{ "$schema": "http://json-schema.org/draft-07/schema#", "$id": "https://developer.transmitsecurity.com/schemas/platform-administration", "title": "Transmit Security Applications Schemas", "description": "JSON Schema definitions for Transmit Security platform-administration API", "definitions": { "BadRequestHttpError": { "type": "object", "properties": { "message": { "example": "Bad request", "type": "array", "items": { "type": "string" } }, "error_code": { "type": "number", "example": 400 } }, "required": [ "message", "error_code" ] }, "ApiOidcClient": { "type": "object", "properties": { "app_id": { "type": "string", "description": "Application ID" }, "tenant_id": { "type": "string", "description": "Tenant ID" }, "client_id": { "type": "string", "description": "Client ID used for API requests" }, "client_secret": { "type": "string", "description": "Client secret used to obtain tokens for API authorization" }, "name": { "type": "string", "description": "Client name displayed in the Admin Portal" }, "description": { "type": "string", "description": "Short description of your client, displayed in the Admin Portal" }, "resources": { "description": "List of resources this client is allowed to explicitly request access to", "type": "array", "items": { "type": "string" } }, "created_at": { "format": "date-time", "type": "string", "description": "Date the client was created" }, "updated_at": { "format": "date-time", "type": "string", "description": "Date the client was last updated" }, "authentication_protocol": { "type": "string", "description": "Authentication protocol used by the client", "enum": [ "oidc", "saml" ] }, "client_group_id": { "type": "string", "description": "Id of client group where client is assigned" }, "default_custom_claims": { "type": "array", "description": "List of all the custom claims the client wants to receive by default", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", 
"phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "default_user_info_claims": { "type": "array", "description": "List of client default custom claims returned by the UserInfo endpoint", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "sync_id_token_claims_to_userinfo": { "type": "boolean", "description": "When true, UserInfo custom claims are kept in sync with default_custom_claims", "default": false }, "short_cookies_samesite_type": { "type": "string", "enum": [ "lax", "none" ], "description": "Short cookies samesite type. Possible values: \"none\", \"lax\", \"strict\". 
Default: \"lax\". Note: this schema's enum accepts only \"lax\" and \"none\".", "default": "lax" }, "redirect_uris": { "description": "List of URIs approved for redirects for your client", "type": "array", "items": { "type": "string" } }, "client_type": { "type": "string", "enum": [ "web", "native" ], "description": "Type of client", "default": "web" }, "response_types": { "type": "array", "default": [ "code", "id_token", "none" ], "example": [ "code" ], "items": { "type": "string", "enum": [ "code", "id_token" ] } }, "token_endpoint_auth_method": { "type": "string", "enum": [ "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt" ], "description": "This field is deprecated; to configure PKCE, use the \"pkce\" field instead", "deprecated": true }, "pkce": { "type": "string", "enum": [ "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials" ], "description": "PKCE configuration" }, "device_authorization": { "description": "Configuration for an [OAuth Device Authorization Flow](https://www.rfc-editor.org/rfc/rfc8628)", "allOf": [ { "$ref": "#/components/schemas/ApiDeviceAuthConfiguration" } ] }, "ciba_authorization": { "description": "CIBA authorization flow configuration", "allOf": [ { "$ref": "#/components/schemas/ApiCibaAuthConfiguration" } ] }, "supported_prompts": { "type": "array", "description": "Supported prompts for the OIDC authentication flow", "items": { "type": "string", "enum": [ "login", "consent", "none" ] } }, "authentication_configuration": { "description": "JWKS configuration for mTLS authentication", "allOf": [ { "$ref": "#/components/schemas/ApiClientAuthenticationConfiguration" } ] }, "token_expiration": { "description": "Token expiration configuration", "allOf": [ { "$ref": "#/components/schemas/ApiTokenExpirationConfiguration" } ] }, "session_expiration": { "type": "number", "description": "Session expiration time (seconds)" }, "enforce_par": { "type": "boolean", "description": "Enforce PAR (Pushed 
Authorization Request) for this client" }, "fapi_version_compliancy": { "type": "boolean", "description": "FAPI compliance" }, "id_token_encryption": { "description": "ID Token encryption configuration", "allOf": [ { "$ref": "#/components/schemas/ApiIdTokenEncryptionConfiguration" } ] } }, "required": [ "app_id", "tenant_id", "client_id", "client_secret", "name", "description", "resources", "created_at", "updated_at", "authentication_protocol", "client_group_id", "default_custom_claims", "redirect_uris", "device_authorization", "ciba_authorization", "supported_prompts", "token_expiration", "session_expiration", "enforce_par", "fapi_version_compliancy" ] }, "ApiSamlClient": { "type": "object", "properties": { "app_id": { "type": "string", "description": "Application ID" }, "tenant_id": { "type": "string", "description": "Tenant ID" }, "client_id": { "type": "string", "description": "Client ID used for API requests" }, "client_secret": { "type": "string", "description": "Client secret used to obtain tokens for API authorization" }, "name": { "type": "string", "description": "Client name displayed in the Admin Portal" }, "description": { "type": "string", "description": "Short description of your client, displayed in the Admin Portal" }, "resources": { "description": "List of resources this client is allowed to explicitly request access to", "type": "array", "items": { "type": "string" } }, "created_at": { "format": "date-time", "type": "string", "description": "Date the client was created" }, "updated_at": { "format": "date-time", "type": "string", "description": "Date the client was last updated" }, "authentication_protocol": { "type": "string", "description": "Authentication protocol used by the client", "enum": [ "oidc", "saml" ] }, "client_group_id": { "type": "string", "description": "Id of client group where client is assigned" }, "default_custom_claims": { "type": "array", "description": "List of all the custom claims the client wants to receive by default", 
"items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "default_user_info_claims": { "type": "array", "description": "List of client default custom claims returned by the UserInfo endpoint", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "sync_id_token_claims_to_userinfo": { "type": "boolean", "description": "When true, UserInfo custom claims are kept in sync with default_custom_claims", "default": false }, "short_cookies_samesite_type": { "type": "string", "enum": [ "lax", "none" ], "description": "Short cookies samesite type. Possible values: \"none\", \"lax\", \"strict\". 
Default: \"lax\". Note: this schema's enum accepts only \"lax\" and \"none\".", "default": "lax" }, "optional_acs_url": { "type": "boolean", "description": "Allow the ACS URL to be optional" }, "sp_acs_url": { "type": "string", "description": "SAML ACS URL" }, "sp_entity_id": { "type": "string", "description": "SP SAML entity ID" }, "metadata_url": { "type": "string", "description": "SAML IDP metadata URL" }, "sso_url": { "type": "string", "description": "SAML SSO URL" }, "entity_id": { "type": "string", "description": "SAML Entity ID" }, "x509_certificate": { "type": "string", "description": "X.509 certificate" }, "sp_name_id_type": { "type": "string", "description": "SAML NameID Type", "enum": [ "email", "secondaryEmail", "username", "phoneNumber", "externalUserId" ] }, "sign_assertion": { "type": "boolean", "description": "Sign SAML assertion" }, "use_centralized_login": { "type": "boolean", "description": "When enabled, SAML SP-initiated SSO redirects to the tenant centralized hub application instead of hosted login" } }, "required": [ "app_id", "tenant_id", "client_id", "client_secret", "name", "description", "resources", "created_at", "updated_at", "authentication_protocol", "client_group_id", "default_custom_claims", "optional_acs_url", "sp_acs_url", "sp_entity_id", "metadata_url", "sso_url", "entity_id", "x509_certificate", "sp_name_id_type", "sign_assertion" ] }, "ApiCreateOidcClientInput": { "type": "object", "properties": { "name": { "type": "string", "description": "Name of the client", "example": "My Client" }, "description": { "type": "string", "description": "Short description of the client" }, "resources": { "description": "List of resource IDs associated with this client", "type": "array", "items": { "type": "string" } }, "authentication_protocol": { "type": "string", "enum": [ "oidc", "saml" ], "description": "Authentication protocol used by the client", "default": "oidc" }, "client_group_id": { "type": "string", "description": "ID of the client group to associate with" }, "default_custom_claims": { "type": 
"array", "description": "List of client default custom claims", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "default_user_info_claims": { "type": "array", "description": "List of client default custom claims returned by the UserInfo endpoint. Mutually exclusive with sync_id_token_claims_to_userinfo=true in the same request.", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "sync_id_token_claims_to_userinfo": { "type": "boolean", "description": "When true, UserInfo custom claims are kept in sync with default_custom_claims (the ID Token list). Mutually exclusive with explicit default_user_info_claims in the same request.", "default": false }, "short_cookies_samesite_type": { "type": "string", "enum": [ "lax", "none" ], "description": "Short cookies samesite type. Possible values: \"none\", \"lax\", \"strict\". 
Default: \"lax\". Note: this schema's enum accepts only \"lax\" and \"none\".", "default": "lax" }, "redirect_uris": { "description": "List of URIs approved for redirects for your client", "example": [ "https://www.example.com/login" ], "type": "array", "items": { "type": "string" } }, "client_type": { "type": "string", "enum": [ "web", "native" ], "description": "Client type", "default": "web" }, "device_authorization": { "description": "Configuration for an [OAuth Device Authorization Flow](https://www.rfc-editor.org/rfc/rfc8628)", "allOf": [ { "$ref": "#/components/schemas/ApiDeviceAuthConfiguration" } ] }, "ciba_authorization": { "description": "CIBA authorization flow configuration", "allOf": [ { "$ref": "#/components/schemas/ApiCibaAuthConfiguration" } ] }, "is_third_party": { "type": "boolean", "description": "Whether the client is a third-party client" }, "allowed_scopes": { "description": "Allowed scopes", "type": "array", "items": { "type": "string" } }, "consent_uri": { "type": "string", "description": "Consent URI" }, "consent_validity_period": { "type": "number", "description": "Consent validity period" }, "pkce": { "type": "string", "enum": [ "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials" ], "description": "PKCE configuration" }, "supported_prompts": { "type": "array", "example": [ "login", "consent", "none" ], "description": "Supported prompts for the OIDC authentication flow", "items": { "type": "string", "enum": [ "login", "consent", "none" ] } }, "token_expiration": { "description": "Token expiration settings", "allOf": [ { "$ref": "#/components/schemas/ApiTokenExpirationConfiguration" } ] }, "session_expiration": { "type": "number", "description": "Session expiration time (seconds)" }, "enforce_par": { "type": "boolean", "description": "Enforce PAR (Pushed Authorization Request) for this client" }, "role_ids": { "description": "Role IDs", "type": "array", "items": { "type": "string" } }, "fapi_version_compliancy": { "type": "boolean", "description": "FAPI 
2.0 compliancy configuration" }, "token_endpoint_auth_method": { "type": "string", "enum": [ "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt" ], "description": "This field is deprecated; to configure PKCE, use the \"pkce\" field instead", "default": "client_secret_basic", "deprecated": true }, "response_types": { "type": "array", "default": [ "code", "id_token" ], "example": [ "code" ], "items": { "type": "string", "enum": [ "code", "id_token" ] } }, "authentication_configuration": { "description": "Client authentication configuration", "allOf": [ { "$ref": "#/components/schemas/ApiClientAuthenticationConfiguration" } ] }, "id_token_encryption": { "description": "ID Token encryption configuration", "allOf": [ { "$ref": "#/components/schemas/ApiIdTokenEncryptionConfiguration" } ] } }, "required": [ "name", "redirect_uris" ] }, "ApiCreateSamlClientInput": { "type": "object", "properties": { "name": { "type": "string", "description": "Name of the client", "example": "My Client" }, "description": { "type": "string", "description": "Short description of the client" }, "resources": { "description": "List of resource IDs associated with this client", "type": "array", "items": { "type": "string" } }, "authentication_protocol": { "type": "string", "enum": [ "oidc", "saml" ], "description": "Authentication protocol used by the client", "default": "oidc" }, "client_group_id": { "type": "string", "description": "ID of the client group to associate with" }, "default_custom_claims": { "type": "array", "description": "List of client default custom claims", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", 
"secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "default_user_info_claims": { "type": "array", "description": "List of client default custom claims returned by the UserInfo endpoint. Mutually exclusive with sync_id_token_claims_to_userinfo=true in the same request.", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "sync_id_token_claims_to_userinfo": { "type": "boolean", "description": "When true, UserInfo custom claims are kept in sync with default_custom_claims (the ID Token list). Mutually exclusive with explicit default_user_info_claims in the same request.", "default": false }, "short_cookies_samesite_type": { "type": "string", "enum": [ "lax", "none" ], "description": "Short cookies samesite type. Possible values: \"none\", \"lax\", \"strict\". 
Default: \"lax\". Note: this schema's enum accepts only \"lax\" and \"none\".", "default": "lax" }, "sp_acs_url": { "type": "string", "description": "SAML ACS URL" }, "sp_entity_id": { "type": "string", "description": "SAML service provider entity ID" }, "sp_name_id_type": { "type": "string", "enum": [ "email", "secondaryEmail", "username", "phoneNumber", "externalUserId" ], "description": "SAML Name ID Type" }, "supported_prompts": { "type": "array", "example": [ "login", "consent", "none" ], "description": "Supported prompts for the OIDC authentication flow", "items": { "type": "string", "enum": [ "login", "consent", "none" ] } }, "sign_assertion": { "type": "boolean", "description": "Sign SAML assertion" }, "optional_acs_url": { "type": "boolean", "description": "Allow the ACS URL to be optional" }, "use_centralized_login": { "type": "boolean", "description": "When enabled, SAML SP-initiated SSO redirects to the tenant centralized hub application instead of hosted login" } }, "required": [ "name", "sp_entity_id" ] }, "IdentifierIsTakenHttpError": { "type": "object", "properties": { "message": { "type": "string" }, "error_code": { "type": "number" }, "ts_error_code": { "type": "string" } }, "required": [ "message", "error_code", "ts_error_code" ] }, "NotFoundHttpError": { "type": "object", "properties": { "message": { "type": "string" }, "error_code": { "type": "number", "example": 404 } }, "required": [ "message", "error_code" ] }, "ApiUpdateOidcClientInput": { "type": "object", "properties": { "name": { "type": "string", "description": "Name of the client", "example": "My Client" }, "description": { "type": "string", "description": "Short description of the client" }, "resources": { "description": "List of resource IDs associated with this client", "type": "array", "items": { "type": "string" } }, "client_group_id": { "type": "string", "description": "ID of the client group to associate with" }, "default_custom_claims": { "type": "array", "description": "List of client default custom claims", "items": { "type": "string", 
"enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "default_user_info_claims": { "type": "array", "description": "List of client default custom claims returned by the UserInfo endpoint. Mutually exclusive with sync_id_token_claims_to_userinfo=true in the same request.", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "sync_id_token_claims_to_userinfo": { "type": "boolean", "description": "When true, UserInfo custom claims are kept in sync with default_custom_claims (the ID Token list). Mutually exclusive with explicit default_user_info_claims in the same request.", "default": false }, "short_cookies_samesite_type": { "type": "string", "enum": [ "lax", "none" ], "description": "Short cookies samesite type. Possible values: \"none\", \"lax\", \"strict\". 
Default: \"lax\". Note: this schema's enum accepts only \"lax\" and \"none\".", "default": "lax" }, "redirect_uris": { "description": "List of URIs approved for redirects for your client", "example": [ "https://www.example.com/login" ], "type": "array", "items": { "type": "string" } }, "client_type": { "type": "string", "enum": [ "web", "native" ], "description": "Client type", "default": "web" }, "device_authorization": { "description": "Configuration for an [OAuth Device Authorization Flow](https://www.rfc-editor.org/rfc/rfc8628)", "allOf": [ { "$ref": "#/components/schemas/ApiDeviceAuthConfiguration" } ] }, "ciba_authorization": { "description": "CIBA authorization flow configuration", "allOf": [ { "$ref": "#/components/schemas/ApiCibaAuthConfiguration" } ] }, "is_third_party": { "type": "boolean", "description": "Whether the client is a third-party client" }, "allowed_scopes": { "description": "Allowed scopes", "type": "array", "items": { "type": "string" } }, "consent_uri": { "type": "string", "description": "Consent URI" }, "consent_validity_period": { "type": "number", "description": "Consent validity period" }, "pkce": { "type": "string", "enum": [ "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials" ], "description": "PKCE configuration" }, "supported_prompts": { "type": "array", "example": [ "login", "consent", "none" ], "description": "Supported prompts for the OIDC authentication flow", "items": { "type": "string", "enum": [ "login", "consent", "none" ] } }, "token_expiration": { "description": "Token expiration settings", "allOf": [ { "$ref": "#/components/schemas/ApiTokenExpirationConfiguration" } ] }, "session_expiration": { "type": "number", "description": "Session expiration time (seconds)" }, "enforce_par": { "type": "boolean", "description": "Enforce PAR (Pushed Authorization Request) for this client" }, "role_ids": { "description": "Role IDs", "type": "array", "items": { "type": "string" } }, "fapi_version_compliancy": { "type": "boolean", "description": "FAPI 
2.0 compliancy configuration" }, "token_endpoint_auth_method": { "type": "string", "enum": [ "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt" ], "description": "This field is deprecated; to configure PKCE, use the \"pkce\" field instead", "default": "client_secret_basic", "deprecated": true }, "response_types": { "type": "array", "default": [ "code", "id_token" ], "example": [ "code" ], "items": { "type": "string", "enum": [ "code", "id_token" ] } }, "authentication_configuration": { "description": "Client authentication configuration", "allOf": [ { "$ref": "#/components/schemas/ApiClientAuthenticationConfiguration" } ] }, "id_token_encryption": { "description": "ID Token encryption configuration", "allOf": [ { "$ref": "#/components/schemas/ApiIdTokenEncryptionConfiguration" } ] } } }, "ApiUpdateSamlClientInput": { "type": "object", "properties": { "name": { "type": "string", "description": "Name of the client", "example": "My Client" }, "description": { "type": "string", "description": "Short description of the client" }, "resources": { "description": "List of resource IDs associated with this client", "type": "array", "items": { "type": "string" } }, "client_group_id": { "type": "string", "description": "ID of the client group to associate with" }, "default_custom_claims": { "type": "array", "description": "List of client default custom claims", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, 
"default_user_info_claims": { "type": "array", "description": "List of client default custom claims returned by the UserInfo endpoint. Mutually exclusive with sync_id_token_claims_to_userinfo=true in the same request.", "items": { "type": "string", "enum": [ "tid", "fname", "lname", "mname", "email", "email_verified", "phone_number", "phone_number_verified", "groups", "new_user", "birthday", "language", "city", "address", "country", "street_address", "address_type", "webauthn", "roles", "ts_roles", "role_values", "ts_permissions", "permissions", "approval_data", "custom_group_data", "username", "secondary_phone_numbers", "secondary_emails", "picture", "created_at", "last_auth", "auth_time", "external_account_id", "external_user_id", "app_name", "custom_data", "custom_app_data", "ai_actor" ] } }, "sync_id_token_claims_to_userinfo": { "type": "boolean", "description": "When true, UserInfo custom claims are kept in sync with default_custom_claims (the ID Token list). Mutually exclusive with explicit default_user_info_claims in the same request.", "default": false }, "short_cookies_samesite_type": { "type": "string", "enum": [ "lax", "none" ], "description": "Short cookies samesite type. Possible values: \"none\", \"lax\", \"strict\". 
Default: \"lax\". Note: this schema's enum accepts only \"lax\" and \"none\".", "default": "lax" }, "sp_acs_url": { "type": "string", "description": "SAML ACS URL" }, "sp_entity_id": { "type": "string", "description": "SAML service provider entity ID" }, "sp_name_id_type": { "type": "string", "enum": [ "email", "secondaryEmail", "username", "phoneNumber", "externalUserId" ], "description": "SAML Name ID Type" }, "supported_prompts": { "type": "array", "example": [ "login", "consent", "none" ], "description": "Supported prompts for the OIDC authentication flow", "items": { "type": "string", "enum": [ "login", "consent", "none" ] } }, "sign_assertion": { "type": "boolean", "description": "Sign SAML assertion" }, "optional_acs_url": { "type": "boolean", "description": "Allow the ACS URL to be optional" }, "use_centralized_login": { "type": "boolean", "description": "When enabled, SAML SP-initiated SSO redirects to the tenant centralized hub application instead of hosted login" } } }, "ApiUpdateResourceInAppInput": { "type": "object", "properties": { "resource_ids": { "type": "array", "items": { "type": "string" }, "description": "List of resources this application is allowed to explicitly request access to" } }, "required": [ "resource_ids" ] }, "ApiAppWithoutLogo": { "type": "object", "properties": { "app_id": { "type": "string", "description": "Application ID" }, "tenant_id": { "type": "string", "description": "Tenant ID" }, "app_name": { "type": "string", "description": "Application name displayed in the Admin Portal" }, "app_description": { "type": "string", "description": "Short description of your application, displayed in the Admin Portal" }, "client_type": { "type": "string", "enum": [ "web", "native" ], "description": "Type of the default client", "default": "web", "deprecated": true }, "client_id": { "type": "string", "description": "Client ID of the default client used for API requests", "deprecated": true }, "client_display_name": { "type": "string", "description": "Client name of the default client to display when 
needed", "deprecated": true }, "client_description": { "type": "string", "description": "Short description of the default client", "deprecated": true }, "client_secret": { "type": "string", "description": "Client secret of the default client used to obtain tokens for API authorization", "deprecated": true }, "redirect_uris": { "description": "List of URIs approved for redirects for your default client", "deprecated": true, "type": "array", "items": { "type": "string" } }, "login_preferences": { "$ref": "#/components/schemas/ApiLoginPreferences" }, "created_at": { "format": "date-time", "type": "string", "description": "Date the application was created" }, "created_by": { "type": "string", "description": "The user that created the application" }, "updated_at": { "format": "date-time", "type": "string", "description": "Date the application was last updated" }, "resources": { "description": "List of resources the default client is allowed to explicitly request access to", "deprecated": true, "type": "array", "items": { "type": "string" } }, "service_providers": { "description": "List of service providers this application is allowed to explicitly redirect to", "type": "array", "items": { "type": "string" } }, "authenticator_preferences": { "description": "Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login.", "allOf": [ { "$ref": "#/components/schemas/ApiAuthenticatorAppPreferences" } ] }, "allow_public_signup": { "type": "boolean", "description": "Determines if the application is allowed to request to create new users via login flows" }, "client_auth_method": { "type": "string", "enum": [ "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt" ], "description": "This field is deprecated; to configure PKCE, use the \"pkce\" field instead", "deprecated": true }, "pkce": { "type": "string", "enum": [ "enforcePkceInsteadOfClientCredentials", 
"enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials" ], "description": "PKCE configuration" }, "device_authorization": { "description": "Configuration for an [OAuth Device Authorization Flow](https://www.rfc-editor.org/rfc/rfc8628) of the default client", "deprecated": true, "allOf": [ { "$ref": "#/components/schemas/ApiDeviceAuthConfiguration" } ] }, "ciba_authorization": { "description": "CIBA authorization flow configuration of the default client", "deprecated": true, "allOf": [ { "$ref": "#/components/schemas/ApiCibaAuthConfiguration" } ] }, "password_sharing_group_id": { "type": "string", "description": "If the app has opted in to password sharing, this identifies the group of apps that it shares passwords with." }, "login_uri": { "type": "string", "description": "URI used to redirect the user to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "invite_member_uri": { "type": "string", "description": "URI used to redirect the member to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "invite_client_id": { "type": "string", "description": "Client used for the email magic link invitation flow" }, "subdomain": { "type": "string", "description": "Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)", "example": "myapp" }, "invite_member_email_expiration_minutes": { "type": "number", "description": "Member invite email link expiration in minutes", "default": 2880 }, "custom_domain": { "description": "Custom domain of the application that can be offered for the application to be accessed from", "allOf": [ { "$ref": "#/components/schemas/ApiCustomDomainOutput" } ] }, "external_communication": { "description": "External communication configuration for the application", "allOf": [ { "$ref": "#/components/schemas/ApiExternalCommunication" } ] }, "signing_key_enabled": { "type": "boolean", "description": 
"Determines if application specific signing key is enabled" }, "refresh_token_invalidation_trigger_configuration": { "description": "Refresh token invalidation trigger configuration", "allOf": [ { "$ref": "#/components/schemas/ApiRefreshTokenInvalidationTriggerConfiguration" } ] }, "application_type": { "type": "string", "enum": [ "ido", "basic" ], "description": "Application type" } }, "required": [ "app_id", "tenant_id", "app_name", "app_description", "login_preferences", "created_at", "created_by", "updated_at", "service_providers", "authenticator_preferences", "allow_public_signup" ] }, "ApiCreateAppInput": { "type": "object", "properties": { "app_name": { "type": "string", "description": "Name of the application", "example": "My App" }, "app_description": { "type": "string", "description": "Short description of the application" }, "service_providers": { "description": "List of service provider IDs associated with this application", "type": "array", "items": { "type": "string" } }, "allow_public_signup": { "type": "boolean", "description": "Determines if the application is allowed to request to create new users via login flows", "default": false }, "authenticator_preferences": { "description": "Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login", "allOf": [ { "$ref": "#/components/schemas/ApiAuthenticatorAppPreferences" } ] }, "login_uri": { "type": "string", "description": "URI used to redirect the user to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "invite_member_uri": { "type": "string", "description": "URI used to redirect the member to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "invite_member_email_expiration_minutes": { "type": "number", "description": "Member invite email link expiration in minutes", "default": 2880 }, "refresh_token_invalidation_trigger_configuration": { 
"description": "Refresh token invalidation trigger configuration", "allOf": [ { "$ref": "#/components/schemas/ApiRefreshTokenInvalidationTriggerConfiguration" } ] }, "client_type": { "type": "string", "enum": [ "web", "native" ], "description": "Client type of the default client", "default": "web", "deprecated": true }, "client_display_name": { "type": "string", "description": "Client name of the default client to display when needed", "deprecated": true }, "client_description": { "type": "string", "description": "Short description of the default client", "deprecated": true }, "first_client_authentication_protocol": { "type": "string", "description": "Defines the first client authentication protocol.", "enum": [ "oidc", "saml" ] }, "first_client": { "description": "Creates the first client for the application. The client can be OIDC or SAML, depending on what is set in first_client_authentication_protocol", "oneOf": [ { "$ref": "#/components/schemas/ApiCreateOidcClientInput" }, { "$ref": "#/components/schemas/ApiCreateSamlClientInput" } ] }, "redirect_uris": { "description": "List of URIs approved for redirects for your default client", "example": [ "https://www.example.com/login" ], "deprecated": true, "type": "array", "items": { "type": "string" } }, "logo": { "type": "string", "description": "URI of your application's logo, such as for email templates" }, "resources": { "description": "List of resource IDs associated with the default client", "deprecated": true, "type": "array", "items": { "type": "string" } }, "device_authorization": { "description": "Configuration for an [OAuth Device Authorization Flow](https://www.rfc-editor.org/rfc/rfc8628) of the default client", "deprecated": true, "allOf": [ { "$ref": "#/components/schemas/ApiDeviceAuthConfiguration" } ] }, "ciba_authorization": { "description": "CIBA authorization flow configuration of the default client", "deprecated": true, "allOf": [ { "$ref": "#/components/schemas/ApiCibaAuthConfiguration" } ] }, 
"client_auth_method": { "type": "string", "enum": [ "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt" ], "description": "This field is deprecated; to configure PKCE, use the \"pkce\" field instead", "default": "client_secret_basic", "deprecated": true }, "subdomain": { "type": "string", "description": "Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)", "example": "myapp" }, "custom_domain": { "type": "string", "description": "Domain of the application that can be offered for the application to be accessed from", "example": "myapp.com" }, "pkce": { "type": "string", "enum": [ "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials" ], "description": "PKCE configuration for client" }, "should_delete_signing_key": { "type": "boolean", "description": "Determines whether the application-specific signing key should be deleted when disabled. 
If deleted, any tokens previously issued with this key will no longer be valid.", "default": false }, "signing_key_enabled": { "type": "boolean", "description": "Determines if application specific signing key is enabled", "default": false }, "invite_client_id": { "type": "string", "description": "Client used for the email magic link invitation flow" } }, "required": [ "app_name", "client_display_name" ] }, "ApiApp": { "type": "object", "properties": { "app_id": { "type": "string", "description": "Application ID" }, "tenant_id": { "type": "string", "description": "Tenant ID" }, "app_name": { "type": "string", "description": "Application name displayed in the Admin Portal" }, "app_description": { "type": "string", "description": "Short description of your application, displayed in the Admin Portal" }, "client_type": { "type": "string", "enum": [ "web", "native" ], "description": "Type of the default client", "default": "web", "deprecated": true }, "logo": { "type": "string", "description": "URI of your application's logo, such as for email templates" }, "client_id": { "type": "string", "description": "Client ID of the default client used for API requests", "deprecated": true }, "client_display_name": { "type": "string", "description": "Client name of the default client to display when needed", "deprecated": true }, "client_description": { "type": "string", "description": "Short description of the default client", "deprecated": true }, "client_secret": { "type": "string", "description": "Client secret of the default client used to obtain tokens for API authorization", "deprecated": true }, "redirect_uris": { "description": "List of URI approved for redirects for your default client", "deprecated": true, "type": "array", "items": { "type": "string" } }, "login_preferences": { "$ref": "#/components/schemas/ApiLoginPreferences" }, "created_at": { "format": "date-time", "type": "string", "description": "Date the application was created" }, "created_by": { "type": 
"string", "description": "The user that created the application" }, "updated_at": { "format": "date-time", "type": "string", "description": "Date the application was last updated" }, "resources": { "description": "List of resources the default client is allowed to explicitly request access to", "deprecated": true, "type": "array", "items": { "type": "string" } }, "service_providers": { "description": "List of service providers this application is allowed to explicitly redirect to", "type": "array", "items": { "type": "string" } }, "authenticator_preferences": { "description": "Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login.", "allOf": [ { "$ref": "#/components/schemas/ApiAuthenticatorAppPreferences" } ] }, "allow_public_signup": { "type": "boolean", "description": "Determines if the application is allowed to request to create new users via login flows" }, "client_auth_method": { "type": "string", "enum": [ "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt" ], "description": "This field is deprecated; to configure PKCE, use the \"pkce\" field instead", "deprecated": true }, "pkce": { "type": "string", "enum": [ "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials" ], "description": "PKCE configuration" }, "device_authorization": { "description": "Configuration for an [OAuth Device Authorization Flow](https://www.rfc-editor.org/rfc/rfc8628) of the default client", "deprecated": true, "allOf": [ { "$ref": "#/components/schemas/ApiDeviceAuthConfiguration" } ] }, "ciba_authorization": { "description": "CIBA authorization flow configuration of the default client", "deprecated": true, "allOf": [ { "$ref": "#/components/schemas/ApiCibaAuthConfiguration" } ] }, "password_sharing_group_id": { "type": "string", "description": "If the app has opted in to password sharing, this identifies 
the group of apps that it shares passwords with." }, "login_uri": { "type": "string", "description": "URI used to redirect the user to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "invite_member_uri": { "type": "string", "description": "URI used to redirect the member to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "invite_client_id": { "type": "string", "description": "Client used for the email magic link invitation flow" }, "subdomain": { "type": "string", "description": "Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)", "example": "myapp" }, "invite_member_email_expiration_minutes": { "type": "number", "description": "Member invite email link expiration in minutes", "default": 2880 }, "custom_domain": { "description": "Custom domain of the application that can be offered for the application to be accessed from", "allOf": [ { "$ref": "#/components/schemas/ApiCustomDomainOutput" } ] }, "external_communication": { "description": "External communication configuration for the application", "allOf": [ { "$ref": "#/components/schemas/ApiExternalCommunication" } ] }, "signing_key_enabled": { "type": "boolean", "description": "Determines if application specific signing key is enabled" }, "refresh_token_invalidation_trigger_configuration": { "description": "Refresh token invalidation trigger configuration", "allOf": [ { "$ref": "#/components/schemas/ApiRefreshTokenInvalidationTriggerConfiguration" } ] }, "application_type": { "type": "string", "enum": [ "ido", "basic" ], "description": "Application type" } }, "required": [ "app_id", "tenant_id", "app_name", "app_description", "logo", "login_preferences", "created_at", "created_by", "updated_at", "service_providers", "authenticator_preferences", "allow_public_signup" ] }, "ApiBasicApp": { "type": "object", "properties": { "app_id": { "type": "string", "description": 
"Application ID" }, "tenant_id": { "type": "string", "description": "Tenant ID" }, "app_name": { "type": "string", "description": "Application name displayed in the Admin Portal" }, "app_description": { "type": "string", "description": "Short description of your application, displayed in the Admin Portal" }, "login_uri": { "type": "string", "description": "URI used to redirect the user to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "application_type": { "type": "string", "enum": [ "ido", "basic" ], "description": "Application type" } }, "required": [ "app_id", "tenant_id", "app_name", "app_description" ] }, "ApiUpdateAppInput": { "type": "object", "properties": { "app_name": { "type": "string", "description": "Name of the application", "example": "My App" }, "app_description": { "type": "string", "description": "Short description of the application" }, "service_providers": { "description": "List of service provider IDs associated with this application", "type": "array", "items": { "type": "string" } }, "allow_public_signup": { "type": "boolean", "description": "Determines if the application is allowed to request to create new users via login flows", "default": false }, "authenticator_preferences": { "description": "Configures the application as the Authentication Hub of this tenant, allowing other apps to use it to perform a centralized login", "allOf": [ { "$ref": "#/components/schemas/ApiAuthenticatorAppPreferences" } ] }, "login_uri": { "type": "string", "description": "URI used to redirect the user to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "invite_member_uri": { "type": "string", "description": "URI used to redirect the member to the login page of the application (when needed)", "example": "https://www.example.com/login" }, "invite_member_email_expiration_minutes": { "type": "number", "description": "Member invite email link expiration in minutes", 
"default": 2880 }, "refresh_token_invalidation_trigger_configuration": { "description": "Refresh token invalidation trigger configuration", "allOf": [ { "$ref": "#/components/schemas/ApiRefreshTokenInvalidationTriggerConfiguration" } ] }, "client_type": { "type": "string", "enum": [ "web", "native" ], "description": "Client type of the default client", "default": "web", "deprecated": true }, "client_display_name": { "type": "string", "description": "Client name of the default client to display when needed", "deprecated": true }, "client_description": { "type": "string", "description": "Short description of the default client", "deprecated": true }, "first_client_authentication_protocol": { "type": "string", "description": "Defines the first client authentication protocol.", "enum": [ "oidc", "saml" ] }, "first_client": { "description": "Creates the first client for the application. The client can be OIDC or SAML, depending on what is set in first_client_authentication_protocol", "oneOf": [ { "$ref": "#/components/schemas/ApiCreateOidcClientInput" }, { "$ref": "#/components/schemas/ApiCreateSamlClientInput" } ] }, "redirect_uris": { "description": "List of URIs approved for redirects for your default client", "example": [ "https://www.example.com/login" ], "deprecated": true, "type": "array", "items": { "type": "string" } }, "logo": { "type": "string", "description": "URI of your application's logo, such as for email templates" }, "resources": { "description": "List of resource IDs associated with the default client", "deprecated": true, "type": "array", "items": { "type": "string" } }, "device_authorization": { "description": "Configuration for an [OAuth Device Authorization Flow](https://www.rfc-editor.org/rfc/rfc8628) of the default client", "deprecated": true, "allOf": [ { "$ref": "#/components/schemas/ApiDeviceAuthConfiguration" } ] }, "ciba_authorization": { "description": "CIBA authorization flow configuration of the default client", "deprecated": true, "allOf": [ { 
"$ref": "#/components/schemas/ApiCibaAuthConfiguration" } ] }, "client_auth_method": { "type": "string", "enum": [ "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "none", "private_key_jwt" ], "description": "This field is deprecated; to configure PKCE, use the \"pkce\" field instead", "default": "client_secret_basic", "deprecated": true }, "subdomain": { "type": "string", "description": "Subdomain of Org admin portal that can be offered for organizations to manage their users (when needed)", "example": "myapp" }, "custom_domain": { "type": "string", "description": "Domain of the application that can be offered for the application to be accessed from", "example": "myapp.com" }, "pkce": { "type": "string", "enum": [ "enforcePkceInsteadOfClientCredentials", "enforcePkceAlongsideClientCredentials", "allowPkceAlongsideClientCredentials" ], "description": "PKCE configuration for client" }, "should_delete_signing_key": { "type": "boolean", "description": "Determines whether the application-specific signing key should be deleted when disabled. 
If deleted, any tokens previously issued with this key will no longer be valid.", "default": false }, "signing_key_enabled": { "type": "boolean", "description": "Determines if application specific signing key is enabled", "default": false }, "invite_client_id": { "type": "string", "description": "Client used for the email magic link invitation flow" } } }, "ApiTokenSigningKey": { "type": "object", "properties": { "id": { "type": "string", "description": "ID of the signing key" }, "app_id": { "type": "string", "description": "Application ID" }, "tenant_id": { "type": "string", "description": "Tenant ID" }, "kid": { "type": "string", "description": "KID of the signing key" }, "name": { "type": "string", "description": "Name of the signing key" }, "status": { "type": "string", "description": "Status of the signing key", "enum": [ "signing", "disabled", "validating" ] }, "source": { "type": "string", "description": "Source of the signing key", "enum": [ "global", "mosaic", "uploaded" ] }, "created_at": { "format": "date-time", "type": "string", "description": "Date the signing key was created" }, "updated_at": { "format": "date-time", "type": "string", "description": "Date the signing key was updated" }, "deleted_at": { "format": "date-time", "type": "string", "description": "Date the signing key was deleted" } }, "required": [ "id", "app_id", "tenant_id", "kid", "name", "status", "source", "created_at", "updated_at", "deleted_at" ] }, "CreateTokenSigningKeyInput": { "type": "object", "properties": { "name": { "type": "string", "description": "Name of the signing key" } }, "required": [ "name" ] }, "UploadTokenSigningKey": { "type": "object", "properties": { "name": { "type": "string", "description": "Name of the signing key" }, "jwk": { "type": "object", "description": "JWK of the signing key" } }, "required": [ "name", "jwk" ] }, "UpdateTokenSigningKey": { "type": "object", "properties": { "status": { "type": "string", "description": "Status of the signing key", 
"enum": [ "signing", "disabled", "validating" ] }, "name": { "type": "string", "description": "Name of the signing key" } } }, "ApiLoginPreferences": { "type": "object", "properties": { "auth_methods": { "description": "Login preferences", "allOf": [ { "$ref": "#/components/schemas/ApiAuthMethods" } ] } }, "required": [ "auth_methods" ] }, "ApiDeviceAuthConfiguration": { "type": "object", "properties": { "enabled": { "type": "boolean", "description": "Determines if the client is allowed to use the OAuth device authorization flow", "default": false }, "approval_uri": { "type": "string", "description": "The URI of the page that allows the user to approve the access request", "example": "https://www.example.com/device/approval" }, "success_uri": { "type": "string", "description": "Callback URI that receives an indication of whether the end-user authentication was completed successfully.", "example": "https://www.example.com/device/complete" }, "input_uri": { "type": "string", "description": "The URI of the page that allows the user to enter the code", "example": "https://www.example.com/device/start" } }, "required": [ "enabled", "approval_uri", "success_uri", "input_uri" ] }, "ApiCibaAuthConfiguration": { "type": "object", "properties": { "enabled": { "type": "boolean", "description": "Determines if the client is allowed to use the OAuth CIBA authorization flow", "default": false }, "login_uri": { "type": "string", "description": "The URI of the page that allows the user to log-in and verify the access request", "example": "https://www.example.com/ciba/login" } }, "required": [ "enabled" ] }, "ApiClientAuthenticationConfiguration": { "type": "object", "properties": { "method": { "type": "string", "enum": [ "client_secret_basic", "self_signed_tls_client_auth", "tls_client_auth", "private_key_jwt" ], "description": "Client authentication method", "default": "client_secret_basic" }, "tls_client_auth": { "description": "TLS client authentication configuration for mTLS", 
"allOf": [ { "$ref": "#/components/schemas/TlsClientAuth" } ] }, "isMtlsCertTokenBound": { "type": "boolean", "description": "States whether to bind the access token to the client certificate when mTLS is enabled" }, "jwks": { "type": "object", "description": "A set of JWK keys containing the public keys for the Client to use for authentication" } }, "required": [ "method" ] }, "ApiTokenExpirationConfiguration": { "type": "object", "properties": { "access_token_ttl": { "type": "number", "description": "Access token time-to-live" }, "refresh_token_ttl": { "type": "number", "description": "Refresh token time-to-live" }, "max_refresh_rotate": { "type": "number", "description": "Maximum time the refresh token can be rotated" } } }, "ApiIdTokenEncryptionConfiguration": { "type": "object", "properties": { "enabled": { "type": "boolean", "description": "Determines if ID token encryption is enabled for the client", "default": false }, "jwks": { "type": "object", "description": "A set of JWK keys containing the public keys for the client to use for ID token encryption" } }, "required": [ "enabled" ] }, "ApiAuthenticatorAppPreferences": { "type": "object", "properties": { "is_centralized": { "type": "boolean", "description": "Indicates whether to set the application as the Authentication Hub for this tenant", "default": false }, "login_uri": { "type": "string", "description": "URI of the application that will initiate an authentication flow when centralized login is requested", "example": "https://www.example.com/login" } }, "required": [ "is_centralized", "login_uri" ] }, "ApiCustomDomainOutput": { "type": "object", "properties": { "domain": { "type": "string", "description": "Domain of the application that can be offered for the application to be accessed from", "example": "myapp.com" }, "updated_at": { "format": "date-time", "type": "string", "description": "Date the custom domain was last updated" }, "status": { "type": "string", "enum": [ "pending", "verified", "error" 
], "description": "The status of the custom domain validation process", "default": "pending" }, "error": { "type": "string", "description": "The error message if the custom domain validation process failed" } }, "required": [ "domain", "updated_at" ] }, "ApiExternalCommunication": { "type": "object", "properties": { "language": { "type": "string", "enum": [ "en", "es", "pt", "fr", "ja", "fr-CA" ], "description": "Language configuration for the external communication. The default language is english.", "default": "en" } } }, "ApiRefreshTokenInvalidationTriggerConfiguration": { "type": "object", "properties": { "invalidateOnMemberSuspension": { "type": "boolean", "description": "Determines if refresh tokens should be invalidated when a member is suspended", "default": true }, "invalidateOnMemberPasswordReset": { "type": "boolean", "description": "Determines if refresh tokens should be invalidated when a member resets their password", "default": true }, "invalidateOnMemberRoleUpdate": { "type": "boolean", "description": "Determines if refresh tokens should be invalidated when a member role is updated", "default": true } } }, "ApiAuthMethods": { "type": "object", "properties": { "google": { "description": "Google login configuration", "allOf": [ { "$ref": "#/components/schemas/ClientSecretConfiguration" } ] }, "facebook": { "description": "Facebook login configuration", "allOf": [ { "$ref": "#/components/schemas/ClientSecretConfiguration" } ] }, "email": { "description": "Email magic link login configuration", "allOf": [ { "$ref": "#/components/schemas/EmailConfiguration" } ] }, "email_otp": { "description": "Email one time password login configuration", "allOf": [ { "$ref": "#/components/schemas/EmailOtpConfiguration" } ] }, "apple": { "description": "Apple login configuration", "allOf": [ { "$ref": "#/components/schemas/AppleConfiguration" } ] }, "sms": { "description": "SMS one time password login configuration", "allOf": [ { "$ref": 
"#/components/schemas/SMSConfiguration" } ] }, "webauthn_api": { "description": "WebAuthn API configuration", "allOf": [ { "$ref": "#/components/schemas/WebAuthnApiConfiguration" } ] }, "line": { "description": "Line login configuration", "allOf": [ { "$ref": "#/components/schemas/ClientSecretConfiguration" } ] }, "password": { "description": "Password login configuration", "allOf": [ { "$ref": "#/components/schemas/PasswordConfiguration" } ] }, "totp": { "description": "TOTP login configuration", "allOf": [ { "$ref": "#/components/schemas/TotpConfiguration" } ] }, "push": { "description": "Push configuration", "allOf": [ { "$ref": "#/components/schemas/PushConfiguration" } ] }, "tiktok": { "description": "TikTok login configuration", "allOf": [ { "$ref": "#/components/schemas/ClientSecretConfiguration" } ] }, "pin_authenticator": { "description": "PIN authenticator configuration", "allOf": [ { "$ref": "#/components/schemas/PinAuthenticatorConfiguration" } ] }, "face": { "description": "Face authenticator configuration", "allOf": [ { "$ref": "#/components/schemas/FaceAuthenticatorConfiguration" } ] } } }, "TlsClientAuth": { "type": "object", "properties": { "certificate_chain": { "type": "string", "description": "Certificate chain including intermediate CA certificates used for client certificate validation" }, "distinguished_name": { "type": "number", "description": "The length of the generated OTP code. 
Must be between 4 and 8.", "example": 6 }, "ocsp_on": { "type": "boolean", "description": "Enables OCSP (Online Certificate Status Protocol) verification" }, "ocsp_responder_uri": { "type": "string", "description": "OCSP responder URI" }, "ocsp_responder_certificate": { "type": "string", "description": "OCSP responder certificate used for signature verification" }, "ocsp_fail_open": { "type": "boolean", "description": "OCSP fail-open" } } }, "ClientSecretConfiguration": { "type": "object", "properties": { "clientId": { "type": "string", "description": "Client ID retrieved from the identity provider" }, "clientSecret": { "type": "string", "description": "Client Secret retrieved from the identity provider" }, "redirectUris": { "description": "List of URIs approved for redirects for your client", "example": [ "https://www.example.com/login" ], "type": "array", "items": { "type": "string" } } }, "required": [ "clientId" ] }, "EmailConfiguration": { "type": "object", "properties": { "expiresIn": { "type": "number", "description": "Number of minutes until the email link/code expires" }, "linksPerUser": { "type": "number", "description": "Allowed magic links to send a user per minute" }, "message": { "$ref": "#/components/schemas/MessageConfiguration" } }, "required": [ "expiresIn", "linksPerUser", "message" ] }, "EmailOtpConfiguration": { "type": "object", "properties": { "expiresIn": { "type": "number", "description": "Number of minutes until the OTP expires" }, "lockoutDuration": { "type": "number", "description": "OTP lockout duration (in minutes) after maximum attempts are reached", "example": 15 }, "maxFailures": { "type": "number", "description": "Number of wrong OTP attempts allowed before the passcode is invalidated. Must be between 1 and 20.", "example": 3 }, "codeLength": { "type": "number", "description": "The length of the generated OTP code. 
Must be between 4 and 8.", "example": 6 }, "crossClientsAllowed": { "type": "boolean", "description": "Determines if OTP authentication is allowed across different clients within the same application", "default": false }, "message": { "$ref": "#/components/schemas/MessageConfiguration" } }, "required": [ "expiresIn", "maxFailures", "message" ] }, "AppleConfiguration": { "type": "object", "properties": { "clientId": { "type": "string", "description": "Services ID retrieved from Apple" }, "clientSecret": { "type": "string", "description": "Client Secret Signing Key retrieved from Apple" }, "redirectUris": { "description": "List of URIs approved for redirects for your client", "example": [ "https://www.example.com/login" ], "type": "array", "items": { "type": "string" } }, "appleTeamId": { "type": "string", "description": "Apple Team ID" }, "keyId": { "type": "string", "description": "Apple Key ID" } }, "required": [ "clientId", "appleTeamId", "keyId" ] }, "SMSConfiguration": { "type": "object", "properties": { "expiresIn": { "type": "number", "description": "Number of minutes until the OTP expires" }, "lockoutDuration": { "type": "number", "description": "OTP lockout duration (in minutes) after maximum attempts are reached", "example": 15 }, "maxFailures": { "type": "number", "description": "Number of wrong OTP attempts allowed before the passcode is invalidated. Must be between 1 and 20.", "example": 3 }, "codeLength": { "type": "number", "description": "The length of the generated OTP code. Must be between 4 and 8.", "example": 6 }, "crossClientsAllowed": { "type": "boolean", "description": "Determines if OTP authentication is allowed across different clients within the same application", "default": false } }, "required": [ "expiresIn", "maxFailures" ] }, "WebAuthnApiConfiguration": { "type": "object", "properties": { "failuresExpireIn": { "type": "number", "description": "Number of minutes until previous failed attempts are considered expired. 
Must be between 1 and 525600 minutes (1 year).", "default": 15, "example": 15, "minimum": 1, "maximum": 525600 }, "lockoutTiers": { "description": "Progressive lockout tiers based on failed attempts", "type": "array", "items": { "$ref": "#/components/schemas/LockoutTier" } }, "rpId": { "type": "string", "description": "Domain to which WebAuthn credentials are registered and used to authenticate (e.g., example.com)" }, "rpWebOrigins": { "description": "A list of Web origins that will be used to request registration and authentication. The origin must match the domain of the RP ID, but may be a subdomain of the RP ID (e.g., https://login.example.com ). The origin must also include the HTTPS scheme and port (if relevant).", "type": "array", "items": { "type": "string" } }, "rpMobileOrigins": { "description": "A list of mobile origins that will be used to request registration and authentication. The origin must match the domain of the RP ID.", "type": "array", "items": { "type": "string" } }, "replaceExistingPasskey": { "type": "boolean", "description": "Set to true in order to replace the existing passkey. Default is False.", "default": false }, "maxFailures": { "type": "number", "description": "Number of wrong attempts allowed before the passcode is invalidated. 
Must be between 1 and 20.", "example": 3, "default": 5, "deprecated": true }, "lockoutDuration": { "type": "number", "description": "Lockout duration (in minutes) after maximum attempts are reached", "example": 15, "default": 15, "deprecated": true }, "allowSyncedPasskeys": { "type": "boolean", "description": "Allow synced passkeys", "default": true }, "enforceAttestation": { "type": "boolean", "description": "Enforce attestation for device-bound passkeys", "default": false }, "attestationType": { "type": "string", "enum": [ "none", "indirect", "direct" ], "description": "Attestation conveyance preference (none, indirect, or direct)", "default": "none" }, "aaguidAllowList": { "description": "List of allowed AAGUIDs (Authenticator Attestation GUIDs). If specified, only authenticators with these AAGUIDs will be accepted. Mutually exclusive with aaguidBlockList.", "type": "array", "items": { "type": "string" } }, "aaguidBlockList": { "description": "List of blocked AAGUIDs (Authenticator Attestation GUIDs). Authenticators with these AAGUIDs will be rejected. Mutually exclusive with aaguidAllowList.", "type": "array", "items": { "type": "string" } }, "rpOrigin": { "type": "string", "deprecated": true, "description": "Web origin that will be used to request registration and authentication. The origin must match the domain of the RP ID, but may be a subdomain of the RP ID (e.g., https://login.example.com ). The origin must also include the HTTPS scheme and port (if relevant)." }, "rpOrigins": { "deprecated": true, "description": "Use rpWebOrigins or rpMobileOrigins instead", "type": "array", "items": { "type": "string" } } }, "required": [ "rpId" ] }, "PasswordConfiguration": { "type": "object", "properties": { "failuresExpireIn": { "type": "number", "description": "Number of minutes until previous failed attempts are considered expired. 
Must be between 1 and 525600 minutes (1 year).", "default": 15, "example": 15, "minimum": 1, "maximum": 525600 }, "lockoutTiers": { "description": "Progressive lockout tiers based on failed attempts", "type": "array", "items": { "$ref": "#/components/schemas/LockoutTier" } }, "resetValidityMinutes": { "type": "number", "description": "Number of minutes until the password-reset token/OTP expires. Must be between 5 and 60.", "default": 5, "example": 5, "minimum": 5, "maximum": 60 }, "passwordComplexity": { "type": "number", "description": "Password complexity. Must be between 1 and 5.", "default": 5, "example": 5, "minimum": 1, "maximum": 5 }, "passwordMinLength": { "type": "number", "description": "Minimum required length of the password. Must be between 5 and 14.", "default": 14, "example": 14, "minimum": 5, "maximum": 14 }, "blockPreviousPasswords": { "type": "number", "description": "Number of most recent passwords to block the user from setting as their new password. Must be between 0 and 20.", "default": 0, "example": 0, "minimum": 0, "maximum": 20 }, "checkHibp": { "type": "boolean", "description": "Check password updates against Have I Been Pwned (HIBP).", "default": false }, "checkDictionary": { "type": "boolean", "description": "Check password updates against a predefined dictionary.", "default": false }, "passwordExpiresIn": { "type": "number", "description": "Number of days until the password expires. Must be between 1 and 1096 days (3 years).", "default": 90, "example": 90, "minimum": 1, "maximum": 1096 }, "ignoreExpiration": { "type": "boolean", "description": "Ignore password expiration. If true, the password will never expire.", "default": false }, "maxPasswordFailures": { "type": "number", "description": "Number of wrong password attempts allowed before the user is suspended. 
Must be between 1 and 20.", "default": 5, "example": 5, "minimum": 1, "maximum": 20 }, "passwordSuspensionDuration": { "type": "number", "description": "Number of minutes to suspend the user from authenticating using password after the maximum number of allowed failed attempts is exceeded. Must be between 1 and 525600 minutes (1 year).", "default": 15, "example": 15, "minimum": 1, "maximum": 525600 }, "tempPasswordValidityHours": { "type": "number", "description": "Number of hours until temporary passwords are considered expired. Must be between 1 and 8760 hours (1 year).", "example": 24, "minimum": 1, "maximum": 8760 }, "message": { "$ref": "#/components/schemas/MessageConfiguration" }, "requireMFA": { "type": "boolean", "description": "Require multi-factor authentication for password reset flows.", "default": false }, "codeLength": { "type": "number", "description": "The length of the generated OTP code. Must be between 4 and 8.", "example": 6 }, "notifyOnPasswordUpdate": { "type": "boolean", "default": false, "description": "Send email to end-user upon password update" } }, "required": [ "resetValidityMinutes", "passwordComplexity", "passwordMinLength", "blockPreviousPasswords", "passwordExpiresIn", "message" ] }, "TotpConfiguration": { "type": "object", "properties": { "failuresExpireIn": { "type": "number", "description": "Number of minutes until previous failed attempts are considered expired. 
Must be between 1 and 525600 minutes (1 year).", "default": 15, "example": 15, "minimum": 1, "maximum": 525600 }, "lockoutTiers": { "description": "Progressive lockout tiers based on failed attempts", "type": "array", "items": { "$ref": "#/components/schemas/LockoutTier" } }, "algorithm": { "type": "string", "enum": [ "sha1", "sha256", "sha512" ], "description": "The algorithm used to generate the TOTP code", "default": "sha1" }, "digits": { "type": "number", "description": "Number of digits in the generated TOTP code, must be 6 or 8", "example": 6, "default": 6 }, "period": { "type": "number", "description": "Number of seconds in which the TOTP code is valid", "example": 30, "default": 30 }, "window": { "type": "number", "description": "Number of windows to check for valid TOTP codes", "example": 2, "default": 1 }, "issuer": { "type": "string", "description": "TOTP issuer", "example": "My Company" }, "maxFailures": { "type": "number", "description": "Number of wrong TOTP attempts allowed before the passcode is invalidated. Must be between 1 and 20.", "example": 3, "default": 5, "deprecated": true }, "lockoutDuration": { "type": "number", "description": "TOTP lockout duration (in minutes) after maximum attempts are reached", "example": 15, "default": 15, "deprecated": true }, "maxTotpPerUser": { "type": "number", "description": "Maximum number of TOTP authenticators allowed per user. Must be between 1 and 50.", "example": 1, "default": 1 } } }, "PushConfiguration": { "type": "object", "properties": { "apn": { "description": "APN configuration. 
Can be a single object or an array of objects.", "oneOf": [ { "$ref": "#/components/schemas/APNConfiguration" }, { "type": "array", "items": { "$ref": "#/components/schemas/APNConfiguration" } } ], "items": { "type": "string" } }, "fcm": { "description": "FCM configuration", "allOf": [ { "$ref": "#/components/schemas/FcmConfiguration" } ] } } }, "PinAuthenticatorConfiguration": { "type": "object", "properties": { "failuresExpireIn": { "type": "number", "description": "Number of minutes until previous failed attempts are considered expired. Must be between 1 and 525600 minutes (1 year).", "default": 15, "example": 15, "minimum": 1, "maximum": 525600 }, "lockoutTiers": { "description": "Progressive lockout tiers based on failed attempts", "type": "array", "items": { "$ref": "#/components/schemas/LockoutTier" } }, "maxFailures": { "type": "number", "description": "Number of wrong PIN Authenticator attempts allowed before the passcode is invalidated. Must be between 1 and 20.", "example": 3, "default": 5, "deprecated": true }, "lockoutDuration": { "type": "number", "description": "PIN Authenticator lockout duration (in minutes) after maximum attempts are reached", "example": 15, "default": 15, "deprecated": true } } }, "FaceAuthenticatorConfiguration": { "type": "object", "properties": { "failuresExpireIn": { "type": "number", "description": "Number of minutes until previous failed attempts are considered expired. Must be between 1 and 525600 minutes (1 year).", "default": 15, "example": 15, "minimum": 1, "maximum": 525600 }, "lockoutTiers": { "description": "Progressive lockout tiers based on failed attempts", "type": "array", "items": { "$ref": "#/components/schemas/LockoutTier" } }, "maxFailures": { "type": "number", "description": "Number of wrong Face Authenticator attempts allowed. 
Must be between 1 and 20.", "example": 3, "default": 5, "deprecated": true }, "lockoutDuration": { "type": "number", "description": "Face Authenticator lockout duration (in minutes) after maximum attempts are reached", "example": 15, "default": 15, "deprecated": true }, "saveImageEmbedding": { "type": "boolean", "description": "Enables saving the image embedding", "default": true } } }, "MessageConfiguration": { "type": "object", "properties": { "primaryColor": { "type": "string", "description": "Primary color of the email, specified as a Hex color" }, "from": { "type": "string", "description": "Origin of the email message" }, "subject": { "type": "string", "description": "Subject of the email message" } }, "required": [ "primaryColor" ] }, "LockoutTier": { "type": "object", "properties": { "attempts": { "type": "number", "description": "Number of failed attempts before this tier is triggered", "example": 3, "minimum": 1 }, "duration": { "type": "number", "description": "Lockout duration in minutes for this tier", "example": 15, "minimum": 1, "maximum": 525600 } }, "required": [ "attempts", "duration" ] }, "APNConfiguration": { "type": "object", "properties": { "key": { "type": "string", "description": "APN key" }, "keyId": { "type": "string", "description": "APN key id" }, "teamId": { "type": "string", "description": "APN team id" }, "bundle": { "type": "string", "description": "APN bundle" }, "isProduction": { "type": "boolean", "description": "Is Production APN Environment" } }, "required": [ "key", "keyId", "teamId", "bundle" ] }, "FcmConfiguration": { "type": "object", "properties": { "key": { "type": "object", "description": "FCM key" } }, "required": [ "key" ] } } }