountLinking:
type: boolean
skipRequiredIdentifiers:
type: boolean
socialSignInConnectorTargets:
type: array
items:
type: string
signInMode:
type: string
enum:
- SignIn
- Register
- SignInAndRegister
customCss:
type: string
nullable: true
customContent:
type: object
additionalProperties:
type: string
customUiAssets:
type: object
required:
- id
- createdAt
properties:
id:
type: string
createdAt:
type: number
nullable: true
passwordPolicy:
type: object
properties:
length:
default: {}
type: object
required:
- min
- max
properties:
min:
default: 8
type: number
max:
default: 256
type: number
characterTypes:
default: {}
type: object
required:
- min
properties:
min:
default: 1
type: number
rejects:
default: {}
type: object
required:
- pwned
- repetitionAndSequence
- userInfo
- words
properties:
pwned:
default: true
type: boolean
repetitionAndSequence:
default: true
type: boolean
userInfo:
default: true
type: boolean
words:
default: []
type: array
items:
type: string
mfa:
type: object
required:
- factors
- policy
properties:
factors:
type: array
items:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
policy:
type: string
enum:
- UserControlled
- Mandatory
- PromptOnlyAtSignIn
- PromptAtSignInAndSignUp
- NoPrompt
- PromptAtSignInAndSignUpMandatory
- PromptOnlyAtSignInMandatory
organizationRequiredMfaPolicy:
type: string
enum:
- NoPrompt
- Mandatory
adaptiveMfa:
type: object
properties:
enabled:
type: boolean
singleSignOnEnabled:
type: boolean
supportEmail:
type: string
nullable: true
supportWebsiteUrl:
type: string
nullable: true
unknownSessionRedirectUrl:
type: string
nullable: true
captchaPolicy:
type: object
properties:
enabled:
type: boolean
sentinelPolicy:
type: object
properties:
maxAttempts:
type: number
lockoutDuration:
type: number
emailBlocklistPolicy:
type: object
properties:
blockDisposableAddresses:
type: boolean
blockSubaddressing:
type: boolean
customBlocklist:
type: array
items:
type: string
passkeySignIn:
type: object
properties:
enabled:
type: boolean
showPasskeyButton:
type: boolean
allowAutofill:
type: boolean
signUpProfileFields:
type: array
items:
type: object
required:
- name
properties:
name:
type: string
nullable: true
socialConnectors:
type: array
items:
type: object
required:
- id
- target
- name
- logo
- logoDark
- platform
properties:
id:
type: string
target:
type: string
name:
type: object
description: Validator function
logo:
type: string
logoDark:
type: string
nullable: true
fromEmail:
type: string
platform:
type: string
enum:
- Native
- Universal
- Web
nullable: true
isStandard:
type: boolean
isTokenStorageSupported:
type: boolean
ssoConnectors:
type: array
items:
type: object
required:
- id
- connectorName
- logo
properties:
id:
type: string
connectorName:
type: string
logo:
type: string
darkLogo:
type: string
forgotPassword:
type: object
required:
- phone
- email
properties:
phone:
type: boolean
email:
type: boolean
isDevelopmentTenant:
type: boolean
googleOneTap:
type: object
required:
- clientId
- connectorId
properties:
isEnabled:
type: boolean
autoSelect:
type: boolean
closeOnTapOutside:
type: boolean
itpSupport:
type: boolean
clientId:
type: string
connectorId:
type: string
captchaConfig:
type: object
required:
- type
- siteKey
properties:
type:
type: string
enum:
- RecaptchaEnterprise
- Turnstile
siteKey:
type: string
domain:
type: string
mode:
type: string
enum:
- invisible
- checkbox
customProfileFields:
type: array
items:
type: object
required:
- tenantId
- id
- name
- type
- label
- description
- required
- config
- createdAt
- sieOrder
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
name:
type: string
minLength: 1
maxLength: 128
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
maxLength: 128
description:
type: string
maxLength: 256
nullable: true
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
parts:
type: array
items:
type: object
required:
- enabled
- name
- type
- required
properties:
enabled:
type: boolean
name:
type: string
type:
type: string
enum:
- Text
- Number
- Date
- Checkbox
- Select
- Url
- Regex
- Address
- Fullname
label:
type: string
minLength: 1
description:
type: string
required:
type: boolean
config:
type: object
properties:
placeholder:
type: string
maxLength: 256
minLength:
type: number
maxLength:
type: number
minValue:
type: number
maxValue:
type: number
format:
type: string
maxLength: 128
customFormat:
type: string
maxLength: 128
options:
type: array
items:
type: object
required:
- value
properties:
label:
type: string
value:
type: string
defaultValue:
type: string
createdAt:
type: number
sieOrder:
type: number
'400':
description: Bad Request
security: []
summary: Get full sign-in experience
description: Get the full sign-in experience configuration.
"/api/.well-known/account-center":
get:
operationId: GetWellKnownAccountCenter
tags:
- Well-known
parameters: []
responses:
'200':
description: The default account center configuration.
content:
application/json:
schema:
type: object
required:
- tenantId
- id
- enabled
- fields
- webauthnRelatedOrigins
- deleteAccountUrl
- customCss
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
enabled:
type: boolean
fields:
type: object
properties:
name:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
avatar:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
profile:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
email:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
phone:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
password:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
username:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
social:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
customData:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
mfa:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
session:
type: string
enum:
- 'Off'
- ReadOnly
- Edit
webauthnRelatedOrigins:
type: array
items:
type: string
deleteAccountUrl:
type: string
maxLength: 2048
nullable: true
customCss:
type: string
nullable: true
security: []
summary: Get default account center
description: Get the default account center configuration.
"/api/status":
get:
operationId: GetStatus
tags:
- Status
parameters: []
responses:
'204':
description: The Logto core service is healthy.
security: []
summary: Health check
description: |-
The traditional health check API. No authentication needed.
> **Note**
> Even if 204 is returned, it does not guarantee all the APIs are working properly since they may depend on additional resources or external services.
"/api/authn/hasura":
get:
operationId: GetHasuraAuth
tags:
- Authn
parameters:
- name: resource
in: query
required: true
schema:
type: string
minLength: 1
- name: unauthorizedRole
in: query
required: false
schema:
type: string
responses:
'200':
description: The authenticated user claims in Hasura format. See [Hasura
docs](https://hasura.io/docs/latest/auth/authentication/webhook/#webhook-response)
for more information.
content:
application/json:
schema:
type: object
properties:
X-Hasura-User-Id:
type: string
X-Hasura-Role:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
security: []
summary: Hasura auth hook endpoint
description: The `HASURA_GRAPHQL_AUTH_HOOK` endpoint for Hasura auth. Use this
endpoint to integrate Hasura's [webhook authentication flow](https://hasura.io/docs/latest/auth/authentication/webhook/).
"/api/authn/saml/{connectorId}":
post:
operationId: AssertSaml
tags:
- Authn
parameters:
- "$ref": "#/components/parameters/connectorId"
requestBody:
required: true
content:
application/json:
schema:
type: object
description: arbitrary
responses:
'302':
description: Redirect to the endpoint to complete the authentication flow.
'400':
description: Bad Request
'404':
description: Not Found
security: []
summary: SAML ACS endpoint (social)
description: |-
The Assertion Consumer Service (ACS) endpoint for Security Assertion Markup Language (SAML) social connectors.
SAML social connectors are deprecated. Use the SSO SAML connector instead.
deprecated: true
"/api/authn/single-sign-on/saml/{connectorId}":
post:
operationId: AssertSingleSignOnSaml
tags:
- Authn
parameters:
- "$ref": "#/components/parameters/connectorId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- SAMLResponse
properties:
RelayState:
type: string
description: SAML standard parameter that will be transmitted between
the identity provider and the service provider. It will be used
as the session ID (jti) of the user's Logto authentication session.
This API will use this session ID to retrieve the SSO connector
authentication session from the database.
SAMLResponse:
type: string
description: The SAML assertion response from the identity provider
(IdP).
responses:
'302':
description: Redirect to the endpoint to complete the authentication flow.
'400':
description: Invalid SAML assertion response.
'404':
description: Invalid SSO connector ID or SSO connector authentication session
not found.
security: []
summary: SAML ACS endpoint (SSO)
description: |-
The Assertion Consumer Service (ACS) endpoint for Security Assertion Markup Language (SAML) single sign-on (SSO) connectors.
This endpoint is used to complete the SAML SSO authentication flow. It receives the SAML assertion response from the identity provider (IdP) and redirects the user to complete the authentication flow.
"/api/saml-applications/{id}/metadata":
get:
operationId: ListSamlApplicationMetadata
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
responses:
'200':
description: The SAML metadata XML.
content:
application/json:
schema:
type: string
text/xml:
schema:
type: string
'400':
description: Bad Request
'404':
description: The SAML application was not found.
summary: Get SAML application metadata
description: Get the SAML metadata XML for the application.
"/api/saml-applications/{id}/callback":
get:
operationId: GetSamlApplicationCallback
tags:
- SAML applications
parameters:
- "$ref": "#/components/parameters/samlApplicationId-root"
- name: code
in: query
required: false
schema:
type: string
description: The authorization code from OIDC callback.
- name: state
in: query
required: false
schema:
type: string
description: The state parameter from OIDC callback.
- name: redirectUri
in: query
required: false
schema:
type: string
description: The redirect URI for the callback.
- name: error
in: query
required: false
schema:
type: string
- name: error_description
in: query
required: false
schema:
type: string
responses:
'200':
description: Returns an HTML form that automatically submits the SAML response.
content:
application/json: {}
'400':
description: Invalid request or OIDC error.
'404':
description: The SAML application was not found.
summary: SAML application callback
description: Handle the OIDC callback for SAML application and generate SAML
response.
"/api/saml/{id}/authn":
get:
operationId: GetSamlAuthn
tags:
- SAML applications auth flow
parameters:
- "$ref": "#/components/parameters/samlId-root"
- name: SAMLRequest
in: query
required: true
schema:
type: string
minLength: 1
description: The SAML request message.
- name: Signature
in: query
required: false
schema:
type: string
description: The signature of the request.
- name: SigAlg
in: query
required: false
schema:
type: string
description: The signature algorithm.
- name: RelayState
in: query
required: false
schema:
type: string
maxLength: 512
nullable: true
description: The relay state parameter.
responses:
'200':
description: OK
content:
application/json: {}
'302':
description: Redirects to the sign-in page.
'400':
description: Invalid SAML request.
'404':
description: The SAML application was not found.
summary: Handle SAML authentication request (Redirect binding)
description: Process SAML authentication request using HTTP Redirect binding.
post:
operationId: CreateSamlAuthn
tags:
- SAML applications auth flow
parameters:
- "$ref": "#/components/parameters/samlId-root"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- SAMLRequest
properties:
SAMLRequest:
type: string
minLength: 1
RelayState:
type: string
maxLength: 512
nullable: true
application/x-www-form-urlencoded:
schema:
type: object
required:
- SAMLRequest
properties:
SAMLRequest:
type: string
description: Base64-encoded SAML request message.
RelayState:
type: string
description: Optional state parameter to be returned in the response.
responses:
'200':
description: OK
content:
application/json: {}
'302':
description: Redirects to the sign-in page.
'400':
description: Invalid SAML request.
'404':
description: The SAML application was not found.
summary: Handle SAML authentication request (POST binding)
description: Process SAML authentication request using HTTP POST binding.
"/api/.well-known/management.openapi.json":
get:
operationId: GetWellKnownManagementOpenapiJson
tags:
- Well-known
parameters: []
responses:
'200':
description: The JSON document.
content:
application/json: {}
security: []
summary: Get Management API swagger JSON
description: The endpoint for the Management API JSON document. The JSON conforms
to the [OpenAPI v3.0.1](https://spec.openapis.org/oas/v3.0.1) (a.k.a. Swagger)
specification.
"/api/.well-known/experience.openapi.json":
get:
operationId: GetWellKnownExperienceOpenapiJson
tags:
- Well-known
parameters: []
responses:
'200':
description: The JSON document.
content:
application/json: {}
security: []
summary: Get Experience API swagger JSON
description: The endpoint for the Experience API JSON document. The JSON conforms
to the [OpenAPI v3.0.1](https://spec.openapis.org/oas/v3.0.1) (a.k.a. Swagger)
specification.
"/api/.well-known/user.openapi.json":
get:
operationId: GetWellKnownUserOpenapiJson
tags:
- Well-known
parameters: []
responses:
'200':
description: The JSON document.
content:
application/json: {}
security: []
summary: Get User API swagger JSON
description: The endpoint for the User API JSON document. The JSON conforms
to the [OpenAPI v3.0.1](https://spec.openapis.org/oas/v3.0.1) (a.k.a. Swagger)
specification.
"/api/swagger.json":
get:
operationId: GetSwaggerJson
tags:
- Swagger.json
parameters: []
responses:
'200':
description: The JSON document.
content:
application/json: {}
security: []
summary: Get Swagger JSON
description: The endpoint for the current JSON document. The JSON conforms to
the [OpenAPI v3.0.1](https://spec.openapis.org/oas/v3.0.1) (a.k.a. Swagger)
specification.
"/api/experience":
put:
operationId: InitInteraction
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- interactionEvent
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
captchaToken:
type: string
responses:
'204':
description: A new experience interaction has been successfully initiated.
'400':
description: Bad Request
'422':
description: Unprocessable Content
security: []
summary: Init new interaction
description: Init a new experience interaction with the given interaction type.
Any existing interaction data will be cleared.
"/api/experience/interaction-event":
put:
operationId: UpdateInteractionEvent
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- interactionEvent
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
description: The type of the interaction event. Only `SignIn` and
`Register` are supported.
responses:
'204':
description: The interaction event has been successfully updated.
'400':
description: The interaction event is invalid or cannot be updated. Only
`SignIn` and `Register` are interchangeable. If the current interaction
event is `ForgotPassword`, it cannot be updated.
'403':
description: The given interaction event is not enabled in the sign-in experience
settings.
security: []
summary: Update interaction event
description: Update the current experience interaction event to the given event
type. This API is used to switch the interaction event between `SignIn` and
`Register`, while keeping all the verification records data.
"/api/experience/identification":
post:
operationId: IdentifyUser
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
verificationId:
type: string
description: |-
The ID of the verification record used to identify the user.
- For `SignIn` and `ForgotPassword` interactions: Required to verify the user's identity.
- For `Register` interaction: Optional. If provided, new profile(s) will be attached to the registration session using the information from the verification record and trigger the account creation attempt. If not provided, the user account creation attempt will be triggered using the existing profile data in the interaction.
linkSocialIdentity:
type: boolean
description: |-
Applies only to the `SignIn` interaction and is used when a `SocialVerification` type verification ID is provided.
- If `true`, the user is identified using the verified email or phone number from the social identity provider, and the social identity is linked to the user's account.
- If `false` or not provided, the API identifies the user solely through the social identity.
This parameter is used to link a non-existing social identity to a related user account identified by the verified email or phone number.
responses:
'201':
description: "`Register` interaction: The user account has been successfully
created and identified."
content:
application/json: {}
'204':
description: "`SignIn` and `ForgotPassword` interactions: The user has been
successfully identified."
'400':
description: |-
The provided `verificationId` is invalid, not verified, or cannot be used to identify the user.
- `session.verification_failed`: The verification is not verified or cannot be used to identify the user.
- `guard.invalid_target`: The `verificationId` is missing but required for the `SignIn` and `ForgotPassword` interactions.
'401':
description: The user is suspended or banned from the service. (SignIn and
ForgotPassword only)
'403':
description: The `SignIn` or `Register` interaction is disabled in the experience
settings.
'404':
description: |-
Entity not found.
- `session.verification_session_not_found`: The verification record is not found.
- `user.user_not_exist`: The user account is not found (`SignIn` and `ForgotPassword` only).
'409':
description: The interaction has already been identified with a different
user account.
'422':
description: |-
The user account cannot be created due to validation errors; check the error message for more details (`Register` only).
- `user._already_in_use`: The given identifier is already in use by another user account.
- `user.missing_profile`: A user identifier or profile data required by the sign-in experience is missing (`Register` only).
security: []
summary: Identify user for the current interaction
description: |-
This API identifies the user based on the `verificationId` within the current experience interaction:
- `SignIn` and `ForgotPassword` interactions: Verifies the user's identity using the provided `verificationId`.
- `Register` interaction: Creates a new user account using the profile data from the current interaction. If a `verificationId` is provided, the profile data will first be updated with the verification record before creating the account. If not, the account is created directly from the stored profile data.
"/api/experience/submit":
post:
operationId: SubmitInteraction
tags:
- Experience
parameters: []
responses:
'200':
description: The interaction has been successfully submitted.
content:
application/json:
schema:
type: object
required:
- redirectTo
properties:
redirectTo:
type: string
'400':
description: Bad Request
'403':
description: Multi-Factor Authentication (MFA) is enabled for the user but
has not been verified.
'404':
description: The user has not been identified.
'422':
description: |-
The user profile cannot be processed; check the error message for more details.
- The profile data is invalid or conflicts with existing user data.
- Required profile data is missing.
- The profile data is already in use by another user account.
security: []
summary: Submit interaction
description: |-
Submit the current interaction.
- Submit the verified user identity to the OIDC provider for further authentication (`SignIn` and `Register`).
- Update the user's profile data if any (`SignIn` and `Register`).
- Reset the password and clear all the interaction records (`ForgotPassword`).
"/api/experience/interaction":
get:
operationId: GetInteraction
tags:
- Experience
parameters: []
responses:
'200':
description: The public interaction data has been successfully retrieved.
content:
application/json:
schema:
type: object
required:
- interactionEvent
- profile
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
profile:
type: object
properties:
avatar:
type: string
maxLength: 2048
nullable: true
name:
type: string
maxLength: 128
nullable: true
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
customData:
type: object
description: arbitrary
socialIdentity:
type: object
required:
- target
- userInfo
properties:
target:
type: string
userInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
enterpriseSsoIdentity:
type: object
required:
- identityId
- ssoConnectorId
- issuer
- detail
properties:
identityId:
type: string
minLength: 1
maxLength: 128
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
issuer:
type: string
minLength: 1
maxLength: 256
detail:
type: object
description: arbitrary
syncedEnterpriseSsoIdentity:
type: object
required:
- identityId
- issuer
- detail
properties:
identityId:
type: string
minLength: 1
maxLength: 128
issuer:
type: string
minLength: 1
maxLength: 256
detail:
type: object
description: arbitrary
jitOrganizationIds:
type: array
items:
type: string
submitted:
type: boolean
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
mfa:
type: object
properties:
mfaEnabled:
type: boolean
mfaSkipped:
type: boolean
passkeySkipped:
type: boolean
totp:
type: object
required:
- type
properties:
type:
type: string
format: '"Totp"'
webAuthn:
type: array
items:
type: object
required:
- type
- rpId
- credentialId
- publicKey
- transports
- counter
- agent
properties:
type:
type: string
format: '"WebAuthn"'
rpId:
type: string
credentialId:
type: string
publicKey:
type: string
transports:
type: array
items:
type: string
enum:
- usb
- nfc
- ble
- internal
- cable
- hybrid
- smart-card
counter:
type: number
agent:
type: string
name:
type: string
backupCode:
type: object
required:
- type
properties:
type:
type: string
format: '"BackupCode"'
signInContext:
type: object
additionalProperties:
type: string
captcha:
type: object
required:
- verified
- skipped
properties:
verified:
type: boolean
skipped:
type: boolean
security: []
summary: Get public interaction data
description: Get the public interaction data.
"/api/experience/verification/password":
post:
operationId: CreatePasswordVerification
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifier
- password
properties:
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
description: The identifier (username, email address or phone number) of
the user, checked together with the provided password.
password:
type: string
minLength: 1
description: The user password.
responses:
'200':
description: The Password verification record has been successfully created
and verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique verification ID of the newly created Password
verification record. The `verificationId` is required when verifying
the user's identity via the `Identification` API.
'400':
description: The verification attempts have exceeded the maximum limit.
'401':
description: The user is suspended or banned from the service.
'422':
description: "`session.invalid_credentials:` Either the user is not found
or the provided password is incorrect."
security: []
summary: Create password verification record
description: Create and verify a new Password verification record. The verification
record can only be created if the provided user credentials are correct.
"/api/experience/verification/verification-code":
post:
operationId: CreateAndSendVerificationCode
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifier
- interactionEvent
properties:
identifier:
oneOf:
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
format: regex
pattern: "/^\\d+$/"
description: The identifier (email address or phone number) to send
the verification code to.
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
description: The interaction event for which the verification code
will be used. Supported values are `SignIn`, `Register`, and `ForgotPassword`.
This determines the template for the verification code.
responses:
'200':
description: The verification code has been successfully sent.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique ID of the verification record. Required
to verify the code.
'400':
description: An invalid identifier was provided.
'404':
description: Not Found
'422':
description: Unprocessable Content
'501':
description: The connector for sending the verification code is not configured.
security: []
summary: Create and send verification code
description: Create a new `CodeVerification` record and send the code to the
specified identifier. The resulting verification record can be used to prove
ownership of that identifier.
"/api/experience/verification/verification-code/verify":
post:
operationId: VerifyVerificationCodeVerification
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifier
- verificationId
- code
properties:
identifier:
oneOf:
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
format: regex
pattern: "/^\\d+$/"
description: The identifier (email address or phone number) to verify
the code against. Must match the identifier used to send the verification
code.
verificationId:
type: string
description: The verification ID of the CodeVerification record.
code:
type: string
description: The verification code to be verified.
responses:
'200':
description: The verification code was successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique ID of the verification record. Required
for user identification via the `Identification` API or to bind
the identifier to the user's account via the `Profile` API.
'400':
description: The verification code is invalid or the maximum number of attempts
has been exceeded. Check the error message for details.
'404':
description: Verification record not found.
'501':
description: The connector for sending the verification code is not configured.
security: []
summary: Verify verification code
description: Verify the provided verification code against the user's identifier.
If successful, the verification record will be marked as verified.
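The two-step flow above (send a code, then verify it with the same identifier and the returned `verificationId`) as an added client-side example. This is not Logto's own code; it assumes the tenant endpoint is passed as `baseUrl`, that `fetchImpl` is a `fetch()`-compatible function, and that the interaction is tracked by the Logto session cookie, so requests are sent with credentials. The identifier patterns are the ones the spec declares.

```javascript
// Added example (not Logto's own code): request builders and a thin poster for
// the verification-code endpoints. Assumed: `baseUrl` is the tenant endpoint,
// `fetchImpl` is fetch()-compatible, and the interaction lives in the Logto
// session cookie, so every request is sent with credentials.

// Identifier patterns copied from the spec. The phone pattern is digits only, so
// a "+44 7700 900123" typed by the user must become "447700900123" first.
const IDENTIFIER_PATTERNS = { email: /^\S+@\S+\.\S+$/, phone: /^\d+$/ };
const INTERACTION_EVENTS = ['SignIn', 'Register', 'ForgotPassword'];

function normalizeIdentifier({ type, value }) {
  const pattern = IDENTIFIER_PATTERNS[type];
  if (!pattern) throw new Error(`unsupported identifier type: ${type}`);
  const normalized = type === 'phone' ? value.replace(/[\s()+-]/g, '') : value.trim();
  if (!pattern.test(normalized)) throw new Error(`invalid ${type} identifier`);
  return { type, value: normalized };
}

// Body for POST /api/experience/verification/verification-code
function buildSendCodeRequest(identifier, interactionEvent) {
  if (!INTERACTION_EVENTS.includes(interactionEvent)) {
    throw new Error(`unsupported interactionEvent: ${interactionEvent}`);
  }
  return { identifier: normalizeIdentifier(identifier), interactionEvent };
}

// Body for POST /api/experience/verification/verification-code/verify.
// `pending` maps verificationId -> the identifier the code was sent to, so the
// verify call reuses exactly that identifier, as the spec requires.
function buildVerifyCodeRequest(pending, verificationId, code) {
  const identifier = pending.get(verificationId);
  if (!identifier) throw new Error('unknown verificationId; send a code first');
  const trimmed = String(code).trim();
  if (trimmed.length === 0) throw new Error('empty code');
  return { identifier, verificationId, code: trimmed };
}

async function postExperience(baseUrl, fetchImpl, path, body) {
  const response = await fetchImpl(`${baseUrl.replace(/\/$/, '')}${path}`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    credentials: 'include',
    body: JSON.stringify(body),
  });
  const data = await response.json().catch(() => ({}));
  if (!response.ok) {
    // Per the spec: 400 invalid identifier / wrong code / too many attempts,
    // 404 record not found, 501 no email or SMS connector configured.
    const error = new Error(`${path} -> HTTP ${response.status}`);
    error.status = response.status;
    error.body = data;
    throw error;
  }
  return data;
}

// Full flow: send the code, ask the user for it, verify it. Returns the
// verificationId to hand to the Identification or Profile API afterwards.
async function runCodeVerification(baseUrl, fetchImpl, identifier, interactionEvent, readCode) {
  const pending = new Map();
  const sendBody = buildSendCodeRequest(identifier, interactionEvent);
  const sent = await postExperience(baseUrl, fetchImpl,
    '/api/experience/verification/verification-code', sendBody);
  pending.set(sent.verificationId, sendBody.identifier);
  const code = await readCode();
  const verified = await postExperience(baseUrl, fetchImpl,
    '/api/experience/verification/verification-code/verify',
    buildVerifyCodeRequest(pending, sent.verificationId, code));
  pending.delete(sent.verificationId);
  return verified.verificationId;
}
```

The builders are pure so they can be unit-tested without a server; `runCodeVerification` is the only piece that talks to the tenant.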
"/api/experience/verification/mfa-verification-code":
post:
operationId: CreateAndSendMfaVerificationCode
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifierType
properties:
identifierType:
type: string
enum:
- email
- phone
- Email
- Phone
description: The type of identifier to use for MFA verification: `email`
or `phone` (the capitalized forms `Email` and `Phone` listed in the enum are
also accepted). The endpoint automatically uses the user's bound identifier
of this type.
responses:
'200':
description: The MFA verification code has been successfully sent to the
user's bound identifier.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique ID of the verification record. Required
to verify the code.
'400':
description: Bad request. The user is not identified or does not have the
specified identifier type bound for MFA.
'404':
description: User not found.
'501':
description: The connector for the specified identifier type is not configured.
security: []
summary: Create and send MFA verification code
description: Create a new MFA verification code and send it to the user's bound
identifier (email or phone). This endpoint automatically uses the user's bound
email address or phone number from their profile for MFA verification. The
user must be identified before calling this endpoint.
"/api/experience/verification/mfa-verification-code/verify":
post:
operationId: VerifyMfaVerificationCode
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- verificationId
- code
- identifierType
properties:
verificationId:
type: string
description: The verification ID returned from the MFA verification
code send endpoint.
code:
type: string
description: The verification code received by the user.
identifierType:
type: string
enum:
- email
- phone
- Email
- Phone
description: The type of identifier used for MFA verification. Must
match the type used when sending the verification code.
responses:
'200':
description: The MFA verification code was successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique ID of the verification record. This can
be used for subsequent MFA operations.
'400':
description: Bad request. The verification code is invalid, expired, or
the user is not identified.
'404':
description: Verification record not found.
'501':
description: The connector for the verification method is not configured.
security: []
summary: Verify MFA verification code
description: Verify the provided MFA verification code. The verification code
must have been sent using the MFA verification code endpoint. This endpoint
verifies the code against the user's bound identifier and marks the verification
as complete if successful.
"/api/experience/verification/social/{connectorId}/authorization-uri":
post:
operationId: CreateSocialVerification
tags:
- Experience
parameters:
- "$ref": "#/components/parameters/connectorId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- state
- redirectUri
properties:
state:
type: string
description: The state parameter to pass to the social connector. Generate
an unguessable value for each request and check that the provider returns
the same value before calling the verify endpoint, so that a callback can
only complete the flow that started it.
redirectUri:
type: string
description: The URI to redirect the user to after the social authorization
is completed.
responses:
'200':
description: The social authorization URI has been successfully generated.
content:
application/json:
schema:
type: object
required:
- authorizationUri
- verificationId
properties:
authorizationUri:
type: string
description: The social authorization URI.
verificationId:
type: string
description: The unique verification ID of the newly created SocialVerification
record. The `verificationId` is required when verifying the
social authorization response.
'400':
description: Bad Request
'404':
description: The social connector is not found.
'500':
description: Connector error. Failed to generate the social authorization
URI.
security: []
summary: Create social verification
description: Create a new SocialVerification record and return the provider's
authorization URI for the given connector.
"/api/experience/verification/social/{connectorId}/verify":
post:
operationId: VerifySocialVerification
tags:
- Experience
parameters:
- "$ref": "#/components/parameters/connectorId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- connectorData
properties:
connectorData:
type: object
description: Arbitrary data returned by the social provider to complete
the verification process.
verificationId:
type: string
description: The ID of the social verification record. Optional
for Google one tap login, as it does not have a pre-created social
verification record in session.
responses:
'200':
description: The social authorization response has been successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique verification ID of the SocialVerification
record. This ID is required when identifying the user in the
current interaction.
'400':
description: The social authorization response is invalid or cannot be verified.
'404':
description: The social connector is not found.
'500':
description: Connector error. Failed to verify the social authorization
response or fetch the user info from the social provider.
security: []
summary: Verify social verification
description: Verify the social authorization response data and get the user's
identity data from the social provider.
"/api/experience/verification/sso/{connectorId}/authorization-uri":
post:
operationId: CreateEnterpriseSsoVerification
tags:
- Experience
parameters:
- "$ref": "#/components/parameters/connectorId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- state
- redirectUri
properties:
state:
type: string
description: The state parameter to pass to the SSO connector. As with the
social endpoint, it should be unguessable per request and compared against
the value the provider returns before the verify endpoint is called.
redirectUri:
type: string
description: The URI to redirect the user to after the SSO authorization
is completed.
responses:
'200':
description: The SSO authorization URI has been successfully generated.
content:
application/json:
schema:
type: object
required:
- authorizationUri
- verificationId
properties:
authorizationUri:
type: string
description: The SSO authorization URI.
verificationId:
type: string
description: The unique verification ID of the newly created EnterpriseSSO
verification record. The `verificationId` is required when verifying
the SSO authorization response.
'400':
description: Bad Request
'404':
description: The SSO connector is not found.
'500':
description: Connector error. Failed to generate the SSO authorization URI.
security: []
summary: Create enterprise SSO verification
description: Create a new EnterpriseSSO verification record and return the provider's
authorization URI for the given connector.
"/api/experience/verification/sso/{connectorId}/verify":
post:
operationId: VerifyEnterpriseSsoVerification
tags:
- Experience
parameters:
- "$ref": "#/components/parameters/connectorId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- connectorData
- verificationId
properties:
connectorData:
type: object
description: Arbitrary data returned by the SSO provider to complete
the verification process.
verificationId:
type: string
description: The ID of the EnterpriseSSO verification record.
responses:
'200':
description: The SSO authorization response has been successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The current verified EnterpriseSSO verification record
ID. This ID is required when identifying the user in the current
interaction.
'400':
description: The SSO authorization response is invalid or cannot be verified.
'404':
description: The verification record or the SSO connector is not found.
'500':
description: Connector error. Failed to verify the SSO authorization response
or fetch the user info from the SSO provider.
security: []
summary: Verify enterprise SSO verification
description: Verify the SSO authorization response data and get the user's identity
from the SSO provider.
"/api/experience/verification/totp/secret":
post:
operationId: CreateTotpSecret
tags:
- Experience
parameters: []
responses:
'200':
description: TOTP secret successfully generated.
content:
application/json:
schema:
type: object
required:
- verificationId
- secret
- secretQrCode
properties:
verificationId:
type: string
description: The unique verification ID for the TOTP record. This
ID is required to verify the TOTP code.
secret:
type: string
description: The newly generated TOTP secret.
secretQrCode:
type: string
description: A QR code image data URL for the TOTP secret. The
user can scan this QR code with their TOTP authenticator app.
'400':
description: Bad Request
'404':
description: Entity not found.
- `session.identifier_not_found:` The
current interaction is not identified yet. All MFA verification records
must be associated with an identified user.
security: []
summary: Create TOTP secret
description: Create a new TOTP verification record and generate a new TOTP secret
for the user. This secret can be used to bind a new TOTP verification to the
user's profile. The verification record must be verified before the secret
can be used to bind a new TOTP verification to the user's profile.
"/api/experience/verification/totp/verify":
post:
operationId: VerifyTotpVerification
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- code
properties:
code:
type: string
minLength: 1
description: The TOTP code to be verified.
verificationId:
type: string
description: The verification ID of the newly created TOTP secret.
This ID is required to verify a newly created TOTP secret that
needs to be bound to the user account. If not provided, the API
will create a new TOTP verification record and verify the code
against the user's existing TOTP secret.
responses:
'200':
description: The TOTP code has been successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique verification ID of the TOTP verification
record. For newly created TOTP secret verification record, this
ID is required to bind the TOTP secret to the user account through
`Profile` API.
'400':
description: Invalid TOTP code.
'404':
description: Verification record not found.
security: []
summary: Verify TOTP verification
description: Verifies the provided TOTP code against either the newly created
TOTP secret or the user's existing TOTP secret. If a `verificationId` is provided,
the code is verified against the TOTP secret associated with that verification
record. Otherwise, a new TOTP verification record is created and the code is
verified against the user's existing TOTP secret.
"/api/experience/verification/web-authn/registration":
post:
operationId: CreateWebAuthnRegistrationVerification
tags:
- Experience
parameters: []
responses:
'200':
description: WebAuthn registration successfully created.
content:
application/json:
schema:
type: object
required:
- verificationId
- registrationOptions
properties:
verificationId:
type: string
description: The unique verification ID for the WebAuthn registration
record. This ID is required to verify the WebAuthn registration
challenge.
registrationOptions:
type: object
required:
- rp
- user
- challenge
- pubKeyCredParams
properties:
rp:
type: object
required:
- name
properties:
name:
type: string
id:
type: string
user:
type: object
required:
- id
- name
- displayName
properties:
id:
type: string
name:
type: string
displayName:
type: string
challenge:
type: string
pubKeyCredParams:
type: array
items:
type: object
required:
- type
- alg
properties:
type:
type: string
format: '"public-key"'
alg:
type: number
timeout:
type: number
excludeCredentials:
type: array
items:
type: object
required:
- type
- id
properties:
type:
type: string
format: '"public-key"'
id:
type: string
transports:
type: array
items:
type: string
enum:
- usb
- nfc
- ble
- internal
- cable
- hybrid
- smart-card
authenticatorSelection:
type: object
properties:
authenticatorAttachment:
type: string
enum:
- platform
- cross-platform
requireResidentKey:
type: boolean
residentKey:
type: string
enum:
- discouraged
- preferred
- required
userVerification:
type: string
enum:
- required
- preferred
- discouraged
attestation:
type: string
enum:
- none
- indirect
- direct
- enterprise
extensions:
type: object
properties:
appid:
type: string
credProps:
type: boolean
hmacCreateSecret:
type: boolean
description: The WebAuthn registration options that the user needs
to create a new WebAuthn credential.
'400':
description: Bad Request
'404':
description: Entity not found.
- `session.identifier_not_found:` The
current interaction is not identified yet. All MFA verification records
must be associated with an identified user.
security: []
summary: Create WebAuthn registration verification
description: Create a new WebAuthn registration verification record. The verification
record can be used to bind a new WebAuthn credential to the user's profile.
"/api/experience/verification/web-authn/registration/verify":
post:
operationId: VerifyWebAuthnRegistrationVerification
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- verificationId
- payload
properties:
verificationId:
type: string
description: The verification ID of the WebAuthn registration record.
payload:
type: object
required:
- type
- id
- rawId
- response
- clientExtensionResults
properties:
type:
type: string
format: '"WebAuthn"'
id:
type: string
rawId:
type: string
response:
type: object
required:
- clientDataJSON
- attestationObject
properties:
clientDataJSON:
type: string
attestationObject:
type: string
authenticatorData:
type: string
transports:
type: array
items:
type: string
enum:
- usb
- nfc
- ble
- internal
- cable
- hybrid
- smart-card
publicKeyAlgorithm:
type: number
publicKey:
type: string
authenticatorAttachment:
type: string
enum:
- cross-platform
- platform
clientExtensionResults:
type: object
properties:
appid:
type: boolean
crepProps:
type: object
properties:
rk:
type: boolean
hmacCreateSecret:
type: boolean
description: The WebAuthn attestation response from the user's WebAuthn
credential.
responses:
'200':
description: The WebAuthn registration has been successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique verification ID of the WebAuthn registration
record. This `verificationId` is required to bind the WebAuthn
credential to the user account via the `Profile` API.
'400':
description: Invalid request.
- `session.mfa.pending_info_not_found:`
The WebAuthn registration challenge is missing from the current verification
record.
- `session.mfa.webauthn_verification_failed:` The WebAuthn
attestation response is invalid or cannot be verified.
'404':
description: Verification record not found.
security: []
summary: Verify WebAuthn registration verification
description: Verify the WebAuthn registration response against the user's WebAuthn
registration challenge. If the response is valid, the WebAuthn registration
record will be marked as verified.
"/api/experience/verification/web-authn/authentication":
post:
operationId: CreateWebAuthnAuthenticationVerification
tags:
- Experience
parameters: []
responses:
'200':
description: WebAuthn authentication successfully initiated.
content:
application/json:
schema:
type: object
required:
- verificationId
- authenticationOptions
properties:
verificationId:
type: string
description: The unique ID for the WebAuthn authentication record,
required to verify the WebAuthn authentication challenge.
authenticationOptions:
type: object
required:
- challenge
properties:
challenge:
type: string
timeout:
type: number
rpId:
type: string
allowCredentials:
type: array
items:
type: object
required:
- type
- id
properties:
type:
type: string
format: '"public-key"'
id:
type: string
transports:
type: array
items:
type: string
enum:
- usb
- nfc
- ble
- internal
- cable
- hybrid
- smart-card
userVerification:
type: string
enum:
- required
- preferred
- discouraged
extensions:
type: object
properties:
appid:
type: string
credProps:
type: boolean
hmacCreateSecret:
type: boolean
description: Options for the user to authenticate with their WebAuthn
credential.
'400':
description: The user does not have a verified WebAuthn credential.
'404':
description: The current interaction is not yet identified. All MFA verification
records must be associated with an identified user.
security: []
summary: Create WebAuthn authentication verification
description: Create a new WebAuthn authentication verification record based
on the user's existing WebAuthn credential. This verification record can be
used to verify the user's WebAuthn credential.
"/api/experience/verification/web-authn/authentication/verify":
post:
operationId: VerifyWebAuthnAuthenticationVerification
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- verificationId
- payload
properties:
verificationId:
type: string
description: The verification ID of the WebAuthn authentication
verification record.
payload:
type: object
required:
- type
- id
- rawId
- clientExtensionResults
- response
properties:
type:
type: string
format: '"WebAuthn"'
id:
type: string
rawId:
type: string
authenticatorAttachment:
type: string
enum:
- cross-platform
- platform
clientExtensionResults:
type: object
properties:
appid:
type: boolean
crepProps:
type: object
properties:
rk:
type: boolean
hmacCreateSecret:
type: boolean
response:
type: object
required:
- clientDataJSON
- authenticatorData
- signature
properties:
clientDataJSON:
type: string
authenticatorData:
type: string
signature:
type: string
userHandle:
type: string
description: The WebAuthn assertion response from the user's WebAuthn
credential.
responses:
'200':
description: The WebAuthn authentication has been successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique verification ID of the WebAuthn authentication
verification record.
'400':
description: Invalid request.
- `session.mfa.pending_info_not_found:`
The WebAuthn authentication challenge is missing in the current verification
record.
- `session.mfa.webauthn_verification_failed:` The WebAuthn
assertion response is invalid or cannot be verified.
'404':
description: Verification record not found.
security: []
summary: Verify WebAuthn authentication verification
description: Verifies the WebAuthn authentication response against the user's
authentication challenge. Upon successful verification, the verification record
will be marked as verified.
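The registration and authentication endpoints above return options typed as plain strings, while the browser's `navigator.credentials.create()` / `get()` work with `ArrayBuffer`s, and their `/verify` counterparts expect a `payload` whose `type` is `"WebAuthn"` rather than the browser's `"public-key"`. The following added example (not Logto's code) is the glue on both sides, for the registration options and payload (registration and registration/verify) as well as the authentication ones (authentication and authentication/verify, which the passkey sign-in endpoints share). It assumes the server encodes `challenge`, `user.id` and credential `id`s as base64url, that the caller knows the page origin, and that the global `atob`/`btoa`/`TextEncoder` are available, as they are in browsers and in Node. The credential objects in the test are constructed stand-ins for what the browser returns.

```javascript
// Added example (not Logto's own code): converting Experience API WebAuthn
// options to browser API options, and browser credentials to the API's
// `payload` shape. Assumed: base64url-encoded binary fields in the API, and
// atob/btoa/TextEncoder/TextDecoder as globals.

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function bytesToBase64url(data) {
  const u8 = data instanceof Uint8Array ? data : new Uint8Array(data);
  let bin = '';
  for (const b of u8) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// registrationOptions -> publicKey for navigator.credentials.create({ publicKey })
function toCreationOptions(registrationOptions) {
  return {
    ...registrationOptions,
    challenge: base64urlToBytes(registrationOptions.challenge),
    user: { ...registrationOptions.user, id: base64urlToBytes(registrationOptions.user.id) },
    excludeCredentials: (registrationOptions.excludeCredentials ?? []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// authenticationOptions -> publicKey for navigator.credentials.get({ publicKey })
function toRequestOptions(authenticationOptions) {
  return {
    ...authenticationOptions,
    challenge: base64urlToBytes(authenticationOptions.challenge),
    allowCredentials: (authenticationOptions.allowCredentials ?? []).map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
  };
}

// The Experience API schema spells the credProps extension output `crepProps`.
function toExtensionResults(credential) {
  const ext = credential.getClientExtensionResults?.() ?? {};
  return { appid: ext.appid, crepProps: ext.credProps, hmacCreateSecret: ext.hmacCreateSecret };
}

// PublicKeyCredential from create() -> payload for web-authn/registration/verify
function toRegistrationPayload(credential) {
  const r = credential.response;
  const publicKey = r.getPublicKey?.();
  return {
    type: 'WebAuthn', // the API's discriminator, not the browser's 'public-key'
    id: credential.id,
    rawId: bytesToBase64url(credential.rawId),
    authenticatorAttachment: credential.authenticatorAttachment ?? undefined, // null -> omitted
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      attestationObject: bytesToBase64url(r.attestationObject),
      transports: r.getTransports?.() ?? [],
      authenticatorData: r.getAuthenticatorData ? bytesToBase64url(r.getAuthenticatorData()) : undefined,
      publicKey: publicKey ? bytesToBase64url(publicKey) : undefined,
      publicKeyAlgorithm: r.getPublicKeyAlgorithm?.(),
    },
    clientExtensionResults: toExtensionResults(credential),
  };
}

// PublicKeyCredential from get() -> payload for web-authn/authentication/verify
// (and sign-in-passkey/authentication/verify)
function toAuthenticationPayload(credential) {
  const r = credential.response;
  return {
    type: 'WebAuthn',
    id: credential.id,
    rawId: bytesToBase64url(credential.rawId),
    authenticatorAttachment: credential.authenticatorAttachment ?? undefined,
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      authenticatorData: bytesToBase64url(r.authenticatorData),
      signature: bytesToBase64url(r.signature),
      userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : undefined,
    },
    clientExtensionResults: toExtensionResults(credential),
  };
}

// Client-side sanity check before posting. The server does the real
// verification; this only catches a stale challenge or wrong origin early.
function checkClientData(clientDataJSONBase64url, { expectedChallenge, expectedOrigin, expectedType }) {
  const data = JSON.parse(new TextDecoder().decode(base64urlToBytes(clientDataJSONBase64url)));
  if (data.type !== expectedType) throw new Error(`unexpected clientData type ${data.type}`);
  if (data.challenge !== expectedChallenge) throw new Error('challenge mismatch');
  if (data.origin !== expectedOrigin) throw new Error(`unexpected origin ${data.origin}`);
  return data;
}
```

`checkClientData` compares the base64url challenge string directly, because the browser stores the challenge in `clientDataJSON` in exactly that encoding.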
"/api/experience/verification/sign-in-passkey/authentication":
post:
operationId: CreateSignInPasskeyAuthenticationWithIdentifier
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifier
properties:
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
description: The identifier used to look up the user.
responses:
'200':
description: Passkey sign-in WebAuthn authentication options have been successfully
created.
content:
application/json:
schema:
type: object
required:
- verificationId
- authenticationOptions
properties:
verificationId:
type: string
description: The unique verification ID of the passkey sign-in
WebAuthn authentication record.
authenticationOptions:
type: object
required:
- challenge
properties:
challenge:
type: string
timeout:
type: number
rpId:
type: string
allowCredentials:
type: array
items:
type: object
required:
- type
- id
properties:
type:
type: string
format: '"public-key"'
id:
type: string
transports:
type: array
items:
type: string
enum:
- usb
- nfc
- ble
- internal
- cable
- hybrid
- smart-card
userVerification:
type: string
enum:
- required
- preferred
- discouraged
extensions:
type: object
properties:
appid:
type: string
credProps:
type: boolean
hmacCreateSecret:
type: boolean
description: The WebAuthn authentication options for initiating
passkey sign-in.
'400':
description: Invalid request.
'404':
description: User not found.
security: []
summary: Create passkey sign-in WebAuthn authentication with identifier
description: Create WebAuthn authentication options for passkey sign-in with
an identifier. The identifier is used to look up the user's WebAuthn credentials
and generate non-discoverable authentication options.
"/api/experience/verification/sign-in-passkey/authentication/verify":
post:
operationId: VerifySignInPasskeyAuthentication
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- payload
properties:
verificationId:
type: string
description: The verification ID of the passkey sign-in WebAuthn
authentication record. Optional when using discoverable passkey
flow with preflight authentication options.
payload:
type: object
required:
- type
- id
- rawId
- clientExtensionResults
- response
properties:
type:
type: string
format: '"WebAuthn"'
id:
type: string
rawId:
type: string
authenticatorAttachment:
type: string
enum:
- cross-platform
- platform
clientExtensionResults:
type: object
properties:
appid:
type: boolean
crepProps:
type: object
properties:
rk:
type: boolean
hmacCreateSecret:
type: boolean
response:
type: object
required:
- clientDataJSON
- authenticatorData
- signature
properties:
clientDataJSON:
type: string
authenticatorData:
type: string
signature:
type: string
userHandle:
type: string
description: The WebAuthn assertion response from the user's passkey
credential.
responses:
'200':
description: The passkey sign-in WebAuthn authentication has been successfully
verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique verification ID of the passkey sign-in
WebAuthn authentication verification record.
'400':
description: Invalid request.
- `session.mfa.pending_info_not_found:`
The WebAuthn authentication challenge is missing in the current verification
record.
- `session.mfa.webauthn_verification_failed:` The WebAuthn
assertion response is invalid or cannot be verified.
'404':
description: Verification session not found.
'409':
description: Identity conflict.
- `session.identity_conflict:` The
user associated with the verified WebAuthn credential does not match the
identified user in the current interaction.
security: []
summary: Verify passkey sign-in WebAuthn authentication
description: Verify the passkey sign-in WebAuthn authentication response against
the stored authentication challenge. When `verificationId` is provided, it
verifies against the challenge generated by the identifier-based authentication
endpoint. When omitted, it verifies against the preflight authentication options
stored in the interaction. Upon successful verification, the verification
record will be marked as verified and the user will be resolved by the credential
if not provided earlier.
"/api/experience/verification/backup-code/generate":
post:
operationId: GenerateBackupCodes
tags:
- Experience
parameters: []
responses:
'200':
description: Backup codes have been successfully generated.
content:
application/json:
schema:
type: object
required:
- verificationId
- codes
properties:
verificationId:
type: string
description: The unique verification ID of the newly created BackupCode
verification record. This ID is required when adding the backup
codes to the user profile via the Profile API.
codes:
type: array
items:
type: string
description: The generated backup codes.
'400':
description: Bad Request
'404':
description: The current interaction is not identified yet. All MFA verification
records must be associated with an identified user.
security: []
summary: Generate backup codes
description: Create a new BackupCode verification record with new backup codes
generated. This verification record will be used to bind the backup codes
to the user's profile.
"/api/experience/verification/backup-code/verify":
post:
operationId: VerifyBackupCode
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- code
properties:
code:
type: string
minLength: 1
description: The backup code to verify.
responses:
'200':
description: The backup code has been successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique verification ID of the BackupCode verification
record.
'400':
description: The provided backup code is invalid.
'404':
description: Entity not found.
- `session.identifier_not_found:` The
current interaction is not identified yet. All MFA verification records
must be associated with an identified user.
security: []
summary: Verify backup code
description: Create a new BackupCode verification record and verify the provided
backup code against the user's backup codes. The verification record will
be marked as verified if the code is correct.
"/api/experience/verification/new-password-identity":
post:
operationId: CreateNewPasswordIdentityVerification
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifier
- password
properties:
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"username"'
value:
type: string
format: regex
pattern: "/^[A-Z_a-z]\\w*$/"
description: The unique user identifier.
Currently, only
`username` is accepted. For `email` or `phone` registration, a
`CodeVerification` record must be created and used to verify the
user's email or phone number identifier.
password:
type: string
description: The new user password. (A password digest will be created
and stored securely in the verification record.)
responses:
'200':
description: The NewPasswordIdentity verification record has been successfully
created.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique verification ID of the newly created NewPasswordIdentity
verification record. The `verificationId` is required when creating
a new user account via the `Identification` API.
'400':
description: Bad Request
'422':
description: Unable to process the request.
- `user.username_already_in_use:`
The provided username is already in use.
- `password.rejected:` The
provided password is rejected by the password policy. Detailed password
violation information is included in the response.
security: []
summary: Create new password identity verification
description: Create a NewPasswordIdentity verification record for the new user
registration use. The verification record includes a unique user identifier
and a password that can be used to create a new user account.
"/api/experience/verification/one-time-token/verify":
post:
operationId: VerifyOneTimeTokenVerification
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifier
- token
properties:
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
description: The unique user identifier.
Currently, only
`email` is accepted.
token:
type: string
minLength: 1
description: The one-time token to be verified.
responses:
'200':
description: The one-time token was successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The unique ID of the verification record. Required
for user identification via the `Identification` API or to bind
the identifier to the user's account via the `Profile` API.
'400':
description: The one-time token is invalid or the maximum number of attempts
has been exceeded. Check the error message for details.
'404':
description: Verification record not found.
security: []
summary: Verify one-time token
description: Verify the provided one-time token against the user's email. If
successful, the verification record will be marked as verified.
"/api/experience/profile":
post:
operationId: AddUserProfile
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
oneOf:
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"username"'
value:
type: string
format: regex
pattern: "/^[A-Z_a-z]\\w*$/"
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"password"'
value:
type: string
- type: object
required:
- type
- verificationId
properties:
type:
type: string
format: '"email"'
verificationId:
type: string
- type: object
required:
- type
- verificationId
properties:
type:
type: string
format: '"phone"'
verificationId:
type: string
- type: object
required:
- type
- verificationId
properties:
type:
type: string
format: '"social"'
verificationId:
type: string
- type: object
required:
- type
- values
properties:
type:
type: string
format: '"extraProfile"'
values:
type: object
additionalProperties:
example: {}
properties:
type:
description: 'The type of profile data to add. Available options:
`email`, `phone`, `username`, `password`, `social`, or `extraProfile`.'
value:
description: The plain text value of the profile data. Only supported
for profile data types that do not require verification, such
as `username` and `password`.
values:
description: The extra profile data to add. Only supported for `extraProfile`
type. The data will be validated and split into standard user
profile attributes and custom user profile attributes. The standard
user profile attributes will be set to the user profile, whereas
the custom user profile attributes will be set to the user custom
data.
verificationId:
description: The ID of the verification record used to verify the
profile data. Required for profile data types that require verification,
such as `email`, `phone` and `social`.
responses:
'204':
description: The profile data has been successfully added to the current
experience interaction.
'400':
description: 'Invalid request.
- `session.not_supported_for_forgot_password:`
This API cannot be used in the `ForgotPassword` interaction.
- `session.verification_failed:`
The verification record is not verified. '
'403':
description: "`SignIn` interaction only: MFA is enabled for the user but
has not been verified. The user must verify MFA before updating non-social
profile data."
'404':
description: Entity not found.
- `session.identifier_not_found:` (`SignIn`
interaction only) The current interaction is not identified yet. All profile
data must be associated with an identified user.
- `session.verification_session_not_found:`
The verification record is not found.
'422':
description: The user profile cannot be processed; check the error message
for more details.
- The profile data is invalid or conflicts with
existing user data.
- The profile data is already in use by another
user account.
- The email address is enterprise SSO enabled and can
only be linked through the SSO connector.
security: []
summary: Add user profile
description: 'Adds user profile data to the current experience interaction.
- For `Register`: The profile data provided before the identification
request will be used to create a new user account.
- For `SignIn` and
`Register`: The profile data provided after the user is identified will be
used to update the user''s profile when the interaction is submitted.
-
`ForgotPassword`: Not supported.'
"/api/experience/profile/password":
put:
operationId: ResetUserPassword
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- password
properties:
password:
type: string
description: The new password to update. The password must meet
the password policy requirements and cannot be the same as the
current password.
responses:
'204':
description: The password has been successfully updated.
'400':
description: The current interaction event is not `ForgotPassword`. The
password can only be updated through the `ForgotPassword` interaction.
'404':
description: The user has not been identified yet. The user must be identified
before updating the password.
'422':
description: The password cannot be updated due to validation errors; check
the error message for more details.
- `user.password_policy_violation:`
The password does not meet the password policy requirements.
- `user.same_password:`
The new password is the same as the current password.
security: []
summary: Reset user password
description: Reset the user's password. (`ForgotPassword` interaction only)
"/api/experience/profile/mfa/mfa-enabled":
post:
operationId: MarkMfaEnabled
tags:
- Experience
parameters: []
responses:
'204':
description: The MFA has been successfully marked as enabled. This is typically
useful for optional MFA scenarios as the client can prompt an MFA enrollment
flow if the user has not enabled MFA yet, for added security.
'400':
description: Not supported for the current interaction event. The MFA profile
API can only be used in the `SignIn` or `Register` interaction.
'403':
description: MFA verification is required but has not been completed. The
user must verify the existing MFA before updating MFA settings.
'404':
description: The user has not been identified yet. The `mfa-enabled` configuration
must be associated with an identified user.
security: []
summary: Mark MFA as enabled
description: Mark the user's MFA as enabled for the current interaction and
persist in DB user configs upon successful submission.
"/api/experience/profile/mfa/mfa-skipped":
post:
operationId: SkipMfaBindingFlow
tags:
- Experience
parameters: []
responses:
'204':
description: The MFA verification has been successfully skipped.
'400':
description: Not supported for the current interaction event. The MFA profile
API can only be used in the `SignIn` or `Register` interaction.
'403':
description: Some MFA factors have already been enabled for the user. The
user must verify the MFA before updating the MFA settings.
'404':
description: The user has not been identified yet. The `mfa-skipped` configuration
must be associated with an identified user.
'422':
description: The MFA verification binding is `Mandatory`; the user cannot skip
the MFA verification binding flow.
security: []
summary: Skip MFA binding flow
description: Skip MFA verification binding flow. If the MFA is enabled in the
sign-in experience settings and marked as `UserControlled`, the user can skip
the MFA verification binding flow by calling this API.
"/api/experience/profile/mfa/mfa-suggestion-skipped":
post:
operationId: SkipMfaSuggestion
tags:
- Experience
parameters: []
responses:
'204':
description: The suggestion was successfully skipped.
'400':
description: Not supported for the current interaction event. The MFA profile
API can only be used in the `SignIn` or `Register` interaction.
'403':
description: Some MFA factors have already been enabled for the user. The
user must verify MFA before updating related settings.
'404':
description: The user has not been identified yet. The suggestion state
must be associated with an identified user.
'422':
description: The suggestion is not skippable under current policy.
security: []
summary: Skip additional MFA suggestion
description: Mark the optional additional MFA binding suggestion as skipped
for the current interaction. When multiple MFA factors are enabled and only
an email/phone factor is configured, a suggestion to add another factor may
be shown; this endpoint records the choice to skip.
"/api/experience/profile/mfa/passkey-skipped":
post:
operationId: SkipPasskeyBinding
tags:
- Experience
parameters: []
responses:
'204':
description: The passkey binding flow has been permanently skipped.
'400':
description: Not supported for the current interaction event. This API can
only be used in the `SignIn` or `Register` interaction.
'404':
description: The user has not been identified yet. The `passkey-skipped`
configuration must be associated with an identified user.
security: []
summary: Skip passkey binding
description: Skip the passkey binding flow. Users can temporarily skip the passkey
binding flow by calling this API during sign-up. On sign-in, the skip flag
will be persisted to the user config.
"/api/experience/profile/mfa/passkey":
post:
operationId: BindPasskey
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- verificationId
properties:
verificationId:
type: string
description: The ID of the WebAuthn verification record to bind
as a passkey.
responses:
'204':
description: The passkey has been successfully bound to the user profile.
'400':
description: Invalid request.
- `session.verification_failed:` The
WebAuthn verification record is invalid or not verified.
- `session.mfa.pending_info_not_found:`
The verification record does not have the required registration data.
'404':
description: Entity not found.
- `session.identifier_not_found:` The
user has not been identified yet.
- `session.verification_session_not_found:`
The WebAuthn verification record is not found.
security: []
summary: Bind passkey for sign-in
description: 'Bind a WebAuthn credential as a passkey for sign-in purposes.
Unlike `POST /api/experience/profile/mfa` with `type: WebAuthn`, this endpoint
is exclusively for adding a passkey as a sign-in method and does NOT mark
the user''s optional MFA as enabled.'
"/api/experience/profile/mfa":
post:
operationId: BindMfaVerification
tags:
- Experience
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- type
- verificationId
properties:
type:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
description: The type of MFA.
verificationId:
type: string
description: The ID of the MFA verification record.
responses:
'204':
description: The MFA verification has been successfully added to the user
profile.
'400':
description: Invalid request.
- `session.verification_failed:` The
MFA verification record is invalid or not verified.
- `session.mfa.mfa_factor_not_enabled:`
The MFA factor is not enabled in the sign-in experience settings.
-
`session.mfa.pending_info_not_found:` The MFA verification record does
not have the required information to bind the MFA verification.
'403':
description: Forbidden
'404':
description: Entity not found.
- `session.identifier_not_found:` The
user has not been identified yet. The MFA verification can only be added
to an identified user.
- `session.verification_session_not_found:`
The MFA verification record is not found.
'422':
description: 'The MFA verification cannot be processed; check the error message
for more details.
- `user.totp_already_in_use`: A TOTP MFA secret
is already in use in the current user profile.
- `session.mfa.backup_code_can_not_be_alone`:
The backup code can not be the only MFA factor in the user profile.'
security: []
summary: Bind MFA verification by verificationId
description: Bind new MFA verification to the user profile using the verificationId.
"/api/experience/sso-connectors":
get:
operationId: GetEnabledSsoConnectors
tags:
- Experience
parameters:
- name: email
in: query
required: true
schema:
type: string
format: email
description: The email address to find the enabled SSO connectors.
responses:
'200':
description: The enabled SSO connectors have been successfully retrieved.
content:
application/json:
schema:
type: object
required:
- connectorIds
properties:
connectorIds:
type: array
items:
type: string
description: The list of enabled SSO connectorIds. Returns an
empty array if no enabled SSO connectors are found.
'400':
description: The email address is invalid; a valid domain cannot be extracted
from it.
security: []
summary: Get enabled SSO connectors by the given email's domain
description: Extract the email domain from the provided email address. Returns
all the enabled SSO connectors that match the email domain.
"/api/experience/preflight/sign-in-passkey/authentication":
post:
operationId: CreateSignInPasskeyAuthentication
tags:
- Experience
parameters: []
responses:
'200':
description: Passkey sign-in WebAuthn authentication options have been successfully
created.
content:
application/json:
schema:
type: object
required:
- authenticationOptions
properties:
authenticationOptions:
type: object
required:
- challenge
properties:
challenge:
type: string
timeout:
type: number
rpId:
type: string
allowCredentials:
type: array
items:
type: object
required:
- type
- id
properties:
type:
type: string
format: '"public-key"'
id:
type: string
transports:
type: array
items:
type: string
enum:
- usb
- nfc
- ble
- internal
- cable
- hybrid
- smart-card
userVerification:
type: string
enum:
- required
- preferred
- discouraged
extensions:
type: object
properties:
appid:
type: string
credProps:
type: boolean
hmacCreateSecret:
type: boolean
description: The WebAuthn authentication options for initiating
passkey sign-in.
'400':
description: Invalid request.
'404':
description: Verification session not found.
security: []
summary: Create passkey sign-in WebAuthn authentication
description: Create WebAuthn authentication options for passkey sign-in. The
user will be resolved later by the credential during verification.
"/api/my-account":
get:
operationId: GetProfile
tags:
- My account
parameters: []
responses:
'200':
description: The profile was retrieved successfully.
content:
application/json:
schema:
type: object
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get profile
description: Get profile for the user.
patch:
operationId: UpdateProfile
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
name:
type: string
nullable: true
description: The new name for the user.
avatar:
type: string
format: url
nullable: true
description: The new avatar for the user, must be a URL.
username:
type: string
format: regex
pattern: "/^[A-Z_a-z]\\w*$/"
nullable: true
description: The new username for the user, must be a valid username
and unique.
customData:
type: object
description: The new custom data for the user. This will completely
replace the existing customData. Requires CustomData scope.
responses:
'200':
description: The profile was updated successfully.
content:
application/json:
schema:
type: object
properties:
id:
type: string
minLength: 1
maxLength: 12
username:
type: string
maxLength: 128
nullable: true
primaryEmail:
type: string
maxLength: 128
nullable: true
primaryPhone:
type: string
maxLength: 128
nullable: true
name:
type: string
maxLength: 128
nullable: true
avatar:
type: string
maxLength: 2048
nullable: true
customData:
type: object
description: arbitrary
identities:
type: object
additionalProperties:
type: object
required:
- userId
properties:
userId:
type: string
details:
type: object
description: arbitrary
lastSignInAt:
type: number
nullable: true
createdAt:
type: number
updatedAt:
type: number
profile:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
applicationId:
type: string
maxLength: 21
nullable: true
isSuspended:
type: boolean
hasPassword:
type: boolean
ssoIdentities:
type: array
items:
type: object
required:
- tenantId
- id
- userId
- issuer
- identityId
- detail
- createdAt
- updatedAt
- ssoConnectorId
properties:
tenantId:
type: string
maxLength: 21
id:
type: string
minLength: 1
maxLength: 21
userId:
type: string
minLength: 1
maxLength: 12
issuer:
type: string
minLength: 1
maxLength: 256
identityId:
type: string
minLength: 1
maxLength: 128
detail:
type: object
description: arbitrary
createdAt:
type: number
updatedAt:
type: number
ssoConnectorId:
type: string
minLength: 1
maxLength: 128
'400':
description: The request body is invalid.
'401':
description: Permission denied; the verification record is invalid.
'403':
description: Forbidden
'422':
description: The username is already in use.
summary: Update profile
description: Update profile for the user, only the fields that are passed in
will be updated. Updating or deleting username requires a logto-verification-id
header for checking sensitive permissions. Removing any sign-in identifier,
including username, is rejected if it would remove the user's last identifier.
"/api/my-account/profile":
patch:
operationId: UpdateOtherProfile
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
familyName:
type: string
description: The new family name for the user.
givenName:
type: string
description: The new given name for the user.
middleName:
type: string
description: The new middle name for the user.
nickname:
type: string
description: The new nickname for the user.
preferredUsername:
type: string
description: The new preferred username for the user.
profile:
type: string
description: The new profile for the user.
website:
type: string
description: The new website for the user.
gender:
type: string
description: The new gender for the user.
birthdate:
type: string
description: The new birthdate for the user.
zoneinfo:
type: string
description: The new zoneinfo for the user.
locale:
type: string
description: The new locale for the user.
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
description: The new address for the user.
responses:
'200':
description: The profile was updated successfully.
content:
application/json:
schema:
type: object
properties:
familyName:
type: string
givenName:
type: string
middleName:
type: string
nickname:
type: string
preferredUsername:
type: string
profile:
type: string
website:
type: string
gender:
type: string
birthdate:
type: string
zoneinfo:
type: string
locale:
type: string
address:
type: object
properties:
formatted:
type: string
streetAddress:
type: string
locality:
type: string
region:
type: string
postalCode:
type: string
country:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Update other profile
description: Update other profile for the user; only the fields that are passed
in will be updated. To update the address, the user must have the address
scope.
"/api/my-account/password":
post:
operationId: UpdatePassword
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- password
properties:
password:
type: string
minLength: 1
description: The new password for the user.
responses:
'204':
description: The password was updated successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Permission denied; the verification record is invalid.
'422':
description: Unprocessable Content
summary: Update password
description: Update password for the user; a logto-verification-id header
is required for checking sensitive permissions.
"/api/my-account/mfa-settings":
get:
operationId: GetMfaSettings
tags:
- My account
parameters: []
responses:
'200':
description: The MFA settings were retrieved successfully.
content:
application/json:
schema:
type: object
required:
- skipMfaOnSignIn
properties:
skipMfaOnSignIn:
type: boolean
'400':
description: Bad Request
'401':
description: Permission denied; insufficient scope or the MFA field is not enabled.
'403':
description: Forbidden
summary: Get MFA settings
description: Get MFA settings for the user. This endpoint requires the Identities
scope. Returns current MFA configuration preferences.
patch:
operationId: UpdateMfaSettings
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- skipMfaOnSignIn
properties:
skipMfaOnSignIn:
type: boolean
responses:
'200':
description: The MFA settings were updated successfully.
content:
application/json:
schema:
type: object
required:
- skipMfaOnSignIn
properties:
skipMfaOnSignIn:
type: boolean
'400':
description: The request body is invalid.
'401':
description: Permission denied; identity verification is required or the scope
is insufficient.
'403':
description: Forbidden
summary: Update MFA settings
description: Update MFA settings for the user. This endpoint requires identity
verification and the Identities scope. Controls whether MFA verification is
required during sign-in when the user has MFA configured.
"/api/my-account/logto-configs":
get:
operationId: GetLogtoConfig
tags:
- My account
parameters: []
responses:
'200':
description: The exposed logto config fields were retrieved successfully.
content:
application/json:
schema:
type: object
required:
- mfa
- passkeySignIn
properties:
mfa:
type: object
required:
- skipped
- skipMfaOnSignIn
properties:
enabled:
type: boolean
skipped:
type: boolean
skipMfaOnSignIn:
type: boolean
passkeySignIn:
type: object
required:
- skipped
properties:
skipped:
type: boolean
'400':
description: MFA is not available in the account center.
'401':
description: Permission denied due to insufficient scope.
'403':
description: Forbidden
summary: Get logto config
description: Retrieve the exposed portion of the current user's logto config.
This includes MFA states (enabled, skipped, skipMfaOnSignIn) and passkey sign-in
binding states (skipped). Passkey is a WebAuthn MFA factor and shares the
same account center field access control as MFA.
patch:
operationId: UpdateLogtoConfig
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
mfa:
type: object
properties:
enabled:
type: boolean
description: Set whether MFA is enabled for the user.
skipped:
type: boolean
description: Set whether the user is marked as having skipped
MFA binding.
additionalBindingSuggestionSkipped:
type: boolean
skipMfaOnSignIn:
type: boolean
description: Set whether the user has opted to skip MFA verification
on sign-in. This is ignored when the MFA policy is mandatory.
passkeySignIn:
type: object
properties:
skipped:
type: boolean
description: Set whether the user has persistently skipped binding
a passkey for sign-in.
responses:
'200':
description: The exposed logto_config fields were updated successfully.
content:
application/json:
schema:
type: object
required:
- mfa
- passkeySignIn
properties:
mfa:
type: object
required:
- skipped
- skipMfaOnSignIn
properties:
enabled:
type: boolean
skipped:
type: boolean
skipMfaOnSignIn:
type: boolean
passkeySignIn:
type: object
required:
- skipped
properties:
skipped:
type: boolean
'400':
description: The request body is invalid.
'401':
description: Permission denied due to insufficient scope.
'403':
description: Forbidden
summary: Update logto config
description: Update the exposed portion of the current user's logto config.
Supports updating MFA states (enabled, skipped, skipMfaOnSignIn) and passkey
sign-in binding states (skipped). Passkey is a WebAuthn MFA factor and shares
the same account center field access control as MFA.
"/api/my-account/identities/{target}/access-token":
get:
operationId: GetSocialIdentityAccessToken
tags:
- My account
parameters:
- name: target
in: path
required: true
schema:
type: string
minLength: 1
responses:
'200':
description: The access token was retrieved successfully.
content:
application/json:
schema:
type: object
required:
- access_token
properties:
access_token:
type: string
scope:
type: string
token_type:
type: string
expires_in:
oneOf:
- type: number
- type: string
'400':
description: Bad Request
'401':
description: Permission denied; the access_token is expired and the offline_access
scope is not granted or has expired.
'403':
description: Forbidden
'404':
description: The social identity does not exist or the access token is not
available.
'422':
description: Unprocessable Content
summary: Retrieve the access token issued by a third-party social provider
description: "This API retrieves the access token issued by a third-party social
provider for a given social target. \nAccess is only available if token storage
is enabled for the corresponding social connector.\nWhen a user authenticates
through a social provider, Logto automatically stores the provider’s tokens
in an encrypted form.\nYou can use this API to securely retrieve the stored
access token and use it to access third-party APIs on behalf of the user."
put:
operationId: UpdateSocialIdentityAccessTokenByVerificationId
tags:
- My account
parameters:
- name: target
in: path
required: true
schema:
type: string
minLength: 1
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- verificationRecordId
properties:
verificationRecordId:
type: string
minLength: 1
responses:
'200':
description: The token storage was updated successfully. The new access
token is returned in the response body.
content:
application/json:
schema:
type: object
required:
- access_token
properties:
access_token:
type: string
scope:
type: string
token_type:
type: string
expires_in:
oneOf:
- type: number
- type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The verification record is invalid; the social identity does
not exist; or the access token is not available.
summary: Update the access token for a social identity by verification ID
description: "This API updates the token storage for a social identity by a
given social verification ID. \nIt is used to fetch a new access token from
the social provider and store it securely in Logto."
"/api/my-account/sso-identities/{connectorId}/access-token":
get:
operationId: GetEnterpriseSsoIdentityAccessToken
tags:
- My account
parameters:
- "$ref": "#/components/parameters/connectorId"
responses:
'200':
description: The access token was retrieved successfully.
content:
application/json:
schema:
type: object
required:
- access_token
properties:
access_token:
type: string
scope:
type: string
token_type:
type: string
expires_in:
oneOf:
- type: number
- type: string
'400':
description: Bad Request
'401':
description: Permission denied, the access_token has expired and the offline_access
scope was not granted or has expired.
'403':
description: Forbidden
'404':
description: The SSO connector does not exist or the access token is not
available.
summary: Retrieve the access token issued by a third-party enterprise SSO provider
description: "This API retrieves the access token issued by a third-party enterprise
SSO provider for a given SSO connector ID. \nAccess is only available if token
storage is enabled for the corresponding connector.\nWhen a user authenticates
through an SSO provider, Logto automatically stores the provider’s tokens in
an encrypted form.\nYou can use this API to securely retrieve the stored access
token and use it to access third-party APIs on behalf of the user."
"/api/my-account/primary-email":
post:
operationId: UpdatePrimaryEmail
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- email
- newIdentifierVerificationRecordId
properties:
email:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
description: The new email for the user.
newIdentifierVerificationRecordId:
type: string
description: The identifier verification record ID for the new email
ownership verification.
responses:
'204':
description: The primary email was updated successfully.
'400':
description: The new verification record is invalid.
'401':
description: Unauthorized
'403':
description: Permission denied, the verification record is invalid.
'422':
description: Unprocessable Content
summary: Update primary email
description: Update the primary email for the user. A logto-verification-id header
is required for checking sensitive permissions, and a new identifier verification
record is required for the new email ownership verification.
delete:
operationId: DeletePrimaryEmail
tags:
- My account
parameters: []
responses:
'204':
description: The primary email was deleted successfully.
'400':
description: The request would remove the user's last identifier.
'401':
description: Permission denied, the verification record is invalid.
'403':
description: Forbidden
summary: Delete primary email
description: Delete the primary email for the user. A logto-verification-id header
is required for checking sensitive permissions. The request is rejected if
it would remove the user's last identifier.
"/api/my-account/primary-phone":
post:
operationId: UpdatePrimaryPhone
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- phone
- newIdentifierVerificationRecordId
properties:
phone:
type: string
format: regex
pattern: "/^\\d+$/"
description: The new phone for the user.
newIdentifierVerificationRecordId:
type: string
description: The identifier verification record ID for the new phone
ownership verification.
responses:
'204':
description: The primary phone was updated successfully.
'400':
description: The new verification record is invalid.
'401':
description: Unauthorized
'403':
description: Permission denied, the verification record is invalid.
'422':
description: Unprocessable Content
summary: Update primary phone
description: Update the primary phone for the user. A logto-verification-id header
is required for checking sensitive permissions, and a new identifier verification
record is required for the new phone ownership verification.
delete:
operationId: DeletePrimaryPhone
tags:
- My account
parameters: []
responses:
'204':
description: The primary phone was deleted successfully.
'400':
description: The request would remove the user's last identifier.
'401':
description: Permission denied, the verification record is invalid.
'403':
description: Forbidden
summary: Delete primary phone
description: Delete the primary phone for the user. A logto-verification-id header
is required for checking sensitive permissions. The request is rejected if
it would remove the user's last identifier.
"/api/my-account/identities":
post:
operationId: AddUserIdentities
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- newIdentifierVerificationRecordId
properties:
newIdentifierVerificationRecordId:
type: string
description: The identifier verification record ID for the new social
identity ownership verification.
responses:
'204':
description: The identity was added successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Add a user identity
description: Add an identity (social identity) to the user. A logto-verification-id
header is required for checking sensitive permissions, and a verification
record for the social identity is required.
"/api/my-account/identities/{target}":
delete:
operationId: DeleteIdentity
tags:
- My account
parameters:
- name: target
in: path
required: true
schema:
type: string
responses:
'204':
description: The identity was deleted successfully.
'400':
description: The request would remove the user's last identifier.
'401':
description: Permission denied, the verification record is invalid.
'403':
description: Forbidden
'404':
description: The identity does not exist.
summary: Delete a user identity
description: Delete an identity (social identity) from the user. A logto-verification-id
header is required for checking sensitive permissions. The request is rejected
if it would remove the user's last identifier.
"/api/my-account/mfa-verifications":
get:
operationId: GetMfaVerifications
tags:
- My account
parameters: []
responses:
'200':
description: The MFA verifications were retrieved successfully.
content:
application/json:
schema:
type: array
items:
type: object
required:
- id
- createdAt
- type
properties:
id:
type: string
createdAt:
type: string
lastUsedAt:
type: string
type:
type: string
enum:
- Totp
- WebAuthn
- BackupCode
- EmailVerificationCode
- PhoneVerificationCode
agent:
type: string
name:
type: string
remainCodes:
type: number
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Get MFA verifications
description: Get MFA verifications for the user.
post:
operationId: AddMfaVerification
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
oneOf:
- type: object
required:
- type
- newIdentifierVerificationRecordId
properties:
type:
type: string
format: '"WebAuthn"'
newIdentifierVerificationRecordId:
type: string
name:
type: string
- type: object
required:
- type
- secret
properties:
type:
type: string
format: '"Totp"'
secret:
type: string
code:
type: string
- type: object
required:
- type
- codes
properties:
type:
type: string
format: '"BackupCode"'
codes:
type: array
items:
type: string
- type: object
properties:
type:
type: string
enum:
- WebAuthn
description: The type of the MFA verification.
newIdentifierVerificationRecordId:
type: string
description: The identifier verification record ID for the new
WebAuthn registration verification.
name:
type: string
description: The name of the MFA verification. If not provided,
the name will be generated from the user agent.
required:
- type
- newIdentifierVerificationRecordId
- type: object
properties:
type:
type: string
enum:
- TOTP
description: The type of the MFA verification. For TOTP, one user
can bind only one TOTP factor.
secret:
type: string
description: The TOTP secret for the MFA verification. Use the
generate endpoint to create a secret, and verify the generated
code with the user before binding to make sure the user has
set up the secret in their authenticator app.
code:
type: string
description: Optional. The TOTP code generated by the secret to
verify the binding.
required:
- type
- secret
- type: object
properties:
type:
type: string
enum:
- BackupCode
description: The type of the MFA verification. For backup codes,
one user can bind only one set of backup codes, and binding them
requires at least one other MFA factor.
codes:
type: array
items:
type: string
description: Array of backup codes. Use the generate endpoint
to create codes.
required:
- type
- codes
responses:
'204':
description: No Content
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: Unprocessable Content
summary: Add an MFA verification
description: Add an MFA verification to the user. A logto-verification-id
header is required for checking sensitive permissions.
"/api/my-account/mfa-verifications/totp":
put:
operationId: CreateOrReplaceTotpMfaVerification
tags:
- My account
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- secret
- code
properties:
secret:
type: string
description: The TOTP secret for the authenticator app.
code:
type: string
description: The TOTP code generated from the secret to confirm
the binding.
responses:
'204':
description: The authenticator app was created or replaced successfully.
'400':
description: The provided secret or TOTP code is invalid.
'401':
description: Permission denied, identity verification is required or the
scope is insufficient.
'403':
description: Forbidden
summary: Create or replace the authenticator app
description: Create or replace the user's TOTP MFA verification with a new authenticator
app binding. If the user already has a TOTP verification, it will be replaced;
otherwise, a new one will be created. Requires a logto-verification-id header
for sensitive permission checks, a valid TOTP secret, and a valid TOTP code
generated from the secret.
"/api/my-account/mfa-verifications/totp-secret/generate":
post:
operationId: GenerateTotpSecret
tags:
- My account
parameters: []
responses:
'200':
description: The TOTP secret was generated successfully.
content:
application/json: {}
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Generate a TOTP secret
description: Generate a TOTP secret for the user.
"/api/my-account/mfa-verifications/backup-codes/generate":
post:
operationId: GenerateMyAccountBackupCodes
tags:
- My account
parameters: []
responses:
'200':
description: The backup codes were generated successfully.
content:
application/json: {}
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Generate backup codes
description: Generate backup codes for the user.
"/api/my-account/mfa-verifications/backup-codes":
get:
operationId: GetBackupCodes
tags:
- My account
parameters: []
responses:
'200':
description: The backup codes were retrieved successfully.
content:
application/json: {}
'401':
description: Unauthorized or identity verification required.
'403':
description: Forbidden
'404':
description: No backup codes found for the user.
summary: Get backup codes
description: Get all backup codes for the user with their usage status. Requires
identity verification.
"/api/my-account/mfa-verifications/{verificationId}/name":
patch:
operationId: UpdateMfaVerificationName
tags:
- My account
parameters:
- "$ref": "#/components/parameters/verificationId"
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
type: string
description: The name of the MFA verification.
responses:
'200':
description: The MFA verification name was updated successfully.
content:
application/json: {}
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Update an MFA verification name
description: Update an MFA verification name. A logto-verification-id header
is required for checking sensitive permissions. Only WebAuthn is supported
for now.
"/api/my-account/mfa-verifications/{verificationId}":
delete:
operationId: DeleteMfaVerification
tags:
- My account
parameters:
- "$ref": "#/components/parameters/verificationId"
responses:
'204':
description: The MFA verification was deleted successfully.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Delete an MFA verification
description: Delete an MFA verification. A logto-verification-id header is
required for checking sensitive permissions.
"/api/my-account/sessions":
get:
operationId: GetSessions
tags:
- My account
parameters: []
responses:
'200':
description: Return a list of non-expired sessions of the user.
content:
application/json:
schema:
type: object
required:
- sessions
properties:
sessions:
type: array
items:
type: object
required:
- payload
- lastSubmission
- clientId
- accountId
- expiresAt
properties:
payload:
type: object
required:
- exp
- iat
- jti
- uid
- kind
- loginTs
- accountId
properties:
exp:
type: number
iat:
type: number
jti:
type: string
uid:
type: string
kind:
type: string
format: '"Session"'
loginTs:
type: number
accountId:
type: string
authorizations:
type: object
additionalProperties:
type: object
properties:
sid:
type: string
grantId:
type: string
persistsLogout:
type: boolean
lastSubmission:
type: object
required:
- interactionEvent
- userId
- verificationRecords
properties:
interactionEvent:
type: string
enum:
- SignIn
- Register
- ForgotPassword
userId:
type: string
verificationRecords:
type: array
items:
oneOf:
- type: object
required:
- id
- type
- identifier
- verified
properties:
id:
type: string
type:
type: string
format: '"Password"'
identifier:
type: object
required:
- type
- value
properties:
type:
oneOf:
- type: string
enum:
- username
- email
- phone
- type: string
enum:
- userId
value:
type: string
verified:
type: boolean
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"EmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"PhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaEmailVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
- type: object
required:
- id
- templateType
- verified
- type
- identifier
properties:
id:
type: string
templateType:
type: string
enum:
- SignIn
- Register
- ForgotPassword
- OrganizationInvitation
- Generic
- UserPermissionValidation
- BindNewIdentifier
- MfaVerification
- BindMfa
verified:
type: boolean
type:
type: string
format: '"MfaPhoneVerificationCode"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"Social"'
socialUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
- type: object
required:
- id
- connectorId
- type
properties:
id:
type: string
connectorId:
type: string
type:
type: string
format: '"EnterpriseSso"'
enterpriseSsoUserInfo:
type: object
required:
- id
properties:
id:
type: string
email:
type: string
phone:
type: string
name:
type: string
avatar:
type: string
rawData:
type: object
oneOf:
- type: object
description: arbitrary JSON object
- type: array
items:
oneOf:
- type: string
- type: number
- type: boolean
- type: string
nullable: true
description: null value
- type: object
description: arbitrary JSON object
- type: string
- type: number
- type: boolean
nullable: true
issuer:
type: string
- type: object
required:
- id
- type
- userId
- verified
properties:
id:
type: string
type:
type: string
format: '"Totp"'
userId:
type: string
verified:
type: boolean
- type: object
required:
- id
- type
- userId
properties:
id:
type: string
type:
type: string
format: '"BackupCode"'
userId:
type: string
code:
type: string
- type: object
required:
- id
- verified
- type
- userId
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"WebAuthn"'
userId:
type: string
- type: object
required:
- id
- verified
- type
properties:
id:
type: string
verified:
type: boolean
registrationRpId:
type: string
type:
type: string
format: '"SignInPasskey"'
userId:
type: string
- type: object
required:
- id
- type
- verified
- identifier
properties:
id:
type: string
type:
type: string
format: '"OneTimeToken"'
verified:
type: boolean
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
oneTimeTokenContext:
type: object
properties:
jitOrganizationIds:
type: array
items:
type: string
- type: object
required:
- id
- type
- identifier
properties:
id:
type: string
type:
type: string
format: '"NewPasswordIdentity"'
identifier:
type: object
required:
- type
- value
properties:
type:
type: string
enum:
- username
- email
- phone
value:
type: string
signInContext:
type: object
additionalProperties:
type: string
nullable: true
clientId:
type: string
nullable: true
accountId:
type: string
nullable: true
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Permission denied, the verification record is invalid or the
session does not have the required scope to access session details.
'403':
description: Forbidden
'500':
description: Internal Server Error
summary: Get all active sessions
description: Retrieve all non-expired sessions for the user, including session
metadata and interaction details when available. A logto-verification-id
header is required to access sensitive session details.
"/api/my-account/sessions/{sessionId}":
delete:
operationId: DeleteSessionById
tags:
- My account
parameters:
- "$ref": "#/components/parameters/sessionId"
- name: revokeGrantsTarget
in: query
required: false
schema:
type: string
enum:
- all
- firstParty
description: Optional target for revoking associated grants and tokens. 'all'
revokes grants for every application authorized by this session. 'firstParty'
revokes only first-party app grants; third-party app grants remain active.
If omitted, grants remain active when the session authorizations include
offline_access; otherwise they are revoked.
responses:
'204':
description: The session was revoked successfully.
'400':
description: The field is not editable.
'401':
description: Permission denied, the verification record is invalid or the
session does not have the required scope to revoke sessions.
'403':
description: Forbidden
'404':
description: The session does not exist.
'500':
description: Internal Server Error
summary: Revoke a session by ID
description: Revoke a specific user session by its ID, optionally revoking the
associated grants and tokens selected by revokeGrantsTarget. A logto-verification-id
header is required for revoking sessions.
"/api/my-account/grants":
get:
operationId: GetGrants
tags:
- My account
parameters:
- name: appType
in: query
required: false
schema:
type: string
enum:
- firstParty
- thirdParty
description: Optional application type filter. Use 'firstParty' to return
grants from first-party applications only, or 'thirdParty' for third-party
applications only.
responses:
'200':
description: Return a list of active application grants of the user.
content:
application/json:
schema:
type: object
required:
- grants
properties:
grants:
type: array
items:
type: object
required:
- id
- payload
- expiresAt
properties:
id:
type: string
payload:
type: object
required:
- exp
- iat
- jti
- kind
- clientId
- accountId
properties:
exp:
type: number
iat:
type: number
jti:
type: string
kind:
type: string
format: '"Grant"'
clientId:
type: string
accountId:
type: string
expiresAt:
type: number
'400':
description: Bad Request
'401':
description: Permission denied, the verification record is invalid or the
session does not have the required scope to access grant details.
'403':
description: Forbidden
'500':
description: Internal Server Error
summary: Get all active grants
description: Retrieve all active application grants for the user. A logto-verification-id
header is required to access grant details.
"/api/my-account/grants/{grantId}":
delete:
operationId: DeleteGrantById
tags:
- My account
parameters:
- "$ref": "#/components/parameters/grantId"
responses:
'204':
description: The grant was revoked successfully.
'400':
description: The field is not editable.
'401':
description: Permission denied, the verification record is invalid or the
session does not have the required scope to revoke grants.
'403':
description: Forbidden
'404':
description: The grant does not exist.
'500':
description: Internal Server Error
summary: Revoke a grant by ID
description: Revoke a specific user application grant by grant ID and remove
the related session authorization. A logto-verification-id header is required
for revoking grants.
"/api/verifications/password":
post:
operationId: CreateVerificationByPassword
tags:
- Verifications
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- password
properties:
password:
type: string
minLength: 1
description: The password of the user.
responses:
'201':
description: The verification record was created successfully.
content:
application/json:
schema:
type: object
required:
- verificationRecordId
- expiresAt
properties:
verificationRecordId:
type: string
expiresAt:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'422':
description: The password is invalid.
summary: Create a record by password
description: Create a verification record by verifying the password.
"/api/verifications/verification-code":
post:
operationId: CreateVerificationByVerificationCode
tags:
- Verifications
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifier
properties:
identifier:
oneOf:
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
format: regex
pattern: "/^\\d+$/"
description: The identifier (email address or phone number) to send
the verification code to.
templateType:
oneOf:
- type: string
format: '"BindMfa"'
- type: string
format: '"UserPermissionValidation"'
description: Optional override for the template type used to send
the verification code. If the identifier is new, BindNewIdentifier
will be used regardless.
responses:
'201':
description: The verification code has been successfully sent.
content:
application/json:
schema:
type: object
required:
- verificationRecordId
- expiresAt
properties:
verificationRecordId:
type: string
expiresAt:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'501':
description: The connector for sending the verification code is not configured.
summary: Create a record by verification code
description: Create a verification record and send the code to the specified
identifier. The code verification can be used to verify the given identifier.
"/api/verifications/verification-code/verify":
post:
operationId: VerifyVerificationByVerificationCode
tags:
- Verifications
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- identifier
- verificationId
- code
properties:
identifier:
oneOf:
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"email"'
value:
type: string
format: regex
pattern: "/^\\S+@\\S+\\.\\S+$/"
- type: object
required:
- type
- value
properties:
type:
type: string
format: '"phone"'
value:
type: string
format: regex
pattern: "/^\\d+$/"
description: The identifier (email address or phone number) to verify
the code against. Must match the identifier used to send the verification
code.
verificationId:
type: string
description: The verification ID of the CodeVerification record.
code:
type: string
description: The verification code to be verified.
responses:
'200':
description: The verification code has been successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationRecordId
properties:
verificationRecordId:
type: string
'400':
description: The verification code is invalid or the maximum number of attempts
has been exceeded. Check the error message for details.
'401':
description: Unauthorized
'403':
description: Forbidden
'501':
description: The connector for sending the verification code is not configured.
summary: Verify verification code
description: Verify the provided verification code against the identifier. If
successful, the verification record will be marked as verified.
"/api/verifications/social":
post:
operationId: CreateVerificationBySocial
tags:
- Verifications
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- state
- redirectUri
- connectorId
properties:
state:
type: string
description: A random string generated on the client side to prevent
CSRF (Cross-Site Request Forgery) attacks.
redirectUri:
type: string
description: The URI to navigate back to after the user is authenticated
by the connected social identity provider and has granted access
to the connector.
scope:
type: string
description: The custom scopes of the social verification. It can
be used to request specific permissions from the social identity
provider. If provided, it will override the scope configured in
the connector settings.
connectorId:
type: string
description: The Logto connector ID.
responses:
'201':
description: Successfully created the social verification record and returned
the authorization URI.
content:
application/json:
schema:
type: object
required:
- verificationRecordId
- authorizationUri
- expiresAt
properties:
verificationRecordId:
type: string
description: The ID of the verification record.
authorizationUri:
type: string
description: The authorization URI to navigate to for authentication
and authorization in the connected social identity provider.
expiresAt:
type: string
description: The expiration date and time of the verification
record.
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: The connector specified by connectorId is not found.
'422':
description: The connector specified by connectorId is not a valid social
connector.
summary: Create a social verification record
description: Create a social verification record and return the authorization
URI.
"/api/verifications/social/verify":
post:
operationId: VerifyVerificationBySocial
tags:
- Verifications
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- connectorData
- verificationRecordId
properties:
connectorData:
type: object
description: A JSON object constructed from the URL query params
returned by the social platform. Typically it contains `code`,
`state` and `redirectUri` fields.
verificationRecordId:
type: string
verificationId:
description: The verification ID of the SocialVerification record.
responses:
'200':
description: The social verification record has been successfully verified
and the user information has been saved.
content:
application/json:
schema:
type: object
required:
- verificationRecordId
properties:
verificationRecordId:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
'422':
description: Unprocessable Content
summary: Verify a social verification record
description: Verify a social verification record by callback connector data,
and save the user information to the record.
"/api/verifications/web-authn/registration":
post:
operationId: GenerateWebAuthnRegistrationOptions
tags:
- Verifications
parameters: []
responses:
'200':
description: Successfully generated the WebAuthn registration options.
content:
application/json:
schema:
type: object
required:
- verificationRecordId
- registrationOptions
- expiresAt
properties:
verificationRecordId:
type: string
registrationOptions:
type: object
required:
- rp
- user
- challenge
- pubKeyCredParams
properties:
rp:
type: object
required:
- name
properties:
name:
type: string
id:
type: string
user:
type: object
required:
- id
- name
- displayName
properties:
id:
type: string
name:
type: string
displayName:
type: string
challenge:
type: string
pubKeyCredParams:
type: array
items:
type: object
required:
- type
- alg
properties:
type:
type: string
format: '"public-key"'
alg:
type: number
timeout:
type: number
excludeCredentials:
type: array
items:
type: object
required:
- type
- id
properties:
type:
type: string
format: '"public-key"'
id:
type: string
transports:
type: array
items:
type: string
enum:
- usb
- nfc
- ble
- internal
- cable
- hybrid
- smart-card
authenticatorSelection:
type: object
properties:
authenticatorAttachment:
type: string
enum:
- platform
- cross-platform
requireResidentKey:
type: boolean
residentKey:
type: string
enum:
- discouraged
- preferred
- required
userVerification:
type: string
enum:
- required
- preferred
- discouraged
attestation:
type: string
enum:
- none
- indirect
- direct
- enterprise
extensions:
type: object
properties:
appid:
type: string
credProps:
type: boolean
hmacCreateSecret:
type: boolean
expiresAt:
type: string
'401':
description: Unauthorized
'403':
description: Forbidden
summary: Generate WebAuthn registration options
description: Generate WebAuthn registration options for the user to register
a new WebAuthn device.
"/api/verifications/web-authn/registration/verify":
post:
operationId: VerifyWebAuthnRegistration
tags:
- Verifications
parameters: []
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- verificationRecordId
- payload
properties:
verificationRecordId:
type: string
description: The ID of the verification record.
payload:
type: object
required:
- type
- id
- rawId
- response
- clientExtensionResults
properties:
type:
type: string
format: '"WebAuthn"'
id:
type: string
rawId:
type: string
response:
type: object
required:
- clientDataJSON
- attestationObject
properties:
clientDataJSON:
type: string
attestationObject:
type: string
authenticatorData:
type: string
transports:
type: array
items:
type: string
enum:
- usb
- nfc
- ble
- internal
- cable
- hybrid
- smart-card
publicKeyAlgorithm:
type: number
publicKey:
type: string
authenticatorAttachment:
type: string
enum:
- cross-platform
- platform
clientExtensionResults:
type: object
properties:
appid:
type: boolean
crepProps:
type: object
properties:
rk:
type: boolean
hmacCreateSecret:
type: boolean
description: The payload of the WebAuthn device.
responses:
'200':
description: The WebAuthn registration has been successfully verified.
content:
application/json:
schema:
type: object
required:
- verificationRecordId
properties:
verificationRecordId:
type: string
'400':
description: Bad Request
'401':
description: Unauthorized
'403':
description: Forbidden
'404':
description: Not Found
summary: Verify WebAuthn registration
description: Verify the WebAuthn registration by the user's response.
security:
- OAuth2:
- all
components:
securitySchemes:
OAuth2:
type: oauth2
description: |-
Logto Management API is a comprehensive set of REST APIs that gives you full control over Logto to suit your product needs and tech stack. To see the full guide on Management API interactions, visit [Interact with Management API](https://docs.logto.io/docs/recipes/interact-with-management-api/).
### Get started
The API follows the same authentication principles as other API resources in Logto, with some slight differences. To use Logto Management API:
1. A machine-to-machine (M2M) application needs to be created.
2. A machine-to-machine (M2M) role with Management API permission `all` needs to be assigned to the application.
Once you have them set up, you can use the `client_credentials` grant type to fetch an access token and use it to authenticate your requests to the Logto Management API.
### Fetch an access token
To fetch an access token, you need to make a `POST` request to the `/oidc/token` endpoint of your Logto tenant.
For Logto Cloud users, the base URL is your Logto endpoint, i.e. `https://[tenant-id].logto.app`. The tenant ID can be found in the following places:
- The first path segment of the URL when you are signed in to Logto Cloud. For example, if the URL is `https://cloud.logto.io/foo/get-started`, the tenant ID is `foo`.
- In the "Settings" tab of Logto Cloud.
The request should follow the OAuth 2.0 [client credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) grant type. Here is a non-normative example of how to fetch an access token:
```bash
curl --location \
--request POST 'https://[tenant-id].logto.app/oidc/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[app-id]' \
--data-urlencode 'client_secret=[app-secret]' \
--data-urlencode 'resource=https://[tenant-id].logto.app/api' \
--data-urlencode 'scope=all'
```
Replace `[tenant-id]`, `[app-id]`, and `[app-secret]` with your Logto tenant ID, application ID, and application secret, respectively.
The response will be like:
```json
{
"access_token": "eyJhbG...2g", // Use this value for accessing the Logto Management API
"expires_in": 3600, // Token expiration in seconds
"token_type": "Bearer", // Token type for your request when using the access token
"scope": "all" // Scope `all` for Logto Management API
}
```
### Use the access token
Once you have the access token, you can use it to authenticate your requests to the Logto Management API. The access token should be included in the `Authorization` header of your requests with the `Bearer` authentication scheme.
Here is an example of how to list the first page of users in your Logto tenant:
```bash
curl --location \
--request GET 'https://[tenant-id].logto.app/api/users' \
--header 'Authorization: Bearer eyJhbG...2g'
```
Replace `[tenant-id]` with your Logto tenant ID and `eyJhbG...2g` with the access token you fetched earlier.
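The same flow as the two `curl` calls above, as an added Python example (not Logto's own SDK): it builds the client credentials request with the `resource` indicator and `scope=all`, checks the token response shape, caches the token until shortly before `expires_in`, and sends it as a Bearer token to a Management API path. The `transport` hook, the `skew_seconds` margin and the tenant/app values are assumptions made for this example.

```python
"""Minimal Logto Management API client using the OAuth 2.0 client credentials grant.

Added example, not Logto's own code. The `transport` callable is a hypothetical hook
so the HTTP layer can be swapped (for instance for an offline test).
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Injectable HTTP transport: (url, body or None, headers) -> (status, response body).
Transport = Callable[[str, Optional[bytes], dict], tuple]


def urllib_transport(url: str, body: Optional[bytes], headers: dict) -> tuple:
    """Default transport: a real HTTP call with urllib (POST when a body is given)."""
    method = "POST" if body is not None else "GET"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def build_token_request(tenant_id: str, app_id: str, app_secret: str) -> tuple:
    """Build the POST /oidc/token request exactly as in the curl example above:
    a form-encoded client_credentials grant targeting the Management API resource."""
    url = f"https://{tenant_id}.logto.app/oidc/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "resource": f"https://{tenant_id}.logto.app/api",
        "scope": "all",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, urllib.parse.urlencode(form).encode(), headers


class ManagementApiClient:
    """Fetches an access token, caches it until shortly before `expires_in`,
    and attaches it as a Bearer token to Management API calls."""

    def __init__(self, tenant_id: str, app_id: str, app_secret: str,
                 transport: Transport = urllib_transport, skew_seconds: int = 60):
        self.tenant_id, self.app_id, self.app_secret = tenant_id, app_id, app_secret
        self.transport = transport
        self.skew = skew_seconds  # refresh margin (assumed value), so a request never carries an expired token
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def access_token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token and now < self._expires_at:
            return self._token  # cached token still valid
        url, body, headers = build_token_request(self.tenant_id, self.app_id, self.app_secret)
        status, raw = self.transport(url, body, headers)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        data = json.loads(raw)
        # Sanity-check the response shape shown above before trusting the token.
        if data.get("token_type") != "Bearer" or "all" not in data.get("scope", "").split():
            raise RuntimeError("unexpected token_type or scope in token response")
        self._token = data["access_token"]
        self._expires_at = now + int(data["expires_in"]) - self.skew
        return self._token

    def get(self, path: str, now: Optional[float] = None) -> tuple:
        """GET a Management API path such as '/api/users' with the Bearer header."""
        headers = {"Authorization": f"Bearer {self.access_token(now)}"}
        return self.transport(f"https://{self.tenant_id}.logto.app{path}", None, headers)
```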
flows:
clientCredentials:
tokenUrl: "/oidc/token"
scopes:
all: All scopes
schemas:
TranslationObject:
type: object
properties:
"[translationKey]":
"$ref": "#/components/schemas/Translation"
example:
input:
username: Username
password: Password
action:
sign_in: Sign In
continue: Continue
Translation:
oneOf:
- type: string
ApplicationLegacySecret:
type: string
deprecated: true
description: The internal client secret. Note it is only used for internal validation,
and the actual secrets should be retrieved from `/api/applications/{id}/secrets`
endpoints.
SamlApplicationResponse:
type: object
properties:
id:
type: string
description: The ID of the SAML application.
name:
type: string
description: The name of the SAML application.
description:
type: string
description: Description of the SAML application.
customData:
type: object
description: Custom data for the application.
acsUrl:
type: string
description: The Assertion Consumer Service (ACS) URL.
entityId:
type: string
description: The SAML entity ID.
createdAt:
type: string
format: date-time
description: The creation time of the SAML application.
SamlRequest:
type: string
description: Base64-encoded SAML request message.
SamlSignature:
type: string
description: Base64-encoded signature of the request.
SamlSignatureAlgorithm:
type: string
description: The signature algorithm used to sign the request.
RelayState:
type: string
description: Optional state parameter to be returned in the response.
parameters:
tenantId-root:
name: id
in: path
description: The unique identifier of the tenant.
required: true
schema:
type: string
tenantId:
name: tenantId
in: path
description: The unique identifier of the tenant.
required: true
schema:
type: string
keyId-root:
in: path
description: The unique identifier of the key.
required: true
schema:
type: string
name: id
keyId:
in: path
description: The unique identifier of the key.
required: true
schema:
type: string
name: keyId
connectorFactoryId-root:
in: path
description: The unique identifier of the connector factory.
required: true
schema:
type: string
name: id
connectorFactoryId:
in: path
description: The unique identifier of the connector factory.
required: true
schema:
type: string
name: connectorFactoryId
factoryId-root:
in: path
description: The unique identifier of the factory.
required: true
schema:
type: string
name: id
factoryId:
in: path
description: The unique identifier of the factory.
required: true
schema:
type: string
name: factoryId
applicationId-root:
in: path
description: The unique identifier of the application.
required: true
schema:
type: string
name: id
applicationId:
in: path
description: The unique identifier of the application.
required: true
schema:
type: string
name: applicationId
connectorId-root:
in: path
description: The unique identifier of the connector.
required: true
schema:
type: string
name: id
connectorId:
in: path
description: The unique identifier of the connector.
required: true
schema:
type: string
name: connectorId
ssoConnectorId-root:
in: path
description: The unique identifier of the SSO connector.
required: true
schema:
type: string
name: id
ssoConnectorId:
in: path
description: The unique identifier of the SSO connector.
required: true
schema:
type: string
name: ssoConnectorId
resourceId-root:
in: path
description: The unique identifier of the resource.
required: true
schema:
type: string
name: id
resourceId:
in: path
description: The unique identifier of the resource.
required: true
schema:
type: string
name: resourceId
userId-root:
in: path
description: The unique identifier of the user.
required: true
schema:
type: string
name: id
userId:
in: path
description: The unique identifier of the user.
required: true
schema:
type: string
name: userId
logId-root:
in: path
description: The unique identifier of the log.
required: true
schema:
type: string
name: id
logId:
in: path
description: The unique identifier of the log.
required: true
schema:
type: string
name: logId
roleId-root:
in: path
description: The unique identifier of the role.
required: true
schema:
type: string
name: id
roleId:
in: path
description: The unique identifier of the role.
required: true
schema:
type: string
name: roleId
scopeId-root:
in: path
description: The unique identifier of the scope.
required: true
schema:
type: string
name: id
scopeId:
in: path
description: The unique identifier of the scope.
required: true
schema:
type: string
name: scopeId
hookId-root:
in: path
description: The unique identifier of the hook.
required: true
schema:
type: string
name: id
hookId:
in: path
description: The unique identifier of the hook.
required: true
schema:
type: string
name: hookId
domainId-root:
in: path
description: The unique identifier of the domain.
required: true
schema:
type: string
name: id
domainId:
in: path
description: The unique identifier of the domain.
required: true
schema:
type: string
name: domainId
verificationId-root:
in: path
description: The unique identifier of the verification.
required: true
schema:
type: string
name: id
verificationId:
in: path
description: The unique identifier of the verification.
required: true
schema:
type: string
name: verificationId
organizationId-root:
in: path
description: The unique identifier of the organization.
required: true
schema:
type: string
name: id
organizationId:
in: path
description: The unique identifier of the organization.
required: true
schema:
type: string
name: organizationId
organizationRoleId-root:
in: path
description: The unique identifier of the organization role.
required: true
schema:
type: string
name: id
organizationRoleId:
in: path
description: The unique identifier of the organization role.
required: true
schema:
type: string
name: organizationRoleId
organizationScopeId-root:
in: path
description: The unique identifier of the organization scope.
required: true
schema:
type: string
name: id
organizationScopeId:
in: path
description: The unique identifier of the organization scope.
required: true
schema:
type: string
name: organizationScopeId
organizationInvitationId-root:
in: path
description: The unique identifier of the organization invitation.
required: true
schema:
type: string
name: id
organizationInvitationId:
in: path
description: The unique identifier of the organization invitation.
required: true
schema:
type: string
name: organizationInvitationId
samlApplicationId-root:
in: path
description: The unique identifier of the SAML application.
required: true
schema:
type: string
name: id
samlApplicationId:
in: path
description: The unique identifier of the SAML application.
required: true
schema:
type: string
name: samlApplicationId
secretId-root:
in: path
description: The unique identifier of the secret.
required: true
schema:
type: string
name: id
secretId:
in: path
description: The unique identifier of the secret.
required: true
schema:
type: string
name: secretId
emailTemplateId-root:
in: path
description: The unique identifier of the email template.
required: true
schema:
type: string
name: id
emailTemplateId:
in: path
description: The unique identifier of the email template.
required: true
schema:
type: string
name: emailTemplateId
oneTimeTokenId-root:
in: path
description: The unique identifier of the one-time token.
required: true
schema:
type: string
name: id
oneTimeTokenId:
in: path
description: The unique identifier of the one-time token.
required: true
schema:
type: string
name: oneTimeTokenId
sessionId-root:
in: path
description: The unique identifier of the session.
required: true
schema:
type: string
name: id
sessionId:
in: path
description: The unique identifier of the session.
required: true
schema:
type: string
name: sessionId
grantId-root:
in: path
description: The unique identifier of the grant.
required: true
schema:
type: string
name: id
grantId:
in: path
description: The unique identifier of the grant.
required: true
schema:
type: string
name: grantId
samlId-root:
name: id
in: path
required: true
description: The ID of the SAML application.
schema:
type: string
tags:
- name: Account center
description: Customize your account API settings.
- name: Applications
description: "An application represents your registered software program or service
that has been authorized to access user information and perform actions on behalf
of users within the system. Currently, Logto supports four types of applications:\n\n-
Traditional web\n- Single-page app\n- Native app\n- Machine-to-machine app.\n\nDepending
on the application type, it may have different authentication flows and access
to the system. See [\U0001F517 Integrate Logto in your application](https://docs.logto.io/docs/recipes/integrate-logto/)
to learn more about how to integrate Logto into your application.\n\nRole-based
access control (RBAC) is supported for machine-to-machine applications. See [\U0001F510
Role-based access control (RBAC)](https://docs.logto.io/docs/recipes/rbac/) to
get started with role-based access control."
- name: Audit logs
description: Audit logs are used to track end-user activities in the Logto sign-in experience
and other flows. They do not include activities in Logto Console.
- name: Authn
description: Authentication endpoints for third-party integrations and identity
providers.
- name: Captcha provider
description: Set up the captcha provider.
- name: Cloud only
- name: Configs
description: "Endpoints for managing Logto global configurations for the tenant,
such as admin console config and OIDC signing keys.\n\nSee [\U0001F511 Signing
keys](https://docs.logto.io/docs/recipes/signing-keys-rotation/) to learn more
about signing keys and key rotation."
- name: Connector factories
description: Connector factories are used to create connectors. They can be treated
as preconfigured templates for connectors.
- name: Connectors
description: "Connectors are the bridge between Logto and other third-party vendors
who provide short message service (SMS), email service, or user information on
widely accepted social media.\n\nTo learn more about connectors, please see [\U0001FA9B
Configure connectors](https://docs.logto.io/docs/recipes/configure-connectors/)."
- name: Custom phrases
description: |-
Endpoints for managing custom phrases that allow you to customize the phrases displayed in the sign-in experience.
See [Localized language](https://docs.logto.io/docs/recipes/customize-sie/localized-language/) to learn more about custom phrases for localization.
- name: Custom profile fields
description: An admin feature used to create a customized user profile form, which
is used to collect additional user information after a successful registration.
- name: Custom UI assets
description: Endpoints for uploading custom UI assets for the sign-in experience.
Users can upload a zip file containing custom HTML, CSS, and JavaScript files
to replace and fully customize the sign-in experience.
- name: Dashboard
description: Endpoints that power the dashboard page of Console to show the statistics
of the current tenant.
- name: Domains
description: "Custom domain lets you present a consistent brand by having your own
domain name on the sign-in and registration pages. See [\U0001F30D Custom domain](https://docs.logto.io/docs/recipes/custom-domain/)
for more details."
- name: Email templates
description: Manage custom i18n email templates for various types of emails, such
as sign-in verification codes and password resets.
- name: Experience
description: The Experience endpoints allow end-users to interact with Logto for
identity verification and profile completion.
- name: Hooks
description: "Hook enables you to effortlessly receive real-time updates regarding
specific events, such as user registration, sign-in, or password reset. See [\U0001FA9D
Webhooks] to get started and learn more."
- name: My account
description: Account routes provide profile management for the end user, who calls
them directly with their own access token.
- name: One-time tokens
description: One-time tokens are used for various authentication and verification
purposes. They are typically sent via email and have an expiration time.
- name: Organization applications
description: |-
Manage organization-application relationships. An application can be associated with one or more organizations in order to get access to organization resources.
Currently, only machine-to-machine applications can be associated with organizations.
- name: Organization invitations
description: Organization invitations are used to invite users to join an organization.
They are sent via email and contain a link that the user can click to accept the
invitation and join the organization.
- name: Organization roles
description: "Organization roles are used to define a set of organization scopes
that can be assigned to users. Every organization role is a part of the organization
template.\n\nOrganization roles will only be meaningful within an organization
context. For example, a user may have an `admin` role for organization A, but
not for organization B. See [\U0001F3E2 Organizations (Multi-tenancy)](https://docs.logto.io/docs/recipes/organizations/)
to get started with organizations and organization template."
- name: Organization scopes
description: "Organization scopes (permissions) are used to define actions that
can be performed on an organization. Every organization scope is a part of the
organization template.\n\nOrganization scopes will only be meaningful within an
organization context. For example, a user may have a `read` scope for organization
A, but not for organization B. See [\U0001F3E2 Organizations (Multi-tenancy)](https://docs.logto.io/docs/recipes/organizations/)
to get started with organizations and organization template."
- name: Organization users
description: |-
Manage organization-user relationships. A user can be a member of one or more organizations in order to get access to organization resources.
Users can be assigned roles in organizations to grant them permissions to perform certain actions in the organization.
- name: Organizations
description: "An organization is a concept that brings together multiple identities
(mostly users). Logto supports multiple organizations, and each organization can
have multiple users.\n\nAll organizations share the same set of roles and permissions
(the organization template). Each user can have different roles in different organizations.
See [\U0001F3E2 Organizations (Multi-tenancy)](https://docs.logto.io/docs/recipes/organizations/)
to get started with organizations and organization template."
- name: Resources
description: |-
Resources (API resources) represent the APIs that you want to protect with Logto. Each resource has a unique indicator (URI) and a set of scopes (permissions). The resources will be used in the authorization process which conforms to [RFC 8707: Resource Indicators for OAuth 2.0](https://www.rfc-editor.org/rfc/rfc8707.html).
See [⚔️ Protect your API](https://docs.logto.io/docs/recipes/protect-your-api/) to learn more about how to define API resources and protect your APIs with Logto.
- name: Roles
description: "Role management for API resource RBAC (role-based access control).
See [\U0001F510 Role-based access control (RBAC)](https://docs.logto.io/docs/recipes/rbac/)
to get started with role-based access control."
- name: SAML applications
description: SAML (Security Assertion Markup Language) applications represent applications
that use the SAML protocol for single sign-on (SSO). These endpoints allow you to
manage SAML applications, including their configurations and signing certificates.
- name: SAML applications auth flow
description: Endpoints for SAML (Security Assertion Markup Language) applications
auth flow.
- name: Secrets
description: Secrets are used to store sensitive information such as API keys, third-party
tokens, and other confidential data in Logto's Secret Vault.
- name: Sentinel activities
description: 'Sentinel activities are used to track and manage user authentication
attempts, including successful and failed attempts. Based on your sentinel policy
settings, Logto will automatically block users after a certain number of failed
attempts. This helps to prevent unauthorized access and protect sensitive data.'
- name: Sign-in experience
description: "Endpoints for customizing Logto sign-in experience. See [\U0001F3A8
Customize sign-in experience](https://docs.logto.io/docs/recipes/customize-sie/)
to learn more about how the configuration works and reflects on the user interface."
- name: SSO connector providers
description: |-
Endpoints for SSO (single sign-on) connector providers.
SSO connector providers provide the metadata and configuration templates for creating SSO connectors.
- name: SSO connectors
description: |-
Endpoints for managing single sign-on (SSO) connectors. Your sign-in experience can use these well-configured SSO connectors to authenticate users and sync user attributes from external identity providers (IdPs).
SSO connectors are created by SSO connector provider factories.
- name: Status
description: Endpoints for health check.
- name: Subject tokens
description: The subject token API provides the ability to create a new subject
token for impersonating the user.
- name: Swagger.json
description: Endpoints for the Swagger JSON document.
- name: Systems
description: Endpoints for system constants and information.
- name: User assets
description: Endpoints for managing user uploaded assets.
- name: Users
description: "Endpoints for user management, including creating, updating, deleting,
and querying users with flexible filters. In addition to the endpoints, see [\U0001F9D1\U0001F680
Manage users](https://docs.logto.io/docs/recipes/manage-users/) for more insights."
- name: Verification codes
description: "Endpoints for handling verification codes. It is helpful when building
a custom profile page in your app. See [\U0001F464 User profile](https://docs.logto.io/docs/recipes/user-profile/#optional-validate-verification-code)
for more details.\n\nNote: Before you call the endpoints, you need to set up your
email/SMS connector first."
- name: Verifications
description: Endpoints for creating and validating verification records, which can
be used in Profile routes.
- name: Well-known
description: Well-Known routes provide information and resources that can be discovered
by clients without the need for authentication.