openapi: 3.0.1 info: title: SlashID API description: | This is the [OpenAPI](https://www.openapis.org/) specification for communicating with the [SlashID](https://www.slashid.dev/) service. The latest version of the OpenAPI API spec can be fetched from [our CDN](https://cdn.slashid.com/slashid-openapi-latest.yaml). We recommend you use an [OpenAPI SDK generator](https://openapi.tools/#sdk) to create a client library in your programming language, but you can also use this documentation to make HTTP calls directly. > **Compatibility note**: We aim to keep wire compatibility whenever we update the API, but parts of the specification may occasionally be refactored. If you use an SDK generator, your code may require minor changes between versions. version: "1.1" termsOfService: https://www.slashid.dev/terms-of-use/ contact: name: API Support email: contact@slashid.dev components: securitySchemes: ApiKeyAuth: description: Authorizes the request with the organization's API Key. x-svc-um-api: true type: apiKey in: header name: SlashID-API-Key OAuth2ClientIdSecret: description: Authorizes the request with a client ID/client secret pair type: http scheme: basic OAuth2AccessTokenBearer: description: Authorizes the request with an Access Token for the current user. type: http scheme: bearer bearerFormat: opaque parameters: OptionalSdkVersionHeader: name: SlashID-SdkVersion in: header schema: type: string required: false description: Optional SDK version example: 1.4.1 RequiredConsistencyHeader: name: SlashID-Required-Consistency in: header description: | The consistency level required for this request. If the consistency level is not achieved within the timeout, the request will fail with a 408 Request Timeout error. 408 Request Timeout error indicates that request was not handled within the timeout, but it may still be handled after request timeout. Allowed values: * `local_region`: Wait while the request executes in the local region. * `all_regions`: Wait while the request executes across all regions. You can learn more about our replication model on our [Cross-region Replication Model](/docs/access/concepts/replication) page. schema: type: string enum: - local_region - all_regions default: local_region RequiredConsistencyTimeoutHeader: name: SlashID-Required-Consistency-Timeout in: header description: | The maximum amount of seconds to wait for the requested consistency level to be achieved. If the consistency level is not achieved within this time, the request will fail with a 408 Request Timeout error. 408 Request Timeout error indicates that request was not handled within the timeout, but it may still be handled after request timeout. You can learn more about our replication model on our [Cross-region Replication Model](/docs/access/concepts/replication) page. schema: type: integer default: 30 maximum: 120 minimum: 1 OrgIDHeader: name: SlashID-OrgID in: header schema: type: string required: true description: The organization ID example: af5fbd30-7ce7-4548-8b30-4cd59cb2aba1 SAMLProviderCredentialsIDPathParam: name: saml_provider_credentials_id description: The SAML provider credentials ID in: path required: true schema: $ref: "#/components/schemas/SAMLProviderCredentialsID" SdkVersionHeader: name: SlashID-SdkVersion in: header schema: type: string required: false description: SDK version example: 1.4.1 RequiredTokenHeader: name: SlashID-Token in: header schema: type: string required: true description: A valid JWT issued by SlashID PersonIDPathParam: name: person_id description: The person ID example: 903c1ff9-f2cc-435c-b242-9d8a690fcf0a in: path required: true schema: type: string CredentialIDPathParam: name: credential_id description: The person's credential ID example: 903c1ff9-f2cc-435c-b242-9d8a690fcf0a in: path required: true schema: type: string AttributeBucketsQueryParam: in: query name: buckets description: A comma-separated list of attribute bucket names example: - person_pool-end_user_read_write,person_pool-end_user_no_access schema: type: array items: type: string style: form explode: false AttributeBucketNamePathParam: in: path name: bucket_name description: | The name of an attribute bucket. The bucket `end_user_read_write` exists for all organizations and is suitable for many common use cases. Please refer to our documentation for more information on attribute buckets. required: true schema: type: string AttributeNamesQueryParam: in: query name: attributes description: A comma-separated list of attribute names example: - address_line_1,address_line_2,city,zip_code schema: type: array items: type: string style: form explode: false PersonFieldsQueryParam: name: fields in: query description: Optional fields to include in the response schema: type: array items: $ref: "#/components/schemas/PersonFieldName" style: form explode: false HandlePathParam: name: handle description: | Handle in format [handle_type]:[handle]. Supported handle types are 'email_address', 'phone_number', and 'username'. This field should be URL-encoded. in: path required: true schema: type: string examples: email_address: $ref: "#/components/examples/emailHandleExample" phone_number: $ref: "#/components/examples/phoneNumberHandleExample" username: $ref: "#/components/examples/usernameHandleExample" IfMatchHeader: name: If-Match in: header description: | The value of the `ETag` header from the GET response. If the value of the `ETag` header from the last response does not match the value of this header, the server will respond with a `412 Precondition Failed` status code. If-Match is not required. If omitted, the server will not check the `ETag` header. schema: type: string GetPersonsPersonIdOrganizationsFilterQueryParam: in: query name: filter schema: type: string description: A filter to be applied to the result list, using the [SCIM 2.0 Filter syntax](https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2). examples: permission_write: summary: Returns only persons with 'write' permission. value: permission eq "write" HandleQueryParam: in: query name: handle schema: type: string description: Filter by handle in format [handle_type]:[handle]. This field should be url-encoded. examples: email_address: $ref: "#/components/examples/emailHandleExample" phone_number: $ref: "#/components/examples/phoneNumberHandleExample" username: $ref: "#/components/examples/usernameHandleExample" PersonsFilterQueryParam: in: query name: filter schema: type: string description: A filter to be applied to the result list, using the [SCIM 2.0 Filter syntax](https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2). examples: person_id: summary: Returns only the person with the specified ID value: person_id eq "063e2964-ea22-76a2-ae08-3a7173964ae5" handle_phone: summary: Returns only the person with the phone handle '+1 201 987-6543' value: handles eq "phone_number:+12019876543" handle_email: summary: Returns the person with the email handle 'john.smith@example.com' value: handles eq "email_address:john.smith@example.com" handle_username: summary: Returns the person with the username handle 'john_smith' value: handles eq "username:john_smith" active: summary: Returns only active persons value: active eq true admin_role: summary: Returns only persons with 'admin' role value: roles eq "admin" source_authoritative_status: summary: Returns only persons from a connection of a certain authoritative level (primary, secondary, none) value: source_authoritative_status eq "primary" permission_write: summary: Returns only persons with 'write' permission. Permission can be assigned permission on from person's role. value: permissions eq "write" additional_permission_write: summary: Returns only persons with 'write' permission. It works only with additionally assigned permissions. value: additional_permissions eq "write" groups_g1: summary: Returns only persons in the 'G1' group value: groups eq "G1" region_us: summary: Returns only persons located in the 'us-iowa' region value: region eq "us-iowa" region_not_us: summary: Returns only persons located outside of the 'us-iowa' region value: region ne "us-iowa" region_us_eu: summary: Returns only persons located in 'us-iowa' or 'europe-belgium' regions value: region eq "us-iowa" or region eq "europe-belgium" attribute_name: summary: Returns only persons with the attribute 'myconfig' (in any bucket) value: attributes eq "myconfig" attribute_prefix: summary: Returns only persons with the attribute names starting in 'myprefix' value: attributes sw "myprefix" attribute_bucket_and_name: summary: Returns only persons with the attribute 'myconfig' in the bucket 'mybucket' value: attribute_buckets[name eq "mybucket" and attributes eq "myconfig"] attribute_in_ro_buckets: summary: Returns only persons with any attribute in one of the user-read-only buckets value: attribute_buckets[end_user_permissions eq "read_only" and attributes pr] attribute_in_pool_buckets: summary: Returns only persons with any attribute in one of the person-pool scoped buckets value: attribute_buckets[sharing_scope eq "person_pool" and attributes pr] LimitQueryParam: in: query name: limit schema: type: integer maximum: 1000 description: The maximum number of items to return in the result. Maximum value is 1000. OffsetQueryParam: in: query name: offset schema: type: integer description: The number of the first item to be returned in the result PersonIDsQueryParam: in: query name: ids description: A comma-separated list of person IDs example: - 064d3697-4bf6-781e-9a08-303683b8a5e6,064d3f71-475e-7ea4-9808-6b72d038a43f schema: type: array items: type: string style: form explode: false GroupNamePathParam: in: path required: true name: group_name schema: $ref: "#/components/schemas/GroupName" description: The name of a group PermissionsNamePathParam: in: path required: true name: permission_name schema: $ref: "#/components/schemas/PermissionName" description: "The name of a permission. Permission name should be URL encoded (so for example: `3b0a8f7e-f26e-4a08-8dae-4d5360a72003%2Fperm_name`)." RolesNamePathParam: in: path required: true name: role_name schema: $ref: "#/components/schemas/RoleName" description: "The name of a role. Role name should be URL encoded (so for example: `3b0a8f7e-f26e-4a08-8dae-4d5360a72003%2Frole_name`)." OAuthProviderQueryParam: name: oauth_provider in: query description: The name of the OAuth provider required: false schema: $ref: "#/components/schemas/OAuthProvider" OAuthClientIDPathParam: name: oauth_client_id description: An OAuth client ID in: path required: true schema: $ref: "#/components/schemas/OAuthClientID" DeleteSuborganizationOptionalQueryParam: in: query name: delete_suborganizations schema: type: boolean description: Whether to delete suborganizations of the organization being deleted. If this option is provided a valid `confirmation_timestamp` param is also required for the operation to proceed. required: false ConfirmationTimestampQueryParam: in: query name: confirmation_timestamp schema: type: string description: RFC3339 timestamp. Must be between -60s and -10s from the current time to be accepted by the endpoint. format: date-time required: false OrganizationsFilterQueryParam: in: query name: filter schema: type: string description: A filter to be applied to the result list, using the [SCIM 2.0 Filter syntax](https://www.rfc-editor.org/rfc/rfc7644#section-3.4.2.2). examples: org_name_eq: summary: Returns only organizations named exactly "my_org" value: name eq "my_org" org_name_co: summary: Returns only organizations with the string "some_str" in the name value: name co "some_str" org_name_sw: summary: Returns only organizations with name starting in "my_prefix" value: name sw "my_prefix" org_id_eq: summary: Returns only the organization with the specified ID, if it exists value: id eq "0be15c7a-a72d-47c4-ab9a-9a88bac3416d" parent_org_id_eq: summary: Returns only organizations children of the org with the specified ID value: parent_org_id eq "0be15c7a-a72d-47c4-ab9a-9a88bac3416d" WebhookIDPathParam: in: path required: true name: webhook_id schema: type: string WebhookTriggerTypeQueryParam: in: query name: trigger_type description: The type of webhook trigger example: event schema: $ref: "#/components/schemas/TriggerType" required: true WebhookTriggerNameQueryParam: in: query name: trigger_name description: The webhook trigger name (for example, an event name) schema: type: string required: true ScopeQueryParam: in: query name: scope schema: type: string required: true ResponseTypeQueryParam: in: query name: response_type schema: type: string required: true ClientIDQueryParam: in: query name: client_id schema: type: string required: true RedirectURIQueryParam: in: query name: redirect_uri schema: type: string required: true StateQueryParam: in: query name: state schema: type: string required: false CodeChallengeQueryParam: in: query name: code_challenge schema: type: string required: false CodeChallengeMethodQueryParam: in: query name: code_challenge_method schema: type: string required: false ResponseModeQueryParam: in: query name: response_mode schema: type: string required: false NonceQueryParam: in: query name: nonce schema: type: string required: false DisplayQueryParam: in: query name: display schema: type: string enum: - page required: false PromptQueryParam: in: query name: prompt schema: type: string enum: - none - login required: false MaxAgeQueryParam: in: query name: max_age schema: type: integer format: int32 required: false UILocalesQueryParam: in: query name: ui_locales schema: type: string required: false LoginHintQueryParam: in: query name: login_hint schema: type: string required: false ACRValuesQueryParam: in: query name: acr_values schema: type: string required: false HandleTypesQueryParam: in: query name: handle_types schema: type: string required: false schemas: ValidateTokenReq: required: - token type: object properties: token: $ref: "#/components/schemas/TokenText" APIResponseBase: type: object properties: meta: $ref: "#/components/schemas/APIMeta" errors: type: array items: $ref: "#/components/schemas/APIResponseError" ValidateTokenResponse: type: object required: - valid properties: valid: description: True if token is genuine and has not expired yet, false otherwise. type: boolean invalidity_reason: description: If the token is invalid, this field contains the reason. type: string enum: - invalid_token_content - expired - invalid_issuer - not_enough_factors - person_not_active expires_in_seconds: description: JWT token validity. This value is not present if the token is not valid (valid field == false). type: integer expires_at: description: Token expiration time in UTC. This value is not present if token is not valid (valid field == false) or expired. type: string format: date-time RevokeTokenReq: required: - token type: object properties: token: $ref: "#/components/schemas/TokenText" SAMLProviderCredentialsGetResponse: $ref: "#/components/schemas/SAMLProviderCredentials" SAMLProviderCredentialsPostRequest: type: object description: Request to create a new SAML provider credential properties: label: description: A friendly free-form label to help you identify this set of SAML provider credentials. type: string idp_metadata_url: description: The SAML IdP's metadata URL. type: string email_claims: description: The names of the claims in the SAML response containing the users' email addresses. The first match is added to the person's set of handles. type: array items: type: string maxItems: 3 enable_in_slashid_oidc_authz_server: type: boolean description: Indicates whether these credentials can be used for SSO authentication during an OIDC flow in which SlashID acts as the Authorization Server. required: - idp_metadata_url SAMLProviderCredentialsPostResponse: $ref: "#/components/schemas/SAMLProviderCredentials" SAMLProviderCredentialsPatchRequest: type: object description: Request to modify an existing SAML provider credential properties: label: description: A friendly free-form label to help you identify this set of SAML provider credentials. type: string idp_metadata_url: description: The SAML IdP's metadata URL. type: string email_claims: description: The names of the claims in the SAML response containing the users' email addresses. The first match is added to the person's set of handles. type: array items: type: string maxItems: 3 enable_in_slashid_oidc_authz_server: type: boolean description: Indicates whether these credentials can be used for SSO authentication during an OIDC flow in which SlashID acts as the Authorization Server. OAuthTokenRevokeReq: required: - client_id - token - token_type type: object properties: client_id: description: The client ID originally used to obtain the token from the IdP type: string token: description: The token to be revoked type: string token_type: description: The type of token being revoked, either access or refresh type: string enum: - access_token - refresh_token SsoOidcTokensRevokeV2Req: required: - person_id - authentication_id type: object properties: person_id: $ref: "#/components/schemas/PersonID" authentication_id: type: string description: | The ID of the SSO OIDC authentication that issued the OIDC token(s) to be revoked. token_types: type: array description: | The type of OIDC token being revoked. If not provided, all OIDC tokens matching the provided authentication ID will be revoked. items: $ref: "#/components/schemas/OIDCTokenType" SsoOidcTokensGetResponse: type: array items: $ref: "#/components/schemas/SsoOidcTokenDetail" SsoOidcTokensQueryReq: required: - person_id type: object properties: person_id: $ref: "#/components/schemas/PersonID" authentication_ids: type: array description: | The IDs of the SSO OIDC authentications that issued the OIDC tokens. If not provided, all OIDC tokens for this person matching the specified types will be returned. items: type: string token_types: type: array description: | The types of tokens to be returned. If not provided, all OIDC tokens for this person issued during the specified authentication(s) will be returned. items: $ref: "#/components/schemas/OIDCTokenType" SsoOidcTokensQueryResp: type: array items: $ref: "#/components/schemas/SsoOidcTokenDetail" PersonDirectIDReq: required: - duration_secs type: object properties: duration_secs: description: How long (in seconds) the Direct-ID should be valid for. If unspecified, it is set to your organization's default value. type: integer DirectID: $ref: "#/components/schemas/Bytes" PostMintTokenRequest: type: object properties: custom_claims: description: | Set of custom claims to be added to the JWT payload, as key-value pairs. type: object additionalProperties: true example: custom_attribute_1: 42 custom_attribute_2: sub_attr: 24 UserTokenText: type: string ExportedCredential: oneOf: - $ref: "#/components/schemas/ExportedPublicKeyCredential" - $ref: "#/components/schemas/ExportedPasswordCredential" - $ref: "#/components/schemas/ExportedTOTPCredential" discriminator: propertyName: type mapping: public-key: "#/components/schemas/ExportedPublicKeyCredential" password: "#/components/schemas/ExportedPasswordCredential" totp: "#/components/schemas/ExportedTOTPCredential" Credential: type: object oneOf: - $ref: "#/components/schemas/PublicKeyCredential" - $ref: "#/components/schemas/PasswordCredential" - $ref: "#/components/schemas/TOTPCredential" discriminator: propertyName: type mapping: public-key: "#/components/schemas/PublicKeyCredential" password: "#/components/schemas/PasswordCredential" totp: "#/components/schemas/TOTPCredential" PasswordCredential: type: object properties: type: $ref: "#/components/schemas/CredentialType" params: $ref: "#/components/schemas/PasswordCredentialParams" label: type: string required: - type - params PasswordResetPostReq: type: object properties: force_change: type: boolean description: Delete the existing password for a person, forcing a new password to be set before the next password authentication. reset_handle: $ref: "#/components/schemas/PersonHandle" PasswordRotatePostResp: type: object properties: new_password: type: string PatchBucketedAttributesReq: $ref: "#/components/schemas/BucketedAttributes" PutBucketedAttributesReq: $ref: "#/components/schemas/BucketedAttributes" GetBucketedAttributesResp: $ref: "#/components/schemas/BucketedAttributes" PatchAttributesReq: $ref: "#/components/schemas/Attributes" PutAttributesReq: $ref: "#/components/schemas/Attributes" GetAttributesResp: $ref: "#/components/schemas/Attributes" GDPRConsentResponse: type: object required: - consents properties: consents: type: array items: $ref: "#/components/schemas/GDPRConsent" GDPRConsentRequest: type: object required: - consent_levels properties: consent_levels: type: array items: $ref: "#/components/schemas/GDPRConsentLevel" GDPRConsentLevel: type: string enum: - none - necessary - analytics - marketing - retargeting - tracking PersonRet: type: object properties: active: type: boolean description: A flag indicating whether the person is active or not person_id: type: string description: The ID of the person person_type: $ref: "#/components/schemas/PersonType" region: $ref: "#/components/schemas/Region" handles: $ref: "#/components/schemas/PersonHandlesResponse" groups: $ref: "#/components/schemas/PersonGroupsResponse" attributes: $ref: "#/components/schemas/BucketedAttributes" required: - active - person_id - person_type - region description: Abridged person structure PersonPatchReq: type: object properties: active: type: boolean description: A flag indicating whether the person should be active or not example: true description: Structure to modify a person PersonHandlesReq: type: array items: $ref: "#/components/schemas/PersonHandle" PersonHandlesResponse: type: array items: $ref: "#/components/schemas/PersonHandle" PersonGroupsResponse: type: array items: $ref: "#/components/schemas/GroupName" PutPersonGroupsReq: type: object properties: groups: type: array items: $ref: "#/components/schemas/GroupName" PersonPermissionsResponse: type: array items: $ref: "#/components/schemas/PermissionName" PutPersonPermissionsRequest: type: object properties: permissions: type: array items: $ref: "#/components/schemas/PermissionName" required: - permissions PersonRolesResponse: type: array items: $ref: "#/components/schemas/RoleName" PutPersonRolesRequest: type: object properties: roles: type: array items: $ref: "#/components/schemas/RoleName" required: - roles GetPersonOrganizationsResponse: type: array items: $ref: "#/components/schemas/OrganizationDetails" PersonCreateReq: allOf: - $ref: "#/components/schemas/PersonPatchReq" - type: object properties: attributes: $ref: "#/components/schemas/BucketedAttributes" handles: type: array description: the list of handles for the user items: $ref: "#/components/schemas/PersonHandle" groups: type: array description: A list of group names to assign the person to. Previous groups are overwritten. Groups must already exist. items: $ref: "#/components/schemas/GroupName" region: $ref: "#/components/schemas/Region" credentials: type: array items: $ref: "#/components/schemas/Credential" description: Structure to create a person PersonsPostResponse: $ref: "#/components/schemas/PersonRet" PersonsPutResponse: $ref: "#/components/schemas/PersonRet" PersonsBulkImportRequest: type: object properties: persons: description: File in CSV format that contains the persons to import. type: string format: binary required: - persons PersonsBulkImportResponse: type: object properties: successful_imports: description: Number of sucessfully imported persons. type: integer failed_imports: description: Number of persons that we failed to import. type: integer failed_csv: description: CSV containing the persons we failed to import and the reason behind the failure. type: string required: - successful_imports - failed_imports PostGroupReq: type: object properties: name: $ref: "#/components/schemas/GroupName" description: type: string required: - name ListGroupsResponse: type: array items: $ref: "#/components/schemas/GroupName" GetGroupResponse: type: object properties: name: $ref: "#/components/schemas/GroupName" description: type: string members_count: type: integer created: type: string format: date-time required: - name - members_count - created PostGroupPersonsReq: type: object properties: persons: type: array description: List of person IDs to add to the group items: $ref: "#/components/schemas/PersonID" required: - persons PostPermissionRequest: type: object properties: name: $ref: "#/components/schemas/PermissionName" description: type: string required: - name ListPermissionsResponse: type: array items: $ref: "#/components/schemas/PermissionName" GetPermissionResponse: type: object properties: name: $ref: "#/components/schemas/PermissionName" description: type: string created: type: string format: date-time required: - name - created PatchPermissionRequest: type: object properties: description: type: string PostRoleRequest: type: object properties: name: $ref: "#/components/schemas/RoleName" description: type: string permissions: type: array items: $ref: "#/components/schemas/PermissionName" required: - name ListRolesResponse: type: array items: $ref: "#/components/schemas/RoleName" GetRoleResponse: type: object properties: name: $ref: "#/components/schemas/RoleName" description: type: string created: type: string format: date-time permissions: type: array items: $ref: "#/components/schemas/PermissionName" required: - name - created - permissions PatchRoleRequest: type: object properties: description: type: string permissions: type: array items: $ref: "#/components/schemas/PermissionName" PostRBACCheckRequest: type: object properties: person_id: $ref: "#/components/schemas/PersonID" permission_name: $ref: "#/components/schemas/PermissionName" required: - person_id - permission_name PostRBACCheckResp: type: object properties: granted: type: boolean required: - granted ExternalCredential: type: object required: - external_cred_id - organization_id - extcred_provider - extcred_type - extcred_label properties: external_cred_id: $ref: "#/components/schemas/ExternalCredID" organization_id: $ref: "#/components/schemas/OrganizationID" extcred_provider: $ref: "#/components/schemas/ExternalProvider" extcred_label: type: string extcred_type: $ref: "#/components/schemas/ExternalCredTypes" json_blob: $ref: "#/components/schemas/ExternalCredentialContent" ExternalCredentialPostRequest: type: object description: Request to create a new external credential required: - extcred_provider - json_blob - extcred_type properties: extcred_provider: $ref: "#/components/schemas/ExternalProvider" extcred_type: $ref: "#/components/schemas/ExternalCredTypes" extcred_label: type: string json_blob: $ref: "#/components/schemas/ExternalCredentialContent" PatchExternalCredentialRequest: type: object properties: extcred_label: type: string json_blob: $ref: "#/components/schemas/ExternalCredentialContent" TemplateName: description: |- Identifier for an e-mail/SMS message template The following templates are available for customization: - `email_authn_challenge`: E-mail template with magic link; - `email_otp_message`: E-mail template with OTP code; - `text_authn_challenge`: SMS template with magic link; - `text_otp_message`: SMS template with OTP code; type: string enum: - email_authn_challenge - email_otp_message - text_authn_challenge - text_otp_message - email_password_reset - email_password_change_notify - text_password_reset - text_password_change_notify MessageTemplate: description: Template for E-mail or SMS messages. Empty fields fall back to default value. type: object properties: sender_name: type: string description: Sender name (not address). Must be empty for SMS templates. example: SlashID subject: type: string description: E-mail subject. Must be empty for SMS templates. example: Confirm Your Login with SlashID body: type: string description: Message body. Must be HTML for e-mail templates and plain text for SMS example: Your security code is {{otp_code}} OrganizationDomainsPatchRequest: type: object properties: domains: type: array description: List of domain patterns items: $ref: "#/components/schemas/OrganizationDomainPattern" example: domains: - ok.com - "*.ok.com" - my?site.org - a[0-9].my?site.org TokenTemplate: description: Template for user tokens emitted on authentication. type: object properties: content: type: string description: The token claims [mustache](https://mustache.github.io/mustache.5.html) template. Must render to a valid JSON object. example: '{ "my_custom_org_name": "custom_prefix-{{ organization.name }}" }' required: - content OAuthCredentialGetResponse: type: object description: Response when retrieving an OAuth credential properties: client_id: $ref: "#/components/schemas/OAuthClientID" provider: $ref: "#/components/schemas/OAuthProvider" label: type: string external_cred_id: $ref: "#/components/schemas/ExternalCredID" enable_in_slashid_oidc_authz_server: type: boolean description: Indicates whether these credentials can be used for SSO authentication during an OIDC flow in which SlashID acts as the Authorization Server. options: $ref: "#/components/schemas/OAuthProvidersOptions" required: - client_id - provider OAuthCredentialPostRequest: type: object required: - client_id - client_secret - provider description: Request to create a new OAuth credential properties: client_id: $ref: "#/components/schemas/OAuthClientID" client_secret: type: string provider: $ref: "#/components/schemas/OAuthProvider" label: type: string external_cred: $ref: "#/components/schemas/ExternalCredID" deprecated: true external_cred_id: $ref: "#/components/schemas/ExternalCredID" enable_in_slashid_oidc_authz_server: type: boolean description: Indicates whether these credentials can be used for SSO authentication during an OIDC flow in which SlashID acts as the Authorization Server. options: $ref: "#/components/schemas/OAuthProvidersOptions" OAuthCredentialPatchRequest: type: object description: Request to modify an existing OAuth credential properties: client_secret: type: string label: type: string external_cred: $ref: "#/components/schemas/ExternalCredID" deprecated: true external_cred_id: $ref: "#/components/schemas/ExternalCredID" options: $ref: "#/components/schemas/OAuthProvidersOptions" enable_in_slashid_oidc_authz_server: type: boolean description: Indicates whether these credentials can be used for SSO authentication during an OIDC flow in which SlashID acts as the Authorization Server. OrganizationResponse: allOf: - $ref: "#/components/schemas/Organization" - type: object required: - persons_pool_org_ids - group_pool_org_ids properties: parent_id: description: The ID of the parent organization. $ref: "#/components/schemas/OrganizationID" persons_pool_org_ids: description: The list of organizations or suborganizations that share user identities with this organization type: array items: $ref: "#/components/schemas/OrganizationID" group_pool_org_ids: description: The list of organizations or suborganizations that share user groups with this organization type: array items: $ref: "#/components/schemas/OrganizationID" inherits_rbac_pools: type: boolean OrganizationID: type: string SuborganizationCreateRequest: type: object properties: sub_org_name: type: string admins: type: array items: $ref: "#/components/schemas/PersonHandle" persons_org_id: $ref: "#/components/schemas/OrganizationID" groups_org_id: $ref: "#/components/schemas/OrganizationID" inherit_rbac_pools: type: boolean description: | This setting determines how permissions and roles are managed for a suborganization. When `inherit_rbac_pools` is set to false: - The suborganization has its own independent permissions and roles. - Permissions and roles can be fully customized for this suborganization. When `inherit_rbac_pools` is set to true: - Permissions: - Inherited from the nearest ancestor with 'inherit_rbac_pools' set to false. - Read-only for this suborganization. - Cannot be modified within this suborganization. - Roles: - Scoped to each organization, including this suborganization. - Visible across all organizations within the inheritance pool. - Roles from other organizations can be assigned to users in this suborganization. Note: - Individual role and permission assignments are not inherited. - This setting cannot be changed after the suborganization is created. required: - sub_org_name - admins OrganizationCreateResponse: allOf: - $ref: "#/components/schemas/Organization" - type: object required: - api_key properties: api_key: $ref: "#/components/schemas/Bytes" OrganizationsPutAPIKeyResponse: type: object required: - api_key properties: api_key: type: string OrganizationConfig: type: object description: Configuration values for an organization. Note that some values are read-only. properties: pricing_tier: $ref: "#/components/schemas/PricingTier" from_email: type: string description: | The email address from which authentication emails are sent. Empty means SlashID's default e-mail address will be used. This is set during onboarding. from_phone_number_sms: type: string description: | The phone number from which authentication SMS messages are sent. Empty means SlashID's default phone numbers will be used. This is set during onboarding. token_duration: type: integer description: The number of seconds before a token expires. groups_claim_name: type: string description: The name of the JWT claim holding the list of groups for the authenticated user identified in the token. example: dev.slashid.groups requires_manual_approval: type: boolean description: If true, new users are deactivated until the organization admin sets the person's `active` field. deny_self_registration: type: boolean description: If true, new users can only be created by the organization admin allowed_factor_methods: type: array description: | Only allow authentication using the specified factor methods. Empty means all supported factors are enabled. This configuration doesn't affect API and DirectID authentications. example: - sms_link - email_link - webauthn items: $ref: "#/components/schemas/FactorMethod" authn_link_allowed_redirect_uris: type: array maxItems: 8 description: | The URIs to which users can be redirected after authenticating with an email/SMS link. It can't be an IP, nor contain query parameters or fragments. We advise that it's an HTTPS URI but we don't require it. Custom schemes are allowed. example: - https://slashid.com - http://localhost:8080/a-path - com.slashid://example items: type: string new_person_handle_patterns: type: array description: Only allow registration of new persons with a handle matching one of the patterns. example: - "*@example.com" - +1* items: $ref: "#/components/schemas/GlobPattern" sudo_mode_duration: type: integer description: The number of seconds, after users authenticate, during which they can perform sensitive actions. authn_redirect_page_ui_config: $ref: "#/components/schemas/AuthnRedirectPageUIConfig" canonical_identity_ai_matching_enabled: type: boolean description: | If true (default), uses AI-based matching for canonical identities which provides higher accuracy through fuzzy matching and semantic analysis. If false, uses deterministic field-level matching based on exact email/identifier matches, which may result in more missed matches and require more manual management. default: true required: - from_email - from_phone_number_sms - token_duration - groups_claim_name - requires_manual_approval - deny_self_registration - allowed_factor_methods - authn_link_allowed_redirect_uris - new_person_handle_patterns - sudo_mode_duration OrganizationConfigPatchRequest: type: object description: Request for updating organization configuration values. properties: token_duration: type: integer description: The number of seconds before a token expires groups_claim_name: type: string description: The name of the JWT claim holding the list of groups for the authenticated user identified in the token example: dev.slashid.groups requires_manual_approval: type: boolean description: If true, new users are deactivated until the organization admin sets the person's `active` field. deny_self_registration: type: boolean description: If true, new users can only be created by the organization admin allowed_factor_methods: type: array description: | Only allow authentication using the specified factor methods. Empty means all supported factors are enabled. This configuration doesn't affect API and DirectID authentications. example: - sms_link - email_link - webauthn items: $ref: "#/components/schemas/FactorMethod" authn_link_allowed_redirect_uris: type: array description: | The URIs to where users can be redirected after authenticating with an email/SMS link. items: type: string new_person_handle_patterns: type: array description: Only allow registration of new persons with a handle matching one of the patterns example: - "*@example.com" - +1* items: $ref: "#/components/schemas/GlobPattern" sudo_mode_duration: type: integer description: The number of seconds, after users authenticate, during which they can perform sensitive actions. Negative values will revert this property to its default (15 minutes). authn_redirect_page_ui_config: $ref: "#/components/schemas/AuthnRedirectPageUIConfig" canonical_identity_ai_matching_enabled: type: boolean description: | Enable or disable AI-based canonical identity matching. When disabled, falls back to deterministic field-level matching. PricingTierConstraints: type: object description: | Details of the constraints applied to a specific pricing tier. required: - name - custom_templates_allowed - nhi_external_connections_allowed properties: name: $ref: "#/components/schemas/PricingTier" custom_templates_allowed: description: Indicates if custom email and SMS message templates are allowed type: boolean nhi_external_connections_allowed: description: Indicates if external connections to non-human identity sources are allowed type: boolean max_suborganizations: description: Indicates the maximum number of the suborganizations in the hierarchy, not including the root organization. `null` indicates no limit. type: integer format: int64 max_persons: description: Indicates the maximum number of persons allowed, including all suborganizations in the hierarchy. `null` indicates no limit. type: integer format: int64 max_groups: description: Indicates the maximum number of groups allowed, including all suborganizations in the hierarchy. `null` indicates no limit. type: integer format: int64 OrganizationUsageDetails: type: object description: | Details of how many suborganization/persons/groups have been used by this organization hierarchy. required: - num_suborganizations - num_persons - num_groups properties: pricing_tier_details: $ref: "#/components/schemas/PricingTierConstraints" num_suborganizations: description: Indicates the number of the suborganizations in the hierarchy, not including the root organization. type: integer format: int64 num_persons: description: Indicates the number of persons, including all suborganizations in the hierarchy. type: integer format: int64 num_groups: description: Indicates the groups, including all suborganizations in the hierarchy. type: integer format: int64 AttributeBucket: type: object description: An attribute bucket with access settings required: - name - sharing_scope - end_user_permissions properties: name: type: string description: The name of the attribute bucket sharing_scope: $ref: "#/components/schemas/AttributeSharingScope" owner_organization_id: $ref: "#/components/schemas/OrganizationID" end_user_permissions: $ref: "#/components/schemas/AttributePermissions" OrganizationKYCConfig: type: object description: Configuration values related to KYC for an organization. properties: mobile_redirect_base_url: type: string description: The base URL to redirect users to perform document upload/capture from mobile devices example: https://www.example.com/mobile-upload OrganizationKYCConfigPatchRequest: $ref: "#/components/schemas/OrganizationKYCConfig" WebhookPostRequest: $ref: "#/components/schemas/WebhookConfiguration" WebhookPostResponse: $ref: "#/components/schemas/Webhook" Webhook: type: object allOf: - type: object properties: id: type: string required: - id - $ref: "#/components/schemas/WebhookConfiguration" WebhookPatchRequest: type: object properties: name: type: string description: | Human-readable name for this webhook. This does not need to be unique, but it is recommended that you choose a name that can be used to distinguish this webhook from others. description: type: string description: | A description of this webhook. This can be used to associate additional information with this webhook for future reference. target_url: type: string description: | The target URL for this webhook. This URL must include the protocol, and the protocol must be HTTPS. A target URL can be registered at most once per organization, but each target URL can have multiple triggers. custom_headers: type: object additionalProperties: type: array items: type: string description: | A set of custom HTTP headers that will be included in requests to this webhook, provided as key-value pairs. If set, will overwrite existing custom headers. timeout: type: string description: The timeout that will be applied when calling this webhook. WebhookPatchResponse: $ref: "#/components/schemas/Webhook" WebhookTrigger: oneOf: - $ref: "#/components/schemas/EventTrigger" - $ref: "#/components/schemas/SyncHookTrigger" discriminator: propertyName: trigger_type mapping: event: "#/components/schemas/EventTrigger" sync_hook: "#/components/schemas/SyncHookTrigger" WebhookTriggerPostRequest: $ref: "#/components/schemas/WebhookTrigger" JWKS: type: object additionalProperties: true PostOAuth2ClientRequest: type: object required: - client_name - scopes - grant_types properties: client_name: $ref: "#/components/schemas/OAuth2ClientName" scopes: $ref: "#/components/schemas/OAuth2ClientScopes" grant_types: $ref: "#/components/schemas/OAuth2ClientGrantTypes" access_token_duration: $ref: "#/components/schemas/OAuth2ClientAccessTokenDuration" refresh_token_duration: $ref: "#/components/schemas/OAuth2ClientRefreshTokenDuration" redirect_uris: $ref: "#/components/schemas/OAuth2ClientRedirectURIs" public: $ref: "#/components/schemas/OAuth2ClientPublic" OAuth2ClientWithSecret: allOf: - $ref: "#/components/schemas/OAuth2Client" - $ref: "#/components/schemas/OAuth2ClientSecretResponse" OAuth2Client: type: object required: - client_id - client_name - grant_types - response_types - scopes - public properties: client_id: $ref: "#/components/schemas/OAuth2ClientID" client_name: $ref: "#/components/schemas/OAuth2ClientName" grant_types: $ref: "#/components/schemas/OAuth2ClientGrantTypes" response_types: $ref: "#/components/schemas/OAuth2ClientResponseTypes" scopes: $ref: "#/components/schemas/OAuth2ClientScopes" access_token_duration: $ref: "#/components/schemas/OAuth2ClientAccessTokenDuration" refresh_token_duration: $ref: "#/components/schemas/OAuth2ClientRefreshTokenDuration" public: $ref: "#/components/schemas/OAuth2ClientPublic" redirect_uris: $ref: "#/components/schemas/OAuth2ClientRedirectURIs" created_at: type: string format: date-time last_used: type: string format: date-time PatchOAuth2ClientRequest: type: object properties: client_name: $ref: "#/components/schemas/OAuth2ClientName" grant_types: $ref: "#/components/schemas/OAuth2ClientGrantTypes" scopes: $ref: "#/components/schemas/OAuth2ClientScopes" access_token_duration: $ref: "#/components/schemas/OAuth2ClientAccessTokenDuration" refresh_token_duration: $ref: "#/components/schemas/OAuth2ClientRefreshTokenDuration" redirect_uris: $ref: "#/components/schemas/OAuth2ClientRedirectURIs" OAuth2ClientSecretResponse: type: object required: - client_secret properties: client_secret: $ref: "#/components/schemas/OAuth2ClientSecret" OAuthClientUIConfigurationGetResponse: $ref: "#/components/schemas/OAuthClientUIConfiguration" OAuthClientUIConfigurationPutRequest: $ref: "#/components/schemas/OAuthClientUIConfiguration" OAuthClientUIConfigurationPutResponse: $ref: "#/components/schemas/OAuthClientUIConfiguration" PostOAuth2TokenRequest: oneOf: - $ref: "#/components/schemas/PostOAuth2TokenRequestClientCredentials" - $ref: "#/components/schemas/PostOAuth2TokenRequestAuthorizationCode" - $ref: "#/components/schemas/PostOAuth2TokenRequestRefreshToken" discriminator: propertyName: grant_type mapping: client_credentials: "#/components/schemas/PostOAuth2TokenRequestClientCredentials" authorization_code: "#/components/schemas/PostOAuth2TokenRequestAuthorizationCode" refresh_token: "#/components/schemas/PostOAuth2TokenRequestRefreshToken" PostOAuth2TokenResponse: oneOf: - $ref: "#/components/schemas/PostOAuth2TokenResponseClientCredentials" - $ref: "#/components/schemas/PostOAuth2TokenResponseAuthorizationCode" - $ref: "#/components/schemas/PostOAuth2TokenResponseRefreshToken" RevokeOAuth2TokenRequest: type: object required: - token properties: token: type: string token_type_hint: $ref: "#/components/schemas/OAuth2TokenType" RevokeAllOAuth2TokensRequest: type: object required: - person_id properties: person_id: $ref: "#/components/schemas/PersonID" until: type: string format: date-time IntrospectOAuth2TokenRequest: type: object required: - token properties: token: type: string token_type_hint: $ref: "#/components/schemas/OAuth2TokenType" scope: $ref: "#/components/schemas/OAuth2ScopesSpaceDelimited" IntrospectOAuth2TokenResponse: type: object required: - active properties: active: type: boolean description: Whether the token is active. False for invalid and expired tokens, and tokens that are not granted the scopes specified in the request. client_id: type: string description: The client ID used to create this token. Only included if `active` is `true`. exp: type: integer description: The expiration timestamp of the token. Only included if `active` is `true`. iat: type: integer description: The timestamp when the token was issued. Only included if `active` is `true`. scope: type: string description: The scope granted to the token. Only included if `active` is `true`. MintOAuth2TokensRequest: type: object required: - person_id - client_id properties: person_id: $ref: "#/components/schemas/PersonID" client_id: $ref: "#/components/schemas/OAuth2ClientID" scopes: type: array items: type: string custom_claims: type: object additionalProperties: true MintOAuth2TokensResponse: type: object required: - access_token properties: id_token: type: string access_token: type: string refresh_token: type: string UserinfoOAuth2Response: type: object required: - sub - iss - aud - org_id properties: sub: type: string description: The subject granted to the token, as a person ID. iss: type: string description: The access token issuer. aud: type: string description: The audience granted to th token, that is, the OAuth2 client ID. org_id: type: string description: The SlashID organization ID granted to the token. email: type: string description: The email address of the person. Only present if the authorization request included scope `email`. email_verified: type: boolean description: Is `true` if the ownership of the email address was verified. `false` otherwise. phone_number: type: string description: The phone number of the person. Only present if the authorization request included scope `phone`. phone_number_verified: type: boolean description: Is `true` if the ownership of the phone number was verified. `false` otherwise. username: type: string description: The username of the person. Only present if the authorization request included scope `username`. TestEventsPostReq: type: array items: $ref: "#/components/schemas/TestEventsSpecification" TestEventsPostResponse: type: array items: $ref: "#/components/schemas/TestEvent" OpenIDConfig: type: object required: - issuer - authorization_endpoint - token_endpoint - jwks_uri - response_types_supported - subject_types_supported - id_token_signing_alg_values_supported properties: issuer: type: string description: URL using the https scheme with no query or fragment components that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer. authorization_endpoint: type: string description: URL of the OP's OAuth 2.0 Authorization Endpoint. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. token_endpoint: type: string description: URL of the OP's OAuth 2.0 Token Endpoint [OpenID.Core]. This is REQUIRED unless only the Implicit Flow is used. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. userinfo_endpoint: type: string description: URL of the OP's UserInfo Endpoint [OpenID.Core]. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. jwks_uri: type: string description: URL of the OP's JWK Set [JWK] document, which MUST use the https scheme. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate. The JWK Set MUST NOT contain private or symmetric key values. registration_endpoint: type: string description: URL of the OP's Dynamic Client Registration Endpoint [OpenID.Registration], which MUST use the https scheme. scopes_supported: type: array items: type: string description: JSON array containing a list of the OAuth 2.0 scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used, although those defined in [OpenID.Core] SHOULD be listed, if supported. response_types_supported: type: array items: type: string description: JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the id_token token Response Type values. grant_types_supported: type: array items: type: string description: JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"]. acr_values_supported: type: array items: type: string description: JSON array containing a list of the Authentication Context Class References that this OP supports. subject_types_supported: type: array items: type: string description: JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. id_token_signing_alg_values_supported: type: array items: type: string description: JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow). token_endpoint_auth_methods_supported: type: array items: type: string description: JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. claims_supported: type: array items: type: string description: JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. WorkflowCreateRequest: type: object required: - name properties: name: type: string description: Workflow name minLength: 1 maxLength: 255 description: type: string description: Workflow description maxLength: 1000 Workflow: type: object required: - kind - id - org_id - name - status - created_by - created_at - updated_by - updated_at - execution_count - success_count - failure_count - latest_configuration_version properties: kind: type: string enum: - workflow - workflow_with_configuration description: | Discriminator for the GET /workflows/{id} response variant. `workflow` is returned when `include_configuration=false`; `workflow_with_configuration` when the latest version is bundled into the response. The enum lists both values intentionally so the schema composition `WorkflowWithConfiguration = allOf [Workflow, WorkflowConfiguration]` doesn't produce an unsatisfiable enum constraint; the discriminator on the endpoint's `oneOf` does the runtime dispatch. Required so the typescript-fetch generator emits switch-based dispatch (needed since openapi-generator-cli v7 — see PR #5928) instead of order-sensitive `instanceOf` checks that silently drop the configuration fields when both schemas overlap. id: type: string description: Unique workflow identifier org_id: type: string description: Organization ID name: type: string description: Workflow name minLength: 1 maxLength: 255 description: type: string description: Workflow description maxLength: 1000 status: $ref: "#/components/schemas/WorkflowStatus" created_by: type: string description: User ID who created the workflow created_at: type: string format: date-time description: Workflow creation timestamp updated_by: type: string description: User ID who last updated the workflow updated_at: type: string format: date-time description: Last update timestamp activated_at: type: string format: date-time description: When workflow was first activated paused_at: type: string format: date-time description: When workflow was paused last_executed_at: type: string format: date-time description: Last execution timestamp execution_count: type: integer description: Total execution count minimum: 0 success_count: type: integer description: Successful execution count minimum: 0 failure_count: type: integer description: Failed execution count minimum: 0 latest_configuration_id: type: string description: ID of the latest configuration version latest_configuration_version: type: integer description: Latest configuration version number minimum: 0 WorkflowStatus: type: string enum: - draft - active - paused - deleted description: Current state of a workflow WorkflowDataInputType: type: string enum: - detection - lifecycle - uar_finding - cypher_query description: Type of data input for workflow WorkflowWithConfiguration: allOf: - $ref: "#/components/schemas/Workflow" - $ref: "#/components/schemas/WorkflowConfiguration" WorkflowUpdateRequest: type: object properties: name: type: string description: New workflow name minLength: 1 maxLength: 255 description: type: string description: New workflow description maxLength: 1000 data_input_config: $ref: "#/components/schemas/WorkflowDataInputConfiguration" description: | Updated data input configuration. If provided, creates a new version with new data retrieval settings. actions: type: object description: | Updated actions configuration. Map of action ID to action configuration. additionalProperties: $ref: "#/components/schemas/WorkflowActionConfiguration" starting_actions: type: array description: | IDs of actions to execute first after data input completes. Enables tree-based execution where only these actions start initially, and child actions are triggered via the children field. items: type: string WorkflowConfiguration: type: object required: - id - workflow_id - org_id - version - data_input_config - actions - created_by - created_at - is_latest properties: id: type: string description: Unique configuration identifier workflow_id: type: string description: Parent workflow ID org_id: type: string description: Organization ID version: type: integer description: Configuration version number minimum: 1 data_input_config: $ref: "#/components/schemas/WorkflowDataInputConfiguration" description: | Configuration for retrieving and filtering data that triggers workflow actions. Defines what data to query and how to filter it. actions: type: object description: | Actions configuration. Map of action ID to action configuration. additionalProperties: $ref: "#/components/schemas/WorkflowActionConfiguration" starting_actions: type: array description: | IDs of actions to execute first (after data input). items: type: string schedule: type: string description: | Optional cron expression (5-field, UTC). When non-empty, the workflow is registered with the scheduler and fires on each tick (cron parser: github.com/hashicorp/cronexpr). Must be empty when `data_input_config.type` is `lifecycle` — lifecycle workflows are event-driven and cannot be scheduled. example: 0 9 * * * created_by: type: string description: User ID who created this version created_at: type: string format: date-time description: Version creation timestamp is_latest: type: boolean description: Whether this is the latest version WorkflowCypherPreviewRequest: type: object required: - query properties: query: type: string minLength: 1 maxLength: 10000 description: Read-only Cypher query to execute against the org's graph. example: MATCH (u:User) WHERE u.active = true RETURN u.id, u.email parameters: type: object additionalProperties: true description: Parameters bound into the query (same as scheduled config). WorkflowCypherPreviewResponse: type: object required: - columns - rows - duration_ms - truncated properties: columns: type: array items: type: string description: Column names in declared order. rows: type: array items: type: array items: {} description: Row values, parallel to `columns`. Cell values are arbitrary JSON. duration_ms: type: integer minimum: 0 description: Server-measured query duration in milliseconds. truncated: type: boolean description: True when the query returned more than the preview cap (50 rows). WorkflowCypherPreviewError: type: object required: - code - message properties: code: type: string description: Stable error code (see backend cypher validator sentinels). example: cypher_write_keyword message: type: string description: Human-readable detail. May reference server-side context. SuperAdminCreateReq: type: object required: - person_id properties: person_id: $ref: "#/components/schemas/PersonID" SuperAdmin: type: object required: - person - created_at properties: person: $ref: "#/components/schemas/EntityLink" description: Link to the person with this super-admin access created_at: type: string format: date-time description: Timestamp when super-admin was created created_by: $ref: "#/components/schemas/EntityLink" description: Link to the person who created this super-admin (if available) SuperAdminAuditLog: type: object required: - audit_id - request_method - request_path - created_at properties: audit_id: type: string format: uuid description: Unique identifier for the audit log entry super_admin: $ref: "#/components/schemas/EntityLink" description: Super-admin who performed the action (may be null if the super-admin has been deleted) request_method: type: string description: HTTP method of the request request_path: type: string description: Path of the endpoint accessed organization_id: $ref: "#/components/schemas/OrganizationID" organization_name: type: string description: Name of the organization where the action was performed metadata: type: object description: Additional metadata about the request created_at: type: string format: date-time description: Timestamp of the action APIMeta: type: object properties: pagination: $ref: "#/components/schemas/APIPagination" cursor_pagination: $ref: "#/components/schemas/APICursorPagination" SAMLProviderCredentialsID: type: string PersonFieldName: type: string enum: - handles - groups - attributes GroupName: type: string pattern: ^[A-Za-z0-9]{1}[\w\.\-]*[A-Za-z0-9]$ maxLength: 100 PermissionName: type: string pattern: ^[A-Za-z0-9]{1}[\w./\\\-:]*[A-Za-z0-9]$ description: | The permission name must be unique within your organization; is case-sensitive; and must conform to the following: - must be at least 2 characters long - may be at most 1024 characters long - may contain only the characters `A-Z a-z 0-9 - _ . : / \` - must start and end with an alphanumeric character (`A-Z a-z 0-9`) example: billing.invoices.list maxLength: 1024 RoleName: type: string pattern: ^[A-Za-z0-9]{1}[\w.\-:]*[A-Za-z0-9]$ maxLength: 100 description: | The Role name must be unique within your organization; is case-sensitive; and must conform to the following: - must be at least 2 characters long - may be at most 100 characters long - may contain only the characters `A-Z a-z 0-9 - _ . :` - must start and end with an alphanumeric character (`A-Z a-z 0-9`) Roles needs to have their name prefixed with `{org_id}/`. Organization ID is not counted to the length limit. example: 064b7b63-ea43-76e5-b208-1900795bc5b7/billing-viewer OAuthProvider: type: string enum: - google - github - bitbucket - gitlab - facebook - line - azuread - okta - apple OAuthClientID: type: string TriggerType: type: string enum: - event - sync_hook TokenText: description: A JWT token. Can be either a User token (`UserTokenText`) or a Token Container (`TokenContainerText`) type: string APIResponseError: type: object properties: httpcode: type: integer message: type: string SAMLProviderCredentials: type: object description: A SAML provider credential properties: id: $ref: "#/components/schemas/SAMLProviderCredentialsID" label: description: A friendly free-form label to help you identify this set of SAML provider credentials. type: string idp_metadata_url: description: The SAML IdP's metadata URL. type: string email_claims: description: The names of the claims in the SAML response containing the users' email addresses. The first match is added to the person's set of handles. type: array items: type: string maxItems: 3 enable_in_slashid_oidc_authz_server: type: boolean description: Indicates whether these credentials can be used for SSO authentication during an OIDC flow in which SlashID acts as the Authorization Server. required: - id - idp_metadata_url PersonID: type: string description: Person ID example: 064b7b63-ea43-76e5-b208-1900795bc5b7 OIDCTokenType: type: string enum: - access - refresh - id SsoOidcTokenDetail: type: object properties: token: type: string description: OIDC token value token_type: $ref: "#/components/schemas/OIDCTokenType" expiry: type: string format: date-time description: Token expiry date provider: $ref: "#/components/schemas/OAuthProvider" client_id: type: string description: The client ID used to obtain the token authentication_id: type: string description: Authentication ID person_id: $ref: "#/components/schemas/PersonID" organization_id: $ref: "#/components/schemas/OrganizationID" extra_callback_values: description: | Set of additional key-value pairs passed by the provider on callback, together with the authorization code. type: object additionalProperties: true required: - token - token_type - expiry - provider - client_id - authentication_id - person_id - organization_id Bytes: type: string ExportedPublicKeyCredential: type: object allOf: - $ref: "#/components/schemas/ExportedCredentialBase" - $ref: "#/components/schemas/PublicKeyCredential" ExportedPasswordCredential: type: object allOf: - $ref: "#/components/schemas/ExportedCredentialBase" - $ref: "#/components/schemas/PasswordCredential" ExportedTOTPCredential: type: object allOf: - $ref: "#/components/schemas/ExportedCredentialBase" - type: object properties: type: $ref: "#/components/schemas/CredentialType" params: $ref: "#/components/schemas/ExportedTOTPCredentialParams" label: type: string required: - type - params PublicKeyCredential: type: object properties: type: $ref: "#/components/schemas/CredentialType" params: $ref: "#/components/schemas/PublicKeyCredentialParams" label: type: string required: - type - params TOTPCredential: type: object properties: type: $ref: "#/components/schemas/CredentialType" params: $ref: "#/components/schemas/TOTPCredentialParams" label: type: string required: - type - params CredentialType: type: string description: The type of the credential enum: - public-key - password - totp PasswordCredentialParams: type: object required: - password_hash properties: password_hash: type: string description: | A hash of a password, in the one of the formats accepts by SlashID. SlashID supports the following hashing functions: - pbkdf2 - bcrypt - argon2i - argon2id Hashes created using a function not listed here will be rejected. In all of these cases, SlashID accepts hashes in the format described [here](https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md). The only departure from the specification described is that the hashing function version can include the characters [a-z0-9], to accommodate bcrypt versions (2, 2a, 2b, 2x, 2y). SlashID also accepts password hashes in the format used by [bcrypt](https://www.usenix.org/legacy/events/usenix99/provos/provos.pdf). If a password hash matches this format, it is assumed that the hashing function used was bcrypt. If any other hashing function was used to hash the password, the hash must be in the SlashID hash format. PersonHandle: required: - type - value type: object properties: type: $ref: "#/components/schemas/PersonHandleType" value: type: string example: user@user.com BucketedAttributes: type: object description: | Attributes divided into named buckets. Bucket names are top level keys; attributes are values. Attributes consist of key-value pairs. Attribute names (keys) may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. additionalProperties: $ref: "#/components/schemas/Attributes" example: person_pool-end_user_read_write: card_number: "1234" expiry: 07/25 end_user_read_only: address_line_1: New Street city: New York Attributes: type: object additionalProperties: true description: | Clear-text person attributes as key-value pairs. Attribute names (keys) may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. example: attr1: value1 attr2: 2 attr3: true attr_4: - 1 - 2 - 3 - 4 attr_5: nested: 5 GDPRConsent: type: object required: - consent_level - created_at properties: consent_level: $ref: "#/components/schemas/GDPRConsentLevel" created_at: type: string format: date-time description: Time when this consent was first created for this person PersonType: type: string enum: - regular - anonymous Region: type: string enum: - us-iowa - europe-belgium - asia-japan - europe-england - australia-sydney OrganizationDetails: allOf: - $ref: "#/components/schemas/Organization" - type: object properties: managed_organizations: type: array items: $ref: "#/components/schemas/Organization" ExternalCredID: description: External credential ID type: string ExternalProvider: type: string enum: - google - onfido - shopify - generic ExternalCredTypes: type: string enum: - api_key - client_credentials - user_pass - api_id_access - access_token - json_credentials ExternalCredentialContent: type: object properties: {} description: Free form object for implicit server to server authentication credentials, different schema for provider. example: client_id: my-client-id client_secret: my-client-secret webhook_token: my-web-hook-token OrganizationDomainPattern: type: string OAuthProvidersOptions: type: object description: Options for supported third-party providers. properties: google: $ref: "#/components/schemas/OAuthGoogleProviderOptions" github: $ref: "#/components/schemas/OAuthGithubProviderOptions" bitbucket: $ref: "#/components/schemas/OAuthBitbucketProviderOptions" gitlab: $ref: "#/components/schemas/OAuthGitlabProviderOptions" facebook: $ref: "#/components/schemas/OAuthFacebookProviderOptions" line: $ref: "#/components/schemas/OAuthLineProviderOptions" azuread: $ref: "#/components/schemas/OAuthAzureADProviderOptions" okta: $ref: "#/components/schemas/OAuthOktaProviderOptions" apple: $ref: "#/components/schemas/OAuthAppleProviderOptions" Organization: type: object properties: id: $ref: "#/components/schemas/OrganizationID" parent_id: $ref: "#/components/schemas/OrganizationID" org_name: type: string tenant_name: type: string required: - id - org_name - tenant_name PricingTier: type: string description: | The tier associated with a root organization. Your organization may be subject to various constraints depending on its tier, such as maximum number of users, rate-limits, etc. enum: - free-trial - professional - enterprise - enterprise-with-nhi - identity-protection FactorMethod: type: string description: Allowed login factor enum: - webauthn - email_link - sms_link - otp_via_sms - otp_via_email - totp - oidc - saml - api - direct_id - password - impersonate - anonymous GlobPattern: type: string description: A glob pattern example: "*@example.com" AuthnRedirectPageUIConfig: type: object additionalProperties: true description: UI configuration for the hosted page users are redirected to after clicking a magic link or password reset link. AttributeSharingScope: type: string description: The scope in which attributes in this bucket are available enum: - organization - person_pool AttributePermissions: type: string description: The access level for end-users to attributes in this bucket. enum: - no_access - read_only - read_write WebhookConfiguration: type: object properties: name: type: string description: | Human-readable name for this webhook. This does not need to be unique, but it is recommended that you choose a name that can be used to distinguish this webhook from others. description: type: string description: | A description of this webhook. This can be used to associate additional information with this webhook for future reference. target_url: type: string description: | The target URL for this webhook. This URL must include the protocol, and the protocol must be HTTPS. A target URL can be registered at most once per organization, but each target URL can have multiple triggers. custom_headers: type: object additionalProperties: type: array items: type: string description: | A set of custom HTTP headers that will be included in requests to this webhook, provided as key-value pairs. timeout: type: string description: The timeout that will be applied when calling this webhook. required: - name - target_url EventTrigger: type: object properties: trigger_type: $ref: "#/components/schemas/TriggerType" trigger_name: $ref: "#/components/schemas/EventName" required: - trigger_type - trigger_name SyncHookTrigger: type: object properties: trigger_type: $ref: "#/components/schemas/TriggerType" trigger_name: $ref: "#/components/schemas/SyncHookName" required: - trigger_type - trigger_name OAuth2ClientName: description: Human-friendly name to identify this client. type: string example: My Awesome Application OAuth2ClientScopes: description: The scopes this client is allowed to request. type: array items: $ref: "#/components/schemas/OAuth2Scope" example: - admin - user OAuth2ClientGrantTypes: description: The client's allowed grant types. type: array items: $ref: "#/components/schemas/OAuth2GrantType" example: - client_credentials - authorization_code OAuth2ClientAccessTokenDuration: description: | How long (in seconds) access tokens should be valid for. If unspecified, this defaults to 24 hours (86,400 seconds). For OIDC flows, this value is also used as the ID token duration. type: integer example: 3600 OAuth2ClientRefreshTokenDuration: description: How long (in seconds) refresh tokens should be valid for. If unspecified, this defaults to 10 days (864,000 seconds). type: integer example: 36000 OAuth2ClientRedirectURIs: description: The client's allowed redirect URIs. type: array items: type: string format: uri example: - https://example.com/redirect OAuth2ClientPublic: description: | Indicates if this client is marked as public. Public clients are unable to use registered client secrets, such as applications running in a browser or on a mobile device. Defaults to false. type: boolean example: false OAuth2ClientID: description: The client identifier. type: string example: b9a747fb-150e-44e5-b2d6-afa69e671853 OAuth2ClientResponseTypes: description: The client's allowed response types. All allowed combinations of response types have to be listed. type: array items: type: array items: $ref: "#/components/schemas/OAuth2ResponseType" example: - - code - - token - - code - token OAuth2ClientSecret: description: The client secret key. type: string example: LQZzYPf8h/7Tpf9I+lCSulcOYMo= OAuthClientUIConfiguration: type: object additionalProperties: true properties: dynamicFlowConfig: type: object description: Configuration for dynamic flow additionalProperties: true dynamicFlowEnabled: type: boolean description: Whether dynamic flow is enabled handleTypes: type: array description: The types of handles that can be used to authenticate items: type: string logoUrl: type: string description: The URL of the logo to display in the login form pageBackgroundColor: type: string description: The background color of the page showBadge: type: boolean description: Whether to show the SlashID badge storeLastFactor: type: boolean description: Whether to store the last factor used for authentication supportURL: type: string description: If set, the support link will be displayed in the error state alternativeAuthURL: type: string description: If set, the alternative auth link will be displayed in the self-registration-not-allowed error state faviconUrl: type: string description: The URL of the favicon to display in the browser tab pageTitle: type: string description: The title of the page themeVars: type: object description: The SlashID theme CSS variables additionalProperties: type: string textOverrides: type: object description: Text keys and overriden values additionalProperties: type: string PostOAuth2TokenRequestClientCredentials: type: object required: - grant_type properties: scope: $ref: "#/components/schemas/OAuth2ScopesSpaceDelimited" grant_type: $ref: "#/components/schemas/OAuth2GrantType" PostOAuth2TokenRequestAuthorizationCode: type: object required: - grant_type - code - redirect_uri - client_id properties: grant_type: $ref: "#/components/schemas/OAuth2GrantType" code: type: string redirect_uri: type: string client_id: $ref: "#/components/schemas/OAuth2ClientID" client_secret: $ref: "#/components/schemas/OAuth2ClientSecret" code_challenge: type: string PostOAuth2TokenRequestRefreshToken: type: object required: - grant_type - refresh_token properties: grant_type: $ref: "#/components/schemas/OAuth2GrantType" refresh_token: type: string scope: $ref: "#/components/schemas/OAuth2ScopesSpaceDelimited" PostOAuth2TokenResponseClientCredentials: type: object required: - access_token - token_type - expires_in properties: access_token: type: string expires_in: type: integer description: Number of seconds until the token expires. scope: $ref: "#/components/schemas/OAuth2ScopesSpaceDelimited" token_type: $ref: "#/components/schemas/OAuth2AuthTokenType" PostOAuth2TokenResponseAuthorizationCode: type: object required: - access_token - token_type - expires_in properties: access_token: type: string refresh_token: type: string id_token: type: string expires_in: type: integer description: Number of seconds until the token expires. scope: $ref: "#/components/schemas/OAuth2ScopesSpaceDelimited" token_type: $ref: "#/components/schemas/OAuth2AuthTokenType" PostOAuth2TokenResponseRefreshToken: type: object required: - access_token - token_type - expires_in properties: access_token: type: string refresh_token: type: string id_token: type: string expires_in: type: integer description: Number of seconds until the token expires. scope: $ref: "#/components/schemas/OAuth2ScopesSpaceDelimited" token_type: $ref: "#/components/schemas/OAuth2AuthTokenType" OAuth2TokenType: type: string enum: - access_token - refresh_token - authorize_code - id_token OAuth2ScopesSpaceDelimited: description: List of OAuth2 scopes, delimited with spaces. type: string example: admin user TestEventsSpecification: type: object required: - event_name properties: event_name: $ref: "#/components/schemas/EventName" count: type: integer default: 1 duplicates: type: boolean default: false analytics_correlation_id: type: string default: "" TestEvent: oneOf: - $ref: "#/components/schemas/Test_AuthenticationSucceeded_v1" - $ref: "#/components/schemas/Test_AuthenticationFailed_v1" - $ref: "#/components/schemas/Test_PersonCreated_v1" - $ref: "#/components/schemas/Test_AnonymousPersonCreated_v1" - $ref: "#/components/schemas/Test_PersonDeleted_v1" - $ref: "#/components/schemas/Test_VirtualPageLoaded_v1" - $ref: "#/components/schemas/Test_SlashIDSDKLoaded_v1" - $ref: "#/components/schemas/Test_PersonIdentified_v1" - $ref: "#/components/schemas/Test_PersonLoggedOut_v1" - $ref: "#/components/schemas/Test_TokenMinted_v1" - $ref: "#/components/schemas/Test_AnonymousTokenMinted_v1" - $ref: "#/components/schemas/Test_PasswordChanged_v1" - $ref: "#/components/schemas/Test_GdprConsentsChanged_v1" - $ref: "#/components/schemas/Test_GateServerStarted_v1" - $ref: "#/components/schemas/Test_GateRequestCredentialFound_v1" - $ref: "#/components/schemas/Test_GateRequestHandled_v1" discriminator: propertyName: event_name mapping: AuthenticationSucceeded_v1: "#/components/schemas/Test_AuthenticationSucceeded_v1" AuthenticationFailed_v1: "#/components/schemas/Test_AuthenticationFailed_v1" PersonCreated_v1: "#/components/schemas/Test_PersonCreated_v1" AnonymousPersonCreated_v1: "#/components/schemas/Test_AnonymousPersonCreated_v1" PersonDeleted_v1: "#/components/schemas/Test_PersonDeleted_v1" VirtualPageLoaded_v1: "#/components/schemas/Test_VirtualPageLoaded_v1" SlashIDSDKLoaded_v1: "#/components/schemas/Test_SlashIDSDKLoaded_v1" PersonIdentified_v1: "#/components/schemas/Test_PersonIdentified_v1" PersonLoggedOut_v1: "#/components/schemas/Test_PersonLoggedOut_v1" TokenMinted_v1: "#/components/schemas/Test_TokenMinted_v1" AnonymousTokenMinted_v1: "#/components/schemas/Test_AnonymousTokenMinted_v1" PasswordChanged_v1: "#/components/schemas/Test_PasswordChanged_v1" GdprConsentsChanged_v1: "#/components/schemas/Test_GdprConsentsChanged_v1" GateServerStarted_v1: "#/components/schemas/Test_GateServerStarted_v1" GateRequestHandled_v1: "#/components/schemas/Test_GateRequestHandled_v1" GateRequestCredentialFound_v1: "#/components/schemas/Test_GateRequestCredentialFound_v1" WorkflowDataInputConfiguration: oneOf: - $ref: "#/components/schemas/WorkflowDataInputDetectionConfiguration" - $ref: "#/components/schemas/WorkflowDataInputLifecycleConfiguration" - $ref: "#/components/schemas/WorkflowDataInputUarFindingConfiguration" - $ref: "#/components/schemas/WorkflowDataInputCypherConfiguration" discriminator: propertyName: type mapping: detection: "#/components/schemas/WorkflowDataInputDetectionConfiguration" lifecycle: "#/components/schemas/WorkflowDataInputLifecycleConfiguration" uar_finding: "#/components/schemas/WorkflowDataInputUarFindingConfiguration" cypher_query: "#/components/schemas/WorkflowDataInputCypherConfiguration" WorkflowActionConfiguration: oneOf: - $ref: "#/components/schemas/RemediationActionConfiguration" - $ref: "#/components/schemas/TicketActionConfiguration" - $ref: "#/components/schemas/DataSinkActionConfiguration" - $ref: "#/components/schemas/WebhookActionConfiguration" - $ref: "#/components/schemas/NotificationActionConfiguration" - $ref: "#/components/schemas/ConditionActionConfiguration" discriminator: propertyName: type mapping: remediation: "#/components/schemas/RemediationActionConfiguration" ticket: "#/components/schemas/TicketActionConfiguration" data_sink: "#/components/schemas/DataSinkActionConfiguration" webhook: "#/components/schemas/WebhookActionConfiguration" notification: "#/components/schemas/NotificationActionConfiguration" condition: "#/components/schemas/ConditionActionConfiguration" EntityLink: type: object required: - entity_class - entity_id properties: entity_class: $ref: "#/components/schemas/EntityClass" entity_id: type: string identifier: type: string APIPagination: type: object required: - limit - offset - total_count properties: limit: type: integer offset: type: integer total_count: type: integer format: int64 APICursorPagination: type: object required: - limit - cursor - total_count properties: limit: type: integer cursor: type: string total_count: type: integer format: int64 ExportedCredentialBase: type: object properties: id: type: string description: The ID of the credential last_used: type: string format: date-time description: The time when the credential was last used to authenticate successfully required: - id ExportedTOTPCredentialParams: type: object required: - recovery_codes_total - recovery_codes_unused properties: recovery_codes_total: type: integer minimum: 0 description: The total number of recovery codes originally issued to the given person. recovery_codes_unused: type: integer minimum: 0 description: The total number of recovery codes still unused by the given person. PublicKeyCredentialParams: type: object required: - webauthn_credential_id - public_key - attestation_type - authenticator properties: webauthn_credential_id: type: string description: The ID of the webauthn credential public_key: type: string description: Base64-encoded public key attestation_type: type: string description: The attestation type for the public key (defaults to "none") authenticator: $ref: "#/components/schemas/PublicKeyAuthenticator" TOTPCredentialParams: type: object required: - key_uri - recovery_codes_total - unused_recovery_codes properties: key_uri: type: string description: | The TOTP key URI of the authenticator you wish to import, in Google Authenticator / Yubico format: ``` otpauth://totp/[Issuer]:[Account name]?secret=[Secret key]&issuer=[Issuer]&algorithm=[Algorithm]&digits=[Digits number]&period=[Period in seconds] ``` where: - `Issuer`: a string value indicating the provider or service this account is associated with, URL-encoded according to RFC 3986. When users register TOTP authenticators with SlashID this value is the Organization name. It is **strongly recommended** that the same value is used in both the `Account name` prefix and in the `issuer` parameter to maximize compatibility across different authenticator apps/devices. - `Account name`: a string value usually diplayed by authenticators to end users to help them distinguish between their TOTP keys. When users register TOTP authenticators with SlashID this value is the handle (e-mail address or phone number) the user authenticated with when they registered the TOTP credential. - `Secret key`: an arbitrary key value encoded in Base32 according to RFC 3548. The padding specified in RFC 3548 section 2.2 is not required and should be omitted. - `Algorithm` (optional): the hashing algorithm to use. Valid values are `SHA1`, `SHA256`, `SHA512`. Defaults to `SHA1`. - `Digits number` (optional): determines the length of the one-time passcode displayed to the user. Valid values are `6`, `8`. Defaults to `6`. - `Period in seconds` (optional): defines the period that a TOTP code will be valid for, in seconds. Defaults to `30`. An example with all optional parameters supplied: ``` otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30 ``` example: otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30 recovery_codes_total: type: integer minimum: 0 description: The total number of recovery codes originally issued to the given person. unused_recovery_codes: type: array items: type: string description: The list of recovery codes the given person can still use in the future in place of TOTP codes. Once imported these codes will be treated as single-use. PersonHandleType: type: string enum: - email_address - phone_number - username example: email_address OAuthGoogleProviderOptions: type: object properties: authorize_scopes: type: array items: type: string default: - openid - email - profile description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Read [Google's documentation](https://developers.google.com/identity/protocols/oauth2/scopes) to know more. Note: scopes `openid`, `email`, and `profile` are always requested. OAuthGithubProviderOptions: type: object properties: authorize_scopes: type: array items: type: string default: - read:user - user:email description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Read [GitHub's documentation](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps) to know more. Note: scopes `read:user` and `user:email` are always requested. OAuthBitbucketProviderOptions: type: object properties: authorize_scopes: type: array items: type: string default: - account description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Read [Bitbucket's documentation](https://developer.atlassian.com/cloud/bitbucket/rest/intro#scopes) to know more. Note: scope `account` is always requested. OAuthGitlabProviderOptions: type: object properties: authorize_scopes: type: array items: type: string default: - read_user description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Read [GitLab's documentation](https://docs.gitlab.com/ee/integration/oauth_provider.html#view-all-authorized-applications) to know more. Note: scope `read_user` is always requested. OAuthFacebookProviderOptions: type: object properties: authorize_scopes: type: array items: type: string default: - email - public_profile description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Read [Facebook's documentation](https://developers.facebook.com/docs/permissions/reference) to know more. Note: scopes `email` and `public_profile` are always requested. OAuthLineProviderOptions: type: object properties: authorize_scopes: type: array items: type: string default: - openid - email - profile description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Read [Line's documentation](https://developers.line.biz/en/docs/line-login/integrate-line-login/#scopes) to know more. Note: scopes `openid`, `email`, and `profile` are always requested. OAuthAzureADProviderOptions: type: object properties: authorize_scopes: type: array items: type: string default: - openid - email - profile - User.Read description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Read [Azure AD's documentation](https://learn.microsoft.com/en-us/graph/permissions-reference) to know more. Note: scopes `openid`, `email`, `profile`, and `User.Read` are always requested. tenant: type: string default: common description: |- The tenant ID of the Azure AD tenant (a GUID), its tenant domain, or one of the pseudo tenants: `common`, `organizations` or `consumer`. Read [Azure AD's documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-client-application-configuration#authority) to know more. OAuthOktaProviderOptions: type: object properties: authorize_scopes: type: array items: type: string default: - openid - email - profile description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Read [Okta's documentation]https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) to know more. Note: scopes `openid`, `email`, `profile` are always requested. organization_url: type: string default: "" description: |- The organization URL for Okta. Read [Okta's documentation](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) to know more. OAuthAppleProviderOptions: type: object description: See https://developer.apple.com/documentation/accountorganizationaldatasharing/creating-a-client-secret required: - private_key - team_id - key_id - secret_lifetime properties: authorize_scopes: type: array items: type: string default: - openid - email - name description: |- The scopes of access granted by the access_token expressed as a list of space-delimited, case-sensitive strings. Note: scopes `openid`, `email`, `name` are always requested. private_key: type: string description: An ES256 private key downloaded from your Apple developer account in PKCS8 format. team_id: type: string description: The 10-character Team ID associated with your Apple developer account. This will be used as the issuer claim in client secret JWTs. key_id: type: string description: A 10-character key identifier generated for the Account and Organizational Data Sharing private key associated with your developer account. secret_lifetime: type: string description: | The lifetime of each generated client secret. The value provided should be a string that can be parsed as a [Golang `time.Duration`](https://pkg.go.dev/time#Duration); for example, "1m" (one minute), "24h" (24 hours). The lifetime may not be less than 5 minutes (300 seconds), and may not be more than 15,777,000 seconds (6 months). If not set, defaults to 30 days. EventName: type: string enum: - AuthenticationSucceeded_v1 - AuthenticationFailed_v1 - PersonCreated_v1 - AnonymousPersonCreated_v1 - PersonDeleted_v1 - VirtualPageLoaded_v1 - SlashIDSDKLoaded_v1 - PersonIdentified_v1 - PersonLoggedOut_v1 - TokenMinted_v1 - AnonymousTokenMinted_v1 - PasswordChanged_v1 - GdprConsentsChanged_v1 - GateServerStarted_v1 - GateRequestHandled_v1 - GateRequestCredentialFound_v1 - PermissionCreated_InRegion_v1 - PermissionCreated_v1 - PermissionDeleted_InRegion_v1 - PermissionDeleted_v1 - RoleCreated_InRegion_v1 - RoleCreated_v1 - RoleDeleted_InRegion_v1 - RoleDeleted_v1 - RoleUpdated_InRegion_v1 - RoleUpdated_v1 - RolesSetToPerson_InRegion_v1 - RolesSetToPerson_v1 - PermissionsSetToPerson_InRegion_v1 - PermissionsSetToPerson_v1 - MitmAttackDetected_v1 - PermissionUpdated_InRegion_v1 - PermissionUpdated_v1 - SuborganizationCreated_InRegion_v1 - SuborganizationCreated_v1 - OAuth2ClientCreated_InRegion_v1 - OAuth2ClientCreated_v1 - AWSIAMUserCreated_v1 - AWSIAMRoleCreated_v1 - AWSIAMRoleInlinePoliciesUpdated_v1 - AWSIAMRoleManagedPoliciesUpdated_v1 - AWSIAMRoleAssumeRolePolicyUpdated_v1 - AWSIAMRolePermissionsBoundaryUpdated_v1 - AWSIAMRoleDeleted_v1 - GCPServiceAccountCreated_v1 - GCPRoleCreated_v1 - GCPIAMPolicyBindingUpdated_v1 - GCPServiceAccountDeleted_v1 - ActiveDirectorySPNCreated_v1 - ActiveDirectorySPNRoleUpdated_v1 - ActiveDirectorySPNDeleted_v1 - ActiveDirectoryUserCreated_v1 SyncHookName: type: string enum: - token_minted - identify_user - threat_detection - posture_detection OAuth2Scope: description: OAuth2 scope type: string example: - admin OAuth2GrantType: type: string enum: - client_credentials - authorization_code - refresh_token OAuth2ResponseType: type: string enum: - code - id_token - token OAuth2AuthTokenType: type: string enum: - bearer Test_AuthenticationSucceeded_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - type: object properties: person_id: $ref: "#/components/schemas/PersonID" authn_method: $ref: "#/components/schemas/FactorMethod" Test_AuthenticationFailed_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - type: object properties: failed_authn_method: $ref: "#/components/schemas/FactorMethod" failure_reason: type: string Test_PersonCreated_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - type: object properties: person_id: $ref: "#/components/schemas/PersonID" Test_AnonymousPersonCreated_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - type: object properties: person_id: $ref: "#/components/schemas/PersonID" Test_PersonDeleted_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - type: object properties: person_id: $ref: "#/components/schemas/PersonID" Test_VirtualPageLoaded_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - $ref: "#/components/schemas/BaseTestSDKEvent" Test_SlashIDSDKLoaded_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - $ref: "#/components/schemas/BaseTestSDKEvent" Test_PersonIdentified_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - $ref: "#/components/schemas/BaseTestSDKEvent" Test_PersonLoggedOut_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" - $ref: "#/components/schemas/BaseTestSDKEvent" Test_TokenMinted_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" Test_AnonymousTokenMinted_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" Test_PasswordChanged_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" Test_GdprConsentsChanged_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" Test_GateServerStarted_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" Test_GateRequestCredentialFound_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" Test_GateRequestHandled_v1: allOf: - $ref: "#/components/schemas/BaseTestEvent" WorkflowDataInputDetectionConfiguration: type: object required: - type - scim_filter properties: type: type: string enum: - detection description: Data input type discriminator scim_filter: type: string description: | SCIM filter string to apply when querying detections. Examples: - `severity eq "critical"` - `type eq "aws_identity_unused" and status eq "new"` - `entity_type eq "aws_iam_user"` - `severity eq "critical" or severity eq "high"` minLength: 1 example: severity eq "critical" limit: type: integer description: Maximum number of detections to retrieve (0 for no limit) default: 0 minimum: 0 maximum: 10000 sorting: type: array description: Sorting configuration for results items: type: object required: - field - direction properties: field: type: string description: Field to sort by example: created_at direction: type: string enum: - asc - desc description: Sort direction default: desc WorkflowDataInputLifecycleConfiguration: type: object required: - type - event_types properties: type: type: string enum: - lifecycle description: Data input type discriminator event_types: type: array items: $ref: "#/components/schemas/LifecycleEventType" minItems: 1 description: Lifecycle events that trigger this workflow example: - created - deleted entity_types: type: array items: type: string description: Filter by entity types (e.g., aws_iam_user, entra_user). If empty, all entity types are matched. example: - aws_iam_user - entra_user source_types: type: array items: type: string description: Filter by identity source types (e.g., aws_account, entra). If empty, all source types are matched. example: - aws_account - entra connection_ids: type: array items: type: string description: Filter by specific connection IDs. If empty, all connections are matched. min_risk_score: type: integer minimum: 0 maximum: 100 description: Only trigger for entities with risk score >= this value max_risk_score: type: integer minimum: 0 maximum: 100 description: Only trigger for entities with risk score <= this value include_relationships: type: boolean default: false description: Fetch manager, groups, direct reports from Neo4j include_permissions: type: boolean default: false description: Fetch permission assignments from Neo4j include_access_history: type: boolean default: false description: Fetch recent access records from Neo4j relationship_depth: type: integer minimum: 0 maximum: 3 default: 1 description: How deep to traverse relationships in Neo4j (default 1, max 3) scim_filter: type: string description: Additional SCIM-style filter criteria for the entity WorkflowDataInputUarFindingConfiguration: type: object required: - type description: | Filters which UarFindingV1 events this workflow should run on. In v1 the only emitted trigger is `manual`; other trigger values (decision_revoked, decision_effective, level_completed, campaign_completed) are accepted for forward-compat with the auto-trigger work but never match an event until those triggers ship. Backed by backend/modules/workflows/entities/workflow_data_input_uar_finding_configuration.go. properties: type: type: string enum: - uar_finding description: Data input type discriminator triggers: type: array items: type: string description: | UarFindingV1 trigger reasons that fire this workflow (ANY match). Defaults to `["manual"]` when empty. campaign_ids: type: array items: type: string format: uuid description: Filter by specific campaign IDs. Empty matches all. campaign_template_ids: type: array items: type: string format: uuid description: Filter by campaign template IDs. Empty matches all. campaign_types: type: array items: type: string description: | Filter by campaign type (e.g. `user`, `resource`, `non_human_identity`). Empty matches all. classification_tags: type: array items: type: string description: Filter by classification tags on the finding. Empty matches all. outcomes: type: array items: type: string description: Filter by reviewer decision outcome (e.g. `approve`, `revoke`). Empty matches all. only_effective: type: boolean default: false description: | Match only when `effective_outcome == outcome` — the decision survived multi-tier escalation rather than being overridden. min_level: type: integer minimum: 0 description: Filter by decision level >= this value. only_high_privilege: type: boolean default: false description: Restrict to findings flagged as high-privilege. user_source_types: type: array items: type: string description: Filter by user identity source type. Empty matches all. user_entity_types: type: array items: type: string description: Filter by user entity type. Empty matches all. asset_source_types: type: array items: type: string description: Filter by asset source type. Empty matches all. asset_entity_types: type: array items: type: string description: Filter by asset entity type. Empty matches all. granting_entity_types: type: array items: type: string description: Filter by granting entity type (e.g. role, group). Empty matches all. scim_filter: type: string description: | Optional SCIM-style filter over the flattened finding payload, applied after the structured filters above. WorkflowDataInputCypherConfiguration: type: object required: - type - query properties: type: type: string enum: - cypher_query description: Data input type discriminator query: type: string description: | Read-only Cypher query whose rows feed downstream workflow actions. Must contain MATCH and RETURN clauses. Write operations and the USE clause are rejected by the validator. Comments and strings are tokenized before validation, so a write keyword inside a string literal is allowed. minLength: 1 maxLength: 10000 example: MATCH (u:User) WHERE u.active = true RETURN u.id, u.email parameters: type: object additionalProperties: true description: | Parameters bound into the query at execution time. Keys must match the `$name` placeholders in `query`. Values are passed verbatim to the Neo4j driver. example: min_age: 7 max_rows: type: integer description: | Maximum rows returned by a scheduled execution (NOT the preview). Capped server-side at 10000. default: 1000 minimum: 1 maximum: 10000 timeout_seconds: type: integer description: | Per-execution query timeout (NOT the preview). Capped server-side at 300. default: 30 minimum: 1 maximum: 300 on_limit_exceeded: type: string enum: - fail - truncate default: fail description: | Behavior when the query returns more than `max_rows`. `fail` aborts the execution with an error; `truncate` returns the first `max_rows` rows and marks the execution as truncated. primary_entity_column: type: string description: | Optional. Name of a query result column whose value is the primary entity ID for each row. When set, downstream remediation actions can target this entity. Must match one of the column aliases in the query's RETURN clause. example: u.id RemediationActionConfiguration: allOf: - $ref: "#/components/schemas/BaseActionConfiguration" - type: object required: - action - target_type properties: action: $ref: "#/components/schemas/RemediationActionType" target_type: $ref: "#/components/schemas/RemediationTargetType" parameters: type: object additionalProperties: true description: Action-specific parameters example: group_name: suspended_users reason: Suspicious activity detected dry_run: type: boolean description: If true, action is simulated but not executed (logs what would happen) default: false TicketActionConfiguration: allOf: - $ref: "#/components/schemas/BaseActionConfiguration" - type: object required: - ticket_system properties: ticket_system: type: string enum: - jira - servicenow - linear - github description: Target ticket system project_key: type: string description: Project or board identifier issue_type: type: string description: Type of ticket to create example: Incident title_template: type: string description: Template for ticket title example: "Security Alert: {{detection.name}}" description_template: type: string description: Template for ticket description labels: type: array items: type: string description: Labels to apply to the ticket assignee: type: string description: Default assignee for the ticket priority: type: string description: Ticket priority example: High DataSinkActionConfiguration: allOf: - $ref: "#/components/schemas/BaseActionConfiguration" - type: object required: - sink_type properties: sink_type: type: string enum: - s3 - gcs - bigquery - snowflake - splunk - elasticsearch description: Target data sink type connection_config: type: object additionalProperties: true description: Connection configuration for the data sink data_format: type: string enum: - json - csv - parquet description: Format for exported data default: json include_fields: type: array items: type: string description: Fields to include in export transform_rules: type: array items: type: object description: Data transformation rules WebhookActionConfiguration: allOf: - $ref: "#/components/schemas/BaseActionConfiguration" - type: object required: - url - method properties: url: type: string format: uri description: Webhook endpoint URL method: type: string enum: - POST - PUT - PATCH description: HTTP method to use default: POST headers: type: object additionalProperties: type: string description: Custom headers to send body_template: type: string description: Template for request body timeout_seconds: type: integer description: Request timeout in seconds default: 30 minimum: 1 maximum: 300 retry_config: type: object properties: max_retries: type: integer default: 3 minimum: 0 maximum: 10 backoff_seconds: type: integer default: 5 minimum: 1 NotificationActionConfiguration: allOf: - $ref: "#/components/schemas/BaseActionConfiguration" - type: object required: - notification_type - recipients properties: notification_type: type: string enum: - email - slack - teams - pagerduty - sms description: Type of notification to send recipients: type: array items: type: string description: Notification recipients example: - security-team@example.com - "#security-alerts" subject_template: type: string description: Template for notification subject message_template: type: string description: Template for notification message severity: type: string enum: - info - warning - error - critical description: Notification severity level default: warning include_data: type: boolean description: Whether to include detection data in notification default: true ConditionActionConfiguration: allOf: - $ref: "#/components/schemas/BaseActionConfiguration" - type: object required: - type - predicate - on_true properties: type: type: string enum: - condition predicate: $ref: "#/components/schemas/Predicate" on_true: type: array items: type: string minItems: 1 description: Action IDs to run for items where the predicate evaluates to true. on_false: type: array items: type: string description: | Action IDs to run for items where the predicate evaluates to false. If empty, items routed to this branch are dropped from the subtree. debug: type: boolean default: false description: When true, the evaluator emits per-leaf traces into ResultData. EntityClass: type: string enum: - unknown - identity - credential - policy - resource - application - canonical_application - canonical_identity - sensor - person PublicKeyAuthenticator: type: object required: - aaguid properties: aaguid: type: string description: Base64-encoded AAGUID of the authenticator device sign_count: type: integer clone_warning: type: boolean BaseTestEvent: type: object required: - event_id - event_name - timestamp - organization_id properties: event_id: type: string format: uuid event_name: $ref: "#/components/schemas/EventName" timestamp: type: string organization_id: $ref: "#/components/schemas/OrganizationID" BaseTestSDKEvent: type: object properties: window_location: type: string format: url LifecycleEventType: type: string enum: - created - deleted - suspended - modified - reactivated - role_changed - group_added - group_removed - risk_score_changed - inactive_threshold description: | Type of user lifecycle event that triggers the workflow. Phase 1 (Core): created, deleted, suspended Phase 2 (Extended): modified, reactivated, role_changed, group_added, group_removed, risk_score_changed, inactive_threshold BaseActionConfiguration: type: object required: - id - type - enabled properties: id: type: string description: Unique identifier for this action type: $ref: "#/components/schemas/WorkflowActionType" name: type: string description: Human-readable name for this action description: type: string description: Description of what this action does enabled: type: boolean description: Whether this action is enabled default: true integration_id: type: string description: Optional integration ID to use for this action (e.g., specific ticketing system integration) children: type: array description: IDs of child actions to execute after this action completes items: type: string default: [] RemediationActionType: type: string enum: - suspend - quarantine - delete - rotate - revoke - remove_from - enable - add_to - update_permissions - force_mfa description: Type of remediation action to perform RemediationTargetType: type: string enum: - user - session - credential - api_key - group_membership - role - permission - entity - group description: Target of the remediation action Predicate: oneOf: - $ref: "#/components/schemas/AndPredicate" - $ref: "#/components/schemas/OrPredicate" - $ref: "#/components/schemas/NotPredicate" - $ref: "#/components/schemas/ScimPredicate" - $ref: "#/components/schemas/PgQueryPredicate" - $ref: "#/components/schemas/PgTemplatePredicate" - $ref: "#/components/schemas/Neo4jQueryPredicate" - $ref: "#/components/schemas/Neo4jTemplatePredicate" - $ref: "#/components/schemas/EventCountOverWindowPredicate" discriminator: propertyName: kind mapping: and: "#/components/schemas/AndPredicate" or: "#/components/schemas/OrPredicate" not: "#/components/schemas/NotPredicate" scim: "#/components/schemas/ScimPredicate" pg_query: "#/components/schemas/PgQueryPredicate" pg_template: "#/components/schemas/PgTemplatePredicate" neo4j_query: "#/components/schemas/Neo4jQueryPredicate" neo4j_template: "#/components/schemas/Neo4jTemplatePredicate" event_count_over_window: "#/components/schemas/EventCountOverWindowPredicate" WorkflowActionType: type: string enum: - remediation - ticket - data_sink - webhook - notification - condition description: Type of workflow action AndPredicate: type: object required: - kind - predicates properties: kind: type: string enum: - and predicates: type: array items: $ref: "#/components/schemas/Predicate" minItems: 1 OrPredicate: type: object required: - kind - predicates properties: kind: type: string enum: - or predicates: type: array items: $ref: "#/components/schemas/Predicate" minItems: 1 NotPredicate: type: object required: - kind - predicate properties: kind: type: string enum: - not predicate: $ref: "#/components/schemas/Predicate" ScimPredicate: type: object required: - kind - filter properties: kind: type: string enum: - scim filter: type: string description: SCIM 2.0 filter string evaluated in-memory against the WorkflowDataItem. PgQueryPredicate: type: object required: - kind - sql properties: kind: type: string enum: - pg_query sql: type: string params: type: object additionalProperties: $ref: "#/components/schemas/ParamValue" expect: type: boolean description: For bool-returning queries — matches this value. count_operator: type: string enum: - gt - gte - lt - lte - eq - neq count_threshold: type: integer format: int64 timeout_sec: type: integer minimum: 0 maximum: 30 PgTemplatePredicate: type: object required: - kind - template properties: kind: type: string enum: - pg_template template: type: string params: type: object additionalProperties: $ref: "#/components/schemas/ParamValue" expect: type: boolean count_operator: type: string enum: - gt - gte - lt - lte - eq - neq count_threshold: type: integer format: int64 Neo4jQueryPredicate: type: object required: - kind - cypher properties: kind: type: string enum: - neo4j_query cypher: type: string params: type: object additionalProperties: $ref: "#/components/schemas/ParamValue" expect: type: boolean count_operator: type: string enum: - gt - gte - lt - lte - eq - neq count_threshold: type: integer format: int64 timeout_sec: type: integer minimum: 0 maximum: 30 Neo4jTemplatePredicate: type: object required: - kind - template properties: kind: type: string enum: - neo4j_template template: type: string params: type: object additionalProperties: $ref: "#/components/schemas/ParamValue" expect: type: boolean count_operator: type: string enum: - gt - gte - lt - lte - eq - neq count_threshold: type: integer format: int64 EventCountOverWindowPredicate: type: object required: - kind - source - window - operator - threshold properties: kind: type: string enum: - event_count_over_window source: $ref: "#/components/schemas/EventCountSource" window: type: string example: 1h description: Duration string (e.g. "1h", "24h", "7d"). operator: type: string enum: - gt - gte - lt - lte - eq - neq threshold: type: integer format: int64 minimum: 0 ParamValue: type: object description: Exactly one of literal or path must be set. properties: literal: {} path: type: string description: JSONPath expression resolved against the WorkflowDataItem at evaluation time. EventCountSource: oneOf: - $ref: "#/components/schemas/PgDetectionSource" - $ref: "#/components/schemas/BigQueryAnalyticsSource" discriminator: propertyName: kind mapping: pg_detection: "#/components/schemas/PgDetectionSource" bigquery_analytics: "#/components/schemas/BigQueryAnalyticsSource" PgDetectionSource: type: object required: - kind - match properties: kind: type: string enum: - pg_detection match: type: object additionalProperties: $ref: "#/components/schemas/ParamValue" BigQueryAnalyticsSource: type: object required: - kind - view - match properties: kind: type: string enum: - bigquery_analytics view: type: string description: Fully-qualified BigQuery view name (project.dataset.view). match: type: object additionalProperties: $ref: "#/components/schemas/ParamValue" staleness_ok_seconds: type: integer minimum: 0 default: 300 responses: NoContent: description: No content BadRequest: description: Bad Request content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" Timeout: description: |- Request Timeout - operation exceeded the timeout limit from SlashID-Required-Consistency-Timeout. The operation may still be in progress, and will be completed eventually. content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" NotFound: description: Not Found content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" Unauthorized: description: Unauthorized content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" Forbidden: description: Forbidden content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" Accepted: description: Accepted - Request was accepted and will be processed in the background PreconditionFailed: description: Precondition Failed content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" PaymentRequired: description: Pricing Tier Violation - operation violated the limits specified in its pricing tier. content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" Conflict: description: Conflict content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" OK: description: OK examples: personHandlesExample: value: - type: email_address value: user@user.com - type: phone_number value: "+13475043201" - type: username value: john_smith summary: Example person handles emailHandleExample: value: email_address:user@user.com phoneNumberHandleExample: value: phone_number:+13475043201 usernameHandleExample: value: username:john_smith headers: ETagHeader: schema: type: string description: An ETag header. Can be passed as an If-Match header in a subsequent request to avoid lost updates. paths: /token/validate: parameters: - $ref: "#/components/parameters/OptionalSdkVersionHeader" post: operationId: PostTokenValidate tags: - Identity Management - Tokens summary: Validate a user token description: | This endpoint validates a SlashID user token. The response indicates whether the token is valid and its expiration time if so. If the token is not valid, the reason is returned. requestBody: content: application/json: schema: $ref: "#/components/schemas/ValidateTokenReq" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/ValidateTokenResponse" /token/revoke: parameters: - $ref: "#/components/parameters/OptionalSdkVersionHeader" post: operationId: PostTokenRevoke tags: - Tokens - Identity Management summary: Revoke a user token description: | This endpoint revokes a SlashID user token. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/RevokeTokenReq" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "408": $ref: "#/components/responses/Timeout" /organizations/sso/saml/provider-credentials: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsSamlProviderCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin,member,saml-admin x-manager-rbac-allowed-groups: admin,member tags: - Organization SSO config - Identity Management summary: List SAML credentials for SSO description: | Returns a list of existing SAML provider credentials for SSO for your organization. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/SAMLProviderCredentialsGetResponse" required: - result "400": $ref: "#/components/responses/BadRequest" post: operationId: PostOrganizationsSamlProviderCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin,saml-admin x-manager-rbac-allowed-groups: admin tags: - Organization SSO config - Identity Management summary: Create a new set of SAML provider credentials for SSO description: | Create a new set of SAML provider credentials for your organization to use with SSO. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/SAMLProviderCredentialsPostRequest" responses: "201": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/SAMLProviderCredentialsPostResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "/organizations/sso/saml/provider-credentials/{saml_provider_credentials_id}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/SAMLProviderCredentialsIDPathParam" get: operationId: GetOrganizationsSsoSamlProviderCredentialsSamlProviderCredentialsId x-rbac-enabled: true x-rbac-allowed-groups: admin,member,saml-admin x-manager-rbac-allowed-groups: admin,member tags: - Organization SSO config - Identity Management summary: Get an existing set of SAML provider credentials for SSO description: | Returns an existing set of SAML provider for SSO, specified by the provider credential ID. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/SAMLProviderCredentialsGetResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteOrganizationsSsoSamlProviderCredentialsSamlProviderCredentialsId x-rbac-enabled: true x-rbac-allowed-groups: admin,saml-admin x-manager-rbac-allowed-groups: admin tags: - Organization SSO config - Identity Management summary: Delete an existing set of SAML provider credentials for SSO description: | Deletes an existing set of SAML provider credentials for SSO, specified by the provider credential ID. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchOrganizationsSsoSamlProviderCredentialsSamlProviderCredentialsId x-rbac-enabled: true x-rbac-allowed-groups: admin,saml-admin x-manager-rbac-allowed-groups: admin tags: - Organization SSO config - Identity Management summary: Modify an existing set of SAML provider credentials for SSO description: Modifies an existing set of SAML provider credentials for SSO, specified by the provider credential ID. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/SAMLProviderCredentialsPatchRequest" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /sso/oidc/tokens/revoke: parameters: - $ref: "#/components/parameters/SdkVersionHeader" post: operationId: PostSsoOidcTokensRevoke deprecated: true tags: - Identity Management - SSO summary: (Deprecated) Revoke an OAuth token obtained through SSO with OIDC description: | Revoke a previously obtained OAuth access or refresh token for an IdP. This endpoint is deprecated. Please use /sso/oidc/tokens/revoke/v2 instead. requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/OAuthTokenRevokeReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" /sso/oidc/tokens/revoke/v2: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostSsoOidcTokensRevokeV2 x-rbac-enabled: true tags: - Identity Management - SSO summary: Revoke an OAuth token obtained through SSO with OIDC description: Revoke a previously obtained OAuth access or refresh token for an IdP requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/SsoOidcTokensRevokeV2Req" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /sso/oidc/tokens: parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/RequiredTokenHeader" get: operationId: GetSsoOidcTokens x-rbac-enabled: true tags: - Identity Management - SSO summary: Retrieve OIDC tokens description: | Retrieve tokens issued by an OIDC provider as part of an SSO authentication. This endpoint expects a valid SlashID token container issued after an SSO authentication. The response will include all of the OIDC tokens that were issued by that SSO authentication. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/SsoOidcTokensGetResponse" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" /sso/oidc/tokens/query: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostSsoOidcTokensQuery tags: - Identity Management - SSO summary: Query tokens obtained through SSO with OIDC description: Query the OIDC tokens for a person issued during SSO authentications. requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/SsoOidcTokensQueryReq" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/SsoOidcTokensQueryResp" "400": $ref: "#/components/responses/BadRequest" "/persons/{person_id}/direct-id": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostPersonsPersonIdDirectId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Persons summary: Get Direct-ID value for a person description: | This endpoint creates a one-time Direct-ID for a specific user. The returned Direct-ID string can embedded in a URL in the `challenges` query parameter to let your users land on a target page already authenticated. requestBody: content: application/json: schema: $ref: "#/components/schemas/PersonDirectIDReq" required: true responses: "201": description: The result string is a Direct-ID you can include in your links in the `challenges` query parameter. content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/DirectID" required: - result "401": $ref: "#/components/responses/Unauthorized" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/mint-token": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostPersonsPersonIdMintToken tags: - Identity Management - Tokens - Persons summary: Mint a token for a person description: | This endpoint creates a token for a specific user. Custom claims can be specified in the request body which will be added to the token's payload. Custom claims are added to the token's payload. Tokens created with this endpoint will have an `authenticated_methods` claim equal to ["api"]. The following claims are reserved and cannot be specified: - aud - exp - jti - iat - iss - nbf - sub - prev_token_id - oid - org_id - user_id - person_id - first_token - authenticated_methods - oidc_tokens - user_token - groups - roles - access_token - refresh_token - id - id_token - gdpr - gdpr_consent - gdpr_consent_level - parent_user_id - parent_person_id - parent_org_id - parent_oid - attributes - custom_claims - slashid - slashid.dev - slashid.com - slashid.me - sid With the following request body: ``` { "custom_claims": { "foo": "bar", "baz": {"everything": 42} } } ``` the token in the response will have the following payload: ``` { "authenticated_methods": [ "api" ], "baz": { "everything": 42 }, "exp": , "first_token": false, "foo": "bar", "iat": , "iss": , "jti": , "oid": , "person_id": } ``` requestBody: content: application/json: schema: $ref: "#/components/schemas/PostMintTokenRequest" required: true responses: "201": description: The result string is a newly-minted SlashID token. content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/UserTokenText" required: - result "401": $ref: "#/components/responses/Unauthorized" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/credentials": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetPersonsPersonIdCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Person Credentials summary: Retrieve a person's credentials description: | Retrieves credentials linked to the specified person in your organization. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/ExportedCredential" required: - result "401": $ref: "#/components/responses/Unauthorized" "404": $ref: "#/components/responses/NotFound" post: operationId: PostPersonsPersonIdCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Credentials summary: Create a new credential description: | Creates a new credential linked to the specified person in your organization. This credential will then be available for use in future authentication challenges. requestBody: description: The credential creation request content: application/json: schema: $ref: "#/components/schemas/Credential" required: true responses: "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/ExportedCredential" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeletePersonsPersonIdCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Credentials summary: Delete all credentials description: | Deletes all credentials from a person. Note that deletion is irreversible and the credentials will no longer be usable for authentication. responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/credentials/{credential_id}": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/CredentialIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" delete: operationId: DeletePersonsPersonIdCredentialsCredentialId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Credentials summary: Delete a credential object description: | Deletes the specified credential from a person,organization pair. Note that deletion is irreversible and the credential will no longer be usable for authentication. responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/credentials/password": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" put: operationId: PutPersonsPersonIdCredentialsPassword x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Credentials summary: Create or overwrite a password credential. description: | Creates or overwrites the password credential linked to the specified person in your organization. This credential will then be available for use in future authentication challenges. requestBody: description: The password credential creation/overwrite request content: application/json: schema: $ref: "#/components/schemas/PasswordCredential" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/credentials/password-reset": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostPersonsPersonIdCredentialsPasswordReset x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Credentials summary: Trigger a password reset flow description: | Triggers a password reset flow for the specified person and credential. The specified person must then take action to complete the flow and set a new password. Optionally, you can specify which of the person's handles will be used to send the password reset link. requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PasswordResetPostReq" responses: "202": $ref: "#/components/responses/Accepted" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/credentials/password-rotate": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostPersonsPersonIdCredentialsPasswordRotate x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Credentials summary: Rotate a person's password description: | Rotates a person's password. The specified person does not need to have an existing password credential. A new password credential will be created regardless and returned in the response. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PasswordRotatePostResp" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/attributes": patch: operationId: PatchPersonsPersonIdAttributes x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Create or modify attributes for a person in multiple buckets description: | Create new attributes or modify existing attributes for a person in one or more attribute buckets. The request body should be a nested object, with bucket names as top-level keys, and key-value pair attributes as values, as shown in the example request body. The buckets must exist and must be accessible by the organization identified in the request header. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Any existing attribute that isn't referenced by key in the request is left untouched. tags: - Identity Management - Person Attributes parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PatchBucketedAttributesReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" put: operationId: PutPersonsPersonIdAttributes x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Create or modify attributes for a person in multiple buckets description: | Create new attributes or modify existing attributes for a person in one or more attribute buckets. The request body should be a nested object, with bucket names as top-level keys, and key-value pair attributes as values, as shown in the example request body. The buckets must exist and must be accessible by the organization identified in the request header. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Replaces the set of existing attributes with those present in the request. In other words, it deletes any existing attributes that aren't referenced by key in the request. tags: - Identity Management - Person Attributes parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PutBucketedAttributesReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" get: operationId: GetPersonsPersonIdAttributes x-rbac-enabled: true x-rbac-allowed-groups: admin,member summary: Retrieve attributes for a person from multiple buckets description: | Retrieve attributes for a person from one or more buckets. If no buckets are specified, attributes from all buckets will be retrieved. Bucket names can be specified as a comma-separated list in the `buckets` query parameter. All buckets specified must exist, and the organization specified in the header must be able to access them. Empty bucket names are not permitted. tags: - Identity Management - Person Attributes parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketsQueryParam" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GetBucketedAttributesResp" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/attributes/{bucket_name}": patch: operationId: PatchPersonsPersonIdAttributesBucketName x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Create or modify attributes for a person in a single bucket description: | Create new attributes or modify existing attributes for a person in a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. The request body should be an object consisting of key-value pair attributes. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Any existing attribute that isn't referenced by key in the request is left untouched. tags: - Identity Management - Person Attributes parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketNamePathParam" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PatchAttributesReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" put: operationId: PutPersonsPersonIdAttributesBucketName x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Create or modify attributes for a person in a single bucket description: | Create new attributes or modify existing attributes for a person in a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. The request body should be an object consisting of key-value pair attributes. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Replaces the set of existing attributes with those present in the request. In other words, it deletes any existing attributes that aren't referenced by key in the request. tags: - Identity Management - Person Attributes parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketNamePathParam" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PutAttributesReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" get: operationId: GetPersonsPersonIdAttributesBucketName x-rbac-enabled: true x-rbac-allowed-groups: admin,member summary: Retrieve attributes for a person from a single bucket description: | Retrieve attributes for a person from a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. If no attribute names are specified, all attributes in the bucket will be retrieved. Attribute names can be provided as a comma-separated list in the `attributes` query parameter. Empty attribute names are not permitted. tags: - Identity Management - Person Attributes parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketNamePathParam" required: true - $ref: "#/components/parameters/AttributeNamesQueryParam" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GetAttributesResp" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeletePersonsPersonIdAttributesBucketName x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Delete attributes for a person from a single bucket description: | Delete attributes for a person from a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. Attribute names can be provided as a comma-separated list in the `attributes` query parameter. Empty attribute names are not permitted. If no attribute names are specified, all attributes in the bucket will be deleted. WARNING: this action is permanent and cannot be undone. tags: - Identity Management - Person Attributes parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketNamePathParam" - $ref: "#/components/parameters/AttributeNamesQueryParam" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/consent/gdpr": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetPersonsPersonIdConsentGdpr x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Person Consents summary: Get GDPR consent description: | Takes an organization ID and a person ID and returns the GDPR consent levels and timestamp for that person, if it exists. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GDPRConsentResponse" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" post: operationId: PostPersonsPersonIdConsentGdpr x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Consents summary: Store GDPR consent description: | Takes the organization ID, the person ID, and GDPR consent levels, and stores the GDPR consent levels and timestamp. Returns the consent levels and the timestamp at which the consent information was received. This will overwrite existing GDPR consent levels for the specified person. The consent levels indicate the types of data classes the person has allowed during their use of your services, in accordance with GDPR. requestBody: description: The GDPR consent level for the person content: application/json: schema: $ref: "#/components/schemas/GDPRConsentRequest" required: true responses: "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GDPRConsentResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" put: operationId: PutPersonsPersonIdConsentGdpr x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Consents summary: Set GDPR consent description: | Takes the organization ID, the person ID, and GDPR consent levels, and stores the GDPR consent levels and timestamp. Returns the consent levels and the timestamp at which the consent information was received. This will overwrite existing GDPR consent levels for the specified person. The consent levels indicate the types of data classes the person has allowed during their use of your services, in accordance with GDPR. requestBody: description: The GDPR consent level for the person content: application/json: schema: $ref: "#/components/schemas/GDPRConsentRequest" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GDPRConsentResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeletePersonsPersonIdConsentGdpr x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person Consents summary: Remove GDPR consent description: The function takes the organization ID and person ID and removes the specified GDPR consent, or all consents. parameters: - name: consent_levels in: query description: The names of the consent levels to remove from the person required: false schema: type: array items: $ref: "#/components/schemas/GDPRConsentLevel" - name: deleteAll in: query description: Whether to delete all GDPR consents for this person required: false schema: type: boolean responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /consent/gdpr: parameters: - $ref: "#/components/parameters/SdkVersionHeader" get: operationId: GetConsentGdpr x-rbac-enabled: false tags: - Identity Management - Person Consents summary: Get GDPR consent of current user description: | Returns the GDPR consent levels and timestamp for current person, if it exists. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GDPRConsentResponse" "400": $ref: "#/components/responses/BadRequest" post: operationId: PostConsentGdpr x-rbac-enabled: false tags: - Identity Management - Person Consents summary: Store GDPR consent of current user description: | Stores the GDPR consent levels and timestamp. Returns the consent levels and the timestamp at which the consent information was received. This will overwrite existing GDPR consent levels for the specified person. The consent levels indicate the types of data classes the person has allowed during their use of your services, in accordance with GDPR. requestBody: description: The GDPR consent level content: application/json: schema: $ref: "#/components/schemas/GDPRConsentRequest" required: true responses: "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GDPRConsentResponse" required: - result "400": $ref: "#/components/responses/BadRequest" put: operationId: PutConsentGdpr x-rbac-enabled: false tags: - Identity Management - Person Consents summary: Set GDPR consent of current user description: | Stores the GDPR consent levels and timestamp. Returns the consent levels and the timestamp at which the consent information was received. This will overwrite existing GDPR consent levels for the specified person. The consent levels indicate the types of data classes the person has allowed during their use of your services, in accordance with GDPR. requestBody: description: The GDPR consent level for the person content: application/json: schema: $ref: "#/components/schemas/GDPRConsentRequest" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GDPRConsentResponse" required: - result "400": $ref: "#/components/responses/BadRequest" delete: operationId: DeleteConsentGdpr x-rbac-enabled: false tags: - Identity Management - Person Consents summary: Remove GDPR consent of current user description: Removes the specified GDPR consent, or all consents. parameters: - name: consent_levels in: query description: The names of the consent levels to remove from the person required: false schema: type: array items: $ref: "#/components/schemas/GDPRConsentLevel" - name: deleteAll in: query description: Whether to delete all GDPR consents for this person required: false schema: type: boolean responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "/persons/{person_id}": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetPersonsPersonId x-rbac-enabled: true x-rbac-allowed-groups: admin,member,impersonator x-manager-rbac-allowed-groups: admin,member,impersonator tags: - Identity Management - Persons summary: Retrieve a person description: |- Get a person object by its ID. The function returns the decrypted, abridged person record. Please use the Attributes API to retrieve custom person attributes. parameters: - $ref: "#/components/parameters/PersonFieldsQueryParam" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonRet" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeletePersonsPersonId x-rbac-enabled: true x-rbac-allowed-groups: admin x-manager-rbac-allowed-groups: admin tags: - Identity Management - Persons - Organizations summary: Delete a person from an organization description: |- Remove the person, specified by its ID, from the organization. Note that access to all the attributes associated with this person will be permanently revoked. responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchPersonsPersonId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Persons summary: Modify an existing person description: | Modify configuration for an existing specific person associated with your organization. This includes the list of roles for the person and whether the person is active or not. requestBody: description: The person patch request content: application/json: schema: $ref: "#/components/schemas/PersonPatchReq" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonRet" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/handles": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostPersonsPersonIdHandles x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person handles summary: Add handles to a person description: Add one or more handles to an existing person linked to your organization. requestBody: description: The person handles POST request content: application/json: schema: $ref: "#/components/schemas/PersonHandlesReq" examples: personHandlesExample: $ref: "#/components/examples/personHandlesExample" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" get: operationId: GetPersonsPersonIdHandles x-rbac-enabled: true x-rbac-allowed-groups: admin,member,impersonator tags: - Identity Management - Person handles summary: Get handles for a person description: Retrieve the list of handles associated with an existing person responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonHandlesResponse" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/handles/{handle}": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/HandlePathParam" delete: operationId: DeletePersonsPersonIdHandlesHandle x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Person handles summary: Delete a handle from a person description: Remove a handle associated with an existing person responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/groups": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetPersonsPersonIdGroups x-rbac-enabled: true x-rbac-allowed-groups: admin,member,impersonator,saml-admin,uar-certifier,uar-campaign-manager,cs-id-verifier x-manager-rbac-allowed-groups: admin,member,impersonator,saml-admin,uar-certifier,uar-campaign-manager,cs-id-verifier tags: - Identity Management - Groups - Persons summary: Get groups for a person description: Retrieve the list of groups the specified person belongs to responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonGroupsResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" put: operationId: PutPersonsPersonIdGroups x-rbac-enabled: true x-rbac-allowed-groups: admin x-manager-rbac-allowed-groups: admin tags: - Identity Management - Groups - Persons summary: Set the groups for a person description: | Add the person to the groups specified in the request body, and remove the person from any other existing groups. All groups in the request body must already exist. Duplicate groups in the request body will be ignored. If an empty list is supplied in the request body, the person will be removed from all groups they are currently a member of, and will not be added to any others. New groups can be created with the [POST /groups](/docs/api/post-groups) endpoint. requestBody: content: application/json: schema: $ref: "#/components/schemas/PutPersonGroupsReq" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonGroupsResponse" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/permissions": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetPersonsPersonIdPermissions x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - RBAC - Persons summary: Get permissions for a person description: Retrieve the list of permissions granted to the specified person. It contains both assigned permissions and permissions from roles. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonPermissionsResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/persons/{person_id}/additional-permissions": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetPersonsPersonIdAdditionalPermissions x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - RBAC - Persons summary: Get additional permissions for a person description: Retrieve the list of additional permissions assigned to person. This endpoint doesn't return permissions from roles. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonPermissionsResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" put: operationId: PutPersonsPersonIdPermissions x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - RBAC - Persons summary: Set the permissions for a person description: | Grant the person the permissions specified in the request body, and revoke the person any other existing permissions. All permissions in the request body must already exist. Duplicate permissions in the request body will be ignored. If an empty list is supplied in the request body, the person will be revoked all permissions they currently have. parameters: - $ref: "#/components/parameters/IfMatchHeader" - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PutPersonPermissionsRequest" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "412": $ref: "#/components/responses/PreconditionFailed" "/persons/{person_id}/roles": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetPersonsPersonIdRoles x-rbac-enabled: true x-rbac-allowed-groups: admin,member x-manager-rbac-allowed-groups: admin,member tags: - Identity Management - RBAC - Persons summary: Get roles for a person description: Retrieve the list of roles granted to the specified person responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonRolesResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" put: operationId: PutPersonsPersonIdRoles x-rbac-enabled: true x-rbac-allowed-groups: admin x-manager-rbac-allowed-groups: admin tags: - Identity Management - RBAC - Persons summary: Set the roles for a person description: | Grant the person the roles specified in the request body, and revoke the person any other existing roles. All roles in the request body must already exist. Duplicate roles in the request body will be ignored. If an empty list is supplied in the request body, the person will be revoked all roles they currently have. parameters: - $ref: "#/components/parameters/IfMatchHeader" - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PutPersonRolesRequest" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "412": $ref: "#/components/responses/PreconditionFailed" "/persons/{person_id}/organizations": parameters: - $ref: "#/components/parameters/PersonIDPathParam" - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetPersonsPersonIdOrganizations x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Persons - Organizations summary: Retrieve the list of person's organizations description: | Retrieve details of all the organizations a person belongs to, including: - The organization of the request: the person must be a member of the organization you authenticate with for you to be allowed to retrieve this list - Any sub- and super-organizations that share the person pool with the organization of the request: A hierarchy of organizations can be created using [this API endpoint](/docs/api/post-organizations-suborganizations). When organizations are configured to share a person pool, if the same person registers with multiple organizations in the pool using the same handle, all organizations will see the same person ID for that person. parameters: - $ref: "#/components/parameters/GetPersonsPersonIdOrganizationsFilterQueryParam" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GetPersonOrganizationsResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" /persons: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostPersons x-rbac-enabled: true x-rbac-allowed-groups: admin x-manager-rbac-allowed-groups: admin tags: - Identity Management - Persons summary: Create new person description: | Create a new person linked to your organization. The request must contain at least one handle for the person (email address, phone number, or username). Optionally, you can specify a list of roles, a geographical region and attributes. Attributes are a map from attribute bucket names to key-value pairs. If a person with the specified handles already exists, an error will be returned. If the region is not specified, the person will be created in the region closest to the region of your backend. If you explicitly specify the region and a person with the provided handle already exists in a different region, this endpoint will return an error. A person's region association is eventually consistent between regions. Because of that, creating a person between regions within the time frame of data replication can result in a person being created in multiple regions. You can learn more on the [Cross-region replication model](/docs/access/concepts/replication) page. requestBody: description: The person creation request content: application/json: schema: $ref: "#/components/schemas/PersonCreateReq" required: true responses: "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonsPostResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "402": $ref: "#/components/responses/PaymentRequired" "404": $ref: "#/components/responses/NotFound" "409": $ref: "#/components/responses/Conflict" put: operationId: PutPersons x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Persons summary: Create or update a person (idempotent) description: | This endpoint works as the [`POST /persons`](/docs/api/post-persons) endpoint, except that it is idempotent. If the person already exists, it will be updated with the new data and 200 status code will be returned. requestBody: description: The person creation request content: application/json: schema: $ref: "#/components/schemas/PersonCreateReq" required: true responses: "200": description: OK - person already exists and was updated content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonsPutResponse" required: - result "201": description: Created - person was created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonsPutResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "402": $ref: "#/components/responses/PaymentRequired" "404": $ref: "#/components/responses/NotFound" get: operationId: GetPersons x-rbac-enabled: true x-rbac-allowed-groups: admin,member,impersonator x-manager-rbac-allowed-groups: admin,member,impersonator tags: - Identity Management - Persons - RBAC summary: Retrieve a list of persons description: Retrieve the full list of persons in your organization. parameters: - $ref: "#/components/parameters/HandleQueryParam" - $ref: "#/components/parameters/PersonsFilterQueryParam" - $ref: "#/components/parameters/LimitQueryParam" - $ref: "#/components/parameters/OffsetQueryParam" - $ref: "#/components/parameters/PersonIDsQueryParam" - $ref: "#/components/parameters/PersonFieldsQueryParam" - in: query name: all_regions schema: type: boolean default: true description: If true, users from all regions will be returned. Defaults to true. - in: query name: all_person_types schema: type: boolean default: false description: If true, also returns non-regular users. Defaults to false. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/PersonRet" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /persons/bulk-import: get: operationId: GetPersonsBulkImport x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Persons Bulk Import summary: Fetch the import CSV template parameters: - $ref: "#/components/parameters/OrgIDHeader" responses: "200": description: OK content: text/csv: schema: type: string headers: Content-Disposition: schema: type: string "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" post: operationId: PostPersonsBulkImport x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Persons Bulk Import summary: Bulk import persons description: |- Bulk import persons into your organization by uploading a CSV file. The import will take the following CSV column headers into consideration: "slashid:emails","slashid:phone_numbers","slashid:usernames","slashid:region","slashid:groups","slashid:attributes" Each row in the CSV must contain at least one handle for the person (email address, phone number, or a username). Optionally, you can specify a list of roles, a geographical region and attributes. Attributes are a JSON-encoded map from attribute bucket names to key-value pairs. Email addresses, phone numbers, and usernames must be comma-separated. parameters: - $ref: "#/components/parameters/OrgIDHeader" requestBody: content: multipart/form-data: schema: $ref: "#/components/schemas/PersonsBulkImportRequest" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PersonsBulkImportResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "402": $ref: "#/components/responses/PaymentRequired" /groups: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostGroups x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Groups summary: Create a group description: | This endpoint creates a new persons group with the given name. If the group exists already, no action will be taken. The group name must be unique within your organization; is case-sensitive; and must conform to the following: - must be at least 2 characters long - may be at most 100 characters long - may contain only the characters `A-Z a-z 0-9 - _ .` - must start and end with an alphanumeric character (`A-Z a-z 0-9`) A person can be added to a group through the [`POST /persons/:person_id/groups`](/docs/api/put-persons-person-id-groups) endpoint. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PostGroupReq" required: true responses: "201": description: The group was successfully created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "402": $ref: "#/components/responses/PaymentRequired" get: operationId: GetGroups x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Groups summary: Get a list of groups description: List the names of all groups that exist for your organization responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/ListGroupsResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/groups/{group_name}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/GroupNamePathParam" get: operationId: GetGroupsGroupName x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Groups summary: Get a group description: Get the named group responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GetGroupResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteGroupsGroupName x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Groups summary: Delete a group description: Remove all persons from a group and permanently delete the group. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/groups/{group_name}/persons": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/GroupNamePathParam" post: operationId: PostGroupsGroupNamePersons x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Groups - Persons summary: Add persons to a group description: | This endpoint adds one or more persons to an existing group. The group and all of the persons must exist. The persons to be added to the group must always be an array in the request body, even if only one user is being added. All persons needs to be in the same region. A new group can be created with the [POST /groups](/docs/api/post-groups) endpoint. requestBody: content: application/json: schema: $ref: "#/components/schemas/PostGroupPersonsReq" required: true responses: "201": description: The persons were successfully added to the group content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" get: operationId: GetGroupsGroupNamePersons x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Groups - Persons summary: List the persons in a group description: Lists all the persons in the named group. Returns an array of person IDs. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: type: string required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/groups/{group_name}/persons/{person_id}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/GroupNamePathParam" - $ref: "#/components/parameters/PersonIDPathParam" delete: operationId: DeleteGroupsGroupNamePersonsPersonId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Groups - Persons summary: Delete a person from a group description: | Removes the identified person from the named group. Returns an error if the person is not in the group. responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /rbac/permissions: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostRBACPermissions x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - RBAC summary: Create a permission description: | This endpoint creates a new permission with the given name. If the permission exists already, no action will be taken. A person can be assigned a permission through the [`POST /persons/:person_id/permissions`](/docs/api/put-persons-person-id-permissions) endpoint. Sub-organization can create permissions only when [`inherit_rbac_pools` is disabled](/docs/api/post-organizations-suborganizations). If `inherit_rbac_pools` is enabled, the permissions from the root organization will be inherited. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PostPermissionRequest" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "402": $ref: "#/components/responses/PaymentRequired" "409": $ref: "#/components/responses/Conflict" get: operationId: GetRBACPermissions x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - RBAC summary: Get a list of permissions description: List the names of all permissions that exist for your organization responses: "200": description: OK headers: ETagHeader: $ref: "#/components/headers/ETagHeader" content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/ListPermissionsResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "/rbac/permissions/{permission_name}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/PermissionsNamePathParam" get: operationId: GetRBACPermissionsPermissionName x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - RBAC summary: Get a permission description: Get the named permission responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GetPermissionResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchRBACPermissionsPermissionName x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - RBAC summary: Update a permission parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" - $ref: "#/components/parameters/IfMatchHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PatchPermissionRequest" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteRBACPermissionsPermissionName x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - RBAC summary: Delete a permission description: | Remove a permission and revoke it for all users. A permission cannot be deleted as long as it's included in a role. Sub-organization can delete roles only when [`inherit_rbac_pools` is disabled](/docs/api/post-organizations-suborganizations). parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /rbac/roles: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostRBACRoles x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - RBAC summary: Create a role description: | This endpoint creates a new role with the given name. If the Role exists already, no action will be taken. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PostRoleRequest" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "402": $ref: "#/components/responses/PaymentRequired" "409": $ref: "#/components/responses/Conflict" get: operationId: GetRBACRoles x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - RBAC summary: Get a list of roles description: List the names of all roles that exist for your organization responses: "200": description: OK headers: ETagHeader: $ref: "#/components/headers/ETagHeader" content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/ListRolesResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "/rbac/roles/{role_name}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/RolesNamePathParam" get: operationId: GetRBACRolesRoleName x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - RBAC summary: Get a role description: Get the named role responses: "200": description: OK headers: ETagHeader: $ref: "#/components/headers/ETagHeader" content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GetRoleResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchRBACRolesRoleName x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - RBAC summary: Update a role description: Update an existing role. parameters: - $ref: "#/components/parameters/IfMatchHeader" - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PatchRoleRequest" required: true responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "402": $ref: "#/components/responses/PaymentRequired" "412": $ref: "#/components/responses/PreconditionFailed" delete: operationId: DeleteRBACRolesRoleName x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - RBAC summary: Delete a role description: Remove a role and revoke it for all users. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /rbac/check: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostRBACCheck tags: - Identity Management - RBAC summary: Check whether a person has a permission description: Check whether the given person has the given permission. The service automatically takes into account permissions included in granted roles as well as permissions granted individually. requestBody: content: application/json: schema: $ref: "#/components/schemas/PostRBACCheckRequest" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PostRBACCheckResp" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /organizations/config/external-credentials: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsConfigExternalCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organization External Credentials summary: List available external credentials description: | Lists the all available external credentials for third party services. The call doesn't return any key material, credential IDs can be used to retrieve the credential. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/ExternalCredential" "400": $ref: "#/components/responses/BadRequest" post: operationId: PostOrganizationsConfigExternalCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization External Credentials summary: Create a new set of external credentials description: | Create a new set of credentials for your organization to use with third party services. Includes a provider name and a content whose body is a key value pair of the data needed to authenticate with the third party service - currently only API Key, API ID/API Key, Client Credentials, Access Token and username/password combinations are supported. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/ExternalCredentialPostRequest" responses: "201": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: type: string required: - result "400": $ref: "#/components/responses/BadRequest" delete: operationId: DeleteOrganizationsConfigExternalCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization External Credentials summary: Remove an external credential by id description: | Remove the specified external credential by id or delete all external credentials. If a credential id is specified, it takes precedence over the deleteAll parameter, so a request with a credentialId specified and deleteAll=true will delete only the specified credential from the list of external credentials. If the specified credential id does not exist in the list of allowed origin credentials, no action will be taken, and a 200 status code will be returned. parameters: - name: credentialId in: query description: The id of the credential to delete required: true schema: type: string - name: deleteAll in: query description: Whether to delete all credentials required: false schema: type: boolean - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/organizations/config/external-credentials/{cred_id}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - in: path name: cred_id schema: type: string required: true description: ID of the credential to retrieve, modify or delete get: operationId: GetOrganizationsConfigExternalCredentialsCredId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization External Credentials summary: Get the specified credential description: | Returns the credential specified by the ID. The returned object contains the name of the provider, the credential type and an object which contains the credential material necessary to access a third-party provider (API Key, API ID/API Key, Client Credentials, Access Token and username/password) responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/ExternalCredential" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchOrganizationsConfigExternalCredentialsCredId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization External Credentials summary: Modify the selected credential description: |- Set the content of the selected credential to be the request body. If the content or name for this credential had previously been created for your organization, it will be overwritten and cannot be retrieved. Otherwise, the new content will be set. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: description: The new content of the selected credential content: application/json: schema: $ref: "#/components/schemas/PatchExternalCredentialRequest" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /organizations/config/templates: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsConfigTemplates x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organization Email Templates summary: List available templates description: |- Lists the names of all available templates for communicating with users. Template names can be used to retrieve the template body for your organization. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/TemplateName" "/organizations/config/templates/{template_name}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - in: path name: template_name schema: $ref: "#/components/schemas/TemplateName" required: true description: Name of the template to retrieve or modify get: operationId: GetOrganizationsConfigTemplatesTemplateName x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organization Email Templates summary: Get the named template description: |- Retrieves the message template named in the path. If a custom template was previously created, it will be returned. Otherwise the default template is returned Likewise, any template fields were left empty during creation will be set to their default values. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/MessageTemplate" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" put: operationId: PutOrganizationsConfigTemplatesTemplateName x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Email Templates summary: Modify the named template description: |- Sets the named message template for your organization. If a template already exists it will be overwritten and cannot be retrieved. The following templates are available for customization: - `email_authn_challenge`: E-mail template with magic link; - `text_authn_challenge`: SMS template with magic link; - `text_otp_message`: SMS template with OTP code; - `email_password_reset_challenge`: E-mail template with a password reset link; - `text_password_reset_challenge`: SMS template with a password reset link. All templates must conform to the [mustache template syntax](https://mustache.github.io/mustache.5.html). The following tags are available: - `{{attestation_url}}`: Magic link URL (at least one of `attestation_url` and `attestation_query_string` are required on `email_authn_challenge` and `text_authn_challenge`) - `{{attestation_query_string}}`: Magic link URL query string (at least one of `attestation_query_string` and `attestation_url` are required on `email_authn_challenge` and `text_authn_challenge`) - `{{password_reset_url}}`: Password reset URL (required on `email_password_reset_challenge` and `text_password_reset_challenge`) - `{{otp_code}}`: OTP code (Required on `text_otp_message`) - `{{org_name}}`: Organization name (Optional) - `{{new_user}}`: `true` for new signups, false for returning users (Optional) Constraints: - Email templates: - Sender name must be at most 128B in size - Subject must be at most 128B in size - Body must be HTML and at most 50KB in size. - SMS: - Body must be at most 140 bytes in size. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: description: The new content of the named template content: application/json: schema: $ref: "#/components/schemas/MessageTemplate" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" /organizations/config/domains: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsConfigDomains x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organization Allowed Domains summary: List the allowed domains description: Returns a list of the allowed origin domains for your organization. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: type: string "400": $ref: "#/components/responses/BadRequest" delete: operationId: DeleteOrganizationsConfigDomains x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Allowed Domains summary: Remove allowed domains description: | Remove the specified domain from the list of allowed origin domains, or delete all domains. origin domains. If the specified domain does not exist in the list of allowed origin domains, no action will be taken, and a 200 status code will be returned. If both domain and deleteAll query parameters are specified, API will return 400 (Bad Request) status code. parameters: - name: domain in: query description: The name of the domain to delete required: false schema: type: string - name: deleteAll in: query description: Whether to delete all domains required: false schema: type: boolean - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" post: operationId: PostOrganizationsConfigDomains x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Allowed Domains summary: Add allowed domains description: |- Add the specified domain patterns to the list of allowed origin domains, or overwrite the existing list. Domains may be specified exactly, or as patterns using asterisk wildcards '*'. The '*' wildcard will match zero or more characters. If a pattern is used, any origin domain matching the pattern will be treated as an allowed domain. Otherwise, the origin domain must match the allowed domain exactly. Matching is case-insensitive. For example, to specify that domain 'xyz.com' and all of its subdomains are allowed, use ['xyz.com', '*.xyz.com']. This would allow requests with origins 'xyz.com', 'a.xyz.com', 'b.c.xyz.com', and so on (but would not allow requests from 'xyz.net'). If overwrite is set to true, all existing allowed domains/patterns will be removed and replaced with the provided list. If overwrite is set to false, the provided list of domain patterns will be appended to the existing list of allowed origin domains. Adding a domain pattern that already exists in the list of allowed origin domains will have no effect. parameters: - name: overwrite in: query description: If true, the current list of domains will be replaced with the provided list required: false schema: type: boolean - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/OrganizationDomainsPatchRequest" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "402": $ref: "#/components/responses/PaymentRequired" "404": $ref: "#/components/responses/NotFound" "408": $ref: "#/components/responses/Timeout" /organizations/config/token-template: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsConfigTokenTemplate x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organization Token Template summary: Get the organization's token template description: |- Retrieves the token template for the given organization. If a custom token template was previously created, it will be returned. Otherwise the default template is returned. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/TokenTemplate" required: - result "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" put: operationId: PutOrganizationsConfigTokenTemplate x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Token Template - RBAC parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" summary: Modify the organization's token template description: | Sets the token template for your organization. If a template already exists it will be overwritten and cannot be retrieved. The template must conform to the [mustache template syntax](https://mustache.github.io/mustache.5.html). The following tags are available: - `{{ organization }}`: provides information on the organization. Renders to ```json { "id": "00000000-0000-0000-0000-000000000000", "name": "Your Org Name", "ancestors": [ { "id": "00000000-0000-0000-0000-111111111111", "name": "Parent Name" }, ... ] } ``` The following sub-tags are available: - `{{ organization.id }}`: the ID of the organization. Renders to `00000000-0000-0000-0000-000000000000` - `{{ organization.name }}`: the name of the organization. Renders to `Your Org Name` - `{{ organization.ancestors }}`: the list of ancestor organizations, starting from the parent up to the root. Renders to ```json [{"id": "00000000-0000-0000-0000-111111111111", "name": "Parent Name"}, ...] ``` - `{{ person.permissions }}`: provides information on the person's permissions (additional and from roles). Renders to ```json [ "permission1", "permission2" ] ``` requestBody: description: The new content of the token template content: application/json: schema: $ref: "#/components/schemas/TokenTemplate" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "408": $ref: "#/components/responses/Timeout" /organizations/sso/oidc/provider-credentials: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsSsoOidcProviderCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin,member x-manager-rbac-allowed-groups: admin,member tags: - Identity Management - Organization SSO config summary: List OIDC credentials for SSO description: | Returns a list of existing OIDC provider credentials for SSO for your organization. Optionally, a provider can be specified to return only credentials for that provider. parameters: - $ref: "#/components/parameters/OAuthProviderQueryParam" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/OAuthCredentialGetResponse" required: - result "400": $ref: "#/components/responses/BadRequest" post: operationId: PostOrganizationsSsoOidcProviderCredentials x-rbac-enabled: true x-rbac-allowed-groups: admin x-manager-rbac-allowed-groups: admin tags: - Identity Management - Organization SSO config summary: Create a new set of OIDC provider credentials for SSO description: | Create a new set of OIDC provider credentials for your organization to use with SSO. Includes a client ID, client secret, and the name of the provider. The client ID and client secret should be generated separately using the third-party identity provider you wish to integrate with (such as Google). Not all identity providers are currently supported. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/OAuthCredentialPostRequest" responses: "201": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "/organizations/sso/oidc/provider-credentials/{oauth_client_id}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/OAuthClientIDPathParam" get: operationId: GetOrganizationsSsoOidcProviderCredentialsOauthClientId x-rbac-enabled: true x-rbac-allowed-groups: admin,member x-manager-rbac-allowed-groups: admin,member tags: - Identity Management - Organization SSO config summary: Get an existing set of OIDC provider credentials for SSO description: | Returns an existing set of OIDC provider for SSO, specified by the client ID. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/OAuthCredentialGetResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteOrganizationsSsoOidcProviderCredentialsOauthClientId x-rbac-enabled: true x-rbac-allowed-groups: admin x-manager-rbac-allowed-groups: admin tags: - Identity Management - Organization SSO config summary: Delete an existing set of OIDC provider credentials for SSO description: | Deletes an existing set of OIDC provider credentials for SSO, specified by the client ID. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchOrganizationsSsoOidcProviderCredentialsOauthClientId x-rbac-enabled: true x-rbac-allowed-groups: admin x-manager-rbac-allowed-groups: admin tags: - Identity Management - Organization SSO config summary: Modify an existing set of OIDC provider credentials for SSO description: Modifies the client secret and/or label of an existing set of OIDC provider credentials for SSO, specified by the client ID. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/OAuthCredentialPatchRequest" responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /organizations: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizations x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organizations summary: Retrieve information about an organization description: | Retrieve information about which other organizations the given shares persons and groups with. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/OrganizationResponse" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteOrganizations x-rbac-enabled: false tags: - Identity Management - Organizations summary: Delete an organization description: | Delete a non-root, leaf organization, including all its persons memberships and their groups memberships and attributes. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" - $ref: "#/components/parameters/DeleteSuborganizationOptionalQueryParam" - $ref: "#/components/parameters/ConfirmationTimestampQueryParam" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "409": $ref: "#/components/responses/Conflict" /organizations/attributes: patch: operationId: PatchOrganizationsAttributes x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Create or modify attributes for the organization in multiple buckets description: | Create new attributes or modify existing attributes for the organization in one or more attribute buckets. The request body should be a nested object, with bucket names as top-level keys, and key-value pair attributes as values, as shown in the example request body. The buckets must exist and must be accessible by the organization identified in the request header. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Any existing attribute that isn't referenced by key in the request is left untouched. tags: - Identity Management - Organization Attributes parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PatchBucketedAttributesReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" put: operationId: PutOrganizationsAttributes x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Create or modify attributes for the organization in multiple buckets description: | Create new attributes or modify existing attributes for the organization in one or more attribute buckets. The request body should be a nested object, with bucket names as top-level keys, and key-value pair attributes as values, as shown in the example request body. The buckets must exist and must be accessible by the organization identified in the request header. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Replaces the set of existing attributes with those present in the request. In other words, it deletes any existing attributes that aren't referenced by key in the request. tags: - Identity Management - Organization Attributes parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PutBucketedAttributesReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" get: operationId: GetOrganizationsAttributes x-rbac-enabled: true x-rbac-allowed-groups: admin,member summary: Retrieve attributes for the organization from multiple buckets description: | Retrieve attributes for the organization from one or more buckets. If no buckets are specified, attributes from all buckets will be retrieved. Bucket names can be specified as a comma-separated list in the `buckets` query parameter. All buckets specified must exist, and the organization specified in the header must be able to access them. Empty bucket names are not permitted. tags: - Identity Management - Organization Attributes parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketsQueryParam" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GetBucketedAttributesResp" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" "/organizations/attributes/{bucket_name}": patch: operationId: PatchOrganizationsAttributesBucketName x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Create or modify attributes for the organization in a single bucket description: | Create new attributes or modify existing attributes for the organization in a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. The request body should be an object consisting of key-value pair attributes. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Any existing attribute that isn't referenced by key in the request is left untouched. tags: - Identity Management - Organization Attributes parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketNamePathParam" - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PatchAttributesReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" put: operationId: PutOrganizationsAttributesBucketName x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Create or modify attributes for the organization in a single bucket description: | Create new attributes or modify existing attributes for the organization in a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. The request body should be an object consisting of key-value pair attributes. Attribute names may be at most 70 bytes long. Attribute values must be JSON-serializable and are limited to 64KiB. Replaces the set of existing attributes with those present in the request. In other words, it deletes any existing attributes that aren't referenced by key in the request. tags: - Identity Management - Organization Attributes parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketNamePathParam" - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/PutAttributesReq" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" get: operationId: GetOrganizationsAttributesBucketName x-rbac-enabled: true x-rbac-allowed-groups: admin,member summary: Retrieve attributes for the organization from a single bucket description: | Retrieve attributes for the organization from a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. If no attribute names are specified, all attributes in the bucket will be retrieved. Attribute names can be provided as a comma-separated list in the `attributes` query parameter. Empty attribute names are not permitted. tags: - Identity Management - Organization Attributes parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketNamePathParam" required: true - $ref: "#/components/parameters/AttributeNamesQueryParam" required: true responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/GetAttributesResp" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteOrganizationsAttributesBucketName x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Delete attributes for the organization from a single bucket description: | Delete attributes for the organization from a single attribute bucket. The bucket must exist and must be accessible by the organization identified in the request header. Attribute names can be provided as a comma-separated list in the `attributes` query parameter. Empty attribute names are not permitted. If no attribute names are specified, all attributes in the bucket will be deleted. WARNING: this action is permanent and cannot be undone. tags: - Identity Management - Organization Attributes parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/AttributeBucketNamePathParam" - $ref: "#/components/parameters/AttributeNamesQueryParam" required: true - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "401": $ref: "#/components/responses/Unauthorized" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" /organizations/suborganizations: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsSuborganizations x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organizations summary: List suborganizations description: | Retrieve a list of all descendant organizations. parameters: - $ref: "#/components/parameters/OrganizationsFilterQueryParam" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/OrganizationID" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" post: operationId: PostOrganizationsSuborganizations x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organizations - RBAC summary: Create a suborganization description: | Create a new organization subordinate to your organization. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: false content: application/json: schema: $ref: "#/components/schemas/SuborganizationCreateRequest" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/OrganizationCreateResponse" "402": $ref: "#/components/responses/PaymentRequired" "412": $ref: "#/components/responses/PreconditionFailed" /organizations/api-keys: parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" put: operationId: PutOrganizationsApiKeys x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organizations summary: Generate a new API key for the specified organization description: A new API key is created and returned. The previous API key will no longer be valid after this. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/OrganizationsPutAPIKeyResponse" "400": $ref: "#/components/responses/BadRequest" /organizations/config: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsConfig x-rbac-enabled: true x-rbac-allowed-groups: admin,member,impersonator,saml-admin,uar-certifier,uar-campaign-manager,cs-id-verifier tags: - Identity Management - Organizations summary: Get organization config description: Get the current configuration for your organization responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/OrganizationConfig" required: - result "400": $ref: "#/components/responses/BadRequest" patch: operationId: PatchOrganizationsConfig x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organizations summary: Update organization config description: | Modify the configuration for your organization. The token duration determines the number of seconds a token issued by SlashID will be valid for. If not set, or set to 0, the default duration of 24 hours will be used for all tokens. The groups claim name determines the name of the claim in the token payload where a user's groups are found. If not set, or set to the empty string, the default claim name `groups` will be used for all tokens. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/OrganizationConfigPatchRequest" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /organizations/quota/current-tier: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsQuotaCurrentTier x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organizations summary: Get current pricing tier details. description: This returns the quotas associated with your organization's current pricing tier. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/PricingTierConstraints" required: - result "400": $ref: "#/components/responses/BadRequest" /organizations/quota/all-tiers: get: operationId: GetOrganizationsQuotaAllTiers tags: - Identity Management - Organizations summary: Get details on all pricing tiers. description: This returns the quotas for each available pricing tier. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/PricingTierConstraints" required: - result "400": $ref: "#/components/responses/BadRequest" /organizations/quota/usage: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsQuotaUsage x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organizations summary: Get resource usage for the organization hierarchy. description: This returns the resources used by your organization and its suborganizations. This can be used to evaluate the need for a tier upgrade. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/OrganizationUsageDetails" required: - result "400": $ref: "#/components/responses/BadRequest" /organizations/attribute-buckets: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsAttributeBuckets x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organizations - Person Attributes summary: List organization's attribute buckets description: Get a list of available attribute buckets for your organization responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/AttributeBucket" required: - result "400": $ref: "#/components/responses/BadRequest" /organizations/config/kyc: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsConfigKyc x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organization KYC config summary: Get organization KYC config description: Get the current KYC configuration for your organization responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/OrganizationKYCConfig" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" patch: operationId: PatchOrganizationsConfigKyc x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization KYC config summary: Update KYC organization config description: | Modify the KYC configuration for your organization. The mobile redirect base URL determines where a user will be redirected to when temporarily switching to a mobile device in order to upload/capture document pictures. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/OrganizationKYCConfigPatchRequest" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" /organizations/webhooks: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostOrganizationsWebhooks x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Webhooks summary: Create a new webhook description: | Create a new webhook for your organization. Webhooks will be called in response to triggers, and you can use the `/organizations/webhooks/{webhook_id}/triggers` endpoint to specify which trigger(s) should call each webhook. The request body must contain the target URL for the webhook, and this must be unique for your organization (you cannot have two webhooks with the same target URL). The target URL must use the HTTPS protocol, and must have a host. The host cannot be `localhost` or an IP address. The target URL may have a path element, but may not contain query parameters or fragments. Additionally, you can specify custom headers that will be sent in the HTTP header of each request to your webhook's target URL. These are encrypted when stored, so can be used for sensitive data. You can also choose the webhook's timeout value. This will determine how long your webhook server has to respond to a request before it is considered failed. If you do not set a value, defaults will be used: for synchronous webhook calls, this is 2 seconds; for asynchronous calls, 10 seconds. When choosing a timeout, you should consider how long your webhook will typically need to process a request, and how this may affect user experience (in the case of sychronous webhooks). The value provided should be a string that can be parsed as a [Golang `time.Duration`](https://pkg.go.dev/time#Duration); for example, "10s", "500ms". The timeout may not be more than 20 seconds, and cannot be negative. If you do not set a timeout, when retrieving the webhook you will see a timeout set to 0s, indicating that the defaults will be used when the webhook is called. You may also specify a name and description for the webhook. The response will contain a webhook ID, which uniquely identifies the newly created webhook. This ID can be used to modify or delete the webhook, and to add triggers for it. For more information on using webhooks with SlashID, see our [dedicated guide](/docs/access/guides/webhooks). parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/WebhookPostRequest" responses: "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/WebhookPostResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" get: operationId: GetOrganizationsWebhooks x-rbac-enabled: true x-rbac-allowed-groups: admin,member x-manager-rbac-allowed-groups: admin,member tags: - Identity Management - Organization Webhooks summary: List all webhooks description: Retrieve a list of all webhooks for your organization. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/Webhook" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/organizations/webhooks/{webhook_id}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/WebhookIDPathParam" get: operationId: GetOrganizationsWebhooksWebhookId x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organization Webhooks summary: Get a webhook description: Retrieve information about a specific webhook, identified by its ID. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/Webhook" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchOrganizationsWebhooksWebhookId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Webhooks summary: Update a webhook description: | Update an existing webhook, identified by its ID. This endpoint can be used to modify the target URL, custom headers, name, or description of the webhook. Note that the target URL cannot be changed to a URL already in use by another webhook for your organization. Modifying the custom headers will overwrite any existing custom headers for this webhook. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/WebhookPatchRequest" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/WebhookPatchResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteOrganizationsWebhooksWebhookId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Webhooks summary: Delete a webhook description: | Delete the specified webhook. This will also delete all triggers associated with this webhook. This action cannot be undone. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/organizations/webhooks/{webhook_id}/triggers": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/WebhookIDPathParam" get: operationId: GetOrganizationsWebhooksWebhookIdTriggers x-rbac-enabled: true x-rbac-allowed-groups: admin,member x-manager-rbac-allowed-groups: admin,member tags: - Identity Management - Organization Webhooks summary: List webhook triggers description: List all the triggers for a specific webhook. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/WebhookTrigger" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" post: operationId: PostOrganizationsWebhooksWebhookIdTriggers x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Webhooks summary: Create a webhook trigger description: | Create a new trigger for an existing webhook. Each webhook can have multiple triggers, and will be called on each of them. The trigger type specifies what kind of trigger will cause the webhook to be called. The trigger name specifies the exact trigger that will cause the webhook to be called, amongst all triggers of this type. For a full list of trigger types and names, refer to our [webhooks guide](/docs/access/guides/webhooks). parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/WebhookTriggerPostRequest" responses: "201": description: Created content: application/json: schema: $ref: "#/components/schemas/APIResponseBase" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteOrganizationsWebhooksWebhookIdTriggers x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - Organization Webhooks summary: Delete a webhook trigger description: | Delete a trigger for a specific webhook. The webhook will no longer be called on this trigger. Note that for a short period after the delete request has successfully returned, triggers in flight may still cause the webhook to be called. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" - $ref: "#/components/parameters/WebhookTriggerTypeQueryParam" - $ref: "#/components/parameters/WebhookTriggerNameQueryParam" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /organizations/webhooks/verification-jwks: parameters: - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetOrganizationsWebhooksVerificationJwks x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - Organization Webhooks summary: Retrieve verification JWKS for webhooks description: | Endpoint to retrieve a JSON Web Key Set (JWKS) for webhook body verification. When SlashID calls your webhooks in response to a trigger, the body of the request is a signed and encoded JSON Web Token (JWT). The public part of the signing key can be retrieved from this endpoint and used to verify that the request body comes from SlashID, is intended for your webhook, and has not been modified. SlashID uses the ES256 JSON Web Algorithm (JWA), which is the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and SHA256. Support for JWTs and JWKS is available for many languages - [jwt.io](https://jwt.io/libraries) maintains an extensive (but not exhaustive) list of libraries for popular languages. Note that this endpoint is rate-limited to 30 requests per minute per organization, with bursts of 60. It is therefore recommended that you cache the keyset locally in your webhook handlers. responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/JWKS" /oauth2/clients: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostOauth2Clients x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - OAuth2 summary: Create a new OAuth2 client description: |- Create a new client ID/secret pair that can be used with the client credentials grant type. A valid SlashID organization ID and API key must be used to authenticate and authorize the request. The client credentials can be configured. SlashID currently supports the following OAuth 2.0 grants: - client credentials - authorization code - refresh token The `grant_types` field may contain only the values `client_credentials` and `authorization_code`. Other values will return a `400` error code. The client credentials grant requires a client secret, and so all clients allowing that grant should be regarded as confidential, as defined in the OAuth 2.0 specification (https://oauth.net/2/client-types/). The response body will include the client ID and client secret. For the client credentials grant, these can be used with the `/oauth2/tokens` endpoints to obtain an access token. For the authorization code grant, these can be used as described in the [OAuth 2.0 specification](https://datatracker.ietf.org/doc/html/rfc6749). The client secret must be stored securely, and cannot be retrieved in subsequent API calls. If you lose the client secret, a new secret can be generated using the `PUT /oauth2/clients/{oauth_client_id}/secret` endpoint. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PostOAuth2ClientRequest" responses: "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object required: - result properties: result: $ref: "#/components/schemas/OAuth2ClientWithSecret" "400": $ref: "#/components/responses/BadRequest" get: operationId: GetOauth2Clients x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - OAuth2 summary: Retrieve a list of OAuth2 clients description: | Retrieve a list of existing OAuth 2.0 clients for your organization. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object required: - result properties: result: type: array items: $ref: "#/components/schemas/OAuth2Client" "400": $ref: "#/components/responses/BadRequest" "/oauth2/clients/{oauth_client_id}": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/OAuthClientIDPathParam" get: operationId: GetOauth2ClientsOauthClientId x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Identity Management - OAuth2 summary: Retrieve an OAuth2 client description: | Get details on the identified client. Authenticated with a SlashID organization ID and API key; the organization ID must match or be a parent of the client owner. responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object required: - result properties: result: $ref: "#/components/schemas/OAuth2Client" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteOauth2ClientsOauthClientId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - OAuth2 summary: Delete an existing OAuth2 client description: | Delete the identified client. Authenticated with a SlashID organization ID and API key; the organization ID must match or be a parent of the client owner. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "204": $ref: "#/components/responses/NoContent" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchOauth2ClientsOauthClientId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - OAuth2 summary: Modify an existing OAuth2 client description: | Update the identified client. Authenticated with a SlashID organization ID and API key; the organization ID must match or be a parent of the client owner. SlashID currently only supported a subset of OAuth clients, therefore we enforce that grant_types must be ["client_credentials"]. Setting this field to any other value will result in an error response with a `400` status code. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/PatchOAuth2ClientRequest" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object required: - result properties: result: $ref: "#/components/schemas/OAuth2Client" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" "/oauth2/clients/{oauth_client_id}/secret": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/OAuthClientIDPathParam" put: operationId: PutOauth2ClientsOauthClientIdSecret x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Identity Management - OAuth2 summary: Generate a new client secret description: | A new client secret is created and returned. The previous secret will no longer be valid after this. parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object required: - result properties: result: $ref: "#/components/schemas/OAuth2ClientSecretResponse" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" "/oauth2/clients/{oauth_client_id}/ui-configuration": parameters: - $ref: "#/components/parameters/OrgIDHeader" - $ref: "#/components/parameters/OAuthClientIDPathParam" get: operationId: GetOauth2UiConfiguration x-rbac-enabled: true x-rbac-allowed-groups: admin,member summary: Retrieve the configuration for the hosted UI description: | The configuration is used to theme the hosted UI. tags: - Identity Management - OAuth2 responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object required: - result properties: result: $ref: "#/components/schemas/OAuthClientUIConfigurationGetResponse" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" put: operationId: PutOauth2UiConfiguration x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Modify the configuration for the hosted UI description: | The configuration is used to theme the hosted UI. tags: - Identity Management - OAuth2 parameters: - $ref: "#/components/parameters/RequiredConsistencyHeader" - $ref: "#/components/parameters/RequiredConsistencyTimeoutHeader" requestBody: content: application/json: schema: $ref: "#/components/schemas/OAuthClientUIConfigurationPutRequest" responses: "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object required: - result properties: result: $ref: "#/components/schemas/OAuthClientUIConfigurationPutResponse" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" /oauth2/authorize: get: operationId: GetOauth2Authorize summary: Request an authorization code description: | Used to initiate an authorization code flow. SlashID is an OAuth 2.0 and OpenID Connect 1.0 provider. tags: - Identity Management - OAuth2 parameters: - $ref: "#/components/parameters/ScopeQueryParam" - $ref: "#/components/parameters/ResponseTypeQueryParam" - $ref: "#/components/parameters/ClientIDQueryParam" - $ref: "#/components/parameters/RedirectURIQueryParam" - $ref: "#/components/parameters/StateQueryParam" - $ref: "#/components/parameters/CodeChallengeQueryParam" - $ref: "#/components/parameters/CodeChallengeMethodQueryParam" - $ref: "#/components/parameters/ResponseModeQueryParam" - $ref: "#/components/parameters/NonceQueryParam" - $ref: "#/components/parameters/DisplayQueryParam" - $ref: "#/components/parameters/PromptQueryParam" - $ref: "#/components/parameters/MaxAgeQueryParam" - $ref: "#/components/parameters/UILocalesQueryParam" - $ref: "#/components/parameters/LoginHintQueryParam" - $ref: "#/components/parameters/ACRValuesQueryParam" - $ref: "#/components/parameters/HandleTypesQueryParam" responses: "200": description: OK content: text/html: schema: type: string "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" /oauth2/tokens: post: operationId: PostOauth2Tokens tags: - Identity Management - OAuth2 security: - OAuth2ClientIdSecret: [] summary: Obtain an access token description: | Obtain a new OAuth 2.0 access token using an OAuth 2.0 client ID/secret pair. requestBody: content: application/x-www-form-urlencoded: schema: $ref: "#/components/schemas/PostOAuth2TokenRequest" responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/PostOAuth2TokenResponse" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" /oauth2/tokens/revoke: post: operationId: PostOauth2TokensRevoke tags: - Identity Management - OAuth2 security: - OAuth2ClientIdSecret: [] summary: Revoke a token description: | Revoke an OAuth 2.0 token using an OAuth 2.0 client ID/secret pair. requestBody: content: application/x-www-form-urlencoded: schema: $ref: "#/components/schemas/RevokeOAuth2TokenRequest" responses: "200": $ref: "#/components/responses/OK" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" /oauth2/tokens/revoke-all: post: operationId: PostOauth2TokensRevokeAll tags: - Identity Management - OAuth2 security: - OAuth2ClientIdSecret: [] summary: Revoke tokens description: | Revoke OAuth 2.0 tokens using an OAuth 2.0 client ID/secret pair. requestBody: content: application/x-www-form-urlencoded: schema: $ref: "#/components/schemas/RevokeAllOAuth2TokensRequest" responses: "200": $ref: "#/components/responses/OK" "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" /oauth2/tokens/introspect: post: operationId: PostOauth2TokensIntrospect tags: - Identity Management - OAuth2 security: - OAuth2ClientIdSecret: [] summary: Introspect an access token description: | Introspect an OAuth 2.0 access or refresh token using an OAuth 2.0 client ID/secret pair. Note: there is a know issue for this endpoint, whereby the expiry for refresh tokens in the response is incorrect. However, expired refresh tokens will still return a response with `active: false`. requestBody: content: application/x-www-form-urlencoded: schema: $ref: "#/components/schemas/IntrospectOAuth2TokenRequest" responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/IntrospectOAuth2TokenResponse" "400": $ref: "#/components/responses/BadRequest" /oauth2/tokens/mint: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostOauth2TokensMint tags: - Identity Management - OAuth2 security: - ApiKeyAuth: [] summary: Mint OAuth 2.0 & OIDC tokens description: | This endpoint creates a set of OAuth 2.0 tokens for a specific user. To generate a refresh token request scope `offline_access`. To generate an ID token request scope `openid`. Custom claims can be specified in the request body which will be added to the token's payload. Custom claims are added to the token's payload. Tokens created with this endpoint will have an `authenticated_methods` claim equal to ["api"]. The following claims are reserved and cannot be specified: - aud - exp - jti - iat - iss - nbf - sub - prev_token_id - oid - org_id - user_id - person_id - first_token - authenticated_methods - oidc_tokens - user_token - groups - roles - access_token - refresh_token - id - id_token - gdpr - gdpr_consent - gdpr_consent_level - parent_user_id - parent_person_id - parent_org_id - parent_oid - attributes - custom_claims - slashid - slashid.dev - slashid.com - slashid.me - sid With the following request body: ``` { "custom_claims": { "foo": "bar", "baz": {"everything": 42} } } ``` the token in the response will have the following payload: ``` { "authenticated_methods": [ "api" ], "baz": { "everything": 42 }, "exp": , "first_token": false, "foo": "bar", "iat": , "iss": , "jti": , "oid": , "person_id": } ``` requestBody: content: application/json: schema: $ref: "#/components/schemas/MintOAuth2TokensRequest" responses: "200": description: OK content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object required: - result properties: result: $ref: "#/components/schemas/MintOAuth2TokensResponse" "400": $ref: "#/components/responses/BadRequest" /oauth2/userinfo: get: operationId: GetOauth2Userinfo tags: - Identity Management - OAuth2 summary: Retrieve a person's profile description: | Given the SlashID Access Token obtained during signin, this endpoint returns a person's profile. This endpoint will work only if `openid` was granted as a scope for the Access Token. The information included in the response depends on the scopes requested. For example, a scope of just `openid` may return less information than a scope of `openid profile email`. security: - OAuth2AccessTokenBearer: [] responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/UserinfoOAuth2Response" "401": $ref: "#/components/responses/Unauthorized" post: operationId: PostOauth2Userinfo tags: - Identity Management - OAuth2 summary: Retrieve a person's profile description: | Given the SlashID Access Token obtained during signin, this endpoint returns a person's profile. This endpoint will work only if `openid` was granted as a scope for the Access Token. The information included in the response depends on the scopes requested. For example, a scope of just `openid` may return less information than a scope of `openid profile email`. security: - OAuth2AccessTokenBearer: [] responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/UserinfoOAuth2Response" "401": $ref: "#/components/responses/Unauthorized" /test-events: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostTestEvents x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Organization Webhooks summary: Generate events for testing description: | Generate events for testing analytics flows, such as webhooks. This endpoint can be used to create one or more SlashID events. The request body is a list of test event descriptions, including the type of event to generate, the number of events of that type to generate, and whether those events should be duplicates. The contents of the events will be randomly generated, and will have the `is_test_event` flag set to true, so they can be distinguished from real events. Please refer to our [events guide](/docs/access/concepts/events) for a full list of SlashID events and their contents. Note that this endpoint is rate-limited to 10 test events per minute, with a burst of 50. If your tests require a higher rate, please contact us. requestBody: description: The events to be generated content: application/json: schema: $ref: "#/components/schemas/TestEventsPostReq" required: true responses: "201": description: Created content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/TestEventsPostResponse" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /.well-known/openid-configuration: get: operationId: GetWellKnownOpenidConfiguration tags: - OIDC discovery summary: Retrieve OpenID configuration values description: Endpoint to retrieve OpenID configuration values for SlashID in JSON format, as per the [OpenID specification](https://openid.net/specs/openid-connect-discovery-1_0.html) responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/OpenIDConfig" /.well-known/jwks.json: get: operationId: GetWellKnownJwksJson tags: - OIDC discovery summary: Retrieve public key JWKS for user tokens description: Endpoint to retrieve a JSON Web Key Set for JWT validation, as per the [OpenID specification](https://openid.net/specs/openid-connect-discovery-1_0.html) responses: "200": description: OK content: application/json: schema: $ref: "#/components/schemas/JWKS" /workflows: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostWorkflows x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Workflows summary: Create a new workflow description: Creates a new workflow for automated response actions requestBody: description: Workflow creation request required: true content: application/json: schema: $ref: "#/components/schemas/WorkflowCreateRequest" examples: critical_detections_workflow: summary: Workflow for critical detections description: Create a workflow with just name and description. Actions and data input can be added via UPDATE endpoint. value: name: Critical Detection Response description: Automated response workflow for critical severity detections responses: "201": description: Workflow created successfully content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/Workflow" required: - result "400": $ref: "#/components/responses/BadRequest" "409": $ref: "#/components/responses/Conflict" get: operationId: GetWorkflows x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Workflows summary: List workflows description: Retrieve a list of workflows for the organization parameters: - name: status in: query description: Filter by workflow status schema: $ref: "#/components/schemas/WorkflowStatus" - name: limit in: query description: Maximum number of workflows to return schema: type: integer default: 50 minimum: 1 maximum: 100 - name: offset in: query description: Offset for pagination schema: type: integer default: 0 minimum: 0 - name: sort in: query description: | Sort parameter in format "field:order". Valid fields: created_at, updated_at, name. Valid orders: asc, desc. Example: "created_at:desc" (default) schema: type: string example: created_at:desc - name: type in: query description: Filter by workflow data input type schema: $ref: "#/components/schemas/WorkflowDataInputType" responses: "200": description: List of workflows content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: object properties: workflows: type: array items: $ref: "#/components/schemas/Workflow" required: - workflows required: - result "400": $ref: "#/components/responses/BadRequest" "/workflows/{workflow_id}": parameters: - name: workflow_id in: path required: true description: Workflow identifier schema: type: string - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetWorkflowsWorkflowId x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Workflows summary: Get workflow details description: | Retrieve details of a specific workflow. When include_configuration=true, the response also includes the latest workflow configuration (data_input_config, actions, version, etc.). parameters: - name: include_configuration in: query description: Include latest workflow configuration in response required: false schema: type: boolean default: false responses: "200": description: Workflow details content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: oneOf: - $ref: "#/components/schemas/Workflow" - $ref: "#/components/schemas/WorkflowWithConfiguration" discriminator: propertyName: kind mapping: workflow: "#/components/schemas/Workflow" workflow_with_configuration: "#/components/schemas/WorkflowWithConfiguration" required: - result "404": $ref: "#/components/responses/NotFound" patch: operationId: PatchWorkflowsWorkflowId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Workflows summary: Update workflow description: Update a workflow and create a new version requestBody: description: Workflow update request required: true content: application/json: schema: $ref: "#/components/schemas/WorkflowUpdateRequest" responses: "200": description: Workflow updated successfully content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/WorkflowWithConfiguration" required: - result "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" delete: operationId: DeleteWorkflowsWorkflowId x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Workflows summary: Delete workflow description: Soft delete a workflow (marks as deleted) responses: "204": $ref: "#/components/responses/NoContent" "404": $ref: "#/components/responses/NotFound" "/workflows/{workflow_id}/versions": parameters: - name: workflow_id in: path required: true description: Workflow identifier schema: type: string - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetWorkflowsWorkflowIdVersions x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Workflows summary: List workflow versions description: Retrieve all versions of a workflow responses: "200": description: List of workflow versions content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: object properties: versions: type: array items: $ref: "#/components/schemas/WorkflowConfiguration" required: - versions required: - result "404": $ref: "#/components/responses/NotFound" "/workflows/{workflow_id}/versions/{version}": parameters: - name: workflow_id in: path required: true description: Workflow identifier schema: type: string - name: version in: path required: true description: Workflow version number schema: type: integer minimum: 1 - $ref: "#/components/parameters/OrgIDHeader" get: operationId: GetWorkflowsWorkflowIdVersionsVersion x-rbac-enabled: true x-rbac-allowed-groups: admin,member tags: - Workflows summary: Get specific workflow version description: Retrieve a specific version of a workflow responses: "200": description: Workflow version details content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/WorkflowConfiguration" required: - result "404": $ref: "#/components/responses/NotFound" post: operationId: PostWorkflowsWorkflowIdVersionsVersionRestore x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Workflows summary: Restore workflow version description: Restore a previous version of a workflow as the latest version responses: "200": description: Workflow version restored successfully content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/WorkflowConfiguration" required: - result "404": $ref: "#/components/responses/NotFound" "/workflows/{workflow_id}/activate": parameters: - name: workflow_id in: path required: true description: Workflow identifier schema: type: string - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostWorkflowsWorkflowIdActivate x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Workflows summary: Activate workflow description: Activate a workflow to make it operational responses: "204": description: Workflow activated successfully "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/workflows/{workflow_id}/pause": parameters: - name: workflow_id in: path required: true description: Workflow identifier schema: type: string - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostWorkflowsWorkflowIdPause x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Workflows summary: Pause workflow description: Pause an active workflow responses: "204": description: Workflow paused successfully "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/workflows/{workflow_id}/resume": parameters: - name: workflow_id in: path required: true description: Workflow identifier schema: type: string - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostWorkflowsWorkflowIdResume x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Workflows summary: Resume workflow description: Resume a paused workflow responses: "204": description: Workflow resumed successfully "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/workflows/{workflow_id}/execute": parameters: - name: workflow_id in: path required: true description: Workflow identifier schema: type: string - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostWorkflowsWorkflowIdExecute x-rbac-enabled: true x-rbac-allowed-groups: admin tags: - Workflows summary: Execute workflow description: Manually trigger workflow execution responses: "204": description: Workflow execution triggered successfully "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" "/workflows/{workflow_id}/scheduled-execute": parameters: - name: workflow_id in: path required: true description: Workflow identifier schema: type: string - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostWorkflowsWorkflowIdScheduledExecute tags: - Workflows summary: Internal endpoint for scheduled workflow execution description: | Internal endpoint invoked by the workflow scheduler (GCP Cloud Scheduler in production, the docker-scheduler in dev) on each cron tick. Publishes a workflow execute event with trigger_source=scheduled. Not intended for external callers. responses: "200": description: Tick accepted (or skipped if the workflow is not active) content: application/json: schema: type: object properties: skipped: type: string status: type: string "400": $ref: "#/components/responses/BadRequest" "404": $ref: "#/components/responses/NotFound" /workflows/cypher-preview: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostWorkflowsCypherPreview tags: - Workflows x-rbac-enabled: true x-rbac-allowed-groups: admin summary: Run a read-only Cypher query and return the first 50 rows description: | Synchronous preview for the Query Workflows UI. Validates the query (same validator as scheduled runs), runs it against the caller's org graph with a 10-second timeout and a hard 50-row cap. Read-only — write keywords are rejected. Not intended for batch use; use the scheduled-execute path for production reads. requestBody: required: true content: application/json: schema: $ref: "#/components/schemas/WorkflowCypherPreviewRequest" responses: "200": description: Preview results. content: application/json: schema: $ref: "#/components/schemas/WorkflowCypherPreviewResponse" "400": description: Validation error (query empty, missing MATCH/RETURN, write keyword, etc.). content: application/json: schema: $ref: "#/components/schemas/WorkflowCypherPreviewError" "504": description: Query exceeded the 10-second preview timeout. content: application/json: schema: $ref: "#/components/schemas/WorkflowCypherPreviewError" /super-admins: parameters: - $ref: "#/components/parameters/OrgIDHeader" post: operationId: PostSuperAdmins x-super-admin: true tags: - Super Admin Management summary: Create a super-admin description: | Add a person to the super-admins table. Only existing super-admins can create new super-admins. The person must already exist in the system. requestBody: description: Super-admin creation request required: true content: application/json: schema: $ref: "#/components/schemas/SuperAdminCreateReq" responses: "201": description: Super-admin created successfully content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: $ref: "#/components/schemas/SuperAdmin" required: - result "400": $ref: "#/components/responses/BadRequest" "403": $ref: "#/components/responses/Forbidden" "409": $ref: "#/components/responses/Conflict" get: operationId: GetSuperAdmins x-super-admin: true tags: - Super Admin Management summary: List all super-admins description: Retrieve a list of all super-admins in the system. Only super-admins can view this list responses: "200": description: List of super-admins content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/SuperAdmin" required: - result "403": $ref: "#/components/responses/Forbidden" "/super-admins/{person_id}": parameters: - name: person_id in: path required: true description: External person ID (UUID) schema: type: string format: uuid - $ref: "#/components/parameters/OrgIDHeader" delete: operationId: DeleteSuperAdminsPersonId x-super-admin: true tags: - Super Admin Management summary: Remove super-admin access description: | Remove a person from the super-admins table by their external person ID. Only existing super-admins can revoke super-admin access. responses: "204": $ref: "#/components/responses/NoContent" "403": $ref: "#/components/responses/Forbidden" "404": $ref: "#/components/responses/NotFound" /super-admins/audit-logs: parameters: - $ref: "#/components/parameters/OrgIDHeader" - name: limit in: query description: Maximum number of audit log entries to return schema: type: integer default: 100 minimum: 1 maximum: 1000 - name: offset in: query description: Number of audit log entries to skip schema: type: integer default: 0 minimum: 0 - name: person_id in: query description: Filter by super-admin person ID schema: type: string format: uuid - name: organization_id in: query description: Filter by organization ID schema: type: string format: uuid get: operationId: GetSuperAdminsAuditLogs x-super-admin: true tags: - Super Admin Management summary: Get super-admin audit logs description: | Retrieve audit logs of super-admin actions. Only super-admins can view audit logs. responses: "200": description: List of audit log entries content: application/json: schema: allOf: - $ref: "#/components/schemas/APIResponseBase" - type: object properties: result: type: array items: $ref: "#/components/schemas/SuperAdminAuditLog" meta: $ref: "#/components/schemas/APIMeta" required: - result "403": $ref: "#/components/responses/Forbidden" security: - ApiKeyAuth: [] servers: - url: https://api.slashid.com description: Production - url: https://api.sandbox.slashid.com description: Sandbox