# # Copyright 2024-Present Okta, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # openapi: 3.0.3 info: title: Okta Admin Management description: Allows customers to easily access the Okta Management APIs termsOfService: https://developer.okta.com/terms/ contact: name: Okta Developer Team url: https://developer.okta.com/ email: devex-public@okta.com license: name: Apache-2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html version: 5.1.0 x-logo: url: logo.svg backgroundColor: transparent altText: Okta Developer servers: - url: https://{yourOktaDomain} variables: yourOktaDomain: default: subdomain.okta.com description: The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. tags: - name: AgentPools x-displayName: Directory Agent Pools description: The Agent Pools API provides operations to manage the update settings of the directory agents for your org. - name: ApiServiceIntegrations x-displayName: API Service Integrations description: | This API provides operations to manage API service integration instances in your org. For a current list of available API service integrations, see the [Okta Integration Network catalog](https://www.okta.com/integrations/?capability=api). See [Add an API Service Integration](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-api-service-integration) for corresponding admin instructions using the Admin Console. 
If you want to build an API service integration, see [API service integrations in the OIN](https://developer.okta.com/docs/guides/oin-api-service-overview/). - name: ApiToken x-displayName: API Tokens description: The API Tokens API provides operations to manage SSWS API tokens for your org. - name: Application x-displayName: Applications description: |- The Applications API provides operations to manage apps in your org. To create a custom app integration instance, use the [Create an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) operation with the schema provided in the request payload. To create an app instance from the Okta Integration Network (OIN), use the [Create an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) operation with the corresponding OIN app schema in the request body. - name: ApplicationConnections x-displayName: Application Connections description: | The Application Connections API provides operations for configuring connections to an app. Okta supports token-based and OAuth 2.0-based provisioning connections for supported apps. The following available provisioning connections are supported by the indicated apps: |
Connection | Description | Apps supported
| | -------------------------------- | -------------- | ----------- | | Token | The provisioning API connection is based on bearer token authentication. | | | OAuth 2.0 | The provisioning API connection is based on OAuth 2.0 authentication. | | > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Integrator Free Plan orgs. If you need to test this feature in your Integrator Free Plan org, contact your Okta account team. - name: ApplicationCrossAppAccessConnections x-displayName: Application Cross App Access Connections description: | The Application Cross App Access Connections API provides operations to configure and manage Cross App Access connections between a requesting app and a resource app. To establish the Cross App Access connection, both the requesting app and the resource app must support the `Connect with Okta` App Feature. - name: ApplicationFeatures x-displayName: Application Features description: | The Application Features API supports operations to configure app provisioning feature settings. You must have app provisioning enabled to configure provisioning features. See [Update the default Provisioning Connection](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). The following available provisioning features are supported by the indicated apps: |
Feature | Description | Apps supported
| | -------------------- | -------------- | ----------- | | `USER_PROVISIONING` | Similar to the app **Provisioning** > **To App** setting in the Admin Console, user profiles are pushed from Okta to the third-party app. You can configure rules for creating users, deactivating users, and syncing passwords. | | | `INBOUND_PROVISIONING` | Similar to the app **Provisioning** > **To Okta** provisioning setting in the Admin Console, user profiles are imported from the third-party app into Okta. You can schedule user import and configure rules for user creation and matching. | | > **Note:** The Okta Org2Org (`okta_org2org`) app isn't available in Okta Integrator Free Plan orgs. If you need to test this feature in your Integrator Free Plan org, contact your Okta account team. - name: ApplicationGrants x-displayName: Application Grants description: | The Application Grants API provides a set of operations to manage scope consent grants for an app. A scope consent grant represents an app's permission to include specific Okta scopes in OAuth 2.0 Bearer tokens. If the app doesn't have permission to grant consent for a particular Okta scope, token requests that contain the scope are denied. - name: ApplicationGroups x-displayName: Application Groups description: The Application Groups API provides a set of operations to manage group assignment for an app. - name: ApplicationLogos x-displayName: Application Logos description: Provides a resource to manage the application instance logo - name: ApplicationPolicies x-displayName: Application Policies description: The Application Policies API provides a resource to manage authentication policies associated with an app. 
- name: ApplicationSSO x-displayName: Application SSO description: Provides a Single Sign-On (SSO) resource for an application - name: ApplicationSSOCredentialKey x-displayName: Application Key Credentials description: | The Application Key Credentials API provides a set of operations to manage an app's key store credentials. - name: ApplicationSSOFederatedClaims x-displayName: Application Federated Claims description: | The federated claims for an application - name: ApplicationSSOPublicKeys x-displayName: Application Public Keys description: | The Application Public Keys API provides a set of operations to manage public JSON keys used for OAuth 2.0 client authentication as described in [Client authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/client-auth/) or for encrypting ID tokens. Encrypting ID tokens is self-service [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea). - name: ApplicationTokens x-displayName: Application Tokens description: | Resource to manage OAuth 2.0 tokens for an app > **Note:** To configure refresh tokens for an app, see > [grant_types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/grant_types&t=request) > and [refresh_token](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/settings/oauthClient/refresh_token&t=request). - name: ApplicationUsers x-displayName: Application Users description: | The Application Users API provides operations to manage app users and their assignments. The object returned from assigning a user to an app is known as the application user. 
You can assign users to apps for: * SSO only * SSO and provisioning - name: AssociatedDomainCustomizations x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine x-displayName: Associated Domain Customizations description: |- The Associated Domain Customizations API provides operations to manage associated domain customizations in your org. You can create associations between your custom domains and three well-known endpoints: * `/.well-known/apple-app-site-association` * `/.well-known/assetlinks.json` * `/.well-known/webauthn` See [Customize associated domains](https://developer.okta.com/docs/guides/custom-well-known-uri/main/) for more information about the endpoints and how to customize them. > **Notes:** > * You can't update the well-known URI files for the default brand. > * The maximum file size of each well-known URI file is 100 KB. - name: AttackProtection x-displayName: Attack Protection description: The Attack Protection API provides operations to configure the User Lockout Settings and the Authenticator Settings in your org to protect against password abuse. - name: Authenticator x-displayName: Authenticators description: |- The Authenticators Administration API provides operations to configure which authenticators are available to end users for use when they sign in to apps. End users are required to use one or more authenticators based on the security requirements of the app sign-in policy. Okta Identity Engine currently supports authenticators for the following factors: **Knowledge-based:** * Password * Security Question * Temporary access code (TAC) **Possession-based:** * Phone (SMS, voice call) * Email * WebAuthn * Duo * Custom app > **Note:** There are several limitations when you create or modify a `webauthn` authenticator. 
See [Configure the FIDO2 (WebAuthn) authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-webauthn) and [FIDO2 (WebAuthn) support and behavior](https://help.okta.com/okta_help.htm?type=oie&id=webauthn-compatability). - name: AuthorizationServer x-displayName: Authorization Servers description: |- Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them. **Work with the Default Authorization Server** Okta provides a pre-configured Custom Authorization Server with the name `default`. This Default Authorization Server includes a basic access policy and rule, which you can edit to control access. It allows you to specify `default` instead of the `authorizationServerId` in requests to it: `https://${yourOktaDomain}/api/v1/authorizationServers/default` vs `https://${yourOktaDomain}/api/v1/authorizationServers/${authorizationServerId}` for other Custom Authorization Servers - name: AuthorizationServerAssoc x-displayName: Authorization Server Associated Servers description: Associated authorization servers allow you to designate a trusted authorization server that you associate with another authorization server. This type of association provides a way to configure [token exchange](https://developer.okta.com/docs/guides/set-up-token-exchange/main/#trusted-servers) between other authorization servers under the same Okta tenant. - name: AuthorizationServerClaims x-displayName: Authorization Server Claims description: Provides operations to manage custom token claims for the given `authServerId` and `claimId` - name: AuthorizationServerClients x-displayName: Authorization Server Clients description: |- These endpoints allow you to manage tokens issued by an authorization server for a particular client. 
For example, you can revoke every active refresh token for a specific client. You can also revoke specific tokens or manage tokens at the user level. Read [Validate access tokens](https://developer.okta.com/docs/guides/validate-access-tokens/dotnet/main/) and [Validate ID tokens](https://developer.okta.com/docs/guides/validate-id-tokens/main/) to understand more about how OAuth 2.0 tokens work. - name: AuthorizationServerKeys x-displayName: Authorization Server Keys description: |- Provides operations to manage [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) credentials for the given `authServerId`. > **Note:** Looking for how to obtain the jwks_uri for your org or custom authorization server? See the [well-known OpenID metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOpenIDConfigurationCustomAS) and the [well-known OAuth 2.0 metadata endpoint](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/getWellKnownOAuthConfigurationCustomAS). - name: AuthorizationServerPolicies x-displayName: Authorization Server Policies description: Provides operations to manage policies for the given `authServerId`. - name: AuthorizationServerRules x-displayName: Authorization Server Rules description: Provides operations to manage policy rules for the given `authServerId`, `policyId`, and `ruleId`. - name: AuthorizationServerScopes x-displayName: Authorization Server Scopes description: Provides operations to manage custom token scopes for the given `authServerId` and `scopeId`. See [scope properties](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scope-properties). - name: Behavior x-displayName: Behavior Rules description: The Behavior Rules API provides operations to manage the behavior detection rules for your organization. 
- name: Brands x-displayName: Brands description: |- These endpoints allow you to manage Brands, and their metadata, in your orgs. With Brands, you can customize the following: * [The Okta-hosted sign-in page](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) * [The sign-out page](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) * [Error pages](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomPages/) * [Email templates](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomTemplates/) * [The Okta End-User Dashboard](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Themes/) > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: CAPTCHA x-displayName: CAPTCHAs description: |- As an option to increase org security, Okta supports CAPTCHA services to prevent automated sign-in attempts. You can integrate one of two providers: [hCaptcha](https://www.hcaptcha.com/) or [reCAPTCHA v2](https://developers.google.com/recaptcha/docs/invisible). The vendor implementations supported by Okta are both invisible. They each run risk-analysis software in the background during user sign in to determine the likelihood that the user is a bot. This risk analysis is based on the settings that you configure with the provider that you choose. Before you configure your org to use CAPTCHA, sign in to the vendor of your choice or sign up for an account. 
For more details, refer to [CAPTCHA integration](https://help.okta.com/okta_help.htm?type=oie&id=csh-captcha). - name: CustomDomain x-displayName: Custom Domains description: The Custom Domains API provides operations to manage custom domains for your organization. - name: CustomPages x-displayName: Custom Pages description: |- These endpoints allow you to customize the contents of various pages, including: * The Okta-hosted sign-in page * Error pages * The sign-out page > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: CustomTemplates x-displayName: Custom Email Templates description: |- These endpoints allow you to programmatically manage email customizations. Okta provides many customizable email templates. For example, the `UserActivation` email template allows users to activate their account. Use email customizations to override a template's default content. See the [list of email templates](https://developer.okta.com/docs/guides/custom-email/main/#use-customizable-email-templates). Each template has default content that Okta translates to any one of the supported languages. The following settings determine the language for emails sent from Okta to a user, if the user hasn't selected a specific display language: * The user's locale property value (if specified) * The org's display language See [Supported languages](https://developer.okta.com/docs/guides/custom-email/main/#supported-languages). The following constraints apply to email customizations: * If an email template has any customizations at all, exactly one of them must be the default (where `isDefault` is `true`). 
Okta uses the default customization when no other customization applies to the user's language settings. * Each email template can have only one customization for each supported language. ### Enable other locales Use the [BCP 47 format](https://www.rfc-editor.org/info/bcp47) to enable more locales than Okta's 27 default languages. Once you create a customization with the new locale, the locale appears in the Admin Console along with the default-supported locales. Include `null` in the subject or body of the email customization. Okta replaces `null` with a default value based on the following order of priority: - An existing default email customization, if one exists - Okta-provided translated content for the specified language, if one exists - Okta-provided translated content for the brand locale, if it's set - Okta-provided content in English - name: Device x-displayName: Devices description: |- The Okta Devices API provides a centralized integration platform to fetch and manage device information. Okta administrators can use these APIs to manage workforce identity Device object information. The Devices API supports the following device operations: * GET or DELETE device objects * Perform lifecycle transitions on the device objects. Device lifecycle is defined as transitions of the device status by the associated operations. The device object follows a predefined lifecycle transition flow. Device lifecycle operations are idempotent and its calls are synchronous. The Devices API supports the following authorization schemes: * SSWS: [API tokens](https://developer.okta.com/docs/reference/core-okta-api/#authentication) * Bearer: [OAuth2.0 and OpenID Connect](https://developer.okta.com/docs/concepts/oauth-openid/) > **Notes:** > * For devices to enroll in Okta and show up in the Devices API, the following actions are required: > * Admins: Enable Okta FastPass. See [Enable FastPass](https://help.okta.com/okta_help.htm?type=oie&id=ext-fp-enable). 
> * End users with existing mobile Okta Verify enrollments: After you upgrade your org to Okta Identity Engine, direct end users with existing Okta Verify enrollments to use [FastPass](https://help.okta.com/okta_help.htm?type=oie&id=csh-fp-main). > * End users with a new enrollment in Okta Verify on an Okta Identity Engine org have a device record created in the device inventory by default. > See [Device Registration](https://help.okta.com/okta_help.htm?type=oie&id=csh-device-registration) and [Login Using Okta Verify](https://help.okta.com/okta_help.htm?type=eu&id=ext-ov-user-overview). - name: DeviceAssurance x-displayName: Device Assurance Policies description: The Device Assurance Policies API provides operations to manage device assurance policies in your organization. - name: DeviceIntegrations x-displayName: Device Integrations description: |- The Device Integrations API provides operations to retrieve, and activate or deactivate, an endpoint security integration in your organization. Examples of device integrations include the following: * Device Posture Provider * Windows Security Center * Chrome Device Trust * OSQuery * Android Device Trust - name: DevicePostureCheck x-displayName: Device Posture Checks description: The Device Posture Checks API provides operations to manage custom device posture checks for use in device assurance policies in your organization. - name: DirectoriesIntegration x-displayName: Directories Integration description: |- The Directories Integration API provides operations to manage Active Directory (AD) objects in a connected on-premises directory through Okta. You can add or remove users from groups based on their identity and access requirements. This ensures that changes made to user access in Okta are reflected in AD. When you use Okta Access Certifications to revoke a user's membership to an AD group, the removal is reflected in AD. 
Okta can only manage group memberships for users and groups imported into Okta using the AD integration. You can't use this API to manage users and groups that weren't imported through AD integration or are outside of the integration's org unit scope. See [Bidirectional Group Management](https://help.okta.com/okta_help.htm?type=oie&id=ad-bidirectional-group-mgmt). - name: EmailCustomization x-displayName: Org Email Settings description: The Org Email Settings API provides operations to modify the email bounce list for your Okta org. - name: EmailDomain x-displayName: Email Domains description: The Email Domains API provides operations to manage email domains for your organization. - name: EmailServer x-displayName: Email Servers description: The Email Servers API allows you to configure a custom external email provider to send email notifications. By default, notifications such as the welcome email or an account recovery email are sent through an Okta-managed SMTP server. Adding a custom email provider gives you more control over your email delivery. - name: EventHook x-displayName: Event Hooks description: |- The Event Hooks API provides operations to manage event hooks for your organization. For general information on event hooks and how to create and use them, see [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/). The following documentation is only for the management API, which provides a CRUD interface for registering event hooks. For a step-by-step guide on implementing an example event hook, see the [Event hook](https://developer.okta.com/docs/guides/event-hook-implementation/) guide. When you create an event hook, you need to specify which events you want to subscribe to. To see the list of event types currently eligible for use in event hooks, use the [Event Types](https://developer.okta.com/docs/reference/api/event-types/#catalog) catalog and search with the parameter `event-hook-eligible`. 
- name: Feature x-displayName: Features description: |- The Okta Features API provides operations to manage self-service Early Access (EA) and Beta features in your org. > **Note:** Important background information for this API is available on the [Feature Lifecycle Management](https://developer.okta.com/docs/concepts/feature-lifecycle-management/) page. - name: GovernanceBundle x-displayName: IAM Governance Bundles description: |- The IAM Governance Bundle API provides operations for managing governance entitlement bundles, including roles and resources associated with the bundles, for the Admin Console. For details on governance bundles for the Admin Console, see [Govern Okta admin roles](https://help.okta.com/okta_help.htm?type=oie&id=csh-governance-admin-roles) and [Entitlement Management](https://help.okta.com/okta_help.htm?type=oie&id=ext-entitlement-mgt). - name: Group x-displayName: Groups description: The Groups API provides operations to manage Okta groups and their user members in your org. - name: GroupOwner x-displayName: Group Owners description: |- The Group Owners API provides operations to manage owners of Okta groups in your org. > **Note**: This API is only available if you're subscribed to Okta Identity Governance. Contact Okta Support for more information. - name: GroupPushMapping x-displayName: Group Push Mappings description: The Group Push Mappings API provides operations to manage group push mappings for your org. You must have provisioning enabled in the target app to use group push mappings. See [Manage Group Push](https://help.okta.com/okta_help.htm?type=oie&id=ext-manage-group-push). - name: GroupRule x-displayName: Group Rules description: The Group Rules API provides operations to manage rules for Okta groups in your org. - name: HookKey x-displayName: Hook Keys description: |- The Okta Key Management API provides a CRUD interface for JSON Web Keys (JWK) used with other parts of the application, such as inline hooks. 
For information on how to create inline hooks, see [inline hooks](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/). > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: IdentityProvider x-displayName: Identity Providers description: The Identity Providers API provides operations to manage federations with external identity providers (IdPs). For example, your app can support signing in with credentials from Apple, Facebook, Google, LinkedIn, Microsoft, an enterprise IdP using SAML 2.0, or an IdP using the OpenID Connect (`OIDC`) protocol. - name: IdentityProviderKeys x-displayName: Identity Provider Keys description: The Identity Provider Keys API provides operations to manage key credentials for identity providers (IdPs). - name: IdentityProviderSigningKeys x-displayName: Identity Provider Signing Keys description: |- The Identity Provider Signing Keys API provides operations to manage signing key credentials and certificate signing requests (CSRs) for identity providers (IdPs). > **Note:** Okta currently uses the same key for both request signing and the decryption of SAML assertions that the IdP encrypts. Changing your signing key also changes your decryption key. - name: IdentityProviderUsers x-displayName: Identity Provider Users description: The Identity Provider Users API provides operations to manage identity provider (IdP) users. - name: IdentitySource x-displayName: Identity Sources description: The Okta Identity Source API provides a mechanism to synchronize an HR source (the custom identity source) with Okta user profiles in an org. 
See [Build an Anything-as-a-Source custom client integration](https://developer.okta.com/docs/guides/anything-as-a-source/). - name: InlineHook x-displayName: Inline Hooks description: |- The Inline Hooks API provides operations to manage inline hooks for your organization. For general information on inline hooks and how to create and use them, see [inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/). The following documentation is only for the management API, which provides a CRUD interface for registering inline hooks. - name: LinkedObject x-displayName: Linked Objects description: |- Users have relationships to each other, like manager and subordinate or customer and sales representative. You can create users with relationships by using the Linked Objects API to represent the relationship. 1. Create a linked object definition such as Manager:Subordinate or Case Worker:Client. These pairs are represented by a `primary` attribute and an `associated` attribute. 2. Link users together to create the relationship between the two. You create a linked object value with a single request that links one `primary` and one `associated` user. For each relationship: * A user has at most one `primary` link (a user has a single manager), but can have many `associated` links (a user can have many subordinates). * A user can be the `primary` in one relationship and the `associated` in another. * A user can be both the `primary` and `associated` in the same relationship. Okta Expression Language function for [linked objects](https://developer.okta.com/docs/reference/okta-expression-language/#linked-object-function) provides access to the details about a linked user. > **Note:** The linked objects feature isn't available for OpenID Connect claims. ## Example usage Okta allows you to create up to 200 linked object definitions. These definitions are one-to-many, for example: * A manager has many subordinates. Each subordinate has one manager. 
* A sales representative has many customers. Each customer has one sales rep. * A case worker has many clients. Each client has one case worker. Most orgs have more than one manager or sales representative. You can create the linked object definition once, and then assign the `primary` relationship to as many users as you have people in that relationship. You can assign the `associated` relationship for a single `primary` user to as many users as needed. The `associated` user can be related to only one `primary` per linked object definition. But you can assign a user to more than one linked object definition. For example, assume that you've created one linked object definition for manager (`primary`) and for subordinates (`associated`): * Joe is Frank's manager. * Bob is Joe's manager, but Jane's subordinate. * Jane is the CEO, so she reports to herself. Thus, you can create chains of relationships (Jane > Bob > Joe > Frank) or terminal relationships (Jane is both `primary` and `associated` user). Then, if you create another linked object relationship for scrum team membership, you could assign relationships to the same four users: * Bob is the scrum lead for the Identity Scrum team. * Joe and Frank are both contributors to the team. Bob can be the `primary` for a Manager:Subordinate, an `associated` user for that same linked object definition, and also the `primary` for the Scrumlead:Contributor linked object definition. To represent a relationship, create a linked object definition that specifies a `primary` (parent) relationship and an `associated` (child) relationship, and then add a link in which the appropriate user is assigned to each side of that link type. ## Links between user types If you created multiple user types (see [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/)), they all share the same linked object definitions. 
For example, if you have separate user types for employees and contractors, a link could designate an employee as the manager for a contractor, with the contractor being a subordinate of that employee. ## Link definition operations Link definition operations allow you to manage the creation and removal of the link definitions. If you remove a link definition, links based on that definition are unavailable. > **Note:** Links reappear if you recreate the definition. However, Okta is likely to change this behavior so that links don't reappear. Don't rely on this behavior in production environments. - name: LogStream x-displayName: Log Streaming description: The Log Streaming API provides operations to manage log stream configurations for an org. You can configure up to two log stream integrations per org. - name: NetworkZone x-displayName: Network Zones description: |- The Network Zones API provides operations to manage system default and custom zones in your Okta org. Network Zones are configurable boundaries that you can use to grant or restrict access to resources in your organization. They're used for two purposes: * `POLICY`: Network Zones used to guide policy decisions * `BLOCKLIST`: Network Zones used to deny access from certain IP addresses, locations, Autonomous System Numbers (ASNs), proxy types, or IP service categories before policy evaluation > **Note:** The Network Zone blocklist applies to all URLs for the org. See [Network zones](https://help.okta.com/okta_help.htm?id=ext_Security_Network) in the Okta product documentation. 

      Your Okta org provides the following default system Network Zones that you can modify and use:

      * `LegacyIpZone`: The system default IP Network Zone
      * `BlockedIpZone`: The system default IP Blocklist Network Zone
      * `DefaultEnhancedDynamicZone`: The system default Enhanced Dynamic Network Zone

      You can create and use the following custom Network Zones:

      * IP Network Zone (`IP`): Allows you to define network perimeters around a set of IPs
      * Dynamic Network Zone (`DYNAMIC`): Allows you to define network perimeters around location, IP type, or ASNs
      * Enhanced Dynamic Network Zone (`DYNAMIC_V2`): Extends the Dynamic Network Zone and allows you to include or exclude specific locations, ASNs, or IP service categories

      > **Note:** To create multiple Network Zones, you must have Adaptive MFA enabled in your Okta org.
  - name: OAuth2ResourceServerCredentialsKeys
    x-displayName: Authorization Server Public Keys
    x-okta-lifecycle:
      lifecycle: EA
      isGenerallyAvailable: true
    description: Provides operations to manage public [JSON Web Key](https://datatracker.ietf.org/doc/html/rfc7517) credentials used for encrypting tokens minted by the custom authorization server.
  - name: OktaApplicationSettings
    x-displayName: Okta Application Settings
    description: The Okta Application Settings API provides operations to manage settings for Okta apps in your org.
  - name: OktaPersonalSettings
    x-displayName: Okta Personal Settings
    description: The Okta Personal Settings API provides operations to manage the [Okta Personal](https://www.okta.com/products/okta-personal/workforce) settings of your Okta org.
  - name: OrgCreator
    x-displayName: Org Creator
    description: |-
      > **Note:** You need to have the **Platform—Multi-org Deployment** product to enable the **Org Creator API** feature. Contact your Okta account team for more information.

      The Org Creator API provides an operation to create Okta orgs (child orgs) based on features from your current org (the parent org).
      See [Org Creator](https://developer.okta.com/docs/concepts/org-creator/).
  - name: OrgSettingAdmin
    x-displayName: Org Admin Settings
    description: The Org Admin Settings API provides operations to manage the admin settings for your Okta org.
  - name: OrgSettingCommunication
    x-displayName: Org Communication Settings
    description: The Org Communication Settings API provides operations to manage the communication settings for your Okta org. For example, opt users in or out of communication emails.
  - name: OrgSettingContact
    x-displayName: Org Contacts
    description: The Org Contacts API provides operations to manage the contact types of your Okta org.
  - name: OrgSettingCustomization
    x-displayName: Org Customization
    description: The Org Customization API provides operations to retrieve and modify custom settings for your Okta org.
  - name: OrgSettingGeneral
    x-displayName: Org General Settings
    description: The Org General Settings API provides operations to manage the general settings of your Okta org.
  - name: OrgSettingMetadata
    x-displayName: Org Metadata
    description: The Org Metadata API provides an operation to fetch metadata for your Okta org.
  - name: OrgSettingSupport
    x-displayName: Org Support Settings
    description: The Org Support Settings API provides operations to manage the support settings for your Okta org.
  - name: Policy
    x-displayName: Policies
    description: |-
      The Okta Policy API enables an administrator to perform policy and policy rule operations.
      The policy framework is used by Okta to control rules and settings that govern many things:

      - user session lifetime
      - whether multi-factor authentication is required when signing in
      - what MFA factors may be employed
      - password complexity requirements
      - what types of self-service operations are permitted under various circumstances
      - which identity provider to route users to

      Policy settings for a particular policy type, such as `SIGN_ON` policy, consist of one or more policy objects, each of which contains one or more policy rules. Policies and rules contain conditions that determine whether they are applicable to a particular user at a particular time.

      See:

      * [Authenticator enrollment policies](https://developer.okta.com/docs/concepts/policies/#authenticator-enrollment-policies): `MFA_ENROLL`
      * [App sign-in policies](https://developer.okta.com/docs/concepts/policies/#app-sign-in-policies): `ACCESS_POLICY`
      * [Device signal collection policies](https://developer.okta.com/docs/guides/device-signal-collection-policies/main/): `DEVICE_SIGNAL_COLLECTION`
      * [Entity risk policies](https://developer.okta.com/docs/concepts/policies/#identity-threat-protection-policies): `ENTITY_RISK`
      * [Global session policies](https://developer.okta.com/docs/concepts/policies/#global-session-policies): `SIGN_ON`
      * [IdP discovery policies](https://developer.okta.com/docs/concepts/policies/#route-to-other-identity-providers): `IDP_DISCOVERY`
      * [Password policies](https://developer.okta.com/docs/concepts/policies/#password-policies): `PASSWORD`
      * [Identity Threat Protection policies](https://developer.okta.com/docs/concepts/policies/#identity-threat-protection-policies): `POST_AUTH_SESSION`
      * [User profile policies](https://developer.okta.com/docs/concepts/policies/#user-profile-policies): `PROFILE_ENROLLMENT`

      ### Policy evaluation

      When a policy needs to be retrieved for a particular user, for example when the user attempts to sign in to Okta, or when the user initiates a self-service
      operation, then a policy evaluation takes place.

      During policy evaluation, each policy of the appropriate type is considered in turn, in the order indicated by the policy priority. Each of the conditions associated with the policy is evaluated. If one or more of the conditions can't be met, then the next policy in the list is considered. If the conditions can be met, then each of the rules associated with the policy is considered in turn, in the order specified by the rule priority. Each of the conditions associated with a given rule is evaluated. If all of the conditions associated with a rule are met, then the settings contained in the rule, and in the associated policy, are applied to the user. If none of the policy rules have conditions that can be met, then the next policy in the list is considered.

      ### Rule priority

      Rules have a priority that governs the order in which they're considered during evaluation. The highest priority rule has a priority of `1`. For example, if a particular policy had two rules:

      * Rule A has priority `1` and applies to LDAP API scenarios.
      * Rule B has priority `2` and applies to ANYWHERE (network connection) scenarios.

      If a request came in from the LDAP endpoint, the action in rule A is taken, and rule B isn't evaluated. This occurs because even though requests coming from anywhere match the ANYWHERE location condition of rule B, rule A has higher priority and is evaluated first.

      ### Default rules

      Only the default policy contains a default rule. In Identity Engine, you can't delete default rules, but can edit them, except for:

      * The property `usePersistentCookie` of the default global session policy's default rule, which is read-only.
      * The default identity provider routing rule and the default rule of the default authenticator enrollment policy, which are also read-only.

      #### Policy limitations

      Different policy types control settings for different operations.
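
The evaluation order and rule priority described above can be modelled directly. This is an added example, not part of the Okta specification or any Okta SDK: the `Policy`, `Rule`, `evaluate` and `never_selected` names, the condition functions and the sample contexts are constructed for illustration. It reuses the Rule A / Rule B priorities from the text and shows how swapping them leaves the LDAP rule shadowed by the ANYWHERE rule.

```python
"""Model of the policy evaluation order described above (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

Condition = Callable[[dict], bool]  # takes a request context, True if met


@dataclass
class Rule:
    name: str
    priority: int                       # lower number is considered first
    conditions: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    priority: int
    conditions: list = field(default_factory=list)
    rules: list = field(default_factory=list)


def evaluate(policies, ctx) -> Optional[tuple]:
    """Return (policy name, rule name) of the first match, or None."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if not all(cond(ctx) for cond in policy.conditions):
            continue                    # a policy condition failed: next policy
        for rule in sorted(policy.rules, key=lambda r: r.priority):
            if all(cond(ctx) for cond in rule.conditions):
                return policy.name, rule.name
        # no rule in this policy matched: fall through to the next policy
    return None


def never_selected(policies, contexts):
    """Rules that win for none of the sample contexts (candidates for shadowing)."""
    every = {(p.name, r.name) for p in policies for r in p.rules}
    hit = {evaluate(policies, ctx) for ctx in contexts}
    return sorted(every - hit)


# Constructed conditions; real policies carry structured condition objects.
in_staff = lambda ctx: ctx.get("group") == "staff"
from_ldap = lambda ctx: ctx.get("client") == "LDAP"
anywhere = lambda ctx: True


def build(rule_a_priority, rule_b_priority):
    """Two policies: one for the staff group, then a catch-all default."""
    staff = Policy("staff", 1, [in_staff], [
        Rule("A (LDAP)", rule_a_priority, [from_ldap]),
        Rule("B (ANYWHERE)", rule_b_priority, [anywhere]),
    ])
    default = Policy("default", 2, [], [Rule("default rule", 1, [])])
    return [staff, default]


# Constructed request contexts used to exercise the rule set.
SAMPLE_CONTEXTS = [
    {"group": "staff", "client": "LDAP"},
    {"group": "staff", "client": "WEB"},
    {"group": "contractor", "client": "WEB"},
]

if __name__ == "__main__":
    for label, policies in (("as documented", build(1, 2)),
                            ("priorities swapped", build(2, 1))):
        print(label)
        for ctx in SAMPLE_CONTEXTS:
            print("  ", ctx, "->", evaluate(policies, ctx))
        print("   never selected:", never_selected(policies, SAMPLE_CONTEXTS))
```

Running `never_selected` against a representative set of request contexts after every rule reorder is a cheap way to catch a stricter rule that a broader, higher-priority rule has made unreachable.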
      All policy types share a common framework, message structure, and API, but have different policy settings and rule data. Keep in mind the following policy-specific limitations.

      #### App sign-in policy

      The app sign-in policy has the following limitations:

      * You can have a maximum of 5000 app sign-in policies in an org. There is a max limit of 100 rules allowed per policy. When you create an app sign-in policy, you automatically also create a default policy rule with the lowest priority of `99`. The highest priority that you can set an app sign-in policy rule to is `0`.
      * When you [merge duplicate app sign-in policies](https://help.okta.com/oie/en-us/content/topics/identity-engine/policies/consolidate-auth-policies.htm?cshid=ext-merge-auth-policies), policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email.

      #### IdP discovery policy

      The IdP discovery policy has the following limitations:

      * You can add up to 10 providers to a single `idp` policy action.
      * You can define only one provider for the following IdP types: `AgentlessDSSO`, `IWA`, `X509`.
      * You can't define a provider if `idpSelectionType` is `DYNAMIC`.
      * You can't define a `providerExpression` if `idpSelectionType` is `SPECIFIC`.
      * If a user identifier condition is defined together with an `OKTA` provider, sign-in requests are handled by Okta exclusively.

      #### Password policy

      The password policy is enforced only for Okta and AD-sourced users. For AD-sourced users, ensure that your Active Directory policies don't conflict with the Okta policies.

      #### User profile policy

      The user profile policy has the following limitations:

      * You can't update or delete the required base attributes in the default user profile: `email`, `firstName`, or `lastName`.
      * You can have a maximum of 500 user profile policies in an org. A user profile policy can only have one rule associated with it. Adding more rules isn't allowed.
      The default rule is required and is always the last rule in the priority order. If you add rules to the default policy, they have a higher priority than the default rule. The `system` object determines whether a rule is created by a system or by a user. The default rule is the only rule that has this attribute.

      See [Configure multiple identifiers](https://developer.okta.com/docs/guides/multiple-identifiers/main/).
  - name: PrincipalRateLimit
    x-displayName: Principal Rate Limits
    description: The Principal Rate Limits API provides operations to manage Principal Rate Limits for your organization.
  - name: ProfileMapping
    x-displayName: Profile Mappings
    description: The Mappings API provides operations to manage the mapping of profile properties between an Okta user and an app user using [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language). You can find more information on Okta user and app user profiles in Okta's [User profiles](https://developer.okta.com/docs/concepts/user-profiles/#what-is-the-okta-universal-directory).
  - name: PushProvider
    x-displayName: Push Providers
    x-okta-lifecycle:
      lifecycle: GA
      isGenerallyAvailable: false
      SKUs: []
    description: |-
      The Okta Push Providers API provides a centralized integration platform to fetch and manage push provider configurations. Okta administrators can use these APIs to provide their push provider credentials, for example from APNs and FCM, so that Okta can send push notifications to their own custom app authenticator applications.

      The Push Providers API supports the following **Authorization Schemes**:

      * SSWS - [API tokens](https://developer.okta.com/docs/reference/core-okta-api/#authentication)
      * Bearer - [OAuth2.0 and OpenID Connect](https://developer.okta.com/docs/concepts/oauth-openid/)

      > **Notes:**
      > * Some of the curl code examples on this page include SSWS API token authentication.
      However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/reference/core-okta-api/#authentication).
      > * You can use the Push Providers API as part of the "Create a custom authenticator" flow. See the [Custom authenticator integration guide](https://developer.okta.com/docs/guides/authenticators-custom-authenticator/android/main/).
  - name: RateLimitSettings
    x-displayName: Rate Limit Settings
    description: The Rate Limit Settings APIs provide operations to manage settings and configurations surrounding rate limiting in your Okta organization.
  - name: Realm
    x-displayName: Realms
    description: |-
      > **Note:** This API is only available if you're subscribed to Okta Identity Governance, Secure Partner Access, or Advanced Directory Management. Contact Okta Support for more information.

      The Realms API provides operations to manage realms. See [Manage realms](https://help.okta.com/okta_help.htm?type=oie&id=csh-realms).
  - name: RealmAssignment
    x-displayName: Realm Assignments
    description: |-
      > **Note:** This API is only available if you're subscribed to Okta Identity Governance, Secure Partner Access, or Advanced Directory Management. Contact Okta Support for more information.

      The Realm Assignments API provides operations to manage realm assignments. See [Realm assignments](https://help.okta.com/okta_help.htm?type=oie&id=csh-realms-assignment) and [Manage realms](https://help.okta.com/okta_help.htm?type=oie&id=csh-realms).

      > **Note:** When you create realm assignments in bulk, realm assignment priorities must be unique.
  - name: RoleAssignmentAUser
    x-displayName: User Role Assignments
    description: The User Role Assignments APIs allow you to assign roles and designate third-party admin status to users.
  - name: RoleAssignmentBGroup
    x-displayName: Group Role Assignments
    description: The Group Role Assignments APIs allow you to assign roles and designate third-party admin status to groups.
  - name: RoleAssignmentClient
    x-displayName: Client Role Assignments
    description: The Client Role Assignments APIs allow you to assign roles and designate third-party admin status to public client apps.
  - name: RoleBTargetAdmin
    x-displayName: User Role Targets
    description: |-
      User role targets are a way of limiting the app or group resources for a [standard role](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles) that's assigned to an admin user within your org. You can define admin roles to target groups, apps, and app instances.

      * **Group targets:** Grant an admin permission to manage only a specified group. For example, an admin role may be assigned to manage only the IT group.
      * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook.
      * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances.

      > **Note:** You can only use the User Role Targets API with [standard roles](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles). For custom roles, use [Resource Sets](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleCResourceSet/) to define specific targets. See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/).
  - name: RoleBTargetBGroup
    x-displayName: Group Role Targets
    description: |-
      Group role targets allow you to limit the app or group resources for a [standard role](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a group within your org. You can define admin roles to target groups, apps, and app instances.

      * **Group targets:** Grant an admin permission to manage only a specified group. For example, an admin role may be assigned to manage only the IT group.
      * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook.
      * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances.

      > **Note:** You can only use the Group Role Targets API with [standard roles](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles). For custom roles, use [Resource Sets](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleCResourceSet/) to define specific targets. See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/).
  - name: RoleBTargetClient
    x-displayName: Client Role Targets
    description: |-
      Client role targets allow you to limit the app or group resources for a [standard role](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles) that's assigned to a client (app) within your org. You can define admin roles to target groups, apps, and app instances.

      * **Group targets:** Grant an admin permission to manage only a specified group.
        For example, an admin role may be assigned to manage only the IT group.
      * **App targets:** Grant an admin permission to manage all instances of an OIN-cataloged app integration. For example, an admin role can manage all customer instances of an OIN-cataloged app, such as Salesforce or Facebook.
      * **App instance targets:** Grant an admin permission to manage an instance of an OIN-catalog app. For example, there may be a few Salesforce app instances configured for each sales region of an org. You can configure an admin to manage two Salesforce instances in a specific region and not the other regional Salesforce instances.

      > **Note:** You can only use the Client Role Targets API with [standard roles](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#standard-roles). For custom roles, use [Resource Sets](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleCResourceSet/) to define specific targets. See the [Role Assignments concept](https://developer.okta.com/docs/concepts/role-assignment/).
  - name: RoleCResourceSet
    x-displayName: Resource Sets
    description: The Resource Sets API provides operations to manage resource sets as a custom set of resources. See [Supported resources](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#supported-resources).
  - name: RoleCResourceSetResource
    x-displayName: Resource Set Resources
    description: The Resource Set Resources API provides operations to manage resources within a resource set. You can add or remove resources in resource sets. See [Supported resources](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#supported-resources).
  - name: RoleDResourceSetBinding
    x-displayName: Role Resource Set Bindings
    description: |-
      The Role Resource Set Bindings API provides operations to assign members to a [Custom Role](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleECustom/) that targets resources in a [Resource Set](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleCResourceSet/). These operations allow you to assign custom roles to admins who are scoped to the designated resources in a resource set.

      The returned role resource set binding is a single unique combination of a resource set, a custom role, and members.

      > **Note:** If you use a custom role with permissions that don't apply to the resources in the resource set, it doesn't affect the admin role. For example, the `okta.users.userprofile.manage` permission gives the admin no privileges if it's granted to a resource set that only includes `https://{yourOktaDomain}/api/v1/groups/{targetGroupId}` resources. If you want the admin to be able to manage the users within the group, the resource set must include the corresponding `https://{yourOktaDomain}/api/v1/groups/{targetGroupId}/users` resources.
  - name: RoleDResourceSetBindingMember
    x-displayName: Role Resource Set Binding Members
    description: The Role Resource Set Binding Members API provides operations to manage members in a [Role Resource Set Binding](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleDResourceSetBinding/).
  - name: RoleECustom
    x-displayName: Custom Roles
    description: The Custom Roles API provides operations to manage custom roles that limit an admin's access to a subset of permissions and resources.
  - name: RoleECustomPermission
    x-displayName: Custom Role Permissions
    description: The Custom Role Permissions API provides operations to manage the permissions assigned to a custom role.
  - name: SSFReceiver
    x-displayName: SSF Receiver
    description: |-
      > This is a feature of Identity Threat Protection with Okta AI. It's also offered with limited support to orgs with [Adaptive MFA](https://okta.my.salesforce.com/sfc/p/#A0000000KWYD/a/4z000000rJ1i/OTjS8PbMNZItVbs4ER6XpO0s72javcjMUHhaRU3CYnY) enabled, where you must be directly assigned the super admin role to perform tasks.

      Okta uses the [Shared Signals Framework (SSF)](https://sharedsignals.guide/) to receive security-related events and other data-subject signals from third-party security vendors. In this scenario, commonly used terms for third-party vendors that send signals are "transmitters", Okta is the "receiver", and the connection between the two entities is referred to as a "stream."

      The SSF Receiver API allows you to manage SSF vendor stream configurations between the transmitter and Okta. A stream is configured by [creating a Security Events Provider](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance) object in your Okta org. You can create a Security Events Provider object in Okta with a published well-known URL or an issuer-and-JWKS combination.

      After the Security Events Provider object is created for a transmitter, the provider can use the [SSF Security Event Tokens](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken/) API to publish events to Okta. While the SSF allows ingestion through push and poll-based operations, Okta currently supports only push-based operations.
  - name: SSFSecurityEventToken
    x-displayName: SSF Security Event Tokens
    description: |-
      > This feature is only available with Identity Threat Protection in Identity Engine.

      The Shared Signals Framework (SSF) Security Event Tokens API allows third-party security event providers to send Security Event Tokens (SETs) to Okta.
      The provider must be configured in Okta as a Security Events Provider instance before transmitting a SET to Okta. See [Create a Security Events Provider](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFReceiver/#tag/SSFReceiver/operation/createSecurityEventsProviderInstance). After the token is verified, any appropriate action is performed upon ingestion.

      Okta uses the Shared Signals Framework (SSF) defined by the [OpenID Shared Signals and Events Framework specification](https://openid.net/specs/openid-sse-framework-1_0.html). A risk signal is ingested as a Security Event Token (SET), a type of JSON Web Token (JWT) that must comply with the SET RFC: [RFC 8417 - Security Event Token (SET)](https://datatracker.ietf.org/doc/html/rfc8417).

      The `security.events.provider.receive_event` System Log event is created when a SET is published to Okta successfully.
  - name: SSFTransmitter
    x-displayName: SSF Transmitter
    description: |-
      Okta uses the [Shared Signals Framework (SSF)](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html) to send security-related events and other data-subject signals to third-party security vendors. In this scenario, commonly used terms for third-party vendors that receive signals are "receivers", Okta is the "transmitter", and the connection between the two entities is referred to as a "stream."

      The SSF Transmitter API allows you to manage SSF stream configurations between Okta and the receiver of the signals that Okta transmits. Okta sends signals in the form of [Security Event Tokens (SETs)](https://datatracker.ietf.org/doc/html/rfc8417) to a third-party SSF receiver.

      Okta's SSF Transmitter currently supports two types of CAEP events: [Session Revoked](https://openid.net/specs/openid-caep-1_0-ID2.html#name-session-revoked) and [Credential Change](https://openid.net/specs/openid-caep-1_0-ID2.html#name-credential-change).
      The following Okta events are mapped to the CAEP Session Revoked event:
      - user.session.end

      The following Okta events are mapped to the CAEP Credential Change event:
      - user.mfa.factor.activate
      - user.mfa.factor.deactivate
      - user.mfa.factor.suspend
      - user.mfa.factor.unsuspend
      - user.mfa.factor.update
      - user.mfa.factor.reset_all
      - user.account.reset_password
      - user.account.update_password

      To enable the transmission of signals from Okta, you must create an SSF Stream using the SSF Transmitter API and configure the third-party receiver to accept signals from Okta.
  - name: Schema
    x-displayName: Schemas
    description: |-
      The Schemas API provides operations to manage custom user profiles as well as endpoints to discover the structure of the log stream configuration.

      Okta's [Universal Directory](https://help.okta.com/okta_help.htm?id=ext_About_Universal_Directory) allows admins to define custom user profiles for Okta users and apps. Okta adopts a subset of [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) as the schema language to describe and validate extensible user profiles. For log stream schemas, Okta uses [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). [JSON Schema](http://json-schema.org/) is a lightweight declarative format for describing the structure, constraints, and validation of JSON documents.

      > **Note:** Okta implements only a subset of [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html). This document describes which parts apply to Okta, and any extensions Okta has made to [JSON Schema Draft 4](https://tools.ietf.org/html/draft-zyp-json-schema-04) and [JSON Schema Draft 2020-12](https://json-schema.org/specification.html).

      ### Unique Attributes

      You can enforce uniqueness for custom properties in Okta user profiles or the Okta group profile, such as an employee identification number.
      You can declare a maximum of five unique properties for each user type and five unique properties in the Okta group profile. Different user types can have the same or different unique properties (up to the limit of five per type).

      Unique properties in Okta user profiles share a single namespace across all [user types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) in an org. If user types A and B both contain the property `ice cream` and you identify it as unique in both profiles, then if a user of type A has the value `chocolate`, no other users of type A or B (or any other user type that declares `ice cream` as unique) can have that value.

      Properties that aren't unique also aren't tracked for uniqueness. Suppose the property `candy` is unique in type E and not unique in type F. If a user of type E has the value `caramel` for the `candy` property, no other users of type E can also have the value `caramel`, but any number of users of type F can already have or later be assigned the value `caramel`. Furthermore, because `candy` is not unique in type F, any values users of type F may have are not considered when enforcing uniqueness for users of type E. No matter how many users of type F already have the value `cotton`, it might be assigned to a user of type E as long as no other such user already has that value.

      If you attempt to create or update a user with a duplicate value for a custom user property with a uniqueness restriction, the user creation or update operation fails. The user isn't created or updated until you enter a unique value. Similarly, creating or updating a group fails when the request contains a value for a unique custom group property that is duplicated by another group.

      `null` values don't enter into the uniqueness calculation. If the unique property isn't also specified as being required, you can also omit the value entirely. Multiple users or groups can omit the property and not violate uniqueness.
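
The shared-namespace rules above are easy to misread, so here they are as a small model. This is an added example, not Okta's implementation or API: `UniqueIndex`, `DuplicateValue`, `try_upsert` and `replay_page_examples` are names made up for illustration, and the user IDs are constructed. It replays the `ice cream` and `candy` cases from the text, plus the `null` and omitted-value cases.

```python
"""Model of unique-property enforcement across user types (added example)."""
from __future__ import annotations

MAX_UNIQUE_PER_TYPE = 5  # limit stated in the text above


class DuplicateValue(Exception):
    """Raised when a tracked value is already held by another user."""


class UniqueIndex:
    def __init__(self, unique_props: dict[str, set[str]]):
        for user_type, props in unique_props.items():
            if len(props) > MAX_UNIQUE_PER_TYPE:
                raise ValueError(f"{user_type}: too many unique properties")
        self.unique_props = unique_props
        # One namespace for all user types: (property, value) -> user id
        self.claims: dict[tuple[str, str], str] = {}

    def _tracked(self, user_type, profile):
        """Only properties the user's own type declares unique are tracked;
        null values never enter the calculation."""
        declared = self.unique_props.get(user_type, set())
        return {(p, v) for p, v in profile.items()
                if p in declared and v is not None}

    def upsert(self, user_id, user_type, profile):
        tracked = self._tracked(user_type, profile)
        # Check everything first so a failed operation changes nothing.
        for key in tracked:
            owner = self.claims.get(key)
            if owner is not None and owner != user_id:
                raise DuplicateValue(f"{key[0]}={key[1]!r} held by {owner}")
        # Release this user's previous claims, then record the new ones.
        self.claims = {k: o for k, o in self.claims.items() if o != user_id}
        for key in tracked:
            self.claims[key] = user_id

    def try_upsert(self, user_id, user_type, profile) -> bool:
        try:
            self.upsert(user_id, user_type, profile)
            return True
        except DuplicateValue:
            return False


def replay_page_examples():
    """Apply the cases from the text in order; True means accepted."""
    idx = UniqueIndex({"A": {"ice cream"}, "B": {"ice cream"},
                       "E": {"candy"}, "F": set()})
    steps = [  # constructed user ids
        ("u1", "A", {"ice cream": "chocolate"}),  # first holder
        ("u2", "B", {"ice cream": "chocolate"}),  # same namespace as type A
        ("u3", "F", {"candy": "caramel"}),        # F doesn't track candy
        ("u4", "F", {"candy": "caramel"}),        # so duplicates are fine
        ("u5", "E", {"candy": "caramel"}),        # F's values are ignored
        ("u6", "E", {"candy": "caramel"}),        # second E user collides
        ("u7", "A", {"ice cream": None}),         # null isn't tracked
        ("u8", "A", {}),                          # omitted isn't tracked
    ]
    return idx, [idx.try_upsert(*step) for step in steps]


if __name__ == "__main__":
    _, results = replay_page_examples()
    print(results)
```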
      To enforce uniqueness for custom properties, you can either add new unique custom properties or update existing custom properties to be unique.

      #### Add new unique custom property

      You can use the [add property to user profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [add property to group profile schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to add one or more unique custom user or group properties. Specify `"unique": true` on the properties to be marked as unique. The response shows the properties with `"unique": "UNIQUE_VALIDATED"` and uniqueness is then enforced on those properties.

      #### Update existing custom property to be unique

      You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to mark existing custom user or group properties as unique by specifying `"unique": true` on the properties to be marked as unique.

      After the request to mark existing custom properties as unique is submitted, an asynchronous validation check is performed to make sure that there are no existing duplicate entries. If you have a significant number of users or groups, the validation can take some time.

      A uniqueness status of `"unique": "PENDING_UNIQUENESS"` indicates that the validation check is still in progress. Use the Universal Directory page in the Admin Console (**Directory** > **Directory Integrations**) to track the status of the validation check.
      After the validation completes, if you submit a retrieve user schema request or a retrieve group schema request, the property's uniqueness status changes to `UNIQUE_VALIDATED` if no duplicate records are found, and uniqueness is then enforced on that property. Otherwise, if duplicate records are found, the `unique` attribute of the schema property isn't shown in the get schema request and uniqueness isn't enforced on the schema property.

      #### Update existing unique custom property to be non-unique

      You can use the [update user profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateUserProfile) request or the [update group profile schema property](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/updateGroupSchema) request to change existing unique custom user or group properties to be non-unique by specifying `"unique": false` on the properties to be changed to non-unique. The response shows the properties without the `unique` attribute and the uniqueness constraint is then removed on those properties.

      **Note:** If multiple user types declare a property as unique and you remove the uniqueness constraint on one type, there may be a delay before users of other types that declare the property as unique can be assigned values formerly held by users of the first type.
  - name: ServiceAccount
    x-displayName: Service Accounts
    description: |-
      The Service Accounts API provides operations to manage SaaS or On-Prem Provisioning (OPP) app accounts as service accounts.

      > **Note:** This feature is available only if you're subscribed to Okta Privileged Access. Ensure that you've set up the Okta Privileged Access app before managing app accounts through this API. See [Manage service accounts](https://help.okta.com/okta_help.htm?type=oie&id=ud-privileged-acnt).
- name: Session x-displayName: Sessions description: |- Okta uses a cookie-based authentication mechanism to maintain a user's authentication Session across web requests. The Okta Sessions API provides operations to create and manage authentication Sessions for users in your Okta organization. >**Notes:** > * Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). > * The Sessions API doesn't support direct authentication. Direct authentication is supported through the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#authentication-operations) or through OIDC using the [Resource Owner Password flow](https://developer.okta.com/docs/guides/implement-grant-type/ropassword/main/). ### Session cookie Okta uses an HTTP session cookie to provide access to your Okta organization and applications across web requests for an interactive user agent such as a web browser. A session cookie has an expiration configurable by an administrator for the organization and is valid until the cookie expires or the user closes the Session (logout) or browser application. ### Session token A [session token](https://developer.okta.com/docs/reference/api/authn/#session-token) is a one-time bearer token that provides proof of authentication and may be redeemed for an interactive SSO session in Okta in a user agent. Session tokens can only be used **once** to establish a Session for a user and are revoked when the token expires. Okta provides a very rich [Authentication API](https://developer.okta.com/docs/reference/api/authn/) to validate a [user's primary credentials](https://developer.okta.com/docs/reference/api/authn/#primary-authentication) and secondary [MFA factor](https://developer.okta.com/docs/reference/api/authn/#verify-factor). 
A session token is returned after successful authentication, which can be later exchanged for a session cookie that uses one of the following flows: - [Retrieve a session cookie by visiting the OpenID Connect Authorization Endpoint](https://developer.okta.com/docs/guides/session-cookie/main/#retrieve-a-session-cookie-through-the-openid-connect-authorization-endpoint) - [Retrieve a session cookie by visiting a session redirect link](https://developer.okta.com/docs/guides/session-cookie/main/#retrieve-a-session-cookie-by-visiting-a-session-redirect-link) - [Retrieve a session cookie by visiting an application embed link](https://developer.okta.com/docs/guides/session-cookie/main/#retrieve-a-session-cookie-by-visiting-an-application-embed-link) >**Note:** **Session tokens** are secrets and should be protected at rest and during transit. A session token for a user is equivalent to having the user's actual credentials. - name: Subscription x-displayName: Subscriptions description: The Subscriptions API provides operations to manage email subscription settings for Okta administrator notifications. - name: SystemLog x-displayName: System Log description: |- The Okta System Log records system events that are related to your organization in order to provide an audit trail that can be used to understand platform activity and to diagnose problems. The System Log API provides near real-time, read-only access to your organization's System Log and is the programmatic counterpart of the [System Log UI](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog). The terms "event" and "log event" are often used interchangeably. In the context of this API, an "event" is an occurrence of interest within the system, and a "log" or "log event" is the recorded fact. 
The System Log API supports these primary use cases: * Event data export into a security information and event management system (SIEM) * System monitoring * Development debugging * Event introspection and audit > **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). For further details and examples, see [System Log query](https://developer.okta.com/docs/reference/system-log-query/). - name: Template x-displayName: SMS Templates description: |- The SMS Templates API provides operations to manage custom SMS templates for verification. > **Note:** Only SMS custom Templates are available through the API. SMS Templates customize the SMS message that is sent to users. One default SMS Template is provided. All custom Templates must have the variable `${code}` as part of the text. The `${code}` variable is replaced with the actual SMS code when the message is sent. Optionally, you can also use the variable `${org.name}`. If a Template contains `${org.name}`, it is replaced with the organization name before the SMS message is sent. ### SMS Template macros Only two macros are supported for SMS Templates: |
Type
| Description | | -------------------- | ----------- | | ${code} | The one-time verification code that's required for a user to sign in. | | ${org.name} | The Okta org name that the user is trying to authenticate into. | >**Note:** The length of your SMS message can't exceed 160 characters. If the verification code portion of the message falls outside of the 160-character limit, your message isn't sent. - name: Themes x-displayName: Themes description: |- These endpoints allow you to customize the look and feel of pages and templates, including the following: * The Okta-hosted sign-in page * The sign-out page * Error pages * Email templates * The Okta End-User Dashboard Each new org contains Okta default branding. You can upload your own assets (colors, background image, logo, and favicon) to replace the default assets. Then you can publish these assets directly to your pages and templates. > **Notes:** > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). > * Okta optimizes the `primaryColorContrastHex` and `secondaryColorContrastHex` properties for the highest contrast between the font color and the background or button color. To disable or override the contrast auto-detection, update either contrast value with an accepted contrast hex code. Any update disables future automatic optimizations for the contrast hex. > * Contrast color is used by pages to optimize the opacity of text color when primary or secondary color is used as the background. 
- name: ThreatInsight x-displayName: ThreatInsight description: |- [Okta ThreatInsight](https://help.okta.com/okta_help.htm?id=ext_threatinsight) maintains a constantly evolving list of IP addresses that consistently exhibit malicious activity. Authentication requests that are associated with an IP in this list can be logged to the [System Log](https://help.okta.com/okta_help.htm?id=ext_Reports_SysLog) and blocked. ThreatInsight also covers non-authentication requests in limited capacity depending on the attack patterns of these malicious IPs. The ThreatInsight API provides operations to manage your org ThreatInsight configuration. > **Note:** To prevent abuse, Okta ThreatInsight works in a limited capacity for free trial edition orgs. Contact Okta Support if fully functional Okta ThreatInsight is required. - name: TrustedOrigin x-displayName: Trusted Origins description: |- The Trusted Origins API provides operations to manage Trusted Origins and sources. When external URLs are requested during sign-in, sign-out, or recovery operations, Okta checks those URLs against the allowed list of Trusted Origins. Trusted Origins also enable browser-based applications to access Okta APIs from JavaScript (CORS). If the origins aren't specified, the related operation (redirect or Okta API access) isn't permitted. You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin. > **Notes:** > * This feature is supported for Okta domains only. It isn't currently supported for custom domains. > * Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. 
See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/). - name: UISchema x-displayName: UI Schema description: |- The Okta UI Schema API allows you to control how inputs appear on an enrollment form. The UI Schema API is only available as a part of Okta Identity Engine. If you're not sure which solution you're using, check the footer on any page of the Admin Console. The version number is appended with E for Identity Engine orgs and C for Classic Engine orgs. - name: User x-displayName: Users description: "The Users API provides operations to manage users in your organization.\n> **Note:** Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs.\n> OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See [Okta API authentication methods](https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/).\n\n### User status\nThe following diagram shows the flow of user status:\n![STAGED, PROVISIONED, ACTIVE, RECOVERY, LOCKED_OUT, PASSWORD_EXPIRED, or DEPROVISIONED](../../../../../images/users/okta-user-status.png)\n\n### User creation scenarios\n\n The following table describes the user experience and expectation of user status and welcome screen, depending on which options (security question and answer, password, and activate query) are defined during user creation.\n\n **User creation details and outcomes**\n\n | Security Q & A | Password | Activate Query Parameter | User Status | Login Credential | Welcome Screen |\n | ----- | -------- | ------------------------ | ------------- | ---------------------- | -------------- |\n | | | FALSE | `STAGED` | | |\n | | | TRUE | `PROVISIONED` or `ACTIVE` | One-Time Token (Email) or Email | X |\n | X | | FALSE | `STAGED` | | |\n | X | | TRUE | `PROVISIONED` or `ACTIVE` | 
One-Time Token (Email) or Email | X |\n | | X | FALSE | `STAGED` | | |\n | | X | TRUE | `ACTIVE` | Password | X |\n | X | X | FALSE | `STAGED` | | |\n | X | X | TRUE | `ACTIVE` | Password | |\n\nCreating users with a `FEDERATION` or `SOCIAL` provider sets the user status to either `ACTIVE` or `STAGED` based on the `activate` query parameter since these two providers don't support a `password` or `recovery_question` credential.\n\nMore information about the use cases is in the following sections and in the examples for [Create a user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser).\n\n#### Create user with optional password\n\nWhen making the password optional, the user status following user creation can be affected by the enrollment policy. See [Create an authenticator enrollment policy](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-mfa-policy).\n\nBased on the group memberships that are specified when the user is created, a password may or may not be required to make the user's status `ACTIVE`. The groups assigned to the user determine the enrollment policy applied to the user. If the enrollment policy has the password authenticator set to `required`, then the user's status is determined by whether the user is created with a password:\n\n* Created with a password - the user status is set to `PROVISIONED` and a One-Time Token is sent to the user through email\n* Created without a password - the user status is set to `ACTIVE` and they can immediately sign in using their password authenticator\n\nIf the user doesn't have an enrolled authenticator, Okta sets the user to `PROVISIONED` and sends an activation link. The user must click the activation link before they can sign in. The activation link provides a baseline assurance that can be used to enroll in other authenticators. 
If the user has one or more enrolled authenticators at activation time, they're set to `ACTIVE` and can sign in directly.\n\nSee [Passwordless authentication](https://help.okta.com/okta_help.htm?type=oie&id=ext-passwordless-auth) in the help documentation.\n\n#### Create user without credentials\n\nCreates a user without a `password` or a recovery `question` and `answer`.\n\nIf appropriate, when the user is activated, an email is sent to the user with an activation token that the user can use to complete the activation process.\n\nThis is the default flow for new user registration using the Admin Console.\n\n#### Create user with recovery question\n\nCreates a user without a `password`.\n\nWhen the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process.\nThis flow is useful if migrating users from an existing user store.\n\n#### Create user with password\n\nCreates a user without a recovery `question` and `answer`.\n\nThe new user is able to sign in after activation with the assigned password. This flow is common when developing a custom user registration experience.\n> **Important:** Don't generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.\n\n> **Note:** You can also use this scenario to create a user without sending an activation email. 
See this [Knowledge Base article](https://support.okta.com/help/s/article/How-to-Avoid-Sending-a-Welcome-Email?language=en_US#:~:text=For%20users%20imported%20from%20the,t%20send%20new%20user%20activation).\n\n#### Create user with imported hashed password\n\nCreates a user with a specified hashed password.\n\nThe new user is able to sign in after activation with the specified password.\n\nThis flow is common when migrating users from another data store in cases where we want to allow the users to retain their current passwords.\n> **Important:** Do not generate or send a one-time activation token when activating users with an imported password. Users should log in with their imported password.\n\n#### Create user with password import inline hook\n\nCreates a user with a `Password Hook` object specifying that a password inline hook should be used to handle password verification.\n\nThe password inline hook is triggered to handle verification of the end user's password the first time the user tries to sign in, with Okta calling the password inline hook to check that the password the user supplied is valid. If the password is valid, Okta stores the hash of the password that was provided and can authenticate the user independently from then on. See [Create a password import inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) for more details.\n\nThe new user is able to sign in after activation with the valid password. This flow supports migrating users from another data store in cases where we wish to allow the users to retain their current passwords.\n> **Important:** Don't generate or send a one-time activation token when activating users with a password inline hook. 
Users should sign in with their existing password to be imported using the password import inline hook.\n\n#### Create user with password and recovery question\n\nCreates a new user with a password and recovery `question` and `answer`.\n\nThe new user is able to log in with the assigned password after activation. This flow is common when developing a custom user-registration experience.\n> **Important:** Don't generate or send a one-time activation token when activating users with an assigned password. Users should log in with their assigned password.\n\n#### Create user with authentication provider\n\nCreates a new passwordless user with a `SOCIAL` or `FEDERATION` authentication provider that must be authenticated through a trusted identity provider.\n\n#### Create user in group\n\nCreates a user that is added to the specified groups upon creation.\n\nUse this in conjunction with other create operations for a group admin that's scoped to create users only in specified groups. The request can specify up to 20 group IDs. (This limit applies only when creating a user. You can add the user later to more groups.)\n\n#### Create user with non-default user type\n\nCreates a user with a specified user type. You can include the type specification with any of the above Create user operations. This example demonstrates creating a user without credentials.\nThe user type determines which [Schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After you create a user, you can assign the user a different user type using the full replacement [PUT operation](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType/operation/replaceUserType).\n\n### Links object\n\nThe links object specifies link relations. 
See [`_links`](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=_links&t=response).\n\n> **Note:** This links object is different from [linked objects](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/LinkedObject/).\n\n#### Individual users versus collection of users\n\nFor an individual user result, the links object contains a full set of link relations available for that user as determined by your policies. For a collection of users, the links object contains only the `self` link. Operations that return a collection of users include [List all users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) and [List all member users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers).\n\nThe following table shows some links that may be available on a user, as determined by your policies:\n\n| Link Relation Type | Description |\n|------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n|self\t | A self-referential link to this user |\n|activate\t | Lifecycle action to [activate the user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) |\n|deactivate |\tLifecycle action to [deactivate the user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/deactivateUser) |\n|suspend |\tLifecycle action to [suspend the user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/suspendUser) |\n|unsuspend |\tLifecycle action to [unsuspend the 
user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unsuspendUser) |\n|resetPassword |\tLifecycle action to [trigger a password reset](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) |\n|expirePassword |\tLifecycle action to [expire the user's password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/expirePassword) |\n|resetFactors |\tLifecycle action to [reset all MFA factors](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/resetFactors) |\n|unlock |\tLifecycle action to [unlock a locked-out user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/unlockUser) |\n|forgotPassword |\t[Resets a user's password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword) by validating the user's recovery credential. |\n|changePassword |\t[Changes a user's password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) validating the user's current password |\n|changeRecoveryQuestion |\t[Changes a user's recovery credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changeRecoveryQuestion) by validating the user's current password |" - name: UserAuthenticatorEnrollments x-displayName: User Authenticator Enrollments description: |- The Authenticator Enrollments API provides operations for admins to manage the authenticator enrollments of their users. An authenticator enrollment is the specific instance of an authenticator that a user has enrolled. 
For example, if a user enrolls an `sms` method with a phone number, they can use both `sms` and `voice` methods. The Authenticator Enrollments API allows admins to manage both of those user enrollments. - name: UserClassification x-displayName: User Classification description: The User Classification API provides operations to manage user classifications in your org. - name: UserCred x-displayName: User Credentials description: The User Credentials API provides operations to manage user credentials in your org. - name: UserFactor x-displayName: User Factors description: |- The Factors API provides operations to enroll, manage, and verify factors for multifactor authentication (MFA). Generally, authentication involves verifying a different one-time passcode (OTP). Manage both administration and end-user accounts, or verify an individual factor at any time. Okta supports several different types of factors: | Factor Type | Description | |-----------------------|-------------| | `call` | Software OTP sent using a voice call to a registered phone number | | `sms` | Software OTP sent using SMS to a registered phone number | | `email` | Software OTP sent using email | | `question` | Additional knowledge-based security question | | `push` | Out-of-band verification using a push notification to a device and transaction verification with digital signature | | `token` | Software or hardware OTP sent to a device | | `token:hardware` | Hardware OTP sent to a device | | `token:hotp` | Custom [TOTP](https://www.ietf.org/rfc/rfc6238.txt) factor that uses an extension of the [HMAC (Hash-Based Message Authentication Codes)](https://www.okta.com/identity-101/hmac/)-based one-time passcode (HOTP) algorithm | | `token:software:totp` | Software time-based one-time passcode (TOTP) | | `u2f` | Hardware Universal 2nd Factor (U2F) device | | `web` | HTML inline frame (iframe) for embedding verification from a third party | | `webauthn` | Hardware WebAuthn device | | `signed_nonce` | Okta 
Fastpass (device-bound authentication). This is available for OIE orgs if the org has users that have enrolled with Okta Verify after the org started using OIE. The `signed_nonce` factor type can only be retrieved using GET operations or deleted using the [DELETE](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor) operation. It cannot be enrolled, activated, or verified through other HTTP methods with the Factors API. | - name: UserGrant x-displayName: User Grants description: |- The User Grants API provides operations to manage user consent grants in your org. A consent represents a user's explicit permission to allow an app to access resources protected by scopes. Consent grants are different from tokens because a consent can outlast a token. Also, there can be multiple tokens with varying sets of scopes derived from a single consent. When an app comes back and needs to get a new access token, it may not need to prompt the user for consent. This happens if they've already consented to the specified scopes. Consent grants remain valid until the user manually revokes them, or until the user, app, authorization server, or scope is deactivated or deleted. > **Hint:** For all grant operations, you can use `me` instead of the `userId` in an endpoint that contains `/users`, in an active session with no SSWS token (API token). For example: `https://${yourOktaDomain}/api/v1/users/me/grants` returns all the grants for the active session user. > **Note:** Some browsers have begun blocking third-party cookies by default, disrupting Okta functionality in certain flows. For more information, see [FAQ: How Blocking Third Party Cookies Can Potentially Impact Your Okta Environment](https://support.okta.com/help/s/article/FAQ-How-Blocking-Third-Party-Cookies-Can-Potentially-Impact-Your-Okta-Environment). 
- name: UserLifecycle x-displayName: User Lifecycle description: |- The User Lifecycle API provides lifecycle operations, which are non-idempotent operations that initiate a state transition for a user's status. Some operations are asynchronous while others are synchronous. The user's current status limits what operations are allowed. - name: UserLinkedObject x-displayName: User Linked Objects description: |- The User Linked Objects API provides operations to manage user linked objects in your org. Use link value operations to assign users to a relationship, represented by a pair of `primary` and `associated` links. See also the [Linked Objects API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/LinkedObject/). For these operations, the examples use consistent IDs so that you can follow the operations more easily: * `manager` is the `primary` relationship and is assigned `00u5t60iloOHN9pBi0h7` * `subordinate` is the `associated` relationship and is assigned to IDs `00u5zex6ztMbOZhF50h7` and `00u1tsf0nQKavLDUh0g5` - name: UserOAuth x-displayName: User OAuth 2.0 Token Management description: |- The User OAuth 2.0 Token Management API provides operations to manage tokens issued by an authorization server for a particular user and client in your org. For example, you can revoke every active refresh token for a user in the context of a specific client. You can also [revoke specific tokens](https://developer.okta.com/docs/guides/revoke-tokens/main/) or [manage tokens at the authorization server level](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServer/). Read [Validate Access Tokens](https://developer.okta.com/docs/guides/validate-access-tokens/) to understand more about how OAuth 2.0 tokens work. - name: UserResources x-displayName: User Resources description: The User Resources API provides operations related to user resources. 
- name: UserRisk x-displayName: User Risk description: |- > This feature is only available with Identity Threat Protection in Identity Engine. The User Risk API enables you to manage a user's risk level within Okta. x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] - name: UserSessions x-displayName: User Sessions description: The User Sessions API provides operations to manage user sessions in your org. - name: UserType x-displayName: User Types description: The User Types API provides operations to manage user types. - name: WebAuthnPreregistration x-displayName: WebAuthn Preregistration description: |- The WebAuthn preregistration API provides a flow to initiate and set up WebAuthn preregistration authenticator enrollments through third-party fulfillment providers. > **Note:** For information about using WebAuthn preregistration with YubiKeys, see [Require phishing-resistant authentication with pre-enrolled YubiKey](https://help.okta.com/okta_help.htm?type=oie&id=csh-preenrolled-yubikey-main). Use the following sequence of endpoints to set up WebAuthn preregistration authenticator enrollments. 1. [Generate a fulfillment request](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/WebAuthnPreregistration/#tag/WebAuthnPreregistration/operation/generateFulfillmentRequest) 2. [Enroll a preregistered WebAuthn factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/WebAuthnPreregistration/#tag/WebAuthnPreregistration/operation/enrollPreregistrationEnrollment) 3. [Activate a preregistered WebAuthn factor](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/WebAuthnPreregistration/#tag/WebAuthnPreregistration/operation/activatePreregistrationEnrollment) After you set up the preregistered WebAuthn factor, you can send the PIN to the user. 
externalDocs: description: Find more info here url: https://developer.okta.com/docs/reference/ paths: /.well-known/app-authenticator-configuration: get: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Retrieve the well-known app authenticator configuration description: Retrieves the well-known app authenticator configuration. Includes an app authenticator's settings, supported methods, and other details. operationId: getWellKnownAppAuthenticatorConfiguration parameters: - name: oauthClientId in: query description: Filters app authenticator configurations by `oauthClientId` required: true schema: type: string responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/WellKnownAppAuthenticatorConfiguration' examples: AuthenticatorConfiguration: $ref: '#/components/examples/WellKnownAppAuthenticatorConfigurationCustomApp' '400': $ref: '#/components/responses/ErrorMissingRequiredParameter400' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: [] tags: - Authenticator /.well-known/apple-app-site-association: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine get: summary: Retrieve the customized apple-app-site-association URI content description: |- Retrieves the content of the `apple-app-site-association` well-known URI > **Note:** When serving this URI, Okta adds `authsrv` content to provide a seamless experience for Okta Verify. You can't modify the content in the `authsrv` object. 
operationId: getAppleAppSiteAssociationWellKnownURI responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/PublicAppleAppSiteWellKnownURI' examples: Response: $ref: '#/components/examples/PublicAppleAppSiteWellKnownURIResponse' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: [] tags: - AssociatedDomainCustomizations /.well-known/assetlinks.json: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine get: summary: Retrieve the customized assetlinks.json URI content description: Retrieves the content of the `assetlinks.json` well-known URI operationId: getAssetLinksWellKnownURI responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/PublicAssetLinksWellKnownURI' examples: Response: $ref: '#/components/examples/PublicAssetLinksWellKnownURIResponse' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: [] tags: - AssociatedDomainCustomizations /.well-known/okta-organization: get: summary: Retrieve the Org metadata description: Retrieves the org metadata, which includes the org ID, configured custom domains, and authentication pipeline operationId: getWellknownOrgMetadata responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/WellKnownOrgMetadata' examples: Identity Engine org with a custom domain: $ref: '#/components/examples/WellKnownOrgMetadataResponseCustomUrlOie' Classic Engine org: $ref: '#/components/examples/WellKnownOrgMetadataResponseClassic' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: [] tags: - OrgSettingMetadata x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /.well-known/ssf-configuration: get: summary: Retrieve the SSF transmitter metadata description: Retrieves SSF Transmitter configuration metadata. 
This includes all supported endpoints and key information about certain properties of the Okta org as the transmitter, such as `delivery_methods_supported`, `issuer`, and `jwks_uri`. operationId: getWellknownSsfMetadata responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/WellKnownSSFMetadata' examples: wellKnownSSFMetadataExample: $ref: '#/components/examples/wellKnownSSFMetadataExample' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: [] tags: - SSFTransmitter x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /.well-known/webauthn: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine get: summary: Retrieve the customized webauthn URI content description: Retrieves the content of the `webauthn` well-known URI operationId: getWebAuthnWellKnownURI responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/PublicWebauthnSiteWellKnownURI' examples: Response: $ref: '#/components/examples/PublicWebauthnWellKnownURIResponse' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: [] tags: - AssociatedDomainCustomizations /api/v1/agentPools: get: summary: List all agent pools description: Lists all agent pools with pagination support operationId: listAgentPools parameters: - $ref: '#/components/parameters/queryLimitPerPoolType' - $ref: '#/components/parameters/queryPoolType' - $ref: '#/components/parameters/queryAfter' responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/AgentPool' examples: ListAllAgentPoolsResponse: $ref: 
'#/components/examples/ListAllAgentPoolsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.read tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates: parameters: - $ref: '#/components/parameters/pathPoolId' get: summary: List all agent pool updates description: Lists all agent pool updates operationId: listAgentPoolsUpdates parameters: - $ref: '#/components/parameters/queryScheduled' responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/AgentPoolUpdate' examples: ListAllAgentPoolUpdatesResponse: $ref: '#/components/examples/ListAllAgentPoolUpdatesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.read tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an agent pool update description: Creates an agent pool update operationId: createAgentPoolsUpdate requestBody: content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/settings: parameters: - $ref: '#/components/parameters/pathPoolId' get: summary: 
Retrieve an agent pool update's settings description: Retrieves the current state of the agent pool update instance settings operationId: getAgentPoolsUpdateSettings responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdateSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.read tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update an agent pool update's settings description: Updates an agent pool update instance's settings operationId: updateAgentPoolsUpdateSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdateSetting' required: true responses: '201': description: Updated content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdateSetting' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}: parameters: - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/pathUpdateId' get: summary: Retrieve an agent pool update by ID description: Retrieves an agent pool update by its `updateId` operationId: getAgentPoolsUpdateInstance responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' 
security: - apiToken: [] - oauth2: - okta.agentPools.read tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update an agent pool update by ID description: Updates an agent pool update instance and returns the latest agent pool update operationId: updateAgentPoolsUpdate requestBody: content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' required: true responses: '201': description: Updated content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an agent pool update description: Deletes an agent pool update operationId: deleteAgentPoolsUpdate responses: '204': description: Deleted '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/activate: parameters: - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/pathUpdateId' post: summary: Activate an agent pool update description: Activates a scheduled agent pool update operationId: activateAgentPoolsUpdate responses: '201': description: Activated content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/deactivate: parameters: - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/pathUpdateId' post: summary: Deactivate an agent pool update description: Deactivates a scheduled agent pool update operationId: deactivateAgentPoolsUpdate responses: '201': description: Deactivated content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/pause: parameters: - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/pathUpdateId' post: summary: Pause an agent pool update description: Pauses a running or queued agent pool update operationId: pauseAgentPoolsUpdate responses: '201': description: Paused content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/resume: parameters: - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/pathUpdateId' post: summary: Resume an agent pool update description: Resumes a running or queued agent pool update operationId: resumeAgentPoolsUpdate responses: '201': description: 
Resumed content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/retry: parameters: - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/pathUpdateId' post: summary: Retry an agent pool update description: Retries an agent pool update if the update is unsuccessful or communication with Okta was interrupted during an agent auto-update operationId: retryAgentPoolsUpdate responses: '201': description: Retried content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/agentPools/{poolId}/updates/{updateId}/stop: parameters: - $ref: '#/components/parameters/pathPoolId' - $ref: '#/components/parameters/pathUpdateId' post: summary: Stop an agent pool update description: Stops an agent pool update operationId: stopAgentPoolsUpdate responses: '201': description: Stopped content: application/json: schema: $ref: '#/components/schemas/AgentPoolUpdate' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.agentPools.manage tags: - AgentPools x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/api-tokens: get: summary: List all API token 
metadata description: Lists all the metadata of the active API tokens operationId: listApiTokens responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/ApiToken' examples: List Tokens: $ref: '#/components/examples/ApiTokenListMetadataResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apiTokens.read tags: - ApiToken x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/api-tokens/current: delete: summary: Revoke the current API token description: Revokes the API token provided in the Authorization header operationId: revokeCurrentApiToken responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] tags: - ApiToken x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/api-tokens/{apiTokenId}: parameters: - $ref: '#/components/parameters/pathApiTokenId' get: summary: Retrieve an API token's metadata description: Retrieves the metadata for an active API token by `apiTokenId` operationId: getApiToken responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ApiToken' examples: HCaptcha: $ref: '#/components/examples/ApiTokenMetadataResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apiTokens.read tags: - ApiToken x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Upsert an API token network condition description: Upserts an API Token Network Condition by `apiTokenId` operationId: upsertApiToken requestBody: content: application/json: example: name: api_token_name clientName: client_name userId: 
00uabcdefg1234567890 network: connection: ANYWHERE created: '2021-11-09T20:38:10.000Z' schema: $ref: '#/components/schemas/ApiTokenUpdate' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ApiToken' examples: HCaptcha: $ref: '#/components/examples/ApiTokenMetadataResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apiTokens.manage tags: - ApiToken x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke an API token description: Revokes an API token by `apiTokenId` operationId: revokeApiToken responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apiTokens.manage tags: - ApiToken x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps: get: summary: List all applications description: |- Lists all apps in the org with pagination. A subset of apps can be returned that match a supported filter expression or query. The results are [paginated](/#pagination) according to the `limit` parameter. If there are multiple pages of results, the header contains a `next` link. Treat the link as an opaque value (follow it, don't parse it). > **Note:** To list all of a member's assigned app links, use the [List all assigned app links endpoint in the User Resources API](/openapi/okta-management/management/tag/UserResources/#tag/UserResources/operation/listAppLinks). 
operationId: listApplications parameters: - name: q in: query description: Searches for apps with `name` or `label` properties that start with the `q` value using the `startsWith` operation schema: type: string example: Okta - name: after in: query description: Specifies the [pagination](/#pagination) cursor for the next page of results. Treat this as an opaque value obtained through the `next` link relationship. schema: type: string example: 16278919418571 - name: useOptimization in: query description: Specifies whether to use query optimization. If you specify `useOptimization=true` in the request query, the response contains a subset of app instance properties. schema: type: boolean default: false - name: alwaysIncludeVpnSettings in: query description: Specifies whether to include the VPN configuration for existing notifications in the result, regardless of whether VPN notifications are configured schema: type: boolean default: false - name: limit in: query description: Specifies the number of results per page schema: type: integer format: int32 default: -1 maximum: 200 - name: filter in: query description: 'Filters apps with a supported expression for a subset of properties. Filtering supports the following limited number of properties: `id`, `status`, `credentials.signing.kid`, `settings.slo.enabled`, or `name`. See [Filter](https://developer.okta.com/docs/api/#filter).' 
schema: type: string examples: ActiveStatusEx: value: status%20eq%20%22ACTIVE%22 summary: Filter for active apps NameFilterEx: value: name%20eq%20%22okta_org2org%22 summary: Filter for apps with `okta_org2org` name CredKidEx: value: credentials.signing.kid%20eq%20%22SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-F1bm4%22 summary: Filter for apps using a specific key - $ref: '#/components/parameters/queryAppsExpand' - name: includeNonDeleted description: Specifies whether to include non-active, but not deleted apps in the results in: query schema: type: boolean default: false responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Application' examples: ResponseExample1: $ref: '#/components/examples/GetApplicationsByUserResponseEx' ResponseExample2: $ref: '#/components/examples/GetApplicationsByGroupResponseEx' ResponseExample3: $ref: '#/components/examples/GetApplicationsByKeyResponseEx' ResponseExample4: $ref: '#/components/examples/GetApplicationsByNameResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - Application x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an application description: | Creates an app instance in your Okta org. You can either create an OIN app instance or a custom app instance: * OIN app instances have prescribed `name` (key app definition) and `signOnMode` options. See the [OIN schemas](/openapi/okta-management/management/tag/Application/#tag/Application/schema/GoogleApplication) for the request body. * For custom app instances, select the [signOnMode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/signOnMode&t=request) that pertains to your app and specify the required parameters in the request body. 
operationId: createApplication parameters: - name: activate in: query description: Executes activation lifecycle operation when creating the app schema: type: boolean default: true - name: OktaAccessGateway-Agent in: header schema: type: string x-codegen-request-body-name: application requestBody: content: application/json: schema: $ref: '#/components/schemas/Application' examples: BOOKMARK: $ref: '#/components/examples/BookmarkEx' AUTO_LOGIN: $ref: '#/components/examples/AutoLoginEx' BASIC_AUTH: $ref: '#/components/examples/BasicAuthEx' SECURE_PASSWORD_STORE: $ref: '#/components/examples/SecurePasswordStoreEx' WS_FEDERATION: $ref: '#/components/examples/WSFederationEx' BROWSER_PLUGIN: $ref: '#/components/examples/BrowserPluginEx' BROWSER_PLUGIN_SWA_3FIELD: $ref: '#/components/examples/BrowserPluginSwa3FieldEx' SAML_2_0: $ref: '#/components/examples/Saml2.0Ex' OPENID_CONNECT: $ref: '#/components/examples/OpenidConnectEx' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Application' examples: BOOKMARK: $ref: '#/components/examples/BookmarkAppResponseEx' AUTO_LOGIN: $ref: '#/components/examples/AutoLoginAppResponseEx' BASIC_AUTH: $ref: '#/components/examples/BasicAuthResponseEx' SECURE_PASSWORD_STORE: $ref: '#/components/examples/SecurePasswordStoreResponseEx' WS_FEDERATION: $ref: '#/components/examples/WSFederationResponseEx' BROWSER_PLUGIN: $ref: '#/components/examples/BrowserPluginResponseEx' BROWSER_PLUGIN_SWA_3FIELD: $ref: '#/components/examples/BrowserPluginSwa3FieldResponseEx' SAML_2_0: $ref: '#/components/examples/Saml2.0ResponseEx' OPENID_CONNECT: $ref: '#/components/examples/OpenidConnectResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - Application x-okta-lifecycle: lifecycle: GA 
isGenerallyAvailable: true /api/v1/apps/google/{appId}/oauth2/callback: parameters: - $ref: '#/components/parameters/pathAppId' /api/v1/apps/office365/{appId}/oauth2/callback: parameters: - $ref: '#/components/parameters/pathAppId' /api/v1/apps/{appId}: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve an application description: Retrieves an application from your Okta organization by `id` operationId: getApplication parameters: - name: expand in: query description: |- An optional query parameter to return the specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. Valid value: `expand=user/{userId}` schema: type: string example: user/0oa1gjh63g214q0Hq0g4 responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Application' examples: RetrieveEx1: $ref: '#/components/examples/GetApplicationsResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - Application x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace an application description: | Replaces properties for an application > **Notes:** > * All required properties must be specified in the request body > * You can't modify system-assigned properties, such as `id`, `name`, `status`, `created`, and `lastUpdated`. The values for these properties in the PUT request body are ignored. 
operationId: replaceApplication x-codegen-request-body-name: application requestBody: content: application/json: schema: $ref: '#/components/schemas/Application' examples: BOOKMARK: $ref: '#/components/examples/BookmarkPutEx' AUTO_LOGIN: $ref: '#/components/examples/AutoLoginPutEx' BASIC_AUTH: $ref: '#/components/examples/BasicAuthPutEx' SECURE_PASSWORD_STORE: $ref: '#/components/examples/SecurePasswordStorePutEx' WS_FEDERATION: $ref: '#/components/examples/WSFederationPutEx' BROWSER_PLUGIN: $ref: '#/components/examples/BrowserPluginPutEx' BROWSER_PLUGIN_SWA_3FIELD: $ref: '#/components/examples/BrowserPluginSwa3FieldPutEx' SAML_2_0: $ref: '#/components/examples/Saml2.0PutEx' OPENID_CONNECT: $ref: '#/components/examples/OpenidConnectPutEx' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Application' examples: BOOKMARK: $ref: '#/components/examples/BookmarkPutResponseEx' AUTO_LOGIN: $ref: '#/components/examples/AutoLoginPutResponseEx' BASIC_AUTH: $ref: '#/components/examples/BasicAuthPutResponseEx' SECURE_PASSWORD_STORE: $ref: '#/components/examples/SecurePasswordStorePutResponseEx' WS_FEDERATION: $ref: '#/components/examples/WSFederationPutResponseEx' BROWSER_PLUGIN: $ref: '#/components/examples/BrowserPluginPutResponseEx' BROWSER_PLUGIN_SWA_3FIELD: $ref: '#/components/examples/BrowserPluginSwa3FieldPutResponseEx' SAML_2_0: $ref: '#/components/examples/Saml2.0PutResponseEx' OPENID_CONNECT: $ref: '#/components/examples/OpenidConnectPutResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - Application x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an application description: Deletes an inactive 
application operationId: deleteApplication responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - Application x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve the default provisioning connection description: Retrieves the default provisioning connection for an app operationId: getDefaultProvisioningConnectionForApplication responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ProvisioningConnectionResponse' examples: ProvisioningConnectionTokenZscalerEx: $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx' ProvisioningConnectionTokenOrg2OrgEx: $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx' ProvisioningConnectionOauthO365Ex: $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationConnections x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update the default provisioning connection description: Updates the default provisioning connection for an app operationId: updateDefaultProvisioningConnectionForApplication parameters: - in: query name: activate schema: type: boolean description: Activates the provisioning connection requestBody: content: application/json: schema: oneOf: - $ref: '#/components/schemas/ProvisioningConnectionTokenRequest' - $ref: 
'#/components/schemas/ProvisioningConnectionOauthRequest' examples: ProvisioningConnectionTokenZscalerEx: $ref: '#/components/examples/ProvisioningConnectionTokenRequestEx' ProvisioningConnectionTokenOrg2OrgEx: $ref: '#/components/examples/ProvisioningConnectionTokenOrg2OrgRequestEx' ProvisioningConnectionOAuthOrg2OrgEx: $ref: '#/components/examples/ProvisioningConnectionOAuthOrg2OrgWithRotationRequestEx' ProvisioningConnectionOauthO365Ex: $ref: '#/components/examples/ProvisioningConnectionOauthO365RequestEx' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ProvisioningConnectionResponse' examples: ProvisioningConnectionTokenZscalerEx: $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileZscalerEx' ProvisioningConnectionTokenOrg2OrgEx: $ref: '#/components/examples/ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx' ProvisioningConnectionOAuthOrg2OrgEx: $ref: '#/components/examples/ProvisioningConnectionOAuthOrg2OrgWithRotationResponseEx' ProvisioningConnectionOauthO365Ex: $ref: '#/components/examples/ProvisioningConnectionOauthResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationConnections x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default/jwks: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection description: Retrieves a JWKS for the default provisioning connection. This can be used by the OAuth 2.0 app's `jwk_uri` property in the target org. 
operationId: getUserProvisioningConnectionJWKS responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AppConnectionUserProvisionJWKResponse' examples: UserProvisioningJsonWebKeysResponseExample: $ref: '#/components/examples/UserProvisioningJsonWebKeysResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationConnections x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/apps/{appId}/connections/default/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAppId' post: summary: Activate the default provisioning connection description: Activates the default provisioning connection for an app operationId: activateDefaultProvisioningConnectionForApplication responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationConnections x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/connections/default/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAppId' post: summary: Deactivate the default provisioning connection description: Deactivates the default provisioning connection for an app operationId: deactivateDefaultProvisioningConnectionForApplication responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationConnections x-okta-lifecycle: 
lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all certificate signing requests description: Lists all Certificate Signing Requests for an application operationId: listCsrsForApplication responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Csr' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Generate a certificate signing request description: |- Generates a new key pair and returns the Certificate Signing Request (CSR) for it. The information in a CSR is used by the Certificate Authority (CA) to verify and create your certificate. It also contains the public key that is included in your certificate. Returns the CSR in `pkcs#10` format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`. > **Note:** The key pair isn't listed in the Key Credentials for the app until it's published. 
operationId: generateCsrForApplication x-codegen-request-body-name: metadata requestBody: content: application/json: schema: $ref: '#/components/schemas/CsrMetadata' required: true responses: '201': description: Created headers: Content-Type: schema: type: string description: The Content-Type of the response examples: pkcs10Header: summary: application/pkcs10 Content-Type header value: application/pkcs10; filename=okta.p10 json: summary: application/json Content-Type header value: application/json Content-Transfer-Encoding: schema: type: string description: Encoding of the response example: base64 content: application/pkcs10: schema: $ref: '#/components/schemas/AppCsrPkcs10' examples: CsrPkcs10Response: $ref: '#/components/examples/AppCsrPkcs10Response' application/json: schema: $ref: '#/components/schemas/Csr' examples: CsrJsonResponse: $ref: '#/components/examples/AppCsrJsonResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs/{csrId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathCsrId' get: summary: Retrieve a certificate signing request description: |- Retrieves a Certificate Signing Request (CSR) for the app by `csrId`. Returns a Base64-encoded CSR in DER format if the `Accept` media type is `application/pkcs10` or a CSR object if the `Accept` media type is `application/json`. 
operationId: getCsrForApplication responses: '200': description: Success headers: Content-Type: schema: type: string description: The Content-Type of the response examples: pkcs10Header: summary: application/pkcs10 Content-Type header value: application/pkcs10; filename=okta.p10 json: summary: application/json Content-Type header value: application/json Content-Transfer-Encoding: schema: type: string description: Encoding of the response example: base64 content: application/json: schema: $ref: '#/components/schemas/Csr' examples: CsrJsonResponse: $ref: '#/components/examples/AppCsrJsonResponse' application/pkcs10: schema: $ref: '#/components/schemas/AppCsrPkcs10' examples: CsrPkcs10Response: $ref: '#/components/examples/AppCsrPkcs10Response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a certificate signing request description: Revokes a Certificate Signing Request and deletes the key pair from the app operationId: revokeCsrFromApplication responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathCsrId' post: summary: Publish a certificate signing request description: |- Publishes a Certificate Signing Request (CSR) for the app with a signed X.509 certificate and adds it into the 
Application Key Credentials. > **Note:** Publishing a certificate completes the lifecycle of the CSR and it's no longer accessible. operationId: publishCsrFromApplication requestBody: required: true content: application/x-x509-ca-cert: schema: type: string format: binary description: |- X.509 certificate in `CER` format. The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. example: '@certificate.pem' x-okta-operationId: publishBinaryCerCert application/pkix-cert: schema: type: string format: binary description: |- X.509 certificate in `DER` format. The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. x-okta-operationId: publishBinaryDerCert application/x-pem-file: schema: type: string format: binary description: X.509 certificate in `PEM` format example: '@certificate.pem' x-okta-operationId: publishBinaryPemCert responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/JsonWebKey' examples: PublishCSR: $ref: '#/components/examples/KeyCredentialExample' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorPublishCSRCertDoesNotMatchCSR: $ref: '#/components/examples/ErrorPublishCSRCertDoesNotMatchCSR' ErrorPublishCSRCertValidityLessThan90Days: $ref: '#/components/examples/ErrorPublishCSRCertValidityLessThan90Days' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/jwks: parameters: - $ref: 
'#/components/parameters/pathAppId' get: summary: List all the OAuth 2.0 client JSON Web Keys description: Lists all JSON Web Keys for an OAuth 2.0 client app operationId: listJwk responses: '200': description: OK content: application/json: schema: type: array items: oneOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' discriminator: propertyName: use mapping: sig: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' enc: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' examples: OAuthClientJsonWebKeyListResponseExample: $ref: '#/components/examples/oAuthClientJsonWebKeyListResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Add a JSON Web Key description: |- Adds a new JSON Web Key to the client's JSON Web Keys. > **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. This is also consistent with how the [Dynamic Client Registration](/openapi/okta-oauth/oauth/tag/Client/) or [Applications](/openapi/okta-management/management/tag/Application/) APIs behave, as they don't allow the creation of multiple keys without `kids`. 
Use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) or the [Replace a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/replaceClient) operation to update the JWKS or [Delete an OAuth 2.0 Client JSON Web Key](/openapi/okta-management/management/tag/ApplicationSSOPublicKeys/#tag/ApplicationSSOPublicKeys/operation/deletejwk) and re-add the key with a `kid`. operationId: addJwk requestBody: required: true content: application/json: schema: oneOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyRequest' - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyRequest' examples: createOAuth2ClientJsonWebKeyRequestBody: $ref: '#/components/examples/oAuthClientJsonWebKeyRequest' createOAuth2ClientJsonInactiveEncryptionKeyRequestBody: $ref: '#/components/examples/oAuthClientJsonInactiveEncryptionKeyRequest' createOAuth2ClientJsonActiveEncryptionKeyRequestBody: $ref: '#/components/examples/oAuthClientJsonActiveEncryptionKeyRequest' responses: '201': description: Created content: application/json: schema: oneOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' discriminator: propertyName: use mapping: sig: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' enc: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' examples: newOAuth2ClientJsonWebKeyResponse: $ref: '#/components/examples/oAuthClientJsonWebKey' newOAuth2ClientJsonInactiveEncryptionKeyResponse: $ref: '#/components/examples/oAuthClientJsonInactiveEncryptionKey' newOAuth2ClientJsonActiveEncryptionKeyResponse: $ref: '#/components/examples/oAuthClientJsonActiveEncryptionKey' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorClientJsonWebKeyNonUniqueKid: $ref: '#/components/examples/ErrorClientJsonWebKeyNonUniqueKid' 
ErrorClientJsonWebKeyDuplicateKid: $ref: '#/components/examples/ErrorClientJsonWebKeyDuplicateKid' ErrorClientJsonWebKeyKidLengthTooShort: $ref: '#/components/examples/ErrorClientJsonWebKeyKidLengthTooShort' ErrorClientJsonWebKeyTooManyKids: $ref: '#/components/examples/ErrorClientJsonWebKeyTooManyKids' ErrorOnlyOneActiveEncryptionKeyAllowed: $ref: '#/components/examples/ErrorOnlyOneActiveEncryptionKeyAllowed' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/jwks/{keyId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathJsonWebKeyId' get: summary: Retrieve an OAuth 2.0 client JSON Web Key description: Retrieves an OAuth 2.0 Client JSON Web Key by `keyId`. 
operationId: getJwk responses: '200': description: OK content: application/json: schema: type: object oneOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' discriminator: propertyName: use mapping: sig: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' enc: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' examples: OAuthClientJsonWebKeyResponseExample: $ref: '#/components/examples/oAuthClientJsonWebKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an OAuth 2.0 client JSON Web Key description: Deletes an OAuth 2.0 Client JSON Web Key by `keyId`. You can only delete an inactive key. 
operationId: deletejwk responses: '204': description: No Content '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorDeleteActiveJsonWebKey: $ref: '#/components/examples/ErrorDeleteActiveJsonWebKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathJsonWebKeyId' post: summary: Activate an OAuth 2.0 client JSON Web Key description: |- Activates an OAuth 2.0 Client JSON Web Key by `keyId`. > **Note:** You can have only one active encryption key at any given time for an app. When you activate an inactive key, the current active key is automatically deactivated. 
operationId: activateOAuth2ClientJsonWebKey responses: '200': description: OK content: application/json: schema: oneOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' discriminator: propertyName: use mapping: sig: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' enc: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' examples: activateOAuth2ClientJsonWebKeyResponse: $ref: '#/components/examples/oAuthClientJsonWebKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathJsonWebKeyId' post: summary: Deactivate an OAuth 2.0 client JSON Web Key description: |- Deactivates an OAuth 2.0 Client JSON Web Key by `keyId`. > **Note:** You can only deactivate signing keys. Deactivating the active encryption key isn't allowed if the client has ID token encryption enabled. You can activate another encryption key, which makes the current key inactive. 
operationId: deactivateOAuth2ClientJsonWebKey responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' examples: deactivateOAuth2ClientJsonWebKeyResponse: $ref: '#/components/examples/deactivateOAuth2ClientJsonWebKeyResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod' ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: $ref: '#/components/examples/ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm' ErrorDeactivateEncryptionKey: $ref: '#/components/examples/ErrorDeactivateEncryptionKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all key credentials description: Lists all key credentials for an app operationId: listApplicationKeys responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/JsonWebKey' examples: ListAllKeyCredentialsExample: $ref: '#/components/examples/ListAllKeyCredentialsExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/generate: 
parameters: - $ref: '#/components/parameters/pathAppId' post: summary: Generate a key credential description: |- Generates a new X.509 certificate for an app key credential > **Note:** To update an Application with the newly generated key credential, use the [Replace an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication) request with the new [credentials.signing.kid](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing/kid&t=request) value in the request body. You can provide just the [Signing Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials/signing&t=request) instead of the entire [Application Credential object](/openapi/okta-management/management/tag/Application/#tag/Application/operation/replaceApplication!path=4/credentials&t=request). operationId: generateApplicationKey parameters: - name: validityYears description: Expiry years of the Application Key Credential in: query required: true schema: type: integer example: 5 responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/JsonWebKey' examples: KeyCredentialExample: $ref: '#/components/examples/KeyCredentialExample' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorKeyCredentialInvalidValidity: $ref: '#/components/examples/ErrorKeyCredentialInvalidValidity' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/{keyId}: parameters: - $ref: 
'#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathKeyId' get: summary: Retrieve a key credential description: Retrieves a specific Application Key Credential by `kid` operationId: getApplicationKey responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/JsonWebKey' examples: KeyCredentialExample: $ref: '#/components/examples/KeyCredentialExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/keys/{keyId}/clone: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathKeyId' post: summary: Clone a key credential description: |- Clones an X.509 certificate for an Application Key Credential from a source app to a target app. For step-by-step instructions to clone a credential, see [Share application key credentials for IdPs across apps](https://developer.okta.com/docs/guides/sharing-cert/main/). > **Note:** Sharing certificates isn't a recommended security practice. 
operationId: cloneApplicationKey parameters: - name: targetAid in: query description: Unique key of the target Application required: true schema: type: string example: 0ouuytCAJSSDELFTUIDS responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/JsonWebKey' examples: KeyCredentialExample: $ref: '#/components/examples/KeyCredentialExample' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorKeyCredentialCloneDuplicateKey: $ref: '#/components/examples/ErrorKeyCredentialCloneDuplicateKey' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOCredentialKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/secrets: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all OAuth 2.0 client secrets description: Lists all client secrets for an OAuth 2.0 client app operationId: listOAuth2ClientSecrets responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2ClientSecret' examples: OAuthClientSecretListResponseExample: $ref: '#/components/examples/oAuthClientSecretListResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an OAuth 2.0 client secret description: |- Creates an OAuth 2.0 Client Secret object with a new active client secret. You can create up to two Secret objects. 
An error is returned if you attempt to create more than two Secret objects. > **Note:** This API lets you bring your own secret. If [token_endpoint_auth_method](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=4/credentials/oauthClient/token_endpoint_auth_method&t=request) of the app is `client_secret_jwt`, then the minimum length of `client_secret` is 32 characters. If no secret is specified in the request, Okta adds a new system-generated secret. operationId: createOAuth2ClientSecret requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuth2ClientSecretRequestBody' examples: createOAuth2ClientSecretSystemGeneratedRequestBody: $ref: '#/components/examples/createOAuth2ClientSecretSystemGeneratedRequestBody' createOAuth2ClientSecretCustomRequestBody: $ref: '#/components/examples/createOAuth2ClientSecretCustomRequestBody' responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/OAuth2ClientSecret' examples: newOAuth2ClientSecretResponse: $ref: '#/components/examples/oAuth2ClientSecretResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorClientSecretTooLong: $ref: '#/components/examples/ErrorClientSecretTooLong' ErrorClientSecretTooShort: $ref: '#/components/examples/ErrorClientSecretTooShort' ErrorClientSecretTooShortJWT: $ref: '#/components/examples/ErrorClientSecretTooShortWithClientSecretJWT' ErrorClientSecretPrivateKeyJWT: $ref: '#/components/examples/ErrorClientSecretWithPrivateKeyJWT' ErrorClientSecretNonAscii: $ref: '#/components/examples/ErrorClientSecretNonAscii' ErrorMaxNumberOfSecrets: $ref: '#/components/examples/ErrorMaxNumberOfSecrets' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - 
okta.apps.manage tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/secrets/{secretId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathClientSecretId' get: summary: Retrieve an OAuth 2.0 client secret description: Retrieves an OAuth 2.0 Client Secret by `secretId` operationId: getOAuth2ClientSecret responses: '200': description: OK content: application/json: schema: type: object $ref: '#/components/schemas/OAuth2ClientSecret' examples: OAuthClientSecretResponseExample: $ref: '#/components/examples/oAuth2ClientSecretResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an OAuth 2.0 client secret description: Deletes an OAuth 2.0 Client Secret by `secretId`. You can only delete an inactive Secret. 
operationId: deleteOAuth2ClientSecret responses: '204': description: No Content '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorDeleteActiveClientSecret: $ref: '#/components/examples/ErrorDeleteActiveSecret' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathClientSecretId' post: summary: Activate an OAuth 2.0 client secret description: Activates an OAuth 2.0 Client Secret by `secretId` operationId: activateOAuth2ClientSecret responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuth2ClientSecret' examples: activateOAuth2ClientSecretResponse: $ref: '#/components/examples/activateOAuth2ClientSecretResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathClientSecretId' post: summary: Deactivate an OAuth 2.0 client secret description: Deactivates an OAuth 2.0 Client Secret by `secretId`. You can't deactivate a secret if it's the only secret of the client. 
operationId: deactivateOAuth2ClientSecret responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuth2ClientSecret' examples: deactivateOAuth2ClientSecretResponse: $ref: '#/components/examples/deactivateOAuth2ClientSecretResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorDeactivateTheOnlyClientSecret: $ref: '#/components/examples/ErrorDeactivateTheOnlyClientSecret' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOPublicKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/cwo/connections: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: Retrieve all Cross App Access connections description: | Retrieves inbound and outbound Cross App Access connections associated with an app operationId: getAllCrossAppAccessConnections parameters: - name: after in: query required: false description: Specifies the pagination cursor for the next page of connection results schema: type: string - name: limit in: query required: false description: | Specifies the number of results to return per page. 
The values: * -1: Return all results (up to system maximum) * 0: Return an empty result set * Positive integer: Return up to that many results (capped at system maximum) schema: type: integer format: int32 default: -1 maximum: 200 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OrgCrossAppAccessConnection' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationCrossAppAccessConnections x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create a Cross App Access connection description: | Creates a Cross App Access connection operationId: createCrossAppAccessConnection requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/OrgCrossAppAccessConnection' responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/OrgCrossAppAccessConnection' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationCrossAppAccessConnections x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/apps/{appId}/cwo/connections/{connectionId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/connectionId' get: summary: Retrieve a Cross App Access connection description: | Retrieves the Cross App Access connection with the specified ID 
operationId: getCrossAppAccessConnection responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgCrossAppAccessConnection' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationCrossAppAccessConnections x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine patch: summary: Update a Cross App Access connection description: | Updates the Cross App Access connection with the specified ID operationId: updateCrossAppAccessConnection requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/OrgCrossAppAccessConnectionPatchRequest' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgCrossAppAccessConnection' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationCrossAppAccessConnections x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete a Cross App Access connection description: | Deletes a Cross App Access connection with the specified ID operationId: deleteCrossAppAccessConnection responses: '204': description: No Content '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' 
security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationCrossAppAccessConnections x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/apps/{appId}/express-configure/oauth2/authorize: parameters: - $ref: '#/components/parameters/pathAppId' /api/v1/apps/{appId}/express-configure/{capabilityType}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/capabilityType' /api/v1/apps/{appId}/features: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all features description: | Lists all features for an app > **Note:** This request returns an error if provisioning isn't enabled for the app. > To set up provisioning, see [Update the default provisioning connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/updateDefaultProvisioningConnectionForApplication). operationId: listFeaturesForApplication responses: '200': description: Success content: application/json: schema: items: $ref: '#/components/schemas/ApplicationFeature' type: array examples: ListAppFeatureResponse: $ref: '#/components/examples/AppFeatureListResponseEx' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ListAppFeatureAPIValidationFailed: $ref: '#/components/examples/ErrorAppFeatureAPIValidationFailed' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationFeatures x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/features/{featureName}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathFeatureName' get: summary: Retrieve a feature description: Retrieves a Feature object for an app operationId: 
getFeatureForApplication responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ApplicationFeature' examples: AppFeatureResponse: $ref: '#/components/examples/AppFeatureResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationFeatures x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Update a feature description: | Updates a Feature object for an app > **Note:** This endpoint supports partial updates. operationId: updateFeatureForApplication requestBody: content: application/json: schema: oneOf: - $ref: '#/components/schemas/CapabilitiesObject' - $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject' examples: UpdateAppFeatureEx: $ref: '#/components/examples/UpdateAppFeatureRequestEx' UpdateInboundProvisioningFeatureEx: $ref: '#/components/examples/UpdateInboundProvisioningFeatureRequestEx' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ApplicationFeature' examples: UpdateAppFeatureEx: $ref: '#/components/examples/UpdateAppFeatureResponseEx' UpdateInboundProvisioningFeatureEx: $ref: '#/components/examples/UpdateInboundProvisioningFeatureResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationFeatures x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/federated-claims: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all configured federated claims description: Lists all federated 
claims for your app operationId: listFederatedClaims responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/FederatedClaim' examples: listFederatedClaimResponse: $ref: '#/components/examples/listFederatedClaimResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOFederatedClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a federated claim description: 'Creates a claim that will be included in tokens produced by federation protocols (for example: OIDC `id_tokens` or SAML Assertions)' operationId: createFederatedClaim requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/FederatedClaimRequestBody' examples: createFederatedClaimRequestBody: $ref: '#/components/examples/createFederatedClaimRequestBody' responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/FederatedClaim' examples: federatedClaimResponse: $ref: '#/components/examples/federatedClaimResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOFederatedClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/federated-claims/{claimId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/claimId' get: summary: Retrieve a federated claim description: Retrieves a federated claim by `claimId` 
operationId: getFederatedClaim responses: '200': description: OK content: application/json: schema: type: object $ref: '#/components/schemas/FederatedClaimRequestBody' examples: federatedClaimResponse: $ref: '#/components/examples/federatedClaimResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSOFederatedClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a federated claim description: 'Replaces a claim that will be included in tokens produced by federation protocols (for example: OIDC `id_tokens` or SAML Assertions)' operationId: replaceFederatedClaim requestBody: content: application/json: schema: $ref: '#/components/schemas/FederatedClaim' examples: replaceFederatedClaim: $ref: '#/components/examples/replaceFederatedClaimRequestBody' responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/FederatedClaim' examples: replaceFederatedClaimResponse: $ref: '#/components/examples/replaceFederatedClaimResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOFederatedClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a federated claim description: Deletes a federated claim by `claimId` operationId: deleteFederatedClaim responses: '204': description: No Content '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' 
'404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationSSOFederatedClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/grants: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all app grants description: Lists all scope consent Grants for the app operationId: listScopeConsentGrants parameters: - $ref: '#/components/parameters/queryAppGrantsExpand' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' examples: ListAppGrantsExample: $ref: '#/components/examples/ListAppGrantsEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.appGrants.read tags: - ApplicationGrants x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Grant consent to scope description: Grants consent for the app to request an OAuth 2.0 Okta scope operationId: grantConsentToScope x-codegen-request-body-name: oAuth2ScopeConsentGrant requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' examples: AppGrantsExample: $ref: '#/components/examples/AppGrantsPostEx' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' examples: AppGrantsExample: $ref: '#/components/examples/AppGrantsEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.appGrants.manage 
tags: - ApplicationGrants x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/grants/{grantId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathGrantId' get: summary: Retrieve an app grant description: Retrieves a single scope consent Grant object for the app operationId: getScopeConsentGrant parameters: - $ref: '#/components/parameters/queryAppGrantsExpand' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' examples: AppGrantsExample: $ref: '#/components/examples/AppGrantsEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.appGrants.read tags: - ApplicationGrants x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke an app grant description: Revokes permission for the app to grant the given scope operationId: revokeScopeConsentGrant responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.appGrants.manage tags: - ApplicationGrants x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/group-push/mappings: parameters: - $ref: '#/components/parameters/pathAppId' get: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: List all group push mappings description: Lists all group push mappings with pagination support operationId: listGroupPushMappings parameters: - name: after description: Specifies the pagination cursor for the next page of mappings in: query schema: type: string - name: limit in: query description: Specifies the number of results returned 
schema: type: integer format: int32 default: 100 maximum: 1000 minimum: 1 - name: lastUpdated description: |- Filters group push mappings by last updated date. The `lastUpdated` parameter supports the following format: `YYYY-MM-DDTHH:mm:ssZ`. This filters mappings updated on or after the specified date and time in UTC. If you don't specify a value, all group push mappings are returned. in: query schema: type: string example: '2025-01-01T00:00:00Z' - name: sourceGroupId description: Filters group push mappings by source group ID. If you don't specify a value, all group push mappings are returned. in: query schema: type: string example: 00g00000000000000000 - name: status description: Filters group push mappings by status. If you don't specify a value, all group push mappings are returned. in: query schema: $ref: '#/components/schemas/GroupPushMappingStatus' responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/GroupPushMapping' examples: List group push mappings: $ref: '#/components/examples/ListGroupPushMappingsResponse_Example' List group push mappings with active filter: $ref: '#/components/examples/ListGroupPushMappingsResponse_ExampleWithActiveFilter' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read - okta.groups.read tags: - GroupPushMapping post: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Create a group push mapping description: |- Creates or links a group push mapping. **Note:** Either `targetGroupId` or `targetGroupName` must be provided, but not both. If `targetGroupId` is provided, it links to an existing group. If `targetGroupName` is provided, it creates a new group. 
operationId: createGroupPushMapping x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateGroupPushMappingRequest' examples: Create group push mapping (create new group): $ref: '#/components/examples/CreateGroupPushMappingRequest_ExampleCreate' Create group push mapping (Active Directory): $ref: '#/components/examples/CreateGroupPushMappingRequest_ExampleCreate_ActiveDirectory' Create group push mapping (link existing group): $ref: '#/components/examples/CreateGroupPushMappingRequest_ExampleLink' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/GroupPushMapping' examples: Create group push mapping: $ref: '#/components/examples/CreateGroupPushMappingResponse_ExampleCreate' Create group push mapping (Active Directory): $ref: '#/components/examples/CreateGroupPushMappingResponse_ExampleCreate_ActiveDirectory' Create group push mapping (link existing group): $ref: '#/components/examples/CreateGroupPushMappingResponse_ExampleLink' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage - okta.groups.manage tags: - GroupPushMapping /api/v1/apps/{appId}/group-push/mappings/{mappingId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathGroupPushMappingId' get: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Retrieve a group push mapping description: Retrieves a group push mapping by ID operationId: getGroupPushMapping responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GroupPushMapping' 
examples: Retrieve group push mapping: $ref: '#/components/examples/RetrieveGroupPushMappingResponse_Example' Retrieve group push mapping (Active Directory): $ref: '#/components/examples/RetrieveGroupPushMappingResponse_Example_ActiveDirectory' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read - okta.groups.read tags: - GroupPushMapping patch: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Update a group push mapping description: Updates the status of a group push mapping operationId: updateGroupPushMapping x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateGroupPushMappingRequest' examples: Update group push mapping: $ref: '#/components/examples/UpdateGroupPushMappingRequest_Example' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/GroupPushMapping' examples: Update group push mapping: $ref: '#/components/examples/UpdateGroupPushMappingResponse_Example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage - okta.groups.manage tags: - GroupPushMapping delete: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Delete a group push mapping description: Deletes a specific group push mapping. The group push mapping must be in an `INACTIVE` state. 
operationId: deleteGroupPushMapping parameters: - in: query name: deleteTargetGroup description: If set to `true`, the target group is also deleted. If set to `false`, the target group isn't deleted. required: true schema: type: boolean default: false responses: '204': description: No Content '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage - okta.groups.manage tags: - GroupPushMapping /api/v1/apps/{appId}/groups: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all application groups description: Lists all app group assignments operationId: listApplicationGroupAssignments parameters: - name: q in: query description: |- Specifies a filter for a list of assigned groups returned based on their names. The value of `q` is matched against the group `name`. This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the [group name](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=profile/name&t=response). schema: type: string example: test - name: after in: query description: Specifies the pagination cursor for the `next` page of results. Treat this as an opaque value obtained through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination). 
schema: type: string example: 16275000448691 - $ref: '#/components/parameters/queryGroupAssignmentLimit' - $ref: '#/components/parameters/queryGroupAssignmentWithMetadataExpand' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/ApplicationGroupAssignment' examples: listGroupAssignmentsResponseExample: $ref: '#/components/examples/GroupAssignmentExListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationGroups x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathGroupId' get: summary: Retrieve an application group description: Retrieves an app group assignment operationId: getApplicationGroupAssignment parameters: - $ref: '#/components/parameters/queryGroupAssignmentWithGroupExpand' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ApplicationGroupAssignment' examples: getGroupAssignmentResponseExample: $ref: '#/components/examples/EmbeddedGroupAssignmentSampleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationGroups x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Assign an application group description: |- Assigns a [Group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) to an app, which in turn assigns the app to each [User](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/) that belongs to the group. 
The resulting application user [scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers!c=200&path=scope&t=response) is `GROUP` since the assignment was from the group membership. operationId: assignGroupToApplication x-codegen-request-body-name: applicationGroupAssignment requestBody: content: application/json: schema: $ref: '#/components/schemas/ApplicationGroupAssignment' examples: putGroupAssignmentRequestExample: $ref: '#/components/examples/GroupAssignmentPutRequestExample' required: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ApplicationGroupAssignment' examples: putGroupAssignmentResponseExample: $ref: '#/components/examples/GroupAssignmentPutResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationGroups x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true patch: summary: Update an application group description: Updates a group assignment to an app operationId: updateGroupAssignmentToApplication requestBody: content: application/json: schema: type: array items: $ref: '#/components/schemas/JsonPatchOperation' examples: groupAssignmentPatchRequetExample: $ref: '#/components/examples/GroupAssignmentPatchRequestExample' required: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ApplicationGroupAssignment' examples: patchGroupAssignmentResponseExample: $ref: '#/components/examples/GroupAssignmentPatchResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationGroups x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign an application group description: Unassigns a Group from an app operationId: unassignApplicationFromGroup responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationGroups x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/interclient-allowed-apps: parameters: - $ref: '#/components/parameters/pathAppId' /api/v1/apps/{appId}/interclient-allowed-apps/{allowedAppId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/appIdToDelete' /api/v1/apps/{appId}/interclient-target-apps: parameters: - $ref: '#/components/parameters/pathAppId' /api/v1/apps/{appId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAppId' post: summary: Activate an application description: Activates an inactive application operationId: activateApplication responses: '200': description: Success content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - Application x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAppId' post: summary: Deactivate an application description: |- Deactivates an active application > **Note:** Deactivating an app triggers a full reconciliation of all users assigned to the 
app by groups. This reconcile process removes the app assignment for the deactivated app, and might also correct assignments that were supposed to be removed but failed previously. operationId: deactivateApplication responses: '200': description: Success content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - Application x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/logo: parameters: - $ref: '#/components/parameters/pathAppId' post: summary: Upload an application logo description: | Uploads a logo for the app instance. If the app already has a logo, this operation replaces the previous logo. The logo is visible in the Admin Console as an icon for your app instance. If you have one `appLink` object configured, this logo also appears in the End-User Dashboard as an icon for your app. > **Note:** If you have multiple `appLink` objects, use the Admin Console to add logos for each app link. > You can't use the API to add logos for multiple app links. operationId: uploadApplicationLogo requestBody: content: multipart/form-data: schema: type: object properties: file: type: string format: binary description: | The image file containing the logo. The file must be in PNG, JPG, SVG, or GIF format, and less than one MB in size. For best results, use an image with a transparent background and a square dimension of 200 x 200 pixels to prevent upscaling. > **Notes:** > * Only SVG files encoded in UTF-8 are supported. For example, `` is a valid SVG file declaration. > * `multipart/form-data` isn't supported for Python. Remove the `"Content-Type": "multipart/form-data"` line if you use the Python request sample code. 
required: - file responses: '201': description: Content Created '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationLogos x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/policies/{policyId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathPolicyId' put: summary: Assign an app sign-in policy description: |- Assigns an app to an [app sign-in policy](/openapi/okta-management/management/tag/Policy/), identified by `policyId`. If the app was previously assigned to another policy, this operation replaces that assignment with the updated policy identified by `policyId`. > **Note:** When you [merge duplicate app sign-in policies](https://help.okta.com/okta_help.htm?type=oie&id=ext-merge-auth-policies), the policy and mapping CRUD operations may be unavailable during the consolidation. When the consolidation is complete, you receive an email with merged results. 
operationId: assignApplicationPolicy responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationPolicies x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/apps/{appId}/sso/saml/metadata: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: Preview the application SAML metadata description: Previews the SSO SAML metadata for an application operationId: previewSAMLmetadataForApplication parameters: - name: kid in: query required: true schema: type: string example: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo responses: '200': description: OK content: text/xml: schema: type: string description: SAML metadata in XML examples: previewSAML: summary: SAML metadata example value: |
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationSSO x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/tokens: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all application refresh tokens description: | Lists all refresh tokens for an app > **Note:** The results are [paginated](/#pagination) according to the `limit` parameter. > If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it).
operationId: listOAuth2TokensForApplication parameters: - $ref: '#/components/parameters/queryAppGrantsExpand' - $ref: '#/components/parameters/queryAppAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2RefreshToken' examples: getOAuth2TokenForApplicationListExample: $ref: '#/components/examples/OAuth2RefreshTokenResponseListEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationTokens x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke all application tokens description: Revokes all OAuth 2.0 refresh tokens for the specified app. Any access tokens issued with these refresh tokens are also revoked, but access tokens issued without a refresh token aren't affected. 
operationId: revokeOAuth2TokensForApplication responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationTokens x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/tokens/{tokenId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathTokenId' get: summary: Retrieve an application token description: Retrieves a refresh token for the specified app operationId: getOAuth2TokenForApplication parameters: - $ref: '#/components/parameters/queryAppGrantsExpand' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2RefreshToken' examples: getOAuth2TokenForApplicationExample: $ref: '#/components/examples/OAuth2RefreshTokenResponseEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationTokens x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke an application token description: Revokes the specified token for the specified app operationId: revokeOAuth2TokenForApplication responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationTokens x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appId}/users: parameters: - $ref: '#/components/parameters/pathAppId' get: summary: List all application users description: 
Lists all assigned users for an app operationId: listApplicationUsers parameters: - $ref: '#/components/parameters/queryAppAfter' - $ref: '#/components/parameters/queryAppLimit' - $ref: '#/components/parameters/queryAppUserQ' - $ref: '#/components/parameters/queryAppUserExpand' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AppUser' examples: ListAppUsersExample: $ref: '#/components/examples/AppUserListEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Assign an application user description: |- Assigns a user to an app for: * SSO only
Assignments to SSO apps typically don't include a user profile. However, if your SSO app requires a profile but doesn't have provisioning enabled, you can add profile attributes in the request body. * SSO and provisioning
Assignments to SSO and provisioning apps typically include credentials and an app-specific profile. Profile mappings defined for the app are applied first before applying any profile properties that are specified in the request body. > **Notes:** > * When Universal Directory is enabled, you can only specify profile properties that aren't defined in profile mappings. > * Omit mapped properties during assignment to minimize assignment errors. operationId: assignUserToApplication x-codegen-request-body-name: appUser requestBody: content: application/json: schema: $ref: '#/components/schemas/AppUserAssignRequest' examples: AppUserSSOEx: $ref: '#/components/examples/AppUserAssignSSORequest' AppUserProvEx: $ref: '#/components/examples/AppUserAssignProvRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AppUser' examples: AppUserSSOEx: $ref: '#/components/examples/AppUserSSOResponse' AppUserProvEx: $ref: '#/components/examples/AppUserProvResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAppUserForbidden403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationUsers /api/v1/apps/{appId}/users/{userId}: parameters: - $ref: '#/components/parameters/pathAppId' - $ref: '#/components/parameters/pathAppUserId' get: summary: Retrieve an application user description: Retrieves a specific user assignment for a specific app operationId: getApplicationUser parameters: - $ref: '#/components/parameters/queryAppUserExpand' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AppUser' examples: GetAppUserExample: $ref: '#/components/examples/AppUserProvExpandResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - ApplicationUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update an application user description: Updates the profile or credentials of a user assigned to an app operationId: updateApplicationUser x-codegen-request-body-name: appUser requestBody: content: application/json: schema: $ref: '#/components/schemas/AppUserUpdateRequest' examples: AppUserUpdateCredEx: $ref: '#/components/examples/AppUserUpdateCredRequest' AppUserUpdateProfileEx: $ref: '#/components/examples/AppUserUpdateProfileRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AppUser' examples: AppUserUpdateCredEx: $ref: '#/components/examples/AppUserCredUpdateResponse' AppUserUpdateProfileEx: $ref: '#/components/examples/AppUserProfUpdateResponse' '400': $ref: '#/components/responses/ErrorAppUserUpdateBadRequest400' '403': $ref: '#/components/responses/ErrorAppUserForbidden403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign an application user description: |- Unassigns a user from an app For directories like Active Directory and LDAP, they act as the owner of the user's credential with Okta delegating authentication (DelAuth) to that directory. If this request is successful for a user when DelAuth is enabled, then the user is in a state with no password. You can then reset the user's password. > **Important:** This is a destructive operation. You can't recover the user's app profile. 
If the app is enabled for provisioning and configured to deactivate users, the user is also deactivated in the target app. operationId: unassignUserFromApplication parameters: - name: sendEmail in: query description: Sends a deactivation email to the administrator if `true` schema: type: boolean default: false x-okta-added-version: 1.5.0 responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/apps/{appName}/{appId}/oauth2/callback: parameters: - $ref: '#/components/parameters/pathOAuthProvisioningAppName' - $ref: '#/components/parameters/pathAppId' post: summary: Verify the provisioning connection description: | Verifies the OAuth 2.0-based connection as part of the OAuth 2.0 consent flow. The validation of the consent flow is the last step of the provisioning setup for an OAuth 2.0-based connection. Currently, this operation only supports `office365`, `google`, `zoomus`, and `slack` apps.
operationId: verifyProvisioningConnectionForApplication parameters: - name: code in: query schema: type: string description: Unique string associated with each authentication request - name: state in: query schema: type: string description: A temporary code string that the client exchanges for an access token responses: '204': description: No content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - ApplicationConnections x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/authenticators: get: summary: List all authenticators description: Lists all authenticators operationId: listAuthenticators responses: '200': description: Success content: application/json: schema: items: $ref: '#/components/schemas/AuthenticatorBase' type: array examples: OrgAuthenticatorsEx: $ref: '#/components/examples/AuthenticatorsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.read tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create an authenticator description: Creates an authenticator operationId: createAuthenticator parameters: - in: query name: activate description: Whether to execute the activation lifecycle operation when Okta creates the authenticator schema: type: boolean default: true x-codegen-request-body-name: authenticator requestBody: $ref: '#/components/requestBodies/AuthenticatorRequestBody' responses: '200': $ref: '#/components/responses/AuthenticatorResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authenticators/{authenticatorId}: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' get: summary: Retrieve an authenticator description: Retrieves an authenticator from your Okta organization by `authenticatorId` operationId: getAuthenticator responses: '200': $ref: '#/components/responses/AuthenticatorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.read tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace an authenticator description: Replaces the properties for an authenticator identified by `authenticatorId` operationId: replaceAuthenticator x-codegen-request-body-name: authenticator requestBody: $ref: '#/components/requestBodies/AuthenticatorRequestBody' responses: '200': $ref: '#/components/responses/AuthenticatorResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/aaguids: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' get: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: List all custom AAGUIDs description: |- Lists all custom Authenticator Attestation 
Global Unique Identifiers (AAGUIDs) in the org Only custom AAGUIDs that an admin has created are returned. operationId: listAllCustomAAGUIDs responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AllCustomAAGUIDResponseObject' examples: default: $ref: '#/components/examples/AllCustomAAGUIDResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.read tags: - Authenticator post: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Create a custom AAGUID description: Creates a custom AAGUID for the WebAuthn authenticator operationId: createCustomAAGUID requestBody: content: application/json: schema: $ref: '#/components/schemas/CustomAAGUIDCreateRequestObject' examples: default: $ref: '#/components/examples/CustomAAGUIDRequest' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/CustomAAGUIDResponseObject' examples: default: $ref: '#/components/examples/CustomAAGUIDResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator /api/v1/authenticators/{authenticatorId}/aaguids/{aaguid}: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' - $ref: '#/components/parameters/pathAAGUID' get: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Retrieve a custom AAGUID description: Retrieves a custom AAGUID operationId: getCustomAAGUID responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/CustomAAGUIDResponseObject' examples: default: $ref: 
'#/components/examples/CustomAAGUIDResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.read tags: - Authenticator put: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Replace a custom AAGUID description: Replaces a custom AAGUID for the specified WebAuthn authenticator operationId: replaceCustomAAGUID requestBody: content: application/json: schema: $ref: '#/components/schemas/CustomAAGUIDUpdateRequestObject' examples: default: $ref: '#/components/examples/CustomAAGUIDUpdateRequest' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/CustomAAGUIDResponseObject' examples: default: $ref: '#/components/examples/CustomAAGUIDResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator patch: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Update a custom AAGUID description: Updates the properties of a custom AAGUID by the `authenticatorId` and `aaguid` ID operationId: updateCustomAAGUID requestBody: content: application/merge-patch+json: schema: $ref: '#/components/schemas/CustomAAGUIDUpdateRequestObject' examples: default: $ref: '#/components/examples/CustomAAGUIDUpdateRequest' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/CustomAAGUIDResponseObject' examples: default: $ref: '#/components/examples/CustomAAGUIDResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator delete: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Delete a custom AAGUID description: |- Deletes a custom AAGUID You can only delete custom AAGUIDs that an admin has created. operationId: deleteCustomAAGUID responses: '204': description: Deleted '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator /api/v1/authenticators/{authenticatorId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' post: summary: Activate an authenticator description: Activates an authenticator by `authenticatorId` operationId: activateAuthenticator responses: '200': $ref: '#/components/responses/AuthenticatorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' post: summary: Deactivate an authenticator description: Deactivates an authenticator by `authenticatorId` operationId: deactivateAuthenticator responses: '200': $ref: '#/components/responses/AuthenticatorResponseInactiveWebAuthn' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage 
tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' get: summary: List all methods of an authenticator description: Lists all methods of an authenticator identified by `authenticatorId` operationId: listAuthenticatorMethods responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AuthenticatorMethodBase' examples: Phone: $ref: '#/components/examples/AuthenticatorMethodPhone' TAC: $ref: '#/components/examples/AuthenticatorMethodTac' WebAuthn: $ref: '#/components/examples/AuthenticatorMethodWebAuthn' WebAuthnWithRpId: $ref: '#/components/examples/AuthenticatorMethodWebAuthnWithRpId' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.read tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods/{methodType}: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' - $ref: '#/components/parameters/pathMethodType' get: summary: Retrieve an authenticator method description: Retrieves a method identified by `methodType` of an authenticator identified by `authenticatorId` operationId: getAuthenticatorMethod responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' examples: sms: $ref: '#/components/examples/AuthenticatorMethodSms' tac: $ref: '#/components/examples/AuthenticatorMethodTac' voice: $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' webauthn: $ref: '#/components/examples/AuthenticatorMethodWebAuthn' webauthnWithRpId: $ref: 
'#/components/examples/AuthenticatorMethodWebAuthnWithRpId' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.read tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace an authenticator method description: Replaces a method of `methodType` for an authenticator identified by `authenticatorId` operationId: replaceAuthenticatorMethod requestBody: content: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' examples: sms: $ref: '#/components/examples/AuthenticatorMethodSms' tac: $ref: '#/components/examples/AuthenticatorMethodTac' voice: $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' webauthn: $ref: '#/components/examples/AuthenticatorMethodWebAuthn' webauthnWithRpId: $ref: '#/components/examples/AuthenticatorMethodWebAuthnWithRpId' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' - $ref: '#/components/parameters/pathMethodType' post: summary: Activate an authenticator method description: Activates a method for an authenticator identified by `authenticatorId` and `methodType` operationId: 
activateAuthenticatorMethod responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' examples: sms: $ref: '#/components/examples/AuthenticatorMethodSms' webauthn: $ref: '#/components/examples/AuthenticatorMethodWebAuthn' webauthnWithRpId: $ref: '#/components/examples/AuthenticatorMethodWebAuthnWithRpId' tac: $ref: '#/components/examples/AuthenticatorMethodTac' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods/{methodType}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' - $ref: '#/components/parameters/pathMethodType' post: summary: Deactivate an authenticator method description: Deactivates a method for an authenticator identified by `authenticatorId` and `methodType` operationId: deactivateAuthenticatorMethod responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthenticatorMethodBase' examples: voice: $ref: '#/components/examples/AuthenticatorMethodInactiveVoice' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authenticators/{authenticatorId}/methods/{webAuthnMethodType}/verify-rp-id-domain: parameters: - $ref: '#/components/parameters/pathAuthenticatorId' - $ref: '#/components/parameters/pathWebAuthnMethodType' post: summary: 
Verify a Relying Party ID domain description: Verifies the [Relying Party identifier (RP ID)](https://www.w3.org/TR/webauthn/#relying-party-identifier) domain for the specified WebAuthn authenticator and the specific `webauthn` authenticator method operationId: verifyRpIdDomain responses: '204': description: No Content '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authenticators.manage tags: - Authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/authorizationServers: get: summary: List all authorization servers description: Lists all custom authorization servers in the org operationId: listAuthorizationServers parameters: - name: q in: query description: Searches the `name` and `audiences` of authorization servers for matching values example: customasone schema: type: string - name: limit in: query description: 'Specifies the number of authorization server results on a page. Maximum value: 200' schema: type: integer format: int32 default: 200 - name: after in: query description: Specifies the pagination cursor for the next page of authorization servers. Treat as an opaque value and obtain through the next link relationship. 
schema: type: string responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AuthorizationServer' examples: ListAuthServers: $ref: '#/components/examples/ListAuthServersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management post: summary: Create an authorization server description: Creates an authorization server operationId: createAuthorizationServer x-codegen-request-body-name: authorizationServer requestBody: content: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' examples: CreateAuthServer: $ref: '#/components/examples/CreateAuthServerBody' CreateAuthServerWithAccessTokenEncryption: $ref: '#/components/examples/CreateAuthServerWithAccessTokenEncryptionBody' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' examples: CreateAuthServer: $ref: '#/components/examples/CreateAuthServerResponse' CreateAuthServerWithAccessTokenEncryption: $ref: '#/components/examples/CreateAuthServerWithAccessTokenEncryptionResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: Retrieve an authorization server description: Retrieves an authorization server operationId: getAuthorizationServer responses: '200': 
description: Success content: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' examples: RetrieveAuthServer: $ref: '#/components/examples/RetrieveAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management put: summary: Replace an authorization server description: Replaces an authorization server operationId: replaceAuthorizationServer x-codegen-request-body-name: authorizationServer requestBody: content: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' examples: ReplaceAuthServer: $ref: '#/components/examples/ReplaceAuthServerBody' ReplaceAuthServerEnableTokenEncryption: $ref: '#/components/examples/ReplaceAuthServerEnableTokenEncryptionBody' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthorizationServer' examples: ReplaceAuthServer: $ref: '#/components/examples/ReplaceAuthServerResponse' ReplaceAuthServerEnableTokenEncryption: $ref: '#/components/examples/ReplaceAuthServerEnableTokenEncryptionResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management delete: summary: Delete an authorization server description: Deletes an authorization server operationId: deleteAuthorizationServer responses: '204': description: No Content content: {} 
'403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/associatedServers: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all associated authorization servers description: Lists all associated Authorization Servers by trusted type for the given `authServerId` operationId: listAssociatedServersByTrustedType parameters: - name: trusted in: query description: Searches trusted authorization servers when `true` or searches untrusted authorization servers when `false` schema: type: boolean - name: q in: query description: Searches for the name or audience of the associated authorization servers example: customasone schema: type: string - name: limit in: query description: Specifies the number of results for a page schema: type: integer format: int32 default: 200 - name: after in: query description: Specifies the pagination cursor for the next page of the associated authorization servers schema: type: string responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AuthorizationServer' examples: ListAssocAuthServer: $ref: '#/components/examples/ListAssocAuthServerResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerAssoc x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management post: summary: Create an associated authorization server description: Creates 
trusted relationships between the given authorization server and other authorization servers operationId: createAssociatedServers x-codegen-request-body-name: associatedServerMediated requestBody: content: application/json: schema: $ref: '#/components/schemas/AssociatedServerMediated' examples: CreateAssocAuthServer: $ref: '#/components/examples/CreateAssocAuthServerBody' required: true responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AuthorizationServer' examples: CreateAssocAuthServer: $ref: '#/components/examples/CreateAssocAuthServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerAssoc x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/associatedServers/{associatedServerId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathAssociatedServerId' delete: summary: Delete an associated authorization server description: Deletes an associated Authorization Server operationId: deleteAssociatedServer responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerAssoc x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/claims: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all custom 
token claims description: Lists all custom token Claims defined for a specified custom authorization server operationId: listOAuth2Claims responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2Claim' examples: ListCustomTokenClaims: $ref: '#/components/examples/ListCustomTokenClaimsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management post: summary: Create a custom token claim description: Creates a custom token Claim for a custom authorization server operationId: createOAuth2Claim x-codegen-request-body-name: oAuth2Claim requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' examples: CreateCustomTokenClaim: $ref: '#/components/examples/CreateCustomTokenClaimBody' required: true responses: '201': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' examples: CreateCustomTokenClaim: $ref: '#/components/examples/CreateCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/claims/{claimId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathClaimId' get: summary: Retrieve a custom token claim 
description: Retrieves a custom token Claim by the specified `claimId` operationId: getOAuth2Claim responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' examples: RetrieveCustomTokenClaim: $ref: '#/components/examples/RetrieveCustomTokenClaimResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management put: summary: Replace a custom token claim description: Replaces a custom token Claim specified by the `claimId` operationId: replaceOAuth2Claim x-codegen-request-body-name: oAuth2Claim requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' examples: ReplaceCustomTokenClaim: $ref: '#/components/examples/ReplaceCustomTokenClaimBody' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2Claim' examples: ReplaceCustomTokenClaim: $ref: '#/components/examples/ReplaceCustomTokenClaimResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management delete: summary: Delete a custom token claim description: Deletes a custom token Claim specified by the `claimId` operationId: deleteOAuth2Claim responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerClaims x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/clients: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all client resources for an authorization server description: |- Lists all client resources for which the specified authorization server has tokens. > **Note:** To list a specific user's client resources for which they have tokens or grants, use the [List all clients endpoint in the User Resources API](/openapi/okta-management/management/tag/UserResources/#tag/UserResources/operation/listUserClients). operationId: listOAuth2ClientsForAuthorizationServer responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2Client' examples: ListClients: $ref: '#/components/examples/ListClientsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerClients x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathClientId' get: summary: List all refresh tokens for a client description: Lists all refresh tokens issued by an authorization server for a specific Client operationId: listRefreshTokensForAuthorizationServerAndClient parameters: - name: expand in: query description: 'Valid value: `scope`. 
If specified, scope details are included in the `_embedded` attribute.' schema: type: string - name: after in: query description: Specifies the pagination cursor for the next page of tokens schema: type: string - name: limit in: query description: The maximum number of tokens to return (maximum 200) schema: type: integer format: int32 default: -1 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2RefreshToken' examples: ListRefreshTokenClients: $ref: '#/components/examples/ListRefreshTokensClientsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerClients x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management delete: summary: Revoke all refresh tokens for a client description: Revokes all refresh tokens for a Client operationId: revokeRefreshTokensForAuthorizationServerAndClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerClients x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathTokenId' get: summary: Retrieve a refresh token for a client description: Retrieves a refresh token for a Client operationId: getRefreshTokenForAuthorizationServerAndClient parameters: - name: expand 
in: query description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2RefreshToken' examples: RetrieveRefreshTokenClient: $ref: '#/components/examples/RetrieveRefreshTokenClientResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerClients x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management delete: summary: Revoke a refresh token for a client description: Revokes a refresh token for a Client operationId: revokeRefreshTokenForAuthorizationServerAndClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerClients x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/credentials/keys: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all credential keys description: Lists all of the current, future, and expired Keys used by the Custom Authorization Server operationId: listAuthorizationServerKeys responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AuthorizationServerJsonWebKey' examples: ListAuthorizationServerKeys: $ref: '#/components/examples/ListAuthorizationServerKeys' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/credentials/keys/{keyId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathCredentialKeyId' get: summary: Retrieve an authorization server key description: Retrieves an Authorization Server Key specified by the `keyId` operationId: getAuthorizationServerKey responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerJsonWebKey' examples: ActiveAuthorizationServerKey: $ref: '#/components/examples/ActiveAuthorizationServerKey' NextAuthorizationServerKey: $ref: '#/components/examples/NextAuthorizationServerKey' ExpiredAuthorizationServerKey: $ref: '#/components/examples/ExpiredAuthorizationServerKey' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate: parameters: - $ref: '#/components/parameters/pathAuthServerId' post: summary: Rotate all credential keys description: |- Rotates the current Keys for a Custom Authorization Server. If you rotate Keys, the `ACTIVE` Key becomes the `EXPIRED` Key, the `NEXT` Key becomes the `ACTIVE` Key, and the Custom Authorization Server immediately begins using the new active Key to sign tokens. > **Note:** Okta rotates your Keys automatically in `AUTO` mode. 
You can rotate Keys yourself in either mode. If Keys are rotated manually, you should invalidate any intermediate cache and fetch the Keys again using the Keys endpoint. operationId: rotateAuthorizationServerKeys x-codegen-request-body-name: use requestBody: content: application/json: schema: $ref: '#/components/schemas/JwkUse' required: true responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AuthorizationServerJsonWebKey' examples: RotateAuthorizationServerKeys: $ref: '#/components/examples/ListAuthorizationServerKeys' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: InvalidRotateUse: $ref: '#/components/examples/InvalidRotateUse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthServerId' post: summary: Activate an authorization server description: Activates an authorization server operationId: activateAuthorizationServer responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthServerId' post: summary: Deactivate an 
authorization server description: Deactivates an authorization server operationId: deactivateAuthorizationServer responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/policies: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all policies description: Lists all policies operationId: listAuthorizationServerPolicies responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AuthorizationServerPolicy' examples: ListAuthorizationServerPolicies: $ref: '#/components/examples/ListAuthorizationServerPolicies' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerPolicies x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management post: summary: Create a policy description: Creates a policy operationId: createAuthorizationServerPolicy x-codegen-request-body-name: policy requestBody: content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' examples: CreateAuthorizationServerPolicyRule: $ref: '#/components/examples/CreateAuthorizationServerPolicyRequest' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' examples: AuthorizationServerPolicy: $ref: '#/components/examples/AuthorizationServerPolicy' 
'400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerPolicies x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathPolicyId' get: summary: Retrieve a policy description: Retrieves a policy operationId: getAuthorizationServerPolicy responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' examples: AuthorizationServerPolicy: $ref: '#/components/examples/AuthorizationServerPolicy' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerPolicies x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management put: summary: Replace a policy description: Replaces a policy operationId: replaceAuthorizationServerPolicy x-codegen-request-body-name: policy requestBody: content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' examples: UpdateAuthorizationServerPolicyRule: $ref: '#/components/examples/UpdateAuthorizationServerPolicyRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicy' examples: AuthorizationServerPolicy: $ref: '#/components/examples/AuthorizationServerPolicy' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': 
$ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerPolicies x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management delete: summary: Delete a policy description: Deletes a policy operationId: deleteAuthorizationServerPolicy responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerPolicies x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathPolicyId' post: summary: Activate a policy description: Activates an authorization server policy operationId: activateAuthorizationServerPolicy responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerPolicies x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathPolicyId' post: summary: Deactivate a policy description: Deactivates an authorization server policy operationId: 
deactivateAuthorizationServerPolicy responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerPolicies x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathPolicyId' get: summary: List all policy rules description: Lists all policy rules for the specified Custom Authorization Server and Policy operationId: listAuthorizationServerPolicyRules responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AuthorizationServerPolicyRule' examples: ListAuthorizationServerPolicyRules: $ref: '#/components/examples/ListAuthorizationServerPolicyRules' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerRules x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management post: summary: Create a policy rule description: Creates a policy rule for the specified Custom Authorization Server and Policy operationId: createAuthorizationServerPolicyRule x-codegen-request-body-name: policyRule requestBody: content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' examples: CreateAuthorizationServerPolicyRule: $ref: '#/components/examples/CreateAuthorizationServerPolicyRuleRequest' required: true responses: '201': description: Created content: application/json: 
schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' examples: AuthorizationServerPolicyRule: $ref: '#/components/examples/AuthorizationServerPolicyRule' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerRules x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathPolicyId' - $ref: '#/components/parameters/pathRuleId' get: summary: Retrieve a policy rule description: Retrieves a policy rule by `ruleId` operationId: getAuthorizationServerPolicyRule responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' examples: AuthorizationServerPolicyRule: $ref: '#/components/examples/AuthorizationServerPolicyRule' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerRules x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management put: summary: Replace a policy rule description: Replaces the configuration of the Policy Rule defined in the specified Custom Authorization Server and Policy operationId: replaceAuthorizationServerPolicyRule x-codegen-request-body-name: policyRule requestBody: content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRuleRequest' examples: UpdateAuthorizationServerPolicyRule: 
$ref: '#/components/examples/UpdateAuthorizationServerPolicyRuleRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthorizationServerPolicyRule' examples: AuthorizationServerPolicyRule: $ref: '#/components/examples/AuthorizationServerPolicyRule' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerRules x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management delete: summary: Delete a policy rule description: Deletes a Policy Rule defined in the specified Custom Authorization Server and Policy operationId: deleteAuthorizationServerPolicyRule responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerRules x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathPolicyId' - $ref: '#/components/parameters/pathRuleId' post: summary: Activate a policy rule description: Activates an authorization server policy rule operationId: activateAuthorizationServerPolicyRule responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerRules x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathPolicyId' - $ref: '#/components/parameters/pathRuleId' post: summary: Deactivate a policy rule description: Deactivates an authorization server policy rule operationId: deactivateAuthorizationServerPolicyRule responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerRules x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all Custom Authorization Server Public JSON Web Keys description: Lists all the public keys used by the custom authorization server operationId: listOAuth2ResourceServerJsonWebKeys responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' examples: ListOAuth2ResourceServerJsonWebKeys: $ref: '#/components/examples/ListOAuth2ResourceServerJsonWebKeys' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read 
tags: - OAuth2ResourceServerCredentialsKeys x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true post: summary: Add a JSON Web Key description: |- Adds a new JSON Web Key to the custom authorization server's JSON web keys. > **Note:** This API doesn't allow you to add a key if the existing key doesn't have a `kid`. Use the [Replace an Authorization Server](/openapi/okta-management/management/tag/AuthorizationServer/#tag/AuthorizationServer/operation/replaceAuthorizationServer) operation to update the JWKS or [Delete a Custom Authorization Server Public JSON Web Key](/openapi/okta-management/management/tag/OAuth2ResourceServerCredentialsKeys/#tag/OAuth2ResourceServerCredentialsKeys/operation/deleteOAuth2ResourceServerJsonWebKey) and re-add the key with a `kid`. > **Note:** This API doesn't allow you to add a key with an ACTIVE status. You need to add an INACTIVE key first, and then ACTIVATE the key. operationId: addOAuth2ResourceServerJsonWebKey requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKeyRequestBody' examples: addOAuth2ResourceServerJsonWebKeyRequestBody: $ref: '#/components/examples/AddOAuth2ResourceServerJsonWebKeyRequest' responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' examples: getOAuth2ResourceServerKey: $ref: '#/components/examples/OAuth2ResourceServerJsonWebKey' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorJsonWebKeyNonUniqueKid: $ref: '#/components/examples/ErrorJsonWebKeyNonUniqueKid' ErrorJsonWebKeyKidLengthTooShort: $ref: '#/components/examples/ErrorJsonWebKeyKidLengthTooShort' ErrorJsonWebKeyTooManyKids: $ref: '#/components/examples/ErrorJsonWebKeyTooManyKids' ErrorJsonWebKeyCannotAddActiveKey: $ref: '#/components/examples/ErrorJsonWebKeyCannotAddActiveKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' 
'403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - OAuth2ResourceServerCredentialsKeys x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/CustomAsPathJsonWebKeyId' get: summary: Retrieve a Custom Authorization Server Public JSON Web Key description: Retrieves a custom authorization server public JSON web key by key `id` operationId: getOAuth2ResourceServerJsonWebKey responses: '200': description: OK content: application/json: schema: type: object $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' examples: OAuthResourceServerJsonWebKeyResponseExample: $ref: '#/components/examples/OAuth2ResourceServerJsonWebKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - OAuth2ResourceServerCredentialsKeys x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true delete: summary: Delete a Custom Authorization Server Public JSON Web Key description: Deletes a custom authorization server public JSON web key by key `id`. You can only delete an inactive key. 
operationId: deleteOAuth2ResourceServerJsonWebKey responses: '204': description: No Content '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorDeleteCustomAsActiveJsonWebKey: $ref: '#/components/examples/ErrorDeleteCustomAsActiveJsonWebKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - OAuth2ResourceServerCredentialsKeys x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/CustomAsPathJsonWebKeyId' post: summary: Activate a Custom Authorization Server Public JSON Web Key description: |- Activates a custom authorization server public JSON web key by key `id`. > **Note:** You can have only one active key at any given time for the authorization server. When you activate an inactive key, Okta automatically deactivates the current active key. 
operationId: activateOAuth2ResourceServerJsonWebKey responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' examples: activateOAuth2ResourceServerJsonWebKeyResponse: $ref: '#/components/examples/OAuth2ResourceServerJsonWebKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - OAuth2ResourceServerCredentialsKeys x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true /api/v1/authorizationServers/{authServerId}/resourceservercredentials/keys/{keyId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/CustomAsPathJsonWebKeyId' post: summary: Deactivate a Custom Authorization Server Public JSON Web Key description: |- Deactivates a custom authorization server public JSON web key by key `id`. > **Note:** Deactivating the active key isn't allowed if the authorization server has access token encryption enabled. You can activate another key, which makes the current key inactive. 
operationId: deactivateOAuth2ResourceServerJsonWebKey responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuth2ResourceServerJsonWebKey' examples: deactivateOAuth2ResourceServerJsonWebKeyResponse: $ref: '#/components/examples/OAuth2ResourceServerJsonWebKey' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorDeactivateActiveKey: $ref: '#/components/examples/ErrorDeactivateActiveKey' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - OAuth2ResourceServerCredentialsKeys x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true /api/v1/authorizationServers/{authServerId}/scopes: parameters: - $ref: '#/components/parameters/pathAuthServerId' get: summary: List all custom token scopes description: Lists all custom token scopes operationId: listOAuth2Scopes parameters: - name: q in: query description: Searches the `name` of Custom Token Scopes for matching values schema: type: string - name: filter in: query description: Filter expression for Custom Token Scopes schema: type: string - name: after in: query description: |- Specifies the pagination cursor for the next page of scopes. Treat the after cursor as an opaque value and obtain it through the next link relationship. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query description: |- Specifies the number of objects to return per page. If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](https://developer.okta.com/docs/api/#pagination). 
schema: type: integer maximum: 200 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2Scope' examples: ExampleScopes: $ref: '#/components/examples/ExampleOAuth2Scopes' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerScopes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management post: summary: Create a custom token scope description: Creates a custom token scope operationId: createOAuth2Scope x-codegen-request-body-name: oAuth2Scope requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' examples: CreateOAuth2ScopeRequest: $ref: '#/components/examples/CreateOAuth2ScopeRequest' required: true responses: '201': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' examples: ExampleOAuth2Scope: $ref: '#/components/examples/ExampleOAuth2Scope' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerScopes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management /api/v1/authorizationServers/{authServerId}/scopes/{scopeId}: parameters: - $ref: '#/components/parameters/pathAuthServerId' - $ref: '#/components/parameters/pathScopeId' get: summary: Retrieve a custom token scope description: Retrieves a custom token scope operationId: getOAuth2Scope responses: '200': description: Success content: application/json: schema: $ref: 
'#/components/schemas/OAuth2Scope' examples: ExampleOAuth2Scope: $ref: '#/components/examples/ExampleOAuth2Scope' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.read tags: - AuthorizationServerScopes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management put: summary: Replace a custom token scope description: Replaces a custom token scope operationId: replaceOAuth2Scope x-codegen-request-body-name: oAuth2Scope requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' examples: UpdateOAuth2Scope: $ref: '#/components/examples/UpdateOAuth2ScopeRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2Scope' examples: UpdatedOAuth2Scope: $ref: '#/components/examples/UpdatedOAuth2ScopeResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerScopes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - API Access Management delete: summary: Delete a custom token scope description: Deletes a custom token scope operationId: deleteOAuth2Scope responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.authorizationServers.manage tags: - AuthorizationServerScopes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: 
false SKUs: - API Access Management /api/v1/behaviors: get: summary: List all behavior detection rules description: Lists all behavior detection rules with pagination support operationId: listBehaviorDetectionRules responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/BehaviorRule' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.behaviors.read tags: - Behavior x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a behavior detection rule description: Creates a new behavior detection rule operationId: createBehaviorDetectionRule x-codegen-request-body-name: rule requestBody: content: application/json: schema: $ref: '#/components/schemas/BehaviorRule' examples: Behavior Rule Request: $ref: '#/components/examples/BehaviorRuleRequest' required: true responses: '200': description: Created content: application/json: schema: $ref: '#/components/schemas/BehaviorRule' examples: Behavior Rule Response: $ref: '#/components/examples/BehaviorRuleResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: API Validation Failed: $ref: '#/components/examples/ErrorApiValidationFailed' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.behaviors.manage tags: - Behavior x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}: parameters: - $ref: '#/components/parameters/pathBehaviorId' get: summary: Retrieve a behavior detection rule description: Retrieves a Behavior Detection Rule by `behaviorId` operationId: getBehaviorDetectionRule responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/BehaviorRule' examples: Behavior Rule Response: 
$ref: '#/components/examples/BehaviorRuleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Not Found: $ref: '#/components/examples/ErrorResourceNotFound' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.behaviors.read tags: - Behavior x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a behavior detection rule description: Replaces a Behavior Detection Rule by `behaviorId` operationId: replaceBehaviorDetectionRule x-codegen-request-body-name: rule requestBody: content: application/json: schema: $ref: '#/components/schemas/BehaviorRule' examples: Behavior Rule Request: $ref: '#/components/examples/BehaviorRuleRequest' required: true responses: '200': description: Created content: application/json: schema: $ref: '#/components/schemas/BehaviorRule' examples: Behavior Rule Response: $ref: '#/components/examples/BehaviorRuleResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: API Validation Failed: $ref: '#/components/examples/ErrorApiValidationFailed' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Not Found: $ref: '#/components/examples/ErrorResourceNotFound' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.behaviors.manage tags: - Behavior x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a behavior detection rule description: Deletes a Behavior Detection Rule by `behaviorId` operationId: deleteBehaviorDetectionRule responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found content: 
application/json: schema: $ref: '#/components/schemas/Error' examples: Resource Not Found: $ref: '#/components/examples/ErrorResourceNotFound' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.behaviors.manage tags: - Behavior x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathBehaviorId' post: summary: Activate a behavior detection rule description: Activates a behavior detection rule operationId: activateBehaviorDetectionRule responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/BehaviorRule' examples: Behavior Rule Response: $ref: '#/components/examples/BehaviorRuleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.behaviors.manage tags: - Behavior x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/behaviors/{behaviorId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathBehaviorId' post: summary: Deactivate a behavior detection rule description: Deactivates a behavior detection rule operationId: deactivateBehaviorDetectionRule responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/BehaviorRule' examples: Behavior Rule Response: $ref: '#/components/examples/BehaviorRuleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.behaviors.manage tags: - Behavior x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands: get: summary: List all brands description: Lists all the brands in your org 
operationId: listBrands parameters: - $ref: '#/components/parameters/queryExpandBrand' - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' - $ref: '#/components/parameters/queryFilter' responses: '200': description: Successfully returned the list of brands content: application/json: schema: type: array items: $ref: '#/components/schemas/BrandWithEmbedded' examples: Get brands response: $ref: '#/components/examples/ListBrandsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - Brands x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a brand description: Creates a new brand in your org operationId: createBrand requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateBrandRequest' examples: Create brand request: $ref: '#/components/examples/CreateBrandRequest' responses: '201': description: Successfully created the brand content: application/json: schema: $ref: '#/components/schemas/Brand' examples: Create brand response: $ref: '#/components/examples/CreateBrandResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '409': description: Could not create the new brand because a brand with the same name already exists.
content: application/json: schema: $ref: '#/components/schemas/Error' examples: Cannot create brand with the same name: $ref: '#/components/examples/ErrorCreateBrandExists' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Brands x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve a brand description: Retrieves a brand by `brandId` operationId: getBrand parameters: - $ref: '#/components/parameters/queryExpandBrand' responses: '200': description: Successfully retrieved the brand content: application/json: schema: $ref: '#/components/schemas/BrandWithEmbedded' examples: Get brand response: $ref: '#/components/examples/GetBrandResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - Brands x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a brand description: |+ Replaces a brand by `brandId` Passing an invalid `brandId` returns a `404 Not Found` status code with the error code `E0000007`. Not providing `agreeToCustomPrivacyPolicy` with `customPrivacyPolicyUrl` returns a `400 Bad Request` status code with the error code `E0000001`. 
operationId: replaceBrand x-codegen-request-body-name: brand requestBody: content: application/json: schema: $ref: '#/components/schemas/BrandRequest' examples: Update brand request: $ref: '#/components/examples/UpdateBrandRequest' required: true responses: '200': description: Successfully replaced the brand content: application/json: schema: $ref: '#/components/schemas/Brand' examples: Update brand response: $ref: '#/components/examples/UpdateBrandResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Brands x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a brand description: Deletes a brand by `brandId` operationId: deleteBrand responses: '204': description: Successfully deleted the brand. 
'403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Conflict content: application/json: schema: $ref: '#/components/schemas/Error' examples: Cannot delete default brand: $ref: '#/components/examples/ErrorDeleteDefaultBrand' Cannot delete brand associated with a domain: $ref: '#/components/examples/ErrorDeleteBrandAssociatedWithDomain' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Brands x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/domains: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: List all domains associated with a brand description: Lists all domains associated with a brand by `brandId` operationId: listBrandDomains responses: '200': description: Successfully returned the list of domains for the brand content: application/json: schema: $ref: '#/components/schemas/BrandDomains' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - Brands x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/queryExpandPageRoot' get: summary: Retrieve the error page sub-resources description: Retrieves the error page sub-resources. The `expand` query parameter specifies which sub-resources to include in the response. operationId: getErrorPage responses: '200': description: Successfully retrieved the error page. 
content: application/json: schema: $ref: '#/components/schemas/PageRoot' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/customized: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the customized error page description: Retrieves the customized error page. The customized error page appears in your live environment. operationId: getCustomizedErrorPage responses: '200': description: Successfully retrieved the customized error page. headers: Location: schema: type: string format: uri content: application/json: schema: $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the customized error page description: Replaces the customized error page. The customized error page appears in your live environment. operationId: replaceCustomizedErrorPage requestBody: content: application/json: schema: $ref: '#/components/schemas/ErrorPage' required: true responses: '200': description: Successfully replaced the customized error page. 
headers: Location: schema: type: string format: uri content: application/json: schema: $ref: '#/components/schemas/ErrorPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete the customized error page description: Deletes the customized error page. As a result, the default error page appears in your live environment. operationId: deleteCustomizedErrorPage responses: '204': description: Successfully deleted the customized error page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/default: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the default error page description: Retrieves the default error page. The default error page appears when no customized error page exists. operationId: getDefaultErrorPage responses: '200': description: Successfully retrieved the default error page. 
content: application/json: schema: $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/error/preview: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the preview error page description: Retrieves the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. operationId: getPreviewErrorPage responses: '200': description: Successfully retrieved the preview error page. headers: Location: schema: type: string format: uri content: application/json: schema: $ref: '#/components/schemas/ErrorPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the preview error page description: Replaces the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. operationId: replacePreviewErrorPage requestBody: content: application/json: schema: $ref: '#/components/schemas/ErrorPage' required: true responses: '200': description: Successfully replaced the preview error page.
headers: Location: schema: type: string format: uri content: application/json: schema: $ref: '#/components/schemas/ErrorPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete the preview error page description: Deletes the preview error page. The preview error page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/error/preview`. operationId: deletePreviewErrorPage responses: '204': description: Successfully deleted the preview error page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/queryExpandPageRoot' get: summary: Retrieve the sign-in page sub-resources description: Retrieves the sign-in page sub-resources. The `expand` query parameter specifies which sub-resources to include in the response. operationId: getSignInPage responses: '200': description: Successfully retrieved the sign-in page. 
content: application/json: schema: $ref: '#/components/schemas/PageRoot' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/customized: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the customized sign-in page description: Retrieves the customized sign-in page. The customized sign-in page appears in your live environment. operationId: getCustomizedSignInPage responses: '200': description: Successfully retrieved the customized sign-in page. headers: Location: schema: type: string format: uri content: application/json: schema: $ref: '#/components/schemas/SignInPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the customized sign-in page description: Replaces the customized sign-in page. The customized sign-in page appears in your live environment. operationId: replaceCustomizedSignInPage requestBody: content: application/json: schema: $ref: '#/components/schemas/SignInPage' required: true responses: '200': description: Successfully replaced the customized sign-in page. 
headers: Location: schema: type: string format: uri content: application/json: schema: $ref: '#/components/schemas/SignInPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete the customized sign-in page description: Deletes the customized sign-in page. As a result, the default sign-in page appears in your live environment. operationId: deleteCustomizedSignInPage responses: '204': description: Successfully deleted the sign-in page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/default: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the default sign-in page description: Retrieves the default sign-in page. The default sign-in page appears when no customized sign-in page exists. operationId: getDefaultSignInPage responses: '200': description: Successfully retrieved the default sign-in page. 
content: application/json: schema: $ref: '#/components/schemas/SignInPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/preview: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the preview sign-in page description: Retrieves the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. operationId: getPreviewSignInPage responses: '200': description: Successfully retrieved the preview sign-in page. headers: Location: schema: type: string format: uri content: application/json: schema: $ref: '#/components/schemas/SignInPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the preview sign-in page description: Replaces the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. operationId: replacePreviewSignInPage requestBody: content: application/json: schema: $ref: '#/components/schemas/SignInPage' required: true responses: '200': description: Successfully replaced the preview sign-in page.
headers: Location: schema: type: string format: uri content: application/json: schema: $ref: '#/components/schemas/SignInPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete the preview sign-in page description: Deletes the preview sign-in page. The preview sign-in page contains unpublished changes and isn't shown in your live environment. Preview it at `${yourOktaDomain}/login/preview`. operationId: deletePreviewSignInPage responses: '204': description: Successfully deleted the preview sign-in page. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-in/widget-versions: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: List all Sign-In Widget versions description: Lists all sign-in widget versions supported by the current org operationId: listAllSignInWidgetVersions responses: '200': description: Successfully listed the sign-in widget versions. 
content: application/json: schema: type: array items: type: string pattern: ^\d+\.\d+$ '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/pages/sign-out/customized: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: Retrieve the sign-out page settings description: Retrieves the sign-out page settings operationId: getSignOutPageSettings responses: '200': description: Successfully retrieved the sign-out page settings. content: application/json: schema: $ref: '#/components/schemas/HostedPage' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the sign-out page settings description: Replaces the sign-out page settings operationId: replaceSignOutPageSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/HostedPage' required: true responses: '200': description: Successfully replaced the sign-out page settings. 
content: application/json: schema: $ref: '#/components/schemas/HostedPage' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - CustomPages x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: List all email templates description: Lists all supported email templates operationId: listEmailTemplates parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' - $ref: '#/components/parameters/queryExpandEmailTemplate' responses: '200': description: Successfully returned the list of email templates. content: application/json: schema: type: array items: $ref: '#/components/schemas/EmailTemplateResponse' examples: List email templates response: $ref: '#/components/examples/ListEmailTemplateResponse' headers: Link: schema: type: string description: The pagination header containing links to the current and next page of results. See [Pagination](/#pagination) for more information. 
'403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: Retrieve an email template description: Retrieves the details of an email template by name operationId: getEmailTemplate parameters: - $ref: '#/components/parameters/queryExpandEmailTemplate' responses: '200': description: Successfully retrieved the email template. content: application/json: schema: $ref: '#/components/schemas/EmailTemplateResponse' examples: Get email template response: $ref: '#/components/examples/GetEmailTemplateResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: List all email customizations description: | Lists all customizations of an email template If Custom languages for Okta Email Templates is enabled, all existing customizations are retrieved, including customizations for additional languages. If disabled, only customizations for Okta-supported languages are returned. 
operationId: listEmailCustomizations parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Successfully retrieved all email customizations for the specified email template. content: application/json: schema: type: array items: $ref: '#/components/schemas/EmailCustomization' examples: List Email customizations response: $ref: '#/components/examples/ListEmailCustomizationResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an email customization description: | Creates a new Email Customization If Custom languages for Okta Email Templates is enabled, you can create a customization for any BCP47 language in addition to the Okta-supported languages. operationId: createEmailCustomization x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/EmailCustomization' examples: Create email customization request: $ref: '#/components/examples/CreateUpdateEmailCustomizationRequest' responses: '201': description: Successfully created the email customization. content: application/json: schema: $ref: '#/components/schemas/EmailCustomization' examples: Create email customization response: $ref: '#/components/examples/CreateUpdateEmailCustomizationResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Could not create the email customization because it conflicts with an existing email customization. 
content: application/json: schema: $ref: '#/components/schemas/Error' examples: Default email customization already exists: $ref: '#/components/examples/ErrorEmailCustomizationDefaultAlreadyExists' Email customization already exists for the specified language: $ref: '#/components/examples/ErrorEmailCustomizationLanguageAlreadyExists' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete all email customizations description: | Deletes all customizations for an email template If Custom languages for Okta Email Templates is enabled, all customizations are deleted, including customizations for additional languages. If disabled, only customizations in Okta-supported languages are deleted. operationId: deleteAllCustomizations responses: '204': description: Successfully deleted all customizations for the email template. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' - $ref: '#/components/parameters/pathCustomizationId' get: summary: Retrieve an email customization description: | Retrieves an email customization by its unique identifier If Custom languages for Okta Email Templates is disabled, requests to retrieve an additional language customization by ID result in a `404 Not Found` error response. operationId: getEmailCustomization responses: '200': description: Successfully retrieved the email customization. 
content: application/json: schema: $ref: '#/components/schemas/EmailCustomization' examples: Get email customization response: $ref: '#/components/examples/EmailCustomizationResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace an email customization description: | Replaces an email customization using property values If Custom languages for Okta Email Templates is disabled, requests to update a customization for an additional language return a `404 Not Found` error response. operationId: replaceEmailCustomization x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/EmailCustomization' examples: Update email customization request: $ref: '#/components/examples/CreateUpdateEmailCustomizationRequest' description: Request responses: '200': description: Successfully updated the email customization. content: application/json: schema: $ref: '#/components/schemas/EmailCustomization' examples: Update email customization response: $ref: '#/components/examples/CreateUpdateEmailCustomizationResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Could not update the email customization because the update would cause a conflict with an existing email customization. 
content: application/json: schema: $ref: '#/components/schemas/Error' examples: Default email customization already exists: $ref: '#/components/examples/ErrorEmailCustomizationDefaultAlreadyExists' Email customization already exists for the specified language: $ref: '#/components/examples/ErrorEmailCustomizationLanguageAlreadyExists' Cannot set the default email customization's isDefault to false: $ref: '#/components/examples/ErrorEmailCustomizationCannotClearDefault' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an email customization description: | Deletes an Email Customization by its unique identifier If Custom languages for Okta Email Templates is disabled, deletion of an existing additional language customization by ID doesn't register. operationId: deleteEmailCustomization responses: '204': description: Successfully deleted the email customization. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Could not delete the email customization because it is the default email customization.
content: application/json: schema: $ref: '#/components/schemas/Error' examples: Cannot delete default email customization: $ref: '#/components/examples/ErrorEmailCustomizationCannotDeleteDefault' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/customizations/{customizationId}/preview: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' - $ref: '#/components/parameters/pathCustomizationId' get: summary: Retrieve a preview of an email customization description: | Retrieves a Preview of an Email Customization. All variable references are populated from the current user's context. For example, `${user.profile.firstName}`. If Custom languages for Okta Email Templates is disabled, requests for the preview of an additional language customization by ID return a `404 Not Found` error response. operationId: getCustomizationPreview responses: '200': description: Successfully generated a preview of the email customization. 
content: application/json: schema: $ref: '#/components/schemas/EmailPreview' examples: Preview email customization response: $ref: '#/components/examples/PreviewEmailCustomizationResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/default-content: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: Retrieve an email template default content description: | Retrieves an email template's default content Defaults to the current user's language given the following: - Custom languages for Okta Email Templates is enabled - An additional language is specified for the `language` parameter operationId: getEmailDefaultContent parameters: - $ref: '#/components/parameters/queryLanguage' responses: '200': description: Successfully retrieved the email template's default content. 
content: application/json: schema: $ref: '#/components/schemas/EmailDefaultContent' examples: Get email template default content response: $ref: '#/components/examples/EmailTemplateDefaultContentResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/default-content/preview: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: Retrieve a preview of the email template default content description: | Retrieves a preview of an Email Template's default content. All variable references are populated using the current user's context. For example, `${user.profile.firstName}`. Defaults to the current user's language given the following: - Custom languages for Okta Email Templates is enabled - An additional language is specified for the `language` parameter operationId: getEmailDefaultPreview parameters: - $ref: '#/components/parameters/queryLanguage' responses: '200': description: Successfully generated a preview of the email template's default content. 
content: application/json: schema: $ref: '#/components/schemas/EmailPreview' examples: Preview email template default content response: $ref: '#/components/examples/PreviewEmailTemplateDefaultContentResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/settings: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' get: summary: Retrieve the email template settings description: Retrieves an email template's settings operationId: getEmailSettings responses: '200': description: Successfully retrieved the email template's settings. content: application/json: schema: $ref: '#/components/schemas/EmailSettingsResponse' examples: Get email template settings response: $ref: '#/components/examples/EmailSettingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the email template settings description: Replaces an email template's settings operationId: replaceEmailSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/EmailSettings' responses: '200': description: Successfully updated the email template's settings. 
content: application/json: schema: $ref: '#/components/schemas/EmailSettings' examples: Update email template settings: $ref: '#/components/examples/EmailSettingsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Conflict content: application/json: schema: $ref: '#/components/schemas/Error409' examples: Conflict: $ref: '#/components/examples/ErrorEmailSettingsRaceCondition' '422': description: Could not update the email template's settings due to an invalid setting value. content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid email template recipients: $ref: '#/components/examples/ErrorInvalidEmailTemplateRecipients' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/templates/email/{templateName}/test: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathTemplateName' post: summary: Send a test email description: |- Sends a test email to the current user's primary and secondary email addresses. The email content is selected based on the following priority: 1. The email customization for the language specified in the `language` query parameter If Custom languages for Okta Email Templates is enabled and the `language` parameter is an additional language, the test email uses the customization corresponding to the language. 2. The email template's default customization 3. The email template's default content, translated to the current user's language > **Note:** Super admins can view customized email templates with the **Send a test email** request. 
However, when custom email templates are sent to super admins as part of actual email notification flows, the customizations aren't applied. Instead, the default email template is used. This only applies to super admins. operationId: sendTestEmail parameters: - $ref: '#/components/parameters/queryLanguage' responses: '204': description: Successfully sent a test email. content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - CustomTemplates x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/themes: parameters: - $ref: '#/components/parameters/pathBrandId' get: summary: List all themes description: |- Lists all the themes in your brand. > **Important:** Currently each org supports only one theme, therefore this contains a single object only. operationId: listBrandThemes responses: '200': description: Successfully returned the list of themes content: application/json: schema: type: array items: $ref: '#/components/schemas/ThemeResponse' examples: Get themes response: $ref: '#/components/examples/ListThemesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathThemeId' get: summary: Retrieve a theme description: Retrieves a theme for a brand operationId: getBrandTheme responses: '200': description: Successfully retrieved the theme content: application/json: schema: $ref: '#/components/schemas/ThemeResponse' examples: Get theme response: 
$ref: '#/components/examples/GetThemeResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a theme description: Replaces a theme for a brand operationId: replaceBrandTheme x-codegen-request-body-name: theme requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateThemeRequest' examples: Update theme request: $ref: '#/components/examples/UpdateThemeRequest' required: true responses: '200': description: Successfully replaced the theme content: application/json: schema: $ref: '#/components/schemas/ThemeResponse' examples: Update theme response: $ref: '#/components/examples/UpdateThemeResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/background-image: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathThemeId' post: summary: Upload the background image description: Uploads and replaces the background image for the theme. The file must be in PNG, JPG, or GIF format and less than 2 MB in size. operationId: uploadBrandThemeBackgroundImage requestBody: content: multipart/form-data: schema: type: object description: The file must be in PNG, JPG, or GIF format and less than 2 MB in size. 
properties: file: type: string format: binary required: - file description: background image file responses: '201': description: Content Created content: application/json: schema: $ref: '#/components/schemas/ImageUploadResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete the background image description: Deletes a theme background image operationId: deleteBrandThemeBackgroundImage responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/favicon: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathThemeId' post: summary: Upload the favicon description: Uploads and replaces the favicon for the theme operationId: uploadBrandThemeFavicon requestBody: content: multipart/form-data: schema: type: object description: The file must be in PNG or ICO format and have a 1:1 ratio with a maximum dimension of 512 x 512 properties: file: type: string format: binary required: - file description: favicon file responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/ImageUploadResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete the favicon description: Deletes a theme favicon. The theme will use the default Okta favicon. operationId: deleteBrandThemeFavicon responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/themes/{themeId}/logo: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathThemeId' post: summary: Upload the logo description: Uploads and replaces the logo for the theme. The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. operationId: uploadBrandThemeLogo requestBody: content: multipart/form-data: schema: description: The file must be in PNG, JPG, or GIF format and less than 100kB in size. For best results use landscape orientation, a transparent background, and a minimum size of 300px by 50px to prevent upscaling. 
type: object properties: file: type: string format: binary required: - file description: logo file responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ImageUploadResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete the logo description: Deletes a Theme logo. The theme will use the default Okta logo. operationId: deleteBrandThemeLogo responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - Themes x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/brands/{brandId}/well-known-uris: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/queryExpandWellKnownUris' get: summary: Retrieve all the well-known URIs description: Retrieves the content from each of the well-known URIs for a specified brand operationId: getAllWellKnownURIs responses: '200': description: Successfully retrieved all the well-known URIs content: application/json: schema: $ref: '#/components/schemas/WellKnownURIsRoot' examples: Retrieve all URIs response: $ref: '#/components/examples/WellKnownURIsRootResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - AssociatedDomainCustomizations x-okta-lifecycle: 
lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/brands/{brandId}/well-known-uris/{path}: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathWellKnownUriPath' - $ref: '#/components/parameters/queryExpandWellKnownUri' get: summary: Retrieve the well-known URI of a specific brand description: Retrieves the well-known URI of a specific brand and well-known URI path operationId: getRootBrandWellKnownURI responses: '200': description: Successfully retrieved the well-known URI content: application/json: schema: $ref: '#/components/schemas/WellKnownURIObjectResponse' examples: Retrieve well-known URI of a specific brand: $ref: '#/components/examples/WellKnownURIRootResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid path: $ref: '#/components/examples/ErrorInvalidWellKnownPath' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - AssociatedDomainCustomizations x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/brands/{brandId}/well-known-uris/{path}/customized: parameters: - $ref: '#/components/parameters/pathBrandId' - $ref: '#/components/parameters/pathWellKnownUriPath' get: summary: Retrieve the customized content of the specified well-known URI description: Retrieves the customized content of a well-known URI for a specific brand and well-known URI path operationId: getBrandWellKnownURI responses: '200': description: Successfully retrieved the customized well-known URI content content: application/json: schema: $ref: '#/components/schemas/WellKnownURIObjectResponse' examples: Retrieve the customized well-known URI: $ref: '#/components/examples/WellKnownURIResponse' 
'400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid path: $ref: '#/components/examples/ErrorInvalidWellKnownPath' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.read tags: - AssociatedDomainCustomizations x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace the customized well-known URI of the specific path description: |- Replaces the content of a customized well-known URI that you specify. There are endpoint-specific format requirements when you update the content of a customized well-known URI. See [Customize associated domains](https://developer.okta.com/docs/guides/custom-well-known-uri/main/). operationId: replaceBrandWellKnownURI requestBody: content: application/json: schema: $ref: '#/components/schemas/WellKnownURIRequest' examples: Update well-known URI request: $ref: '#/components/examples/UpdateWellKnownURIRequest' responses: '200': description: Successfully updated the well-known URI of the specified path content: application/json: schema: $ref: '#/components/schemas/WellKnownURIObjectResponse' examples: Update well-known URI response: $ref: '#/components/examples/WellKnownURIResponse' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: Invalid path: $ref: '#/components/examples/ErrorInvalidWellKnownPath' apple-app-site-association representation contains authsrv: $ref: '#/components/examples/InvalidWellKnownAppleAppSiteRepresentationError' webauthn representation doesn't contain origins: $ref: '#/components/examples/InvalidWellKnownWebauthnRepresentationError' webauthn representation origins is not string array: $ref: 
'#/components/examples/InvalidWellKnownWebauthnRepresentationOriginStringError' Invalid content type for apple-app-site-association and webauthn: $ref: '#/components/examples/InvalidWellKnownJsonTypeError' Invalid content type for assetlinks.json: $ref: '#/components/examples/InvalidWellKnownArrayTypeError' Cannot update well-known URI for default brand: $ref: '#/components/examples/CannotUpdateWellKnownUriForDefaultBrandError' size limit exceeded: $ref: '#/components/examples/WellKnownRepresentationSizeLimitExceededError' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.brands.manage tags: - AssociatedDomainCustomizations x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/captchas: get: summary: List all CAPTCHA instances description: Lists all CAPTCHA instances with pagination support. A subset of CAPTCHA instances can be returned that match a supported filter expression or query. operationId: listCaptchaInstances responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/CAPTCHAInstance' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.read tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create a CAPTCHA instance description: Creates a new CAPTCHA instance. Currently, an org can only configure a single CAPTCHA instance. 
operationId: createCaptchaInstance x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/CAPTCHAInstance' examples: HCaptcha: $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' ReCaptcha: $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/CAPTCHAInstance' examples: HCaptcha: $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' ReCaptcha: $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' Error Limit of One CAPTCHA instance per org: $ref: '#/components/examples/ErrorCAPTCHALimitOfOne' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.manage tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/captchas/{captchaId}: parameters: - $ref: '#/components/parameters/pathCaptchaId' get: summary: Retrieve a CAPTCHA instance description: Retrieves the properties of a specified CAPTCHA instance operationId: getCaptchaInstance responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CAPTCHAInstance' examples: HCaptcha: $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' ReCaptcha: $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.read tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA 
isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Update a CAPTCHA instance description: Partially updates the properties of a specified CAPTCHA instance operationId: updateCaptchaInstance x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/CAPTCHAInstance' examples: HCaptcha: $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' ReCaptcha: $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CAPTCHAInstance' examples: HCaptcha: $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' ReCaptcha: $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.manage tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace a CAPTCHA instance description: Replaces the properties for a specified CAPTCHA instance operationId: replaceCaptchaInstance x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/CAPTCHAInstance' examples: HCaptcha: $ref: '#/components/examples/CAPTCHAInstanceRequestHCaptcha' ReCaptcha: $ref: '#/components/examples/CAPTCHAInstanceRequestReCaptcha' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CAPTCHAInstance' examples: HCaptcha: $ref: '#/components/examples/CAPTCHAInstanceResponseHCaptcha' ReCaptcha: $ref: '#/components/examples/CAPTCHAInstanceResponseReCaptcha' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.manage tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete a CAPTCHA instance description: |- Deletes a specified CAPTCHA instance > **Note:** If your CAPTCHA instance is still associated with your org, the request fails. You must first update your Org-wide CAPTCHA settings to remove the CAPTCHA instance. operationId: deleteCaptchaInstance responses: '204': description: No Content '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' Cannot remove CAPTCHA in use: $ref: '#/components/examples/ErrorCAPTCHAOrgWideSetting' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.manage tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/device-assurances: get: summary: List all device assurance policies description: Lists all device assurance policies operationId: listDeviceAssurancePolicies responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/DeviceAssurance' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.deviceAssurance.read tags: - DeviceAssurance x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create a device assurance policy description: Creates a new device assurance policy operationId: 
createDeviceAssurancePolicy x-codegen-request-body-name: deviceAssurance requestBody: content: application/json: schema: $ref: '#/components/schemas/DeviceAssurance' examples: Android: $ref: '#/components/examples/DeviceAssuranceAndroidRequest' iOS: $ref: '#/components/examples/DeviceAssuranceIosRequest' MacOS: $ref: '#/components/examples/DeviceAssuranceMacOSRequest' Windows: $ref: '#/components/examples/DeviceAssuranceWindowsRequest' ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest' ChromeOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersRequest' MacOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest' MacOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersRequest' WindowsWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersRequest' WindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabled: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabledRequest' WindowsWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersRequest' AndroidWithAndroidDeviceTrustThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersRequest' AndroidWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersRequest' iOSWithDevicePostureIdPThirdPartySignalProviders: $ref: 
'#/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersRequest' AndroidWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' iOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' MacOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' WindowsWithDynamicVersionRequirements: $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' AndroidWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceAndroidWithGracePeriodRequest' iOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceIosWithGracePeriodRequest' MacOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceMacOSWithGracePeriodRequest' WindowsWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceWindowsWithGracePeriodRequest' ChromeOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceChromeOSWithGracePeriodRequest' MacOSWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksRequest' WindowsWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeviceAssurance' examples: Android: $ref: '#/components/examples/DeviceAssuranceAndroidResponse' iOS: $ref: '#/components/examples/DeviceAssuranceIosResponse' MacOS: $ref: 
'#/components/examples/DeviceAssuranceMacOSResponse' Windows: $ref: '#/components/examples/DeviceAssuranceWindowsResponse' ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse' ChromeOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersResponse' MacOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse' MacOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersResponse' WindowsWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersResponse' WindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabled: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabledResponse' WindowsWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersResponse' AndroidWithAndroidDeviceTrustThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersResponse' AndroidWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersResponse' iOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersResponse' AndroidWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' iOSWithDynamicVersionRequirement: $ref: 
'#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' MacOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' WindowsWithDynamicVersionRequirements: $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' AndroidWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceAndroidWithGracePeriodResponse' iOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceIosWithGracePeriodResponse' MacOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceMacOSWithGracePeriodResponse' WindowsWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceWindowsWithGracePeriodResponse' ChromeOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceChromeOSWithGracePeriodResponse' MacOSWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksResponse' WindowsWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.deviceAssurance.manage tags: - DeviceAssurance x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/device-assurances/{deviceAssuranceId}: parameters: - $ref: '#/components/parameters/pathDeviceAssuranceId' get: summary: Retrieve a device assurance policy description: Retrieves 
a device assurance policy by `deviceAssuranceId` operationId: getDeviceAssurancePolicy responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeviceAssurance' examples: Android: $ref: '#/components/examples/DeviceAssuranceAndroidResponse' iOS: $ref: '#/components/examples/DeviceAssuranceIosResponse' MacOS: $ref: '#/components/examples/DeviceAssuranceMacOSResponse' Windows: $ref: '#/components/examples/DeviceAssuranceWindowsResponse' ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse' ChromeOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersResponse' MacOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse' MacOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersResponse' WindowsWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersResponse' WindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabled: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabledResponse' WindowsWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersResponse' AndroidWithAndroidDeviceTrustThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersResponse' AndroidWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersResponse' 
iOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersResponse' AndroidWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' iOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' MacOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' WindowsWithDynamicVersionRequirements: $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' AndroidWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceAndroidWithGracePeriodResponse' iOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceIosWithGracePeriodResponse' MacOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceMacOSWithGracePeriodResponse' WindowsWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceWindowsWithGracePeriodResponse' ChromeOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceChromeOSWithGracePeriodResponse' MacOSWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksResponse' WindowsWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.deviceAssurance.read 
tags: - DeviceAssurance x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace a device assurance policy description: Replaces a device assurance policy by `deviceAssuranceId` operationId: replaceDeviceAssurancePolicy x-codegen-request-body-name: deviceAssurance requestBody: content: application/json: schema: $ref: '#/components/schemas/DeviceAssurance' examples: Android: $ref: '#/components/examples/DeviceAssuranceAndroidRequest' iOS: $ref: '#/components/examples/DeviceAssuranceIosRequest' MacOS: $ref: '#/components/examples/DeviceAssuranceMacOSRequest' Windows: $ref: '#/components/examples/DeviceAssuranceWindowsRequest' ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest' ChromeOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersRequest' MacOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest' MacOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersRequest' WindowsWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersRequest' WindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabled: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabledRequest' WindowsWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersRequest' AndroidWithAndroidDeviceTrustThirdPartySignalProviders: $ref: 
'#/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersRequest' AndroidWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersRequest' iOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersRequest' AndroidWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementRequest' iOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementRequest' MacOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementRequest' WindowsWithDynamicVersionRequirements: $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest' WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest' WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest' AndroidWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceAndroidWithGracePeriodRequest' iOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceIosWithGracePeriodRequest' MacOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceMacOSWithGracePeriodRequest' WindowsWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceWindowsWithGracePeriodRequest' ChromeOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceChromeOSWithGracePeriodRequest' MacOSWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksRequest' WindowsWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksRequest' 
required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeviceAssurance' examples: Android: $ref: '#/components/examples/DeviceAssuranceAndroidResponse' iOS: $ref: '#/components/examples/DeviceAssuranceIosResponse' MacOS: $ref: '#/components/examples/DeviceAssuranceMacOSResponse' Windows: $ref: '#/components/examples/DeviceAssuranceWindowsResponse' ChromeOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse' ChromeOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersResponse' MacOSWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse' MacOSWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersResponse' WindowsWithDeviceTrustConnectorThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersResponse' WindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabled: $ref: '#/components/examples/DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabledResponse' WindowsWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersResponse' AndroidWithAndroidDeviceTrustThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersResponse' AndroidWithDevicePostureIdPThirdPartySignalProviders: $ref: '#/components/examples/DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersResponse' iOSWithDevicePostureIdPThirdPartySignalProviders: $ref: 
'#/components/examples/DeviceAssuranceIosWithDevicePostureIdPSignalProvidersResponse' AndroidWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceAndroidWithDynamicVersionRequirementResponse' iOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceIosWithDynamicVersionRequirementResponse' MacOSWithDynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceMacOSWithDynamicVersionRequirementResponse' WindowsWithDynamicVersionRequirements: $ref: '#/components/examples/DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse' WindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionString: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse' WindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirement: $ref: '#/components/examples/DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse' AndroidWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceAndroidWithGracePeriodResponse' iOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceIosWithGracePeriodResponse' MacOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceMacOSWithGracePeriodResponse' WindowsWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceWindowsWithGracePeriodResponse' ChromeOSWithGracePeriod: $ref: '#/components/examples/DeviceAssuranceChromeOSWithGracePeriodResponse' MacOSWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceMacOSWithDevicePostureChecksResponse' WindowsWithDevicePostureChecks: $ref: '#/components/examples/DeviceAssuranceWindowsWithDevicePostureChecksResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - 
okta.deviceAssurance.manage tags: - DeviceAssurance x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete a device assurance policy description: Deletes a device assurance policy by `deviceAssuranceId`. If the device assurance policy is currently being used in the org Authentication Policies, the delete will not be allowed. operationId: deleteDeviceAssurancePolicy responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Conflict headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorDeviceAssuranceInUse: $ref: '#/components/examples/ErrorDeviceAssuranceInUse' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.deviceAssurance.manage tags: - DeviceAssurance x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/device-integrations: get: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: List all device integrations description: Lists all device integrations for your org. Examples include Device Posture Provider, Windows Security Center, Chrome Device Trust, OSQuery, and Android Device Trust. 
operationId: listDeviceIntegrations responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/DeviceIntegrations' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.deviceIntegrations.read tags: - DeviceIntegrations /api/v1/device-integrations/{deviceIntegrationId}: parameters: - $ref: '#/components/parameters/pathDeviceIntegrationId' get: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Retrieve a device integration description: Retrieves a device integration by `deviceIntegrationId` operationId: getDeviceIntegration responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeviceIntegrations' examples: CrowdStrike: $ref: '#/components/examples/DeviceIntegrationCrowdStrikeResponse' WindowsSecurityCenter: $ref: '#/components/examples/DeviceIntegrationWindowsSecurityCenterResponse' ChromeDeviceTrustConnector: $ref: '#/components/examples/DeviceIntegrationChromeDeviceTrustConnectorResponse' DevicePostureIdP: $ref: '#/components/examples/DeviceIntegrationDevicePostureIdPResponse' DevicePostureCheck: $ref: '#/components/examples/DeviceIntegrationDevicePostureCheckResponse' AndroidZeroTrust: $ref: '#/components/examples/DeviceIntegrationAndroidZeroTrustResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.deviceIntegrations.read tags: - DeviceIntegrations /api/v1/device-integrations/{deviceIntegrationId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathDeviceIntegrationId' post: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Activate a 
device integration description: Activates a device integration and populates the related configurations by `deviceIntegrationId` operationId: activateDeviceIntegration responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeviceIntegrations' examples: ChromeDeviceTrustConnector: $ref: '#/components/examples/DeviceIntegrationChromeDeviceTrustConnectorResponse' DevicePostureIdP: $ref: '#/components/examples/DeviceIntegrationDevicePostureIdPResponse' DevicePostureCheck: $ref: '#/components/examples/DeviceIntegrationDevicePostureCheckResponse' AndroidZeroTrust: $ref: '#/components/examples/DeviceIntegrationAndroidZeroTrustResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.deviceIntegrations.manage tags: - DeviceIntegrations /api/v1/device-integrations/{deviceIntegrationId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathDeviceIntegrationId' post: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Deactivate a device integration description: Deactivates a device integration by `deviceIntegrationId` operationId: deactivateDeviceIntegration responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeviceIntegrations' examples: CrowdStrike: $ref: '#/components/examples/DeviceIntegrationCrowdStrikeResponse' WindowsSecurityCenter: $ref: '#/components/examples/DeviceIntegrationWindowsSecurityCenterResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - 
okta.deviceIntegrations.manage tags: - DeviceIntegrations /api/v1/device-posture-checks: get: summary: List all device posture checks description: Lists all device posture checks operationId: listDevicePostureChecks responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/DevicePostureCheck' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devicePostureChecks.read tags: - DevicePostureCheck x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Create a device posture check description: Creates a device posture check operationId: createDevicePostureCheck x-codegen-request-body-name: devicePostureCheck requestBody: content: application/json: schema: $ref: '#/components/schemas/DevicePostureCheck' examples: MacOS: $ref: '#/components/examples/DevicePostureChecksMacOSRequest' Windows: $ref: '#/components/examples/DevicePostureChecksWindowsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DevicePostureCheck' examples: MacOS: $ref: '#/components/examples/DevicePostureChecksMacOSResponse' Windows: $ref: '#/components/examples/DevicePostureChecksWindowsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devicePostureChecks.manage tags: - DevicePostureCheck /api/v1/device-posture-checks/default: get: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: List all default device posture checks description: Lists all default device posture checks. Default device posture checks are defined by Okta. 
Their type will always be `BUILTIN`. operationId: listDefaultDevicePostureChecks responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/DevicePostureCheck' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devicePostureChecks.read tags: - DevicePostureCheck /api/v1/device-posture-checks/{postureCheckId}: parameters: - $ref: '#/components/parameters/pathPostureCheckId' get: summary: Retrieve a device posture check description: Retrieves a device posture check by `postureCheckId` operationId: getDevicePostureCheck responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DevicePostureCheck' examples: MacOS: $ref: '#/components/examples/DevicePostureChecksMacOSResponse' Windows: $ref: '#/components/examples/DevicePostureChecksWindowsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devicePostureChecks.read tags: - DevicePostureCheck x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Replace a device posture check description: Replaces a device posture check by `postureCheckId` operationId: replaceDevicePostureCheck x-codegen-request-body-name: devicePostureCheck requestBody: content: application/json: schema: $ref: '#/components/schemas/DevicePostureCheck' examples: MacOS: $ref: '#/components/examples/DevicePostureChecksMacOSRequest' Windows: $ref: '#/components/examples/DevicePostureChecksWindowsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DevicePostureCheck' examples: MacOS: $ref: 
'#/components/examples/DevicePostureChecksMacOSResponse' Windows: $ref: '#/components/examples/DevicePostureChecksWindowsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devicePostureChecks.manage tags: - DevicePostureCheck delete: summary: Delete a device posture check description: Deletes a device posture check by `postureCheckId`. You can't delete the device posture check if it's used in a device assurance policy. operationId: deleteDevicePostureCheck responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Conflict headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorDeviceCheckInUse: $ref: '#/components/examples/ErrorDevicePostureCheckInUse' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devicePostureChecks.manage tags: - DevicePostureCheck x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/devices: get: summary: List all devices description: |- Lists all devices with pagination support. > **Note:** To list all devices enrolled by a user, use the [List all devices endpoint in the User Resources API](/openapi/okta-management/management/tag/UserResources/#tag/UserResources/operation/listUserDevices). You can return a subset of devices that match supported search criteria using the `search` query parameter. Searches for devices based on the properties specified in the `search` parameter, conforming to SCIM filter specifications (case-insensitive). This data is eventually consistent.
The API returns different results depending on the queries specified in the request. An empty list is returned if no objects match the `search` request. > **Note:** The `search` parameter results are sourced from an eventually consistent datasource and may not reflect the latest information. Don't use search results directly for record updates, as the data might be stale and therefore overwrite newer data, resulting in data loss. Use an `id` lookup for records that you update to ensure your results contain the latest data. This operation requires [URL encoding](https://www.w3.org/TR/html4/interact/forms.html#h-17.13.4.1). For example, `search=profile.displayName eq "Bob"` is encoded as `search=profile.displayName%20eq%20%22Bob%22`. operationId: listDevices parameters: - name: after in: query schema: type: string description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](/#pagination) for more information. example: 200u3des4afA47rYJu1d7 - name: limit in: query schema: type: integer minimum: 1 maximum: 200 default: 200 example: 20 description: A limit on the number of objects to return (`20` is recommended) - name: search in: query description: |- A SCIM filter expression that filters the results. Searches include all device `profile` properties and the device `id`, `status`, and `lastUpdated` properties. Searches for devices can be filtered by the contains (`co`) operator. You can only use `co` with these select device profile attributes: `profile.displayName`, `profile.serialNumber`, `profile.imei`, `profile.meid`, `profile.udid`, and `profile.sid`. See [Operators](https://developer.okta.com/docs/api/#operators).
schema: type: string example: lastUpdated gt "2019-06-01T09:00:00.000Z" examples: FilterByDeviceStatus: summary: Filter by device status value: status%20eq%20%22ACTIVE%22 FilterByLastUpdatedTime: summary: Filter by last updated time value: lastUpdated%20gt%20%222024-12-23T00%3A00%3A00.000Z%22 FilterByDeviceId: summary: Filter by device ID value: id%20eq%20%22guo4a5u7JHHhjXrMK0g4%22 FilterByDeviceDisplayName: summary: Filter by device display name value: profile.displayName%20eq%20%22Bob%22 FilterByDevicePlatform: summary: Filter by device platform value: profile.platform%20eq%20%22WINDOWS%22 FilterBySID: summary: Filter by device security identifier (SID) value: profile.sid%20sw%20%22S-1%22 - name: expand in: query description: Includes associated user details and management status for the device in the `_embedded` attribute schema: type: string example: userSummary enum: - user - userSummary x-enumDescriptions: user: Lists full details for associated users userSummary: Lists summaries for associated users examples: UserFullDetails: summary: Get a detailed list of associated users value: user UserSummaries: summary: Get the list of associated user summaries value: userSummary responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/DeviceList' examples: APIDevicesResponseUserSummaryExample: type: array $ref: '#/components/examples/APIDevicesListAllUserSummaryResponse' APIDevicesResponseExample: type: array $ref: '#/components/examples/APIDevicesListAllResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devices.read tags: - Device x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/devices/{deviceId}: parameters: - $ref: '#/components/parameters/pathDeviceId' get: summary: Retrieve a device description: Retrieves a device by `deviceId`
operationId: getDevice responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Device' examples: APIDevicesResponseExample: $ref: '#/components/examples/DeviceResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devices.read tags: - Device x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete a device description: |- Deletes (permanently) a device by `deviceId` if it has a status of `DEACTIVATED`. You can transition the device to `DEACTIVATED` status using the [Deactivate a Device](/openapi/okta-management/management/tag/Device/#tag/Device/operation/deactivateDevice) endpoint. This request is destructive and deletes all of the profile data related to the device. Once deleted, device data can't be recovered. However, reenrollment creates a new device record. > **Note:** Attempts to delete a device that isn't in a `DEACTIVATED` state raise an error. operationId: deleteDevice responses: '204': description: No Content '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devices.manage tags: - Device x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathDeviceId' post: summary: Activate a device description: |- Activates a device by setting its status to `ACTIVE` by `deviceId`. Activated devices are used to create and delete device user links. 
operationId: activateDevice responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devices.manage tags: - Device x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathDeviceId' post: summary: Deactivate a device description: |- Deactivates a device by setting its status to `DEACTIVATED` by `deviceId`. Deactivation causes a device to lose all device user links. Set the device status to `DEACTIVATED` before deleting it. > **Note:** When deactivating a Device, keep in mind the following: - Device deactivation is a destructive operation for device factors and client certificates. Device reenrollment using Okta Verify allows end users to set up new factors on the device. - Device deletion removes the device record from Okta. Reenrollment creates a new device record. operationId: deactivateDevice responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devices.manage tags: - Device x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/suspend: parameters: - $ref: '#/components/parameters/pathDeviceId' post: summary: Suspend a Device description: |- Suspends a device by setting its status to `SUSPENDED`. Use suspended devices to create and delete device user links. You can only unsuspend or deactivate suspended devices. > **Note:** `SUSPENDED` status is meant to be temporary, so it isn't destructive. 
operationId: suspendDevice responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devices.manage tags: - Device x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/devices/{deviceId}/lifecycle/unsuspend: parameters: - $ref: '#/components/parameters/pathDeviceId' post: summary: Unsuspend a Device description: |- Unsuspends a device by returning its `status` to `ACTIVE`. >**Note:** Only devices with a `SUSPENDED` status can be unsuspended. operationId: unsuspendDevice responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devices.manage tags: - Device x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/devices/{deviceId}/users: parameters: - $ref: '#/components/parameters/pathDeviceId' get: summary: List all users for a device description: Lists all Users for a device by `deviceId` operationId: listDeviceUsers responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/DeviceUser' examples: APIDevicesListAllUsersResponseExample: summary: List all users for a specific device $ref: '#/components/examples/APIDevicesListAllUsersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.devices.read tags: - Device x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine 
/api/v1/directories/{appInstanceId}/groups/modify: parameters: - $ref: '#/components/parameters/appInstanceId' post: summary: Update an Active Directory group membership description: |- Updates an Active Directory group membership directly in Active Directory > **Note:** See **Before you begin: Active Directory integration with the following setup** in the [Use Okta Access Certifications to manage AD group membership](https://help.okta.com/okta_help.htm?type=oie&id=ad-bidirectional-group-mgt-configure) product documentation. operationId: updateADGroupMembership requestBody: content: application/json: schema: $ref: '#/components/schemas/AgentAction' examples: addUserToGroup: $ref: '#/components/examples/add-user-request' required: true responses: '200': description: OK '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: APIValidationFailed: $ref: '#/components/examples/ErrorApiValidationFailed' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '502': $ref: '#/components/responses/Error502NoConnectedAgents' '504': $ref: '#/components/responses/Error504AgentTimeOut' security: - oauth2: - okta.directories.groups.manage tags: - DirectoriesIntegration x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/domains: get: summary: List all custom domains description: Lists all verified custom domains for the org operationId: listCustomDomains responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/DomainListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.domains.read tags: - CustomDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a custom domain description: Creates your custom domain operationId: createCustomDomain 
x-codegen-request-body-name: domain requestBody: content: application/json: schema: $ref: '#/components/schemas/DomainRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/DomainResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.domains.manage tags: - CustomDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/domains/{domainId}: parameters: - $ref: '#/components/parameters/pathDomainId' get: summary: Retrieve a custom domain description: Retrieves a custom domain by `domainId` operationId: getCustomDomain responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/DomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.domains.read tags: - CustomDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a custom domain's brand description: Replaces a custom domain's brand operationId: replaceCustomDomain requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateDomain' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/DomainResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.domains.manage tags: - CustomDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a custom 
domain description: Deletes a custom domain by `domainId` operationId: deleteCustomDomain responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.domains.manage tags: - CustomDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/domains/{domainId}/certificate: parameters: - $ref: '#/components/parameters/pathDomainId' put: summary: Upsert the custom domain's certificate description: |- Upserts (creates or renews) the `MANUAL` certificate for the custom domain > **Notes:** > * If the existing `certificateSourceType` is `OKTA_MANAGED`, this operation changes the source type to `MANUAL`. Okta no longer manages and renews certificates for this domain after you provide a user-managed certificate. > * Okta supports TLS certificates and private keys that are PEM-encoded and 2048, 3072, or 4096 bits. See the [Custom domain guide](https://developer.okta.com/docs/guides/custom-url-domain/main/) for more details. 
operationId: upsertCertificate x-codegen-request-body-name: certificate requestBody: content: application/json: schema: $ref: '#/components/schemas/DomainCertificate' required: true responses: '204': description: No Content content: {} '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.domains.manage tags: - CustomDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/domains/{domainId}/verify: parameters: - $ref: '#/components/parameters/pathDomainId' post: summary: Verify a custom domain description: |- Verifies the custom domain and validity of DNS records by `domainId`. Verify your custom domain to confirm that you own or control the domain and that you have properly configured the required DNS records. Furthermore, if the `certificateSourceType` in the domain is `OKTA_MANAGED`, then an attempt is made to obtain and install a certificate. After a certificate is obtained and installed by Okta, Okta manages the certificate including certificate renewal. Verify your custom domain after you've [created it](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/CustomDomain/#tag/CustomDomain/operation/createCustomDomain) and after you've added your TXT and CNAME records to your domain provider. Okta doesn't verify your domain automatically. You must use the API to verify your custom domain if you change your DNS records or if you encounter issues with domain validation. > **Note:** DNS record changes can take time to propagate. If you recently updated your DNS records, you may need to wait before verifying your custom domain. If you encounter issues with domain verification, double-check your DNS records and ensure that they're correctly configured. 
See [Update your DNS TXT](https://developer.okta.com/docs/guides/custom-url-domain/main/#update-your-dns-txt) for more information about verifying your custom domain. operationId: verifyDomain responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/DomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.domains.manage tags: - CustomDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/dr/status/{domain}: parameters: - $ref: '#/components/parameters/domain' /api/v1/email-domains: parameters: - $ref: '#/components/parameters/queryExpandEmailDomain' get: summary: List all email domains description: Lists all the Email Domains in your org operationId: listEmailDomains responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/EmailDomainResponseWithEmbedded' examples: List email domain response: $ref: '#/components/examples/EmailDomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailDomains.read tags: - EmailDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an email domain description: Creates an Email Domain in your org operationId: createEmailDomain x-codegen-request-body-name: emailDomain requestBody: content: application/json: schema: $ref: '#/components/schemas/EmailDomain' examples: Create email domain request: $ref: '#/components/examples/CreateEmailDomainRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EmailDomainResponse' examples: Create email domain response: $ref: '#/components/examples/EmailDomainResponse' '400': 
$ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Conflict content: application/json: schema: $ref: '#/components/schemas/Error' examples: Email domain already exists: $ref: '#/components/examples/ErrorEmailDomainAlreadyExists' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailDomains.manage tags: - EmailDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/email-domains/{emailDomainId}: parameters: - $ref: '#/components/parameters/pathEmailDomainId' - $ref: '#/components/parameters/queryExpandEmailDomain' get: summary: Retrieve an email domain description: Retrieves an Email Domain by `emailDomainId` operationId: getEmailDomain responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EmailDomainResponseWithEmbedded' examples: Retrieve email domain response: $ref: '#/components/examples/EmailDomainResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailDomains.read tags: - EmailDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace an email domain description: Replaces associated username and sender display name by `emailDomainId` operationId: replaceEmailDomain x-codegen-request-body-name: updateEmailDomain requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateEmailDomain' examples: Update email domain request: $ref: '#/components/examples/UpdateEmailDomainRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailDomainResponse' examples: Update email domain response: $ref: 
'#/components/examples/UpdatedEmailDomainResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailDomains.manage tags: - EmailDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an email domain description: Deletes an Email Domain by `emailDomainId` operationId: deleteEmailDomain responses: '204': description: No Content content: {} '400': description: Unable to delete custom email domain due to mail provider specific restrictions content: application/json: schema: $ref: '#/components/schemas/Error' examples: Email domain in use: $ref: '#/components/examples/ErrorEmailDomainInUse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailDomains.manage tags: - EmailDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/email-domains/{emailDomainId}/verify: parameters: - $ref: '#/components/parameters/pathEmailDomainId' post: summary: Verify an email domain description: Verifies an Email Domain by `emailDomainId` operationId: verifyEmailDomain responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EmailDomainResponse' examples: Verified email domain response: $ref: '#/components/examples/VerifiedEmailDomainResponse' '400': description: Email domain could not be verified by mail provider content: application/json: schema: $ref: '#/components/schemas/Error' examples: Email domain could not be verified: $ref: '#/components/examples/ErrorEmailDomainNotVerified' Email domain invalid status: $ref: '#/components/examples/ErrorEmailDomainInvalidStatus' 
'403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailDomains.manage tags: - EmailDomain x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/email-servers: get: summary: List all enrolled SMTP servers description: Lists all the enrolled custom SMTP server configurations operationId: listEmailServers responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailServerListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailServers.read tags: - EmailServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create a custom SMTP server description: Creates a custom email SMTP server configuration for your org operationId: createEmailServer requestBody: content: application/json: schema: $ref: '#/components/schemas/EmailServerPost' responses: '201': description: Successfully enrolled server credentials content: application/json: schema: $ref: '#/components/schemas/EmailServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailServers.manage tags: - EmailServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/email-servers/{emailServerId}: parameters: - $ref: '#/components/parameters/pathEmailServerId' get: summary: Retrieve an SMTP server configuration description: Retrieves the specified custom SMTP server configuration operationId: getEmailServer responses: '200': description: OK content: application/json: schema: $ref: 
'#/components/schemas/EmailServerListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailServers.read tags: - EmailServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine patch: summary: Update an SMTP server configuration description: Updates the specified custom SMTP server configuration operationId: updateEmailServer requestBody: content: application/json: schema: $ref: '#/components/schemas/EmailServerRequest' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailServerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailServers.manage tags: - EmailServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete an SMTP server configuration description: Deletes the specified custom SMTP server configuration operationId: deleteEmailServer responses: '204': description: No content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailServers.manage tags: - EmailServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/email-servers/{emailServerId}/test: parameters: - $ref: '#/components/parameters/pathEmailServerId' post: summary: Test an SMTP server configuration description: Tests the specified custom SMTP Server configuration operationId: testEmailServer requestBody: 
content: application/json: schema: $ref: '#/components/schemas/EmailTestAddresses' responses: '204': description: No content '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.emailServers.manage tags: - EmailServer x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/eventHooks: get: summary: List all event hooks description: Lists all event hooks operationId: listEventHooks responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/EventHook' examples: RetrieveAllEventHooks: $ref: '#/components/examples/RetrieveAllEventHooks' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.eventHooks.read tags: - EventHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an event hook description: |- Creates a new event hook for your organization in `ACTIVE` status. You pass an event hook object in the JSON payload of your request. That object represents the set of required information about the event hook you're registering, including: * The URI of your external service * The [events](https://developer.okta.com/docs/reference/api/event-types/) in Okta you want to subscribe to * An optional event hook filter that can reduce the number of event hook calls. This is a self-service Early Access (EA) feature. See [Create an event hook filter](https://developer.okta.com/docs/concepts/event-hooks/#create-an-event-hook-filter). Additionally, you can specify a secret API key for Okta to pass to your external service endpoint for security verification. 
Note that the API key you set here is unrelated to the Okta API token you must supply when making calls to Okta APIs. Optionally, you can specify extra headers that Okta passes to your external service with each call. Your external service must use a valid HTTPS endpoint. operationId: createEventHook x-codegen-request-body-name: eventHook requestBody: content: application/json: schema: $ref: '#/components/schemas/EventHook' examples: CreateAnEventHook: $ref: '#/components/examples/CreateAnEventHook' CreateAnEventHookWithFilter: $ref: '#/components/examples/CreateAnEventHookWithFilter' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EventHook' examples: CreateAnEventHook: $ref: '#/components/examples/RetrieveAnEventHook' CreateAnEventHookWithFilter: $ref: '#/components/examples/RetrieveAnEventHookWithFilter' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.eventHooks.manage tags: - EventHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}: parameters: - $ref: '#/components/parameters/pathEventHookId' get: summary: Retrieve an event hook description: Retrieves an event hook operationId: getEventHook responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EventHook' examples: RetrieveAnEventHook: $ref: '#/components/examples/RetrieveAnEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.eventHooks.read tags: - EventHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace an event hook description: |- Replaces an event hook. 
Okta validates the new properties before replacing the existing values. Some event hook properties are immutable and can't be updated. Refer to the parameter description in the request body schema. >**Note:** Updating the `channel` property requires you to verify the hook again. operationId: replaceEventHook x-codegen-request-body-name: eventHook requestBody: content: application/json: schema: $ref: '#/components/schemas/EventHook' examples: ReplaceAnEventHook: $ref: '#/components/examples/ReplaceAnEventHookWithFilter' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EventHook' examples: ReplaceAnEventHook: $ref: '#/components/examples/RetrieveAnEventHookWithFilter' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.eventHooks.manage tags: - EventHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an event hook description: |- Deletes the event hook that matches the provided `id`. After deletion, the event hook is unrecoverable. As a safety precaution, you can only delete event hooks with a status of `INACTIVE`. 
operationId: deleteEventHook responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.eventHooks.manage tags: - EventHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathEventHookId' post: summary: Activate an event hook description: Activates the event hook that matches the provided `id` operationId: activateEventHook responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EventHook' examples: ActivateAnEventHook: $ref: '#/components/examples/RetrieveAnEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.eventHooks.manage tags: - EventHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/eventHooks/{eventHookId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathEventHookId' post: summary: Deactivate an event hook description: Deactivates the event hook that matches the provided `id` operationId: deactivateEventHook responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EventHook' examples: DeactivateAnEventHook: $ref: '#/components/examples/RetrieveADeactivatedEventHook' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.eventHooks.manage tags: - EventHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true 
/api/v1/eventHooks/{eventHookId}/lifecycle/verify: parameters: - $ref: '#/components/parameters/pathEventHookId' post: summary: Verify an event hook description: |- Verifies that the event hook matches the provided `eventHookId`. To verify ownership, your endpoint must send information back to Okta in JSON format. See [Event hooks](https://developer.okta.com/docs/concepts/event-hooks/#one-time-verification-request). Only `ACTIVE` and `VERIFIED` event hooks can receive events from Okta. If a response is not received within 3 seconds, the outbound request times out. One retry is attempted after a timeout or error response. If a successful response still isn't received, this operation returns a 400 error with more information about the failure. operationId: verifyEventHook responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EventHook' examples: VerifyAnEventHook: $ref: '#/components/examples/RetrieveAnEventHook' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.eventHooks.manage tags: - EventHook x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/features: get: summary: List all features description: Lists all self-service features for your org operationId: listFeatures responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Feature' examples: FeaturesList: summary: List all self-service features for your org $ref: '#/components/examples/ListFeaturesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.features.read tags: - Feature x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: 
true /api/v1/features/{featureId}: parameters: - $ref: '#/components/parameters/pathFeatureId' get: summary: Retrieve a feature description: Retrieves a feature by ID operationId: getFeature responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Feature' examples: FeaturesRetrieve: summary: Retrieve a feature by ID $ref: '#/components/examples/RetrieveFeaturesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.features.read tags: - Feature x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/features/{featureId}/dependencies: parameters: - $ref: '#/components/parameters/pathFeatureId' get: summary: List all dependencies description: |- Lists all feature dependencies for a specified feature. A feature's dependencies are the features that it requires to be enabled in order for itself to be enabled. operationId: listFeatureDependencies responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Feature' examples: FeaturesDependenciesList: summary: List all dependencies $ref: '#/components/examples/ListFeatureDependenciesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.features.read tags: - Feature x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/features/{featureId}/dependents: parameters: - $ref: '#/components/parameters/pathFeatureId' get: summary: List all dependents description: |- Lists all feature dependents for the specified feature. A feature's dependents are the features that need to be disabled in order for the feature itself to be disabled. 
operationId: listFeatureDependents responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Feature' examples: FeaturesDependentsList: summary: List all feature dependents for the specified feature $ref: '#/components/examples/ListFeatureDependentsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.features.read tags: - Feature x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/features/{featureId}/{lifecycle}: parameters: - $ref: '#/components/parameters/pathFeatureId' - $ref: '#/components/parameters/pathLifecycle' post: summary: Update a feature lifecycle description: |- Updates a feature's lifecycle status. Use this endpoint to enable or disable a feature for your org. Use the `mode=force` parameter to override dependency restrictions for a particular feature. Normally, you can't enable a feature if it has one or more dependencies that aren't enabled. When you use the `mode=force` parameter while enabling a feature, Okta first tries to enable any disabled features that this feature may have as dependencies. If you don't pass the `mode=force` parameter and the feature has dependencies that need to be enabled before the feature is enabled, a 400 error is returned. When you use the `mode=force` parameter while disabling a feature, Okta first tries to disable any enabled features that this feature may have as dependents. If you don't pass the `mode=force` parameter and the feature has dependents that need to be disabled before the feature is disabled, a 400 error is returned. The following chart shows the different state transitions for a feature. 
![State transitions of a feature](../../../../../images/features/update-ssfeat-flowchart.png '#width=500px;') operationId: updateFeatureLifecycle parameters: - name: mode in: query description: Indicates if you want to force enable or disable a feature. Supported value is `force`. schema: type: string responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Feature' examples: FeaturesUpdate: summary: Update the feature lifecycle status $ref: '#/components/examples/UpdateFeatureLifecycleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.features.manage tags: - Feature x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/first-party-app-settings/{appName}: parameters: - $ref: '#/components/parameters/pathFirstPartyAppName' get: summary: Retrieve the Okta application settings description: Retrieves the settings for an Okta app (also known as an Okta first-party app) operationId: getFirstPartyAppSettings responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AdminConsoleSettings' examples: exampleSettings: $ref: '#/components/examples/AdminConsoleSettingsExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.read tags: - OktaApplicationSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the Okta application settings description: Replaces the settings for an Okta app (also known as an Okta first-party app) operationId: replaceFirstPartyAppSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/AdminConsoleSettings' examples: exampleSettings: $ref: '#/components/examples/AdminConsoleSettingsExample' 
required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AdminConsoleSettings' examples: exampleSettings: $ref: '#/components/examples/AdminConsoleSettingsExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.apps.manage tags: - OktaApplicationSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups: get: summary: List all groups description: |- Lists all groups with pagination support. > **Note:** To list all groups belonging to a member, use the [List all groups endpoint in the User Resources API](/openapi/okta-management/management/tag/UserResources/#tag/UserResources/operation/listUserGroups). The number of groups returned depends on the specified [`limit`](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!in=query&path=limit&t=request), if you have a search, filter, and/or query parameter set, and if that parameter is not null. We recommend using a limit less than or equal to 200. A subset of groups can be returned that match a supported filter expression, query, or search criteria. > **Note:** The `search` parameter results are sourced from an eventually consistent datasource and may not reflect the latest information. operationId: listGroups parameters: - name: search in: query description: |- Searches for groups with a supported [filtering](https://developer.okta.com/docs/api/#filter) expression for all properties except for `_embedded`, `_links`, and `objectClass`. Okta recommends this query parameter because it provides the largest range of search options and optimal performance. 
This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Using search requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding), for example, `search=type eq "OKTA_GROUP"` is encoded as `search=type+eq+%22OKTA_GROUP%22`. This operation searches many properties: * Any group profile attribute, including imported app group profile attributes. * The top-level properties: `id`, `created`, `lastMembershipUpdated`, `lastUpdated`, and `type`. * The [source](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links/source&t=response) of groups with type of `APP_GROUP`, accessed as `source.id`. You can also use the `sortBy` and `sortOrder` parameters. Searches for groups can be filtered by the following operators: `sw`, `eq`, and `co`. You can only use `co` with these select profile attributes: `profile.name` and `profile.description`. See [Operators](https://developer.okta.com/docs/api/#operators). 
schema: type: string examples: searchByType: value: type%20eq%20%22APP_GROUP%22 summary: Search by type description: Search for groups that have a type of APP_GROUP searchByLastMembershipUpdatedAfterDate: value: lastMembershipUpdated%20gt%20%222014-01-01T00%3A00%3A00.000Z%22 summary: Search by last updated membership timestamp description: Search for groups whose memberships were last updated after 01/01/2024 searchById: value: id%20eq%20%2200gak46y5hydV6NdM0g4%22 summary: Search by ID description: Search for groups with the specified ID (00gak46y5hydV6NdM0g4) searchByProfileName: value: profile.name%20eq%20%22West%20Coast%20users%22 summary: Search by name description: Search for groups that have a group profile name of West Coast users searchBySamAccountName: value: profile.samAccountName%20sw%20%22West%20Coast%22 summary: Search using an operator description: Search for groups whose samAccountName profile attribute starts with "West Coast" searchBySourceId: value: source.id%20eq%20%220oa2v0el0gP90aqjJ0g7%22 summary: Search by source ID description: Search for groups that have the source app with the specified source ID (0oa2v0el0gP90aqjJ0g7) searchByIdTypeAndCreationDate: value: type%20eq%20%22APP_GROUP%22%20and%20%28created%20lt%20%222014-01-01T00%3A00%3A00.000Z%22%20and%20source.id%20eq%20%220oa2v0el0gP90aqjJ0g7%22%29 summary: Search with multiple criteria description: List groups of type APP_GROUP that were created before 01/01/2014 and whose source app has the ID 0oa2v0el0gP90aqjJ0g7 - name: filter in: query description: |- Filter expression for groups. See [Filter](https://developer.okta.com/docs/api/#filter). Filtering supports the following limited number of properties: `id`, `type`, `lastUpdated`, and `lastMembershipUpdated`. > **Note:** All filters must be [URL encoded](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). 
For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. See [Special characters](https://developer.okta.com/docs/api/#special-characters). schema: type: string examples: filterById: value: id%20eq%20%2200g1emaKYZTWRYYRRTSK%22 summary: Filter by ID description: Filter group with a specific ID (00g1emaKYZTWRYYRRTSK) filterByType: value: type%20eq%20%22OKTA_GROUP%22 summary: Filter by type description: Filter groups that are of the type OKTA_GROUP filterByTypeAndProfileLastUpdatedAfterDate: value: type%20eq%20%22OKTA_GROUP%22%20and%20lastUpdated%20gt%20%222016-11-11T00%3A00%3A00.000Z%22 summary: Filter by type and last updated date description: Filter groups that are OKTA_GROUP type with profile updated after 11/11/2016 filterByTypeAndProfileOrMembershipUpdatedBeforeDate: value: type%20eq%20%22OKTA_GROUP%22%20and%20%28lastUpdated%20lt%20%222015-11-11T00%3A00%3A00.000Z%22%20or%20lastMembershipUpdated%20lt%20%222015-11-11T00%3A00%3A00.000Z%22%29 summary: Filter by multiple criteria description: Filter groups that are OKTA_GROUP type, with profiles or memberships updated before 11/11/2015 - name: q in: query description: |- Finds a group that matches the `name` property. > **Note:** Paging and searching are currently mutually exclusive. You can't page a query. The default limit for a query is 300 results. Query is intended for an auto-complete picker use case where users refine their search string to constrain the results. schema: type: string example: West&limit=10 - name: after in: query description: Specifies the pagination cursor for the next page of groups. The `after` cursor should be treated as an opaque value and obtained through the next link relation. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query description: |- Specifies the number of group results in a page. 
Okta recommends using a specific value other than the default or maximum. If your request times out, retry your request with a smaller `limit` and [page the results](https://developer.okta.com/docs/api/#pagination). The Okta default `Everyone` group isn't returned for users with a group admin role. schema: type: integer format: int32 maximum: 10000 - name: expand in: query description: |- If specified, additional metadata is included in the response. Possible values are `stats` and `app`. This additional metadata is listed in the [`_embedded`](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/addGroup!c=200&path=_embedded&t=response) property of the response. > **Note:** You can use the `stats` value to return the number of users within a group. This is listed as the `_embedded.stats.usersCount` value in the response. See this [Knowledge Base article](https://support.okta.com/help/s/article/Is-there-an-API-that-returns-the-number-of-users-in-a-group?language=en_US) for more information and an example. schema: type: string - name: sortBy in: query description: Specifies the field to sort by (for search queries only). `sortBy` can be any single property, for example `sortBy=profile.name`. Groups with the same value for the `sortBy` property are ordered by `id`. Use with `sortOrder` to control the order of results. 
schema: type: string example: lastUpdated - $ref: '#/components/parameters/querySortOrder' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Group' examples: ListGroupExample: $ref: '#/components/examples/list-groups-examples' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.read tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Add a group description: |- Adds a new group with the `OKTA_GROUP` type to your org. > **Note:** App import operations are responsible for syncing groups with `APP_GROUP` type such as Active Directory groups. See [About groups](https://help.okta.com/okta_help.htm?id=Directory_Groups) in the help documentation. operationId: addGroup x-codegen-request-body-name: group requestBody: content: application/json: schema: properties: profile: $ref: '#/components/schemas/OktaUserGroupProfile' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Group' examples: GroupExample: $ref: '#/components/examples/group-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/rules: get: summary: List all group rules description: Lists all group rules for your org operationId: listGroupRules parameters: - name: limit in: query description: Specifies the number of rule results in a page schema: type: integer format: int32 default: 50 minimum: 1 maximum: 200 - name: after in: query description: Specifies the pagination cursor for the next page of rules schema: type: string - name: search in: query 
description: Specifies the keyword to search rules for schema: type: string - name: expand in: query description: If specified as `groupIdToGroupNameMap`, then displays group names schema: type: string x-okta-added-version: 1.3.0 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/GroupRule' examples: ListGroupRulesExample: $ref: '#/components/examples/list-group-rules-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.read tags: - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a group rule description: |- Creates a group rule to dynamically add users to the specified group if they match the condition. > **Note:** Group rules are created with the status set to `'INACTIVE'`. operationId: createGroupRule x-codegen-request-body-name: groupRule requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateGroupRuleRequest' examples: GroupRuleExample: $ref: '#/components/examples/create-group-rule-request-example' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/GroupRule' examples: GroupRuleExample: $ref: '#/components/examples/group-rule-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/rules/{groupRuleId}: parameters: - $ref: '#/components/parameters/pathGroupRuleId' get: summary: Retrieve a group rule description: Retrieves a specific group rule by ID from your org operationId: getGroupRule parameters: - name: expand in: query description: If specified as 
`groupIdToGroupNameMap`, then show group names schema: type: string responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/GroupRule' examples: GroupRuleExample: $ref: '#/components/examples/group-rule-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.read tags: - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a group rule description: |- Replaces a group rule > **Notes:** You can only update rules with a group whose status is set to `INACTIVE`. > > You currently can't update the `actions` section. operationId: replaceGroupRule x-codegen-request-body-name: groupRule requestBody: content: application/json: schema: $ref: '#/components/schemas/GroupRule' examples: GroupRuleExample: $ref: '#/components/examples/group-rule-example' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/GroupRule' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a group rule description: Deletes a specific group rule by `groupRuleId` operationId: deleteGroupRule parameters: - name: removeUsers in: query description: If set to `true`, removes users from groups assigned by this rule schema: type: boolean default: false responses: '202': description: Accepted content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': 
$ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/rules/{groupRuleId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathGroupRuleId' post: summary: Activate a group rule description: Activates a specific group rule by ID from your org operationId: activateGroupRule responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/rules/{groupRuleId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathGroupRuleId' post: summary: Deactivate a group rule description: Deactivates a specific group rule by ID from your org operationId: deactivateGroupRule responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - GroupRule x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathGroupId' get: summary: Retrieve a group description: Retrieves a specific group by `id` from your org operationId: getGroup responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Group' examples: GroupExample: $ref: '#/components/examples/group-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' 
security: - apiToken: [] - oauth2: - okta.groups.read tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a group description: |- Replaces the profile for a group of `OKTA_GROUP` type from your org. > **Note:** You can only modify profiles for groups of the `OKTA_GROUP` type. > > App imports are responsible for updating profiles for groups of the `APP_GROUP` type, such as Active Directory groups. operationId: replaceGroup x-codegen-request-body-name: group requestBody: content: application/json: schema: properties: profile: $ref: '#/components/schemas/OktaUserGroupProfile' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Group' examples: GroupExample: $ref: '#/components/examples/group-example' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a group description: |- Deletes a group of the `OKTA_GROUP` or `APP_GROUP` type from your org. > **Note:** You can't remove groups of type `APP_GROUP` if they are used in a group push mapping. operationId: deleteGroup responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/apps: parameters: - $ref: '#/components/parameters/pathGroupId' get: summary: List all assigned apps description: Lists all apps that are assigned to a group. 
See [Application Groups API](/openapi/okta-management/management/tag/ApplicationGroups/). operationId: listAssignedApplicationsForGroup parameters: - name: after in: query description: Specifies the pagination cursor for the next page of apps schema: type: string - name: limit in: query description: Specifies the number of app results for a page schema: type: integer format: int32 default: 20 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Application' examples: ListAppsExample: $ref: '#/components/examples/list-apps-example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.read tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/owners: parameters: - $ref: '#/components/parameters/pathGroupId' get: summary: List all group owners description: Lists all owners for a specific group operationId: listGroupOwners parameters: - name: search in: query description: SCIM filter expression for group owners. Allows you to filter owners by type. 
schema: type: string - name: after in: query description: Specifies the pagination cursor for the next page of owners schema: type: string - name: limit in: query description: Specifies the number of owner results in a page schema: type: integer format: int32 default: 1000 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/GroupOwner' examples: ListsOneOwnerOfaGroup: $ref: '#/components/examples/ListsOwnerOneResponse' ListsMultipleOwnersOfaGroup: $ref: '#/components/examples/ListsOwnersMultipleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.read tags: - GroupOwner x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Assign a group owner description: Assigns a group owner operationId: assignGroupOwner parameters: - $ref: '#/components/parameters/pathGroupId' requestBody: content: application/json: schema: $ref: '#/components/schemas/AssignGroupOwnerRequestBody' examples: AssignAGroupOwner: $ref: '#/components/examples/AssignGroupOwnerRequest' required: true responses: '201': description: Success content: application/json: schema: $ref: '#/components/schemas/GroupOwner' examples: AssignAGroupOwner: $ref: '#/components/examples/AssignGroupOwnerResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - GroupOwner x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/owners/{ownerId}: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathOwnerId' delete: 
summary: Delete a group owner description: Deletes a group owner from a specific group operationId: deleteGroupOwner responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - GroupOwner x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/roles: parameters: - $ref: '#/components/parameters/pathGroupId' get: summary: List all group role assignments description: Lists all assigned roles of a group by `groupId` operationId: listGroupAssignedRoles parameters: - $ref: '#/components/parameters/pathQueryRoleExpand' responses: '200': description: Success content: application/json: schema: type: array description: List of role assignments items: oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' MOBILE_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: '#/components/schemas/StandardRole' REPORT_ADMIN: '#/components/schemas/StandardRole' SUPER_ADMIN: '#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard roles: $ref: '#/components/examples/StandardRolesListResponseGroup' Custom roles: $ref: '#/components/examples/CustomRolesListResponseGroup' IAM-Based standard roles: $ref: 
'#/components/examples/IAMStandardRolesListResponseGroup' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Assign a role to a group description: |- Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a group. You can also assign a custom role to a group, but the preferred method to assign a custom role to a group is to create a binding between the custom role, the resource set, and the group. See [Create a role resource set binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). > **Notes:** > * The request payload is different for standard and custom role assignments. > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. 
operationId: assignRoleToGroup parameters: - name: disableNotifications in: query description: Grants the group third-party admin status when set to `true` schema: type: boolean default: false x-codegen-request-body-name: assignRoleRequest requestBody: content: application/json: schema: oneOf: - $ref: '#/components/schemas/StandardRoleAssignmentSchema' - $ref: '#/components/schemas/CustomRoleAssignmentSchema' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' APP_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' HELP_DESK_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ORG_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' READ_ONLY_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' REPORT_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' SUPER_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' USER_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' WORKFLOWS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ACCESS_REQUESTS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' CUSTOM: '#/components/schemas/CustomRoleAssignmentSchema' required: true responses: '200': description: Success content: application/json: schema: oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: '#/components/schemas/StandardRole' REPORT_ADMIN: '#/components/schemas/StandardRole' SUPER_ADMIN: 
'#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard roles: $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup' Custom roles: $ref: '#/components/examples/CreateCustomRoleResponseGroup' IAM-based standard roles: $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' '201': description: Success content: {} '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleAssignmentBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleAssignmentId}: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: Retrieve a group role assignment description: Retrieves a role assigned to a group (identified by the `groupId`). The `roleAssignmentId` is the unique identifier for either a standard role group assignment object or a custom role resource set binding object. 
operationId: getGroupAssignedRole responses: '200': description: Success content: application/json: schema: oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: '#/components/schemas/StandardRole' REPORT_ADMIN: '#/components/schemas/StandardRole' SUPER_ADMIN: '#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard roles: $ref: '#/components/examples/CreateStandardRoleAssignmentResponseGroup' Custom roles: $ref: '#/components/examples/CreateCustomRoleResponseGroup' IAM-based standard roles: $ref: '#/components/examples/CreateIAMStandardRoleResponseGroup' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a group role description: Unassigns a role assignment (identified by `roleAssignmentId`) from a group (identified by the `groupId`) operationId: unassignRoleFromGroup responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - 
okta.roles.manage tags: - RoleAssignmentBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: List all group role app targets description: Lists all app targets for an `APP_ADMIN` role assignment to a group. The response includes a list of OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app doesn't. operationId: listApplicationTargetsForApplicationAdministratorRoleForGroup parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/CatalogApplication' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' put: summary: Assign a group role app target description: Assigns an OIN app target to an `APP_ADMIN` role assignment to a group. When you assign the first OIN app target, you reduce the scope of the role assignment. The role no longer applies to all app targets, but applies only to the specified target. An OIN app target that's assigned to the role overrides any existing instance targets of the OIN app. 
For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app with `facebook` for `appName` makes that user the administrator for all Facebook instances. operationId: assignAppTargetToAdminRoleForGroup responses: '200': description: Success content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a group role app target description: | Unassigns an OIN app target from an `APP_ADMIN` role assignment to a group > **Note:** You can't remove the last app target from a role assignment. > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment with the target and create another one. See [Unassign a group role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). operationId: unassignAppTargetToAdminRoleForGroup responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathAppId' put: summary: Assign a group role app instance target description: |- Assigns an app instance target to an `APP_ADMIN` role assignment to a group. 
When you assign the first OIN app or app instance target, you reduce the scope of the role assignment. The role no longer applies to all app targets, but applies only to the specified target. > **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. > For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. operationId: assignAppInstanceTargetToAppAdminRoleForGroup responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a group role app instance target description: |- Unassigns an app instance target from an `APP_ADMIN` role assignment to a group > **Note:** You can't remove the last app instance target from a role assignment. > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment with the target and create another one. See [Unassign a group role](/openapi/okta-management/management/tag/RoleAssignmentBGroup/#tag/RoleAssignmentBGroup/operation/unassignRoleFromGroup). 
operationId: unassignAppInstanceTargetToAppAdminRoleForGroup responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: List all group role group targets description: |- Lists all group targets for a [`USER_ADMIN`](/openapi/okta-management/guides/roles/#standard-roles), `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a group. If the role isn't scoped to specific group targets, Okta returns an empty array `[]`. operationId: listGroupTargetsForGroupRole parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Group' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/roles/{roleAssignmentId}/targets/groups/{targetGroupId}: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathTargetGroupId' put: summary: Assign a group role group target description: |- Assigns a group target to a [`USER_ADMIN`](/openapi/okta-management/guides/roles/#standard-roles), `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role 
assignment to a group. When you assign the first group target, you reduce the scope of the role assignment. The role no longer applies to all targets but applies only to the specified target. operationId: assignGroupTargetToGroupAdminRole responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a group role group target description: Unassigns a group target from a [`USER_ADMIN`](/openapi/okta-management/guides/roles/#standard-roles), `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a group. operationId: unassignGroupTargetFromGroupAdminRole responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetBGroup x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/users: parameters: - $ref: '#/components/parameters/pathGroupId' get: summary: List all member users description: |- Lists all users that are a member of a group. The default user limit is set to a very high number due to historical reasons that are no longer valid for most orgs. This will change in a future version of this API. The recommended page limit is now `limit=200`. 
operationId: listGroupUsers parameters: - $ref: '#/components/parameters/queryAfter' - name: limit in: query description: Specifies the number of user results in a page schema: type: integer format: int32 default: 1000 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/User' examples: ListMemberUserResponse: $ref: '#/components/examples/ListUsersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.read tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/groups/{groupId}/users/{userId}: parameters: - $ref: '#/components/parameters/pathGroupId' - $ref: '#/components/parameters/pathUserId' put: summary: Assign a user to a group description: |- Assigns a user to a group with the `OKTA_GROUP` type. > **Note:** You can only modify memberships for groups of the `OKTA_GROUP` type. App imports are responsible for managing group memberships for groups of the `APP_GROUP` type, such as Active Directory groups. operationId: assignUserToGroup responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a user from a group description: |- Unassigns a user from a group with the `OKTA_GROUP` type. > **Note:** You can only modify memberships for groups of the `OKTA_GROUP` type. > > App imports are responsible for managing group memberships for groups of the `APP_GROUP` type, such as Active Directory groups. 
operationId: unassignUserFromGroup responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.groups.manage tags: - Group x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/hook-keys: get: summary: List all keys description: Lists all keys operationId: listHookKeys responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/HookKey' examples: ResponseExample: $ref: '#/components/examples/ListAllKeysResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.inlineHooks.read tags: - HookKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a key description: |- Creates a key for use with other parts of the application, such as inline hooks > **Note:** Use the key name to access this key for inline hook operations. The total number of keys that you can create in an Okta org is limited to 50. The response is a [Key object](https://developer.okta.com/docs/reference/api/hook-keys/#key-object) that represents the key that you create. The `id` property in the response serves as the unique ID for the key, which you can specify when invoking other CRUD operations. The `keyId` provided in the response is the alias of the public key that you can use to get details of the public key data in a separate call. > **Note:** The keyId is the alias of the public key that you can use to retrieve the public key. 
operationId: createHookKey x-codegen-request-body-name: keyRequest requestBody: content: application/json: schema: $ref: '#/components/schemas/KeyRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/DetailedHookKeyInstance' examples: ResponseExample: $ref: '#/components/examples/CreateHookKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.inlineHooks.manage tags: - HookKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/hook-keys/public/{keyId}: parameters: - $ref: '#/components/parameters/pathPublicKeyId' get: summary: Retrieve a public key description: |- Retrieves a public key by `keyId` >**Note:** keyId is the alias of the public key. operationId: getPublicKey responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/_embedded' examples: ResponseExample: $ref: '#/components/examples/RetrievePublicKeyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.inlineHooks.read tags: - HookKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/hook-keys/{id}: parameters: - $ref: '#/components/parameters/pathHookKeyId' get: summary: Retrieve a key by ID description: |- Retrieves the public portion of the Key object using the `id` parameter >**Note:** The `?expand=publickey` query parameter optionally returns the full object including the details of the public key in the response body's `_embedded` property. 
operationId: getHookKey parameters: - name: id description: A valid key ID in: path schema: type: string responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/HookKey' examples: ResponseExample: $ref: '#/components/examples/RetrieveKeyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.inlineHooks.read tags: - HookKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a key description: |- Replaces a key by `id` This request replaces existing properties after passing validation. > **Note:** The only parameter that you can update is the name of the key, which must be unique at all times. operationId: replaceHookKey x-codegen-request-body-name: keyRequest requestBody: content: application/json: schema: $ref: '#/components/schemas/KeyRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/DetailedHookKeyInstance' examples: ResponseExample: $ref: '#/components/examples/ReplaceKeyResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.inlineHooks.manage tags: - HookKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a key description: | Deletes a key by `id`. After being deleted, the key is unrecoverable. As a safety precaution, only keys that aren't being used are eligible for deletion. 
operationId: deleteHookKey responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.inlineHooks.manage tags: - HookKey x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/assignees/users: get: summary: List all users with role assignments description: Lists all users with role assignments operationId: listUsersWithRoleAssignments parameters: - name: after description: Specifies the pagination cursor for the next page of targets in: query schema: type: string required: false - name: limit in: query description: Specifies the number of results returned. Defaults to `100`. schema: type: integer format: int32 default: 100 required: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/RoleAssignedUsers' examples: User List: $ref: '#/components/examples/RoleAssignedUsersResponseExample' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/governance/bundles: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] get: summary: List all governance bundles description: Lists all governance bundles for the Admin Console in your org operationId: listGovernanceBundles parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GovernanceBundlesResponse' examples: GovernanceBundlesResponse: $ref: '#/components/examples/GovernanceBundlesResponse' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - GovernanceBundle post: summary: Create a governance bundle description: Creates a governance bundle of entitlements for the Admin Console operationId: createGovernanceBundle requestBody: content: application/json: schema: $ref: '#/components/schemas/GovernanceBundleCreateRequest' examples: GovernanceBundleCreateRequestStandardRole: $ref: '#/components/examples/GovernanceBundleCreateRequestStandardRole' GovernanceBundleCreateRequestScopedStandardRole: $ref: '#/components/examples/GovernanceBundleCreateRequestScopedStandardRole' GovernanceBundleCreateRequestCustomRole: $ref: '#/components/examples/GovernanceBundleCreateRequestCustomRole' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/GovernanceBundle' examples: GovernanceBundleCreateRequestStandardRole: $ref: '#/components/examples/GovernanceBundle' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - GovernanceBundle /api/v1/iam/governance/bundles/{bundleId}: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] parameters: - $ref: '#/components/parameters/pathBundleId' get: summary: Retrieve a governance bundle description: Retrieves a governance bundle for the Admin Console operationId: getGovernanceBundle responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GovernanceBundle' examples: GovernanceBundle: $ref: '#/components/examples/GovernanceBundle' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - GovernanceBundle put: summary: Replace a governance bundle description: Replaces the properties of a governance bundle for the Admin Console operationId: replaceGovernanceBundle requestBody: content: application/json: schema: $ref: '#/components/schemas/GovernanceBundleUpdateRequest' examples: GovernanceBundleUpdateRequestStandardRole: $ref: '#/components/examples/GovernanceBundleUpdateRequestStandardRole' GovernanceBundleUpdateRequestScopedStandardRole: $ref: '#/components/examples/GovernanceBundleUpdateRequestScopedStandardRole' GovernanceBundleUpdateRequestCustomRole: $ref: '#/components/examples/GovernanceBundleUpdateRequestCustomRole' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/GovernanceBundle' examples: GovernanceBundle: $ref: '#/components/examples/GovernanceBundle' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - GovernanceBundle delete: summary: Delete a governance bundle description: Deletes an Admin Console governance bundle operationId: deleteGovernanceBundle responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - GovernanceBundle /api/v1/iam/governance/bundles/{bundleId}/entitlements: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] parameters: - $ref: '#/components/parameters/pathBundleId' get: summary: List all entitlements for a governance bundle description: Lists all entitlements specific to a governance bundle operationId: listBundleEntitlements parameters: - $ref: 
'#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/BundleEntitlementsResponse' examples: BundleEntitlementsResponse: $ref: '#/components/examples/BundleEntitlementsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - GovernanceBundle /api/v1/iam/governance/bundles/{bundleId}/entitlements/{entitlementId}/values: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] parameters: - $ref: '#/components/parameters/pathBundleId' - $ref: '#/components/parameters/pathEntitlementId' get: summary: List all values for a governance bundle entitlement description: Lists all entitlement values that are specific to a governance bundle entitlement operationId: listBundleEntitlementValues parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EntitlementValuesResponse' examples: EntitlementValuesResponse: $ref: '#/components/examples/EntitlementValuesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - GovernanceBundle /api/v1/iam/governance/optIn: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] get: summary: Retrieve the Admin Console opt-in status description: Retrieves the entitlement management opt-in status for the Admin Console operationId: getOptInStatus responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OptInStatusResponse' examples: OptInStatusResponse: $ref: '#/components/examples/OptInStatusResponse' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - GovernanceBundle post: summary: Opt in the Admin Console to entitlement management description: Opts in the Admin Console to entitlement management operationId: optIn responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OptInStatusResponse' examples: OptInStatusResponse: $ref: '#/components/examples/OptInStatusResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - GovernanceBundle /api/v1/iam/governance/optOut: post: summary: Opt out the Admin Console from entitlement management description: Opts out the Admin Console from entitlement management operationId: optOut responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OptInStatusResponse' examples: OptOutStatusResponse: $ref: '#/components/examples/OptOutStatusResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - GovernanceBundle x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/iam/resource-sets: get: summary: List all resource sets description: Lists all resource sets with pagination support operationId: listResourceSets parameters: - $ref: '#/components/parameters/queryAfter' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceSets' examples: Example Response: $ref: '#/components/examples/ResourceSetsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - 
RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a resource set description: |- Creates a new resource set. See [Supported resources](/openapi/okta-management/guides/roles/#supported-resources). > **Note:** The maximum number of `resources` allowed in a resource set object is 1000. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn). operationId: createResourceSet x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateResourceSetRequest' examples: Example Request: $ref: '#/components/examples/ResourceSetRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResourceSet' examples: Example Response: $ref: '#/components/examples/ResourceSetResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetIdOrLabel}: parameters: - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: summary: Retrieve a resource set description: Retrieves a resource set by `resourceSetIdOrLabel` operationId: getResourceSet responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceSet' examples: Example Response: $ref: '#/components/examples/ResourceSetResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a resource set description: Replaces the label and description of a resource set. See [Supported resources](/openapi/okta-management/guides/roles/#supported-resources). operationId: replaceResourceSet x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/ResourceSet' examples: Example Request: $ref: '#/components/examples/ReplaceResourceSetRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceSet' examples: Example Response: $ref: '#/components/examples/ResourceSetResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a resource set description: Deletes a resource set by `resourceSetIdOrLabel` operationId: deleteResourceSet responses: '204': description: No Content '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleCResourceSet x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings: parameters: - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: summary: List all role 
resource set bindings description: |- Lists all bindings for a resource set with pagination support. The returned `roles` array contains the roles for each binding associated with the specified resource set. If there are more than 100 bindings for the specified resource set, `links.next` provides the resource with pagination for the next list of bindings. operationId: listBindings parameters: - $ref: '#/components/parameters/queryAfter' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceSetBindings' examples: Example Response: $ref: '#/components/examples/ResourceSetBindingsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleDResourceSetBinding x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a role resource set binding description: |- Creates a binding for the resource set, custom role, and members (users or groups) > **Note:** If you use a custom role with permissions that don't apply to the resources in the resource set, it doesn't affect the admin role. For example, the `okta.users.userprofile.manage` permission gives the admin no privileges if it's granted to a resource set that only includes `https://{yourOktaDomain}/api/v1/groups/{targetGroupId}` resources. If you want the admin to be able to manage the users within the group, the resource set must include the corresponding `https://{yourOktaDomain}/api/v1/groups/{targetGroupId}/users` resource. 
operationId: createResourceSetBinding x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/ResourceSetBindingCreateRequest' examples: Example Request: $ref: '#/components/examples/ResourceSetBindingCreateRequestExample' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResourceSetBindingEditResponse' examples: Example Response: $ref: '#/components/examples/ResourceSetBindingResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleDResourceSetBinding x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}: parameters: - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' get: summary: Retrieve a role resource set binding description: Retrieves the binding of a role (identified by `roleIdOrLabel`) for a resource set (identified by `resourceSetIdOrLabel`) operationId: getBinding responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceSetBindingResponse' examples: Example Response: $ref: '#/components/examples/ResourceSetBindingResponseWithIdExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleDResourceSetBinding x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: 
summary: Delete a role resource set binding description: Deletes a binding of a role (identified by `roleIdOrLabel`) and a resource set (identified by `resourceSetIdOrLabel`) operationId: deleteBinding responses: '204': description: No Content '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleDResourceSetBinding x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members: parameters: - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' get: summary: List all role resource set binding members description: Lists all members of a role resource set binding with pagination support operationId: listMembersOfBinding parameters: - $ref: '#/components/parameters/queryAfter' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceSetBindingMembers' examples: Example Response: $ref: '#/components/examples/ResourceSetBindingMembersResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleDResourceSetBindingMember x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true patch: summary: Add more role resource set binding members description: Adds more members to a role resource set binding operationId: addMembersToBinding x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/ResourceSetBindingAddMembersRequest' 
examples: Example Request: $ref: '#/components/examples/ResourceSetBindingAddMembersRequestExample' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResourceSetBindingEditResponse' examples: Example Response: $ref: '#/components/examples/ResourceSetBindingResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleDResourceSetBindingMember x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/bindings/{roleIdOrLabel}/members/{memberId}: parameters: - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathRoleIdOrLabel' - $ref: '#/components/parameters/pathMemberId' get: summary: Retrieve a role resource set binding member description: Retrieves a member (identified by `memberId`) that belongs to a role resource set binding operationId: getMemberOfBinding responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceSetBindingMember' examples: Example Response: $ref: '#/components/examples/ResourceSetBindingMemberResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleDResourceSetBindingMember x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a role resource set binding member description: Unassigns a member (identified by `memberId`) from a role 
resource set binding operationId: unassignMemberFromBinding x-codegen-request-body-name: instance responses: '204': description: No Content '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleDResourceSetBindingMember x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources: parameters: - $ref: '#/components/parameters/pathResourceSetIdOrLabel' get: summary: List all resource set resources description: Lists all resources for the resource set operationId: listResourceSetResources parameters: - name: after description: Specifies the pagination cursor for the next page of targets in: query schema: type: string required: false - name: limit in: query description: Specifies the number of results returned. Defaults to `100`. 
schema: type: integer format: int32 default: 100 required: false responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceSetResources' examples: Example Response: $ref: '#/components/examples/ResourceSetResourcesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleCResourceSetResource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Add a resource set resource with conditions description: Adds a resource with conditions for a resource set operationId: addResourceSetResource x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/ResourceSetResourcePostRequest' examples: ConditionExample: $ref: '#/components/examples/ResourceSetResourcePostRequestExample' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResourceSetResource' examples: ConditionExample: $ref: '#/components/examples/ResourceSetResourceResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleCResourceSetResource patch: summary: Add more resources to a resource set description: Adds more resources to a resource set operationId: addResourceSetResources x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: 
'#/components/schemas/ResourceSetResourcePatchRequest' examples: Example Request: $ref: '#/components/examples/ResourceSetResourcePatchRequestExample' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResourceSet' examples: Example Response: $ref: '#/components/examples/ResourceSetResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleCResourceSetResource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}: parameters: - $ref: '#/components/parameters/pathResourceSetIdOrLabel' - $ref: '#/components/parameters/pathResourceId' get: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Retrieve a resource set resource description: Retrieves a resource identified by `resourceId` in a resource set operationId: getResourceSetResource responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResourceSetResource' examples: Example Response: $ref: '#/components/examples/ResourceSetResourceResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleCResourceSetResource put: x-okta-lifecycle: lifecycle: GA 
isGenerallyAvailable: true summary: Replace the resource set resource conditions description: Replaces the conditions of a resource identified by `resourceId` in a resource set operationId: replaceResourceSetResource requestBody: content: application/json: schema: $ref: '#/components/schemas/ResourceSetResourcePutRequest' examples: Example Request: $ref: '#/components/examples/ResourceSetResourcePutRequestExample' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResourceSetResource' examples: Example Response: $ref: '#/components/examples/ResourceSetResourceResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleCResourceSetResource delete: summary: Delete a resource set resource description: Deletes a resource (identified by `resourceId`) from a resource set operationId: deleteResourceSetResource responses: '204': description: No Content '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleCResourceSetResource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/roles: get: summary: List all custom roles description: Lists all custom roles with pagination support operationId: listRoles parameters: - $ref: '#/components/parameters/queryAfter' responses: '200': description: OK content: 
application/json: schema: $ref: '#/components/schemas/IamRoles' examples: Example Response: $ref: '#/components/examples/RolesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a custom role description: Creates a custom role operationId: createRole x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateIamRoleRequest' examples: Example Request: $ref: '#/components/examples/RoleRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IamRole' examples: Example Response: $ref: '#/components/examples/RoleResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' get: summary: Retrieve a role description: Retrieves a role by `roleIdOrLabel` operationId: getRole responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/IamRole' examples: Example Response: $ref: '#/components/examples/RoleResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleECustom x-okta-lifecycle: lifecycle: GA 
isGenerallyAvailable: true put: summary: Replace a custom role description: Replaces the label and description for a custom role by `roleIdOrLabel` operationId: replaceRole x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateIamRoleRequest' examples: Example Request: $ref: '#/components/examples/ReplaceRoleRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/IamRole' examples: Example Response: $ref: '#/components/examples/RoleResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a custom role description: Deletes a custom role by `roleIdOrLabel` operationId: deleteRole responses: '204': description: No Content '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleECustom x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}/permissions: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' get: summary: List all custom role permissions description: Lists all permissions for a custom role by `roleIdOrLabel` operationId: listRolePermissions responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Permissions' examples: Example Response: $ref: 
'#/components/examples/PermissionsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleECustomPermission x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/iam/roles/{roleIdOrLabel}/permissions/{permissionType}: parameters: - $ref: '#/components/parameters/pathRoleIdOrLabel' - $ref: '#/components/parameters/pathPermissionType' get: summary: Retrieve a custom role permission description: Retrieves a permission (identified by `permissionType`) for a custom role operationId: getRolePermission responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Permission' examples: Example Response without conditions: $ref: '#/components/examples/PermissionResponse' Example Response with conditions: $ref: '#/components/examples/PermissionResponseWithConditions' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleECustomPermission x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a custom role permission description: Creates a permission (specified by `permissionType`) for a custom role operationId: createRolePermission x-codegen-request-body-name: instance requestBody: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true content: application/json: schema: $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' examples: Example Request with include: $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude' Example Request with exclude: $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude' required: false responses: '204': 
description: No Content '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleECustomPermission x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Replace a custom role permission description: Replaces a permission (specified by `permissionType`) for a custom role operationId: replaceRolePermission x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUpdateIamRolePermissionRequest' examples: Example Request with include: $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithInclude' Example Request with exclude: $ref: '#/components/examples/CreateUpdateIamRolePermissionRequestExampleWithExclude' required: false responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Permission' examples: Example Response: $ref: '#/components/examples/PermissionResponseWithConditions' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleECustomPermission delete: summary: Delete a custom role permission description: Deletes a permission (identified by `permissionType`) from a custom role operationId: deleteRolePermission responses: '204': description: No Content '403': description: Forbidden headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleECustomPermission x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/identity-sources/{identitySourceId}/sessions: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' get: summary: List all identity source sessions description: Lists all identity source sessions for the given identity source instance operationId: listIdentitySourceSessions responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/IdentitySourceSession' examples: sessionsList: $ref: '#/components/examples/ListSessionsResponseForGetSessions' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.read tags: - IdentitySource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] post: summary: Create an identity source session description: Creates an identity source session for the given identity source instance operationId: createIdentitySourceSession responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdentitySourceSession' examples: session: $ref: '#/components/examples/GetSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: 
'#/components/parameters/pathIdentitySourceSessionId' get: summary: Retrieve an identity source session description: Retrieves an identity source session for a given identity source ID and session ID operationId: getIdentitySourceSession responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdentitySourceSession' examples: session: $ref: '#/components/examples/GetSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.read tags: - IdentitySource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] delete: summary: Delete an identity source session description: Deletes an identity source session for a given identity source ID and session ID operationId: deleteIdentitySourceSession responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-delete: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the data to be deleted in Okta description: Uploads external IDs of entities that need to be deleted in Okta from the identity source for the given session operationId: uploadIdentitySourceDataForDelete requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkDeleteRequestBody' examples: bulkDeletePayload: $ref: '#/components/examples/bulkDeletePayload' responses: '202': description: Accepted '400': $ref: 
'#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-group-memberships-delete: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the group memberships to be deleted in Okta description: Uploads the group memberships that need to be deleted in Okta from the identity source for the given session operationId: uploadIdentitySourceGroupMembershipsForDelete requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkGroupMembershipsDeleteRequestBody' examples: bulkGroupMembershipsDeletePayload: $ref: '#/components/examples/bulkGroupMembershipsDeletePayload' responses: '202': description: Accepted '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-group-memberships-upsert: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the group memberships to be upserted in Okta description: Uploads the group memberships that need to be inserted or updated in Okta from the identity source for the given session operationId: 
uploadIdentitySourceGroupMembershipsForUpsert requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkGroupMembershipsUpsertRequestBody' examples: bulkGroupMembershipsUpsertPayload: $ref: '#/components/examples/bulkGroupMembershipsUpsertPayload' responses: '202': description: Accepted '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-groups-delete: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the group external IDs to be deleted in Okta description: Uploads external IDs of groups that need to be deleted in Okta from the identity source for the given session operationId: uploadIdentitySourceGroupsDataForDelete requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkGroupDeleteRequestBody' examples: bulkGroupDeletePayload: $ref: '#/components/examples/bulkGroupDeletePayload' responses: '202': description: Accepted '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-groups-upsert: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: 
'#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the group profiles without memberships to be upserted in Okta description: Uploads the group profiles without memberships that need to be inserted or updated in Okta from the identity source for the given session operationId: uploadIdentitySourceGroupsForUpsert requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkGroupUpsertRequestBody' examples: bulkGroupUpsertPayload: $ref: '#/components/examples/bulkGroupUpsertPayload' responses: '202': description: Accepted '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/bulk-upsert: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Upload the data to be upserted in Okta description: Uploads entities that need to be inserted or updated in Okta from the identity source for the given session operationId: uploadIdentitySourceDataForUpsert requestBody: content: application/json: schema: $ref: '#/components/schemas/BulkUpsertRequestBody' examples: bulkUpsertPayload: $ref: '#/components/examples/bulkUpsertPayload' responses: '202': description: Accepted '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: GA 
isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/sessions/{sessionId}/start-import: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: '#/components/parameters/pathIdentitySourceSessionId' post: summary: Start the import from the identity source description: Starts the import from the identity source described by the uploaded bulk operations operationId: startImportFromIdentitySource responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdentitySourceSession' examples: triggeredSession: $ref: '#/components/examples/TriggerSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/identity-sources/{identitySourceId}/users: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' post: summary: Create an identity source user description: Creates a user in an identity source for the given identity source instance operationId: createIdentitySourceUser requestBody: content: application/json: schema: $ref: '#/components/schemas/UserRequestSchema' examples: userCreatePayload: $ref: '#/components/examples/UserPayload' responses: '200': description: Success '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/identity-sources/{identitySourceId}/users/{externalId}: parameters: - $ref: '#/components/parameters/pathIdentitySourceId' - $ref: 
'#/components/parameters/pathExternalUserId' get: summary: Retrieve an identity source user description: Retrieves a user by external ID in an identity source for the given identity source instance operationId: getIdentitySourceUser responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserResponseSchema' examples: userResponse: $ref: '#/components/examples/UserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.read tags: - IdentitySource put: summary: Replace an existing identity source user description: Replaces an existing user for the given identity source instance and external ID operationId: replaceExistingIdentitySourceUser requestBody: content: application/json: schema: $ref: '#/components/schemas/UserRequestSchema' examples: userReplacePayload: $ref: '#/components/examples/UserReplacePayload' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserResponseSchema' examples: userResponse: $ref: '#/components/examples/UserReplaceResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource patch: summary: Update an identity source user description: Updates a user in an identity source for the given identity source instance and external ID operationId: updateIdentitySourceUsers requestBody: content: application/json: schema: $ref: '#/components/schemas/UsersUpdateRequestSchema' examples: userCreatePayload: $ref: '#/components/examples/UserUpdatePayload' responses: '200': description: Success content: application/json: schema: $ref:
'#/components/schemas/UserResponseSchema' examples: userResponse: $ref: '#/components/examples/UserUpdateResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource delete: summary: Delete an identity source user description: Deletes a user in an identity source for the given identity source instance and external ID operationId: deleteIdentitySourceUser responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.identitySources.manage tags: - IdentitySource /api/v1/idps: get: summary: List all IdPs description: Lists all identity provider (IdP) integrations with pagination. A subset of IdPs can be returned that match a supported filter expression or query. 
operationId: listIdentityProviders parameters: - name: q in: query description: Searches the `name` property of IdPs for a matching value schema: type: string example: Example SAML - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' - name: type in: query description: Filters IdPs by `type` schema: $ref: '#/components/schemas/IdentityProviderType' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/IdentityProvider' examples: MultipleIdPsResponse: $ref: '#/components/examples/MultipleIdPsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProvider x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an IdP description: |- Creates a new identity provider (IdP) integration. #### SAML 2.0 IdP You must first add the IdP's signature certificate to the IdP key store before you can add a SAML 2.0 IdP with a `kid` credential reference. Don't use `fromURI` to automatically redirect a user to a particular app after successfully authenticating with a third-party IdP. Instead, use SAML deep links. Using `fromURI` isn't tested or supported. For more information about using deep links when signing users in using an SP-initiated flow, see [Understanding SP-Initiated Login flow](https://developer.okta.com/docs/concepts/saml/#understanding-sp-initiated-login-flow). Use SAML deep links to automatically redirect the user to an app after successfully authenticating with a third-party IdP. To use deep links, assemble these three parts into a URL: * SP ACS URL
For example: `https://${yourOktaDomain}/sso/saml2/:idpId` * The app to which the user is automatically redirected after successfully authenticating with the IdP
For example: `/app/:app-location/:appId/sso/saml` * Optionally, if the app is an outbound SAML app, you can specify the `relayState` passed to it.
For example: `?RelayState=:anyUrlEncodedValue` The deep link for the above three parts is:
`https://${yourOktaDomain}/sso/saml2/:idpId/app/:app-location/:appId/sso/saml?RelayState=:anyUrlEncodedValue` #### Smart Card X509 IdP You must first add the IdP's server certificate to the IdP key store before you can add a Smart Card `X509` IdP with a `kid` credential reference. You need to upload the whole trust chain as a single key using the [Key Store API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderKeys/#tag/IdentityProviderKeys/operation/createIdentityProviderKey). Depending on the information stored in the smart card, select the proper [template](https://developer.okta.com/docs/reference/okta-expression-language/#idp-user-profile): `idpuser.subjectAltNameEmail` or `idpuser.subjectAltNameUpn`. #### Identity verification vendors as identity providers Identity verification (IDV) vendors work like IdPs, with a few key differences. IDV vendors verify your users' identities by requiring them to submit a proof of identity. There are many ways to verify user identities. For example, a proof of identity can be a selfie to determine liveness, or it can require users to submit a photo of their driver's license and match that information against a database. There are three IDV vendors (Persona, CLEAR Verified, and Incode) with specific configuration settings and another IDV vendor type (Custom IDV) that lets you create a custom IDV vendor, using a [standardized IDV process](https://developer.okta.com/docs/guides/idv-integration/main/). You can configure each of the IDV vendors as IdPs in your org by creating an account with the vendor, and then creating an IdP integration. Control how the IDVs verify your users by using [Okta account management policy rules](https://developer.okta.com/docs/guides/okta-account-management-policy/main/).
* [Persona](https://withpersona.com/) * [CLEAR Verified](https://www.clearme.com/) * [Incode](https://incode.com/) * [Custom IDV](https://help.okta.com/okta_help.htm?type=oie&id=idp-add-custom-idv-vendor) operationId: createIdentityProvider x-codegen-request-body-name: identityProvider requestBody: description: IdP settings content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' examples: CreateGenericOidcIdPRequest: $ref: '#/components/examples/CreateGenericOidcIdPRequest' CreateSamlIdPRequest: $ref: '#/components/examples/CreateSamlIdPRequest' CreateAppleIdPRequest: $ref: '#/components/examples/CreateAppleIdPRequest' CreateFacebookIdPRequest: $ref: '#/components/examples/CreateFacebookIdPRequest' CreateGoogleIdPRequest: $ref: '#/components/examples/CreateGoogleIdPRequest' CreateMicrosoftIdPRequest: $ref: '#/components/examples/CreateMicrosoftIdPRequest' CreateSmartCardIdPRequest: $ref: '#/components/examples/CreateSmartCardIdPRequest' CreatePersonaIDVRequest: $ref: '#/components/examples/CreatePersonaIDVRequest' CreateCLEARIDVRequest: $ref: '#/components/examples/CreateCLEARIDVRequest' CreateIncodeIDVRequest: $ref: '#/components/examples/CreateIncodeIDVRequest' CreateCustomIDVRequest: $ref: '#/components/examples/CreateCustomIDVRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' examples: CreateGenericOidcIdpResponse: $ref: '#/components/examples/GenericOidcIdpResponse' CreateSamlIdPResponse: $ref: '#/components/examples/SamlIdPResponse' CreateAppleIdPResponse: $ref: '#/components/examples/AppleIdPResponse' CreateFacebookIdPResponse: $ref: '#/components/examples/FacebookIdPResponse' CreateGoogleIdPResponse: $ref: '#/components/examples/GoogleIdPResponse' CreateMicrosoftIdPResponse: $ref: '#/components/examples/MicrosoftIdPResponse' CreateSmartCardIdPResponse: $ref: '#/components/examples/SmartCardIdPResponse' CreatePersonaIDVResponse: $ref: 
'#/components/examples/PersonaIDVResponse' CreateCLEARIDVResponse: $ref: '#/components/examples/CLEARIDVResponse' CreateIncodeIDVResponse: $ref: '#/components/examples/IncodeIDVResponse' CreateCustomIDVResponse: $ref: '#/components/examples/CustomIDVResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProvider x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/credentials/keys: get: summary: List all IdP key credentials description: Lists all identity provider (IdP) key credentials operationId: listIdentityProviderKeys parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/IdPKeyCredential' examples: ListIdPKeyCredentialsResponse: $ref: '#/components/examples/MultipleIdPKeyCredentialsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an IdP key credential description: |- Creates a new X.509 certificate credential in the identity provider (IdP) key store > **Note:** RSA-based certificates are supported for all IdP types. Okta currently supports EC-based certificates only for the `X509` IdP type. For EC-based certificates we support only P-256, P-384, and P-521 curves. 
operationId: createIdentityProviderKey x-codegen-request-body-name: jsonWebKey requestBody: content: application/json: schema: $ref: '#/components/schemas/IdPCertificateCredential' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdPKeyCredential' examples: IdPKeyCredentialResponse: $ref: '#/components/examples/IdPKeyCredentialResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/credentials/keys/{kid}: parameters: - $ref: '#/components/parameters/pathKid' get: summary: Retrieve an IdP key credential description: Retrieves a specific identity provider (IdP) key credential by `kid` operationId: getIdentityProviderKey responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdPKeyCredential' examples: IdPKeyCredentialResponse: $ref: '#/components/examples/IdPKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace an IdP key credential description: Replaces an identity provider (IdP) key credential by `kid` operationId: replaceIdentityProviderKey requestBody: description: Updated IdP key credential content: application/json: schema: $ref: '#/components/schemas/IdPKeyCredential' examples: IdPKeyCredentialRequest: $ref: '#/components/examples/IdPKeyCredentialRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: 
'#/components/schemas/IdPKeyCredential' examples: IdPKeyCredentialResponse: $ref: '#/components/examples/IdPKeyCredentialResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an IdP key credential description: Deletes a specific identity provider (IdP) key credential by `kid` if it isn't currently being used by an active or inactive IdP operationId: deleteIdentityProviderKey responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProviderKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}: parameters: - $ref: '#/components/parameters/pathIdpId' get: summary: Retrieve an IdP description: Retrieves an identity provider (IdP) integration by `idpId` operationId: getIdentityProvider responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' examples: GenericOidcIdpResponse: $ref: '#/components/examples/GenericOidcIdpResponse' SamlIdPResponse: $ref: '#/components/examples/SamlIdPResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProvider x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace an IdP description: Replaces an identity 
provider (IdP) integration by `idpId` operationId: replaceIdentityProvider x-codegen-request-body-name: identityProvider requestBody: description: Updated configuration for the IdP content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' examples: ReplaceIdPRequest: $ref: '#/components/examples/ReplaceIdPRequestResponse' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdentityProvider' examples: ReplaceIdPResponse: $ref: '#/components/examples/ReplaceIdPRequestResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProvider x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an IdP description: |- Deletes an identity provider (IdP) integration by `idpId` * All existing IdP users are unlinked with the highest order profile source taking precedence for each IdP user. * Unlinked users keep their existing authentication provider such as `FEDERATION` or `SOCIAL`. 
operationId: deleteIdentityProvider responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProvider x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/csrs: parameters: - $ref: '#/components/parameters/pathIdpId' get: summary: List all certificate signing requests description: Lists all certificate signing requests (CSRs) for an identity provider (IdP) operationId: listCsrsForIdentityProvider responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/IdPCsr' examples: MultipleIdPCsrsResponse: $ref: '#/components/examples/MultipleIdPCsrsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Generate a certificate signing request description: |- Generates a new key pair and returns a certificate signing request (CSR) for it > **Note:** The private key isn't listed in the [signing key credentials for the identity provider (IdP)](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProviderSigningKeys/#tag/IdentityProviderSigningKeys/operation/listIdentityProviderSigningKeys) until it's published. 
operationId: generateCsrForIdentityProvider x-codegen-request-body-name: metadata requestBody: content: application/json: schema: $ref: '#/components/schemas/CsrMetadata' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/IdPCsr' examples: CsrJsonResponse: $ref: '#/components/examples/CsrJsonResponse' application/pkcs10: schema: $ref: '#/components/schemas/IdPCsrPkcs10' examples: CsrPkcs10Response: $ref: '#/components/examples/CsrPkcs10Response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}: parameters: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathIdpCsrId' get: summary: Retrieve a certificate signing request description: Retrieves a specific certificate signing request (CSR) by `id` operationId: getCsrForIdentityProvider responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdPCsr' examples: CsrJsonResponse: $ref: '#/components/examples/CsrJsonResponse' application/pkcs10: schema: $ref: '#/components/schemas/IdPCsrPkcs10' examples: CsrPkcs10Response: $ref: '#/components/examples/CsrPkcs10Response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a certificate signing request description: Revokes a certificate signing 
request (CSR) and deletes the key pair from the identity provider (IdP) operationId: revokeCsrForIdentityProvider responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/csrs/{idpCsrId}/lifecycle/publish: parameters: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathIdpCsrId' post: summary: Publish a certificate signing request description: |- Publishes the certificate signing request (CSR) with a signed X.509 certificate and adds it into the signing key credentials for the identity provider (IdP) > **Notes:** > * Publishing a certificate completes the lifecycle of the CSR, and it's no longer accessible. > * If the validity period of the certificate is less than 90 days, a 400 error response is returned. operationId: publishCsrForIdentityProvider requestBody: required: true content: application/pkix-cert: schema: type: string format: binary description: |- X.509 certificate in `DER` format. The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`. x-okta-operationId: publishBinaryDerCertForIdentityProvider application/x-x509-ca-cert: schema: type: string format: binary description: |- X.509 certificate in `CER` format. The client can either post in binary or Base64URL-encoded. If the post is Base64URL-encoded, set the `Content-Transfer-Encoding` header to `base64`.
example: '@certificate.cer' x-okta-operationId: publishBinaryCerCertForIdentityProvider application/x-pem-file: schema: type: string format: binary description: X.509 certificate in `PEM` format example: '@certificate.pem' x-okta-operationId: publishBinaryPemCertForIdentityProvider responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/IdPKeyCredential' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys: parameters: - $ref: '#/components/parameters/pathIdpId' get: summary: List all signing key credentials for IdP description: Lists all signing key credentials for an identity provider (IdP) operationId: listIdentityProviderSigningKeys responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/IdPKeyCredential' examples: MultipleIdPSigningKeyCredentialsResponse: $ref: '#/components/examples/MultipleIdPSigningKeyCredentialsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys/active: parameters: - $ref: '#/components/parameters/pathIdpId' get: summary: List the active signing key credential for IdP description: Lists the active signing key credential for an identity provider (IdP) operationId: listActiveIdentityProviderSigningKey responses: '200': description: 
Success content: application/json: schema: type: array items: $ref: '#/components/schemas/IdPKeyCredential' examples: ActiveIdPSigningKeyCredentialResponse: $ref: '#/components/examples/ActiveIdPSigningKeyCredentialResponse' '204': description: No Content content: {} '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProviderSigningKeys x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys/generate: parameters: - $ref: '#/components/parameters/pathIdpId' post: summary: Generate a new signing key credential for IdP description: |- Generates a new X.509 certificate for an identity provider (IdP) signing key credential to be used for signing assertions sent to the IdP. IdP signing keys are read-only. > **Note:** To update an IdP with the newly generated key credential, [update your IdP](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider) using the returned key's `kid` in the [signing credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/credentials/signing/kid&t=request). 
operationId: generateIdentityProviderSigningKey parameters: - name: validityYears in: query description: Expiry of the IdP key credential required: true schema: type: integer format: int32 minimum: 2 maximum: 10 responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdPKeyCredential' examples: IdPSigningKeyCredentialResponse: $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.manage tags: - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys/{kid}: parameters: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathKid' get: summary: Retrieve a signing key credential for IdP description: Retrieves a specific identity provider (IdP) key credential by `kid` operationId: getIdentityProviderSigningKey responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/IdPKeyCredential' examples: IdPSigningKeyCredentialResponse: $ref: '#/components/examples/IdPSigningKeyCredentialResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.idps.read tags: - IdentityProviderSigningKeys x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/idps/{idpId}/credentials/keys/{kid}/clone: parameters: - $ref: '#/components/parameters/pathIdpId' - $ref: '#/components/parameters/pathKid' post: summary: Clone a signing key credential for IdP description: |- Clones an X.509 certificate for an identity provider (IdP) signing key credential from a source IdP to target IdP > **Caution:**
        Sharing certificates isn't a recommended security practice.

        > **Note:** If the key is already present in the list of key credentials for the target IdP, you receive a 400 error response.
      operationId: cloneIdentityProviderKey
      parameters:
        - name: targetIdpId
          in: query
          required: true
          description: '`id` of the target IdP'
          schema:
            type: string
      responses:
        '201':
          description: Created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdPKeyCredential'
              examples:
                IdPSigningKeyCredentialResponse:
                  $ref: '#/components/examples/IdPSigningKeyCredentialResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.idps.manage
      tags:
        - IdentityProviderSigningKeys
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/idps/{idpId}/lifecycle/activate:
    parameters:
      - $ref: '#/components/parameters/pathIdpId'
    post:
      summary: Activate an IdP
      description: Activates an inactive identity provider (IdP)
      operationId: activateIdentityProvider
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProvider'
              examples:
                ActivateIdPResponse:
                  $ref: '#/components/examples/ActivateIdPResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.idps.manage
      tags:
        - IdentityProvider
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/idps/{idpId}/lifecycle/deactivate:
    parameters:
      - $ref: '#/components/parameters/pathIdpId'
    post:
      summary: Deactivate an IdP
      description: Deactivates an active identity provider (IdP)
      operationId: deactivateIdentityProvider
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProvider'
              examples:
                DeactivateIdPResponse:
                  $ref: '#/components/examples/DeactivateIdPResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.idps.manage
      tags:
        - IdentityProvider
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/idps/{idpId}/users:
    parameters:
      - $ref: '#/components/parameters/pathIdpId'
    get:
      summary: List all users for IdP
      description: Lists all the users linked to an identity provider (IdP)
      operationId: listIdentityProviderApplicationUsers
      parameters:
        - $ref: '#/components/parameters/queryFilter'
        - $ref: '#/components/parameters/queryAfter'
        - $ref: '#/components/parameters/queryLimit'
        - name: expand
          in: query
          description: Expand user data
          schema:
            type: string
            example: user
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/IdentityProviderApplicationUser'
              examples:
                ListIdPUsersResponse:
                  $ref: '#/components/examples/ListIdPUsersResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.idps.read
      tags:
        - IdentityProviderUsers
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/idps/{idpId}/users/{userId}:
    parameters:
      - $ref: '#/components/parameters/pathIdpId'
      - $ref: '#/components/parameters/pathUserId'
    get:
      summary: Retrieve a user for IdP
      description: Retrieves a linked identity provider (IdP) user by ID
      operationId: getIdentityProviderApplicationUser
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProviderApplicationUser'
              examples:
                IdPAppUserResponse:
                  $ref: '#/components/examples/IdPAppUserResponse'
        '403':
          $ref:
            '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.idps.read
      tags:
        - IdentityProviderUsers
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    post:
      summary: Link a user to IdP
      description: |-
        Links an Okta user to an existing SAML or social identity provider (IdP).

        The SAML IdP must have `honorPersistentNameId` set to `true` to use this API.
        The [Name Identifier Format](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/replaceIdentityProvider!path=protocol/0/settings&t=request) of the incoming assertion must be `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`.
      operationId: linkUserToIdentityProvider
      x-codegen-request-body-name: userIdentityProviderLinkRequest
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserIdentityProviderLinkRequest'
        required: true
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IdentityProviderApplicationUser'
              examples:
                LinkIdPAppUserResponse:
                  $ref: '#/components/examples/LinkIdPAppUserResponse'
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.users.manage
      tags:
        - IdentityProviderUsers
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    delete:
      summary: Unlink a user from IdP
      description: Unlinks the Okta user and the identity provider (IdP) user. The next time the user federates into Okta through this IdP, they have to re-link their account according to the account link policy.
      operationId: unlinkUserFromIdentityProvider
      responses:
        '204':
          description: No Content
          content: {}
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.idps.manage
      tags:
        - IdentityProviderUsers
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/idps/{idpId}/users/{userId}/credentials/tokens:
    parameters:
      - $ref: '#/components/parameters/pathIdpId'
      - $ref: '#/components/parameters/pathUserId'
    get:
      summary: List all tokens from OIDC IdP
      description: |-
        Lists the tokens minted by the social authentication provider when the user authenticates with Okta via Social Auth.

        Okta doesn't import all the user information from a social provider. If the app needs information that isn't imported, it can get the user token from this endpoint. Then the app can make an API call to the social provider with the token to request the additional information.
      operationId: listSocialAuthTokens
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/SocialAuthToken'
              examples:
                SocialAuthTokensResponse:
                  $ref: '#/components/examples/SocialAuthTokensResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.idps.read
      tags:
        - IdentityProviderUsers
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/inlineHooks:
    get:
      summary: List all inline hooks
      description: |-
        Lists all inline hooks or all inline hooks of a specific type.

        When listing a specific inline hook, you need to specify its type.
        The following types are currently supported:

        | Type Value | Name |
        |------------------------------------|----------------------------------------------------------------|
        | `com.okta.import.transform` | [User import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createUserImportInlineHook) |
        | `com.okta.oauth2.tokens.transform` | [Token inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTokenInlineHook) |
        | `com.okta.saml.tokens.transform` | [SAML assertion inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createSAMLAssertionInlineHook) |
        | `com.okta.telephony.provider` | [Telephony inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook) |
        | `com.okta.user.credential.password.import` | [Password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) |
        | `com.okta.user.pre-registration` | [Registration inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook) |
      operationId: listInlineHooks
      parameters:
        - $ref: '#/components/parameters/inlineHookType'
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/InlineHook'
              examples:
                InlineHooktMgmtListAllexample:
                  $ref: '#/components/examples/InlineHooktMgmtListAllexample'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.read
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    post:
      summary: Create an inline hook
      description: |-
        Creates an inline hook

        This endpoint creates an inline hook for your org in an `ACTIVE` status.
        You need to pass an inline hooks object in the JSON payload of your request. That object represents the set of required information about the inline hook that you're registering, including:

        * The URI of your external service endpoint
        * The type of inline hook you're registering
        * The type of authentication you're registering

        There are two authentication options that you can configure for your inline hook: HTTP headers and OAuth 2.0 tokens.

        HTTP headers let you specify a secret API key that you want Okta to pass to your external service endpoint (so that your external service can check for its presence as a security measure).

        >**Note:** The API key that you set here is unrelated to the Okta API token you must supply when making calls to Okta APIs.

        You can also optionally specify extra headers that you want Okta to pass to your external service with each call.

        To configure HTTP header authentication, see parameters for the `config` object.

        OAuth 2.0 tokens provide enhanced security between Okta and your external service. You can configure these tokens for the following types—client secret and private key.

        >**Note:** Your external service's endpoint needs to be a valid HTTPS endpoint. The URI you specify should always begin with `https://`.

        The total number of inline hooks that you can create in an Okta org is limited to 50, which is a combined total for any combination of inline hook types.
      operationId: createInlineHook
      x-codegen-request-body-name: inlineHookCreate
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/InlineHookCreate'
            examples:
              CreateInlineHookHTTP:
                $ref: '#/components/examples/InlineHookMgmtCreateHTTPRequest'
              CreateInlineHookOAuthClientSecret:
                $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretRequest'
              CreateInlineHookOAuthPrivateKey:
                $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyRequest'
        required: true
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InlineHookCreateResponse'
              examples:
                CreateInlineHookHTTP:
                  $ref: '#/components/examples/InlineHookMgmtCreateHTTPResponse'
                CreateInlineHookOAuthClientSecret:
                  $ref: '#/components/examples/InlineHookMgmtCreateOAuthClientSecretResponse'
                CreateInlineHookOAuthPrivateKey:
                  $ref: '#/components/examples/InlineHookMgmtCreateOAuthPrivateKeyResponse'
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.manage
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/inlineHooks/{inlineHookId}:
    parameters:
      - $ref: '#/components/parameters/pathInlineHookId'
    get:
      summary: Retrieve an inline hook
      description: Retrieves an inline hook by `inlineHookId`
      operationId: getInlineHook
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InlineHook'
              examples:
                InlineHookHTTP:
                  $ref: '#/components/examples/InlineHookMgmtHTTPexample'
                InlineHookOAuthClientSecret:
                  $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample'
                InlineHookOAuthPrivateKey:
                  $ref: '#/components/examples/InlineHookMgmtOauthPKJexample'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref:
            '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.read
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    post:
      summary: Update an inline hook
      description: Updates an inline hook by `inlineHookId`
      operationId: updateInlineHook
      x-codegen-request-body-name: inlineHook
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/InlineHookReplace'
            examples:
              UpdateInlineHookHTTP:
                $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest'
        required: true
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InlineHook'
              examples:
                UpdateInlineHookHTTP:
                  $ref: '#/components/examples/InlineHookMgmtPutResponse'
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.manage
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    put:
      summary: Replace an inline hook
      description: |-
        Replaces an inline hook by `inlineHookId`. The submitted inline hook properties replace the existing properties after passing validation.

        >**Note:** Some properties are immutable and can't be updated.
      operationId: replaceInlineHook
      x-codegen-request-body-name: inlineHook
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/InlineHookReplace'
            examples:
              UpdateInlineHookHTTP:
                $ref: '#/components/examples/InlineHookMgmtPutHTTPRequest'
        required: true
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InlineHook'
              examples:
                UpdateInlineHookHTTP:
                  $ref: '#/components/examples/InlineHookMgmtPutResponse'
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.manage
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
    delete:
      summary: Delete an inline hook
      description: Deletes an inline hook by `inlineHookId`. After it's deleted, the inline hook is unrecoverable. As a safety precaution, only inline hooks with a status of `INACTIVE` are eligible for deletion.
      operationId: deleteInlineHook
      responses:
        '204':
          description: No Content
          content: {}
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.manage
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/inlineHooks/{inlineHookId}/execute:
    parameters:
      - $ref: '#/components/parameters/pathInlineHookId'
    post:
      summary: Execute an inline hook
      description: |-
        Executes the inline hook that matches the provided `inlineHookId` by using the request body as the input. This inline hook sends the provided data through the `channel` object and returns a response if it matches the correct data contract. Otherwise it returns an error.
        You need to construct a JSON payload that matches the payloads that Okta would send to your external service for this inline hook type.

        A timeout of three seconds is enforced on all outbound requests, with one retry in the event of a timeout or an error response from the remote system. If a successful response isn't received after the request, a 400 error is returned with more information about what failed.

        >**Note:** This execution endpoint isn't tied to any other functionality in Okta, and you should only use it for testing purposes.
      operationId: executeInlineHook
      x-codegen-request-body-name: payloadData
      requestBody:
        content:
          application/json:
            schema:
              oneOf:
                - $ref: '#/components/schemas/PasswordImportRequestExecute'
                - $ref: '#/components/schemas/TelephonyRequestExecute'
                - $ref: '#/components/schemas/RegistrationInlineHookRequest'
                - $ref: '#/components/schemas/TokenRequest'
                - $ref: '#/components/schemas/SAMLPayloadExecute'
                - $ref: '#/components/schemas/UserImportRequestExecute'
            examples:
              PasswordImportPayloadExample:
                $ref: '#/components/examples/PasswordImportPayloadExample'
              TelephonyPayloadExample:
                $ref: '#/components/examples/TelephonyPayloadExample'
              ProfileEnrollmentRequest:
                $ref: '#/components/examples/ProfileEnrollmentRequest'
              TokenPayLoadExample:
                $ref: '#/components/examples/TokenPayLoadExample'
              SAMLPayloadExample:
                $ref: '#/components/examples/SAMLPayLoadExample'
              UserImportPayloadExample:
                $ref: '#/components/examples/UserImportPayloadExample'
        required: true
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/PasswordImportResponse'
                  - $ref: '#/components/schemas/TelephonyResponse'
                  - $ref: '#/components/schemas/RegistrationInlineHookResponse'
                  - $ref: '#/components/schemas/TokenHookResponse'
                  - $ref: '#/components/schemas/SAMLHookResponse'
                  - $ref: '#/components/schemas/UserImportResponse'
              examples:
                PasswordImportPayloadExample:
                  $ref: '#/components/examples/PasswordImportVerifiedResponse'
                TelephonyPayloadExample:
                  $ref: '#/components/examples/TelephonySuccessResponse'
                ProfileEnrollmentRequest:
                  $ref: '#/components/examples/ProfileEnrollmentResponse'
                TokenPayLoadExample:
                  $ref: '#/components/examples/TokenHookResponse'
                SAMLPayloadExample:
                  $ref: '#/components/examples/SAMLHookResponseExample'
                UserImportPayloadExample:
                  $ref: '#/components/examples/UserImportChangeAppUserProfileExample'
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.manage
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/inlineHooks/{inlineHookId}/lifecycle/activate:
    parameters:
      - $ref: '#/components/parameters/pathInlineHookId'
    post:
      summary: Activate an inline hook
      description: Activates the inline hook by `inlineHookId`
      operationId: activateInlineHook
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InlineHook'
              examples:
                ActivateAnInlineHook:
                  $ref: '#/components/examples/InlineHookMgmtOAuthCSPexample'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.manage
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/inlineHooks/{inlineHookId}/lifecycle/deactivate:
    parameters:
      - $ref: '#/components/parameters/pathInlineHookId'
    post:
      summary: Deactivate an inline hook
      description: Deactivates the inline hook by `inlineHookId`
      operationId: deactivateInlineHook
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InlineHook'
              examples:
                DeactivateAnInlineHook:
                  $ref:
                    '#/components/examples/InlineHookMgmtHTTPexampleDeactivate'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.inlineHooks.manage
      tags:
        - InlineHook
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/logStreams:
    get:
      summary: List all log streams
      description: Lists all log stream objects in your org. You can request a paginated list or a subset of log streams that match a supported filter expression.
      operationId: listLogStreams
      parameters:
        - $ref: '#/components/parameters/queryAfter'
        - $ref: '#/components/parameters/queryLimit'
        - name: filter
          in: query
          description: An expression that [filters](/#filter) the returned objects. You can only use the `eq` operator on either the `status` or `type` properties in the filter expression.
          schema:
            type: string
            example: type eq "aws_eventbridge"
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/LogStream'
              examples:
                ExampleGetAllResponse:
                  $ref: '#/components/examples/LogStreamGetAllResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.logStreams.read
      tags:
        - LogStream
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
    post:
      summary: Create a log stream
      description: Creates a new log stream object
      operationId: createLogStream
      x-codegen-request-body-name: instance
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/LogStream'
            examples:
              LogStreamPostRequestExample:
                $ref: '#/components/examples/LogStreamPostRequest'
        required: true
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogStream'
              examples:
                LogStreamPostResponseExample:
                  $ref:
                    '#/components/examples/LogStreamPostResponse'
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              examples:
                Access Denied:
                  $ref: '#/components/examples/ErrorAccessDenied'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.logStreams.manage
      tags:
        - LogStream
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
  /api/v1/logStreams/{logStreamId}:
    parameters:
      - $ref: '#/components/parameters/pathLogStreamId'
    get:
      summary: Retrieve a log stream
      description: Retrieves a log stream object by ID
      operationId: getLogStream
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogStream'
              examples:
                LogStreamGetRequestExample:
                  $ref: '#/components/examples/LogStreamPostResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.logStreams.read
      tags:
        - LogStream
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
    put:
      summary: Replace a log stream
      description: |-
        Replaces the log stream object properties for a given ID.

        This operation is typically used to update the configuration of a log stream.
        Depending on the type of log stream you want to update, certain properties can't be modified after the log stream is initially created.
        Use the [Retrieve the log stream schema for the schema type](/openapi/okta-management/management/tag/Schema/#tag/Schema/operation/getLogStreamSchema) request to determine which properties you can update for the specific log stream type.
        Log stream properties with the `"writeOnce" : true` attribute can't be updated after creation.
        You must still specify these `writeOnce` properties in the request body with the original values in the PUT request.

        > **Note:** You don't have to specify properties that have both the `"writeOnce": true` and the `"writeOnly": true` attributes in the PUT request body. These property values are ignored even if you add them in the PUT request body.
      operationId: replaceLogStream
      x-codegen-request-body-name: instance
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/LogStreamPutSchema'
            examples:
              LogStreamPutRequestExample:
                $ref: '#/components/examples/LogStreamPutRequest'
        required: true
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogStream'
              examples:
                LogStreamPostResponseExample:
                  $ref: '#/components/examples/LogStreamPutResponse'
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.logStreams.manage
      tags:
        - LogStream
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
    delete:
      summary: Delete a log stream
      description: Deletes a log stream object from your org by ID
      operationId: deleteLogStream
      responses:
        '204':
          description: No Content
        '403':
          description: Forbidden
          headers: {}
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              examples:
                Access Denied:
                  $ref: '#/components/examples/ErrorAccessDenied'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.logStreams.manage
      tags:
        - LogStream
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
  /api/v1/logStreams/{logStreamId}/lifecycle/activate:
    parameters:
      - $ref: '#/components/parameters/pathLogStreamId'
    post:
      summary: Activate a log stream
      description: Activates a log stream by `logStreamId`
      operationId: activateLogStream
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogStream'
              examples:
                LogStreamActivateResponseExample:
                  $ref: '#/components/examples/LogStreamActivateResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.logStreams.manage
      tags:
        - LogStream
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
  /api/v1/logStreams/{logStreamId}/lifecycle/deactivate:
    parameters:
      - $ref: '#/components/parameters/pathLogStreamId'
    post:
      summary: Deactivate a log stream
      description: Deactivates a log stream by `logStreamId`
      operationId: deactivateLogStream
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/LogStream'
              examples:
                LogStreamDeactivateResponseExample:
                  $ref: '#/components/examples/LogStreamDeactivateResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.logStreams.manage
      tags:
        - LogStream
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
  /api/v1/logs:
    get:
      summary: List all System Log events
      description: |-
        Lists all System Log events

        See [System Log query](https://developer.okta.com/docs/reference/system-log-query/) for further details and examples, and [System Log filters and search](https://help.okta.com/okta_help.htm?type=oie&id=csh-syslog-filters) for common use cases.

        By default, 100 System Log events are returned. If there are more events, see the [header link](https://developer.okta.com/docs/api/#link-header) for the `next` link, or increase the number of returned objects using the `limit` parameter.

        >**Note:** The value of the `clientSecret` property in the System Log is secured by a hashing function, and isn't the value used during authentication.
      operationId: listLogEvents
      parameters:
        - name: since
          description: Filters the lower time bound of the log events `published` property for bounded queries or persistence time for polling queries
          in: query
          schema:
            type: string
            format: ISO 8601 compliant timestamp
            default: 7 days prior to until
        - name: until
          description: Filters the upper time bound of the log events `published` property for bounded queries or persistence time for polling queries.
          in: query
          schema:
            type: string
            format: ISO 8601 compliant timestamp
            default: current time
        - name: after
          description: Retrieves the next page of results. Okta returns a link in the HTTP Header (`rel=next`) that includes the `after` query parameter
          in: query
          schema:
            type: string
            format: Opaque token
        - name: filter
          description: Filter expression that filters the results. All operators except [ ] are supported. See [Filter](https://developer.okta.com/docs/api/#filter) and [Operators](https://developer.okta.com/docs/api/#operators).
          in: query
          schema:
            type: string
            format: SCIM Filter expression
        - name: q
          description: Filters log event results by one or more case-insensitive keywords.
          in: query
          schema:
            type: string
            format: URL encoded string.
              Max length is 40 characters per keyword, with a maximum of 10 keyword filters per query (before encoding)
        - name: limit
          description: Sets the number of results that are returned in the response
          in: query
          schema:
            type: integer
            format: Integer between 0 and 1000
            default: 100
        - name: sortOrder
          description: The order of the returned events that are sorted by the `published` property
          in: query
          schema:
            type: string
            enum:
              - ASCENDING
              - DESCENDING
            default: ASCENDING
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/LogEvent'
              examples:
                ListLogs:
                  $ref: '#/components/examples/ListLogs'
                LogTargetChangeDetails:
                  $ref: '#/components/examples/LogTargetChangeDetails'
        '400':
          $ref: '#/components/responses/ErrorApiValidationFailed400'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.logs.read
      tags:
        - SystemLog
      x-okta-lifecycle:
        isCorsEnabled: true
        lifecycle: GA
        isGenerallyAvailable: true
  /api/v1/mappings:
    get:
      summary: List all profile mappings
      description: |-
        Lists all profile mappings in your org with [pagination](https://developer.okta.com/docs/api/#pagination). You can return a subset of profile mappings that match a supported `sourceId` and/or `targetId`.

        The results are [paginated](/#pagination) according to the `limit` parameter. If there are multiple pages of results, the Link header contains a `next` link that you should treat as an opaque value (follow it, don't parse it). See [Link Header](https://developer.okta.com/docs/api/#link-header).

        The response is a collection of profile mappings that include a subset of the profile mapping object's parameters. The profile mapping object describes the properties mapping between an Okta user and an app user profile using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04).
      operationId: listProfileMappings
      parameters:
        - name: after
          in: query
          description: Mapping `id` that specifies the pagination cursor for the next page of mappings
          schema:
            type: string
        - name: limit
          in: query
          description: Specifies the number of results per page
          schema:
            type: integer
            format: int32
            default: 20
            maximum: 200
        - name: sourceId
          in: query
          description: The user type or app instance ID that acts as the source of expressions in a mapping. If this parameter is included, all returned mappings have this as their `source.id`.
          schema:
            type: string
        - name: targetId
          in: query
          description: The user type or app instance ID that acts as the target of expressions in a mapping. If this parameter is included, all returned mappings have this as their `target.id`.
          schema:
            type: string
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/ListProfileMappings'
              examples:
                MappingList:
                  summary: List all profile mappings response
                  $ref: '#/components/examples/ListMappingsResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        - apiToken: []
        - oauth2:
            - okta.profileMappings.read
      tags:
        - ProfileMapping
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
  /api/v1/mappings/{mappingId}:
    parameters:
      - $ref: '#/components/parameters/pathMappingId'
    get:
      summary: Retrieve a profile mapping
      description: Retrieves a single profile mapping referenced by its ID
      operationId: getProfileMapping
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProfileMapping'
              examples:
                MappingRetrieve:
                  summary: Retrieve a single profile mapping
                  $ref: '#/components/examples/RetrieveMappingsResponse'
        '403':
          $ref: '#/components/responses/ErrorAccessDenied403'
        '404':
          $ref: '#/components/responses/ErrorResourceNotFound404'
        '429':
          $ref: '#/components/responses/ErrorTooManyRequests429'
      security:
        -
apiToken: [] - oauth2: - okta.profileMappings.read tags: - ProfileMapping x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] post: summary: Update a profile mapping description: Updates an existing profile mapping by adding, updating, or removing one or many property mappings operationId: updateProfileMapping x-codegen-request-body-name: profileMapping requestBody: content: application/json: schema: $ref: '#/components/schemas/ProfileMappingRequest' examples: Addpropertymapping: $ref: '#/components/examples/AddMappingBody' Updatepropertymapping: $ref: '#/components/examples/UpdateMappingBody' Removepropertymapping: $ref: '#/components/examples/RemoveMappingBody' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ProfileMapping' examples: Addpropertymapping: summary: Update an existing profile mapping by adding one or more properties $ref: '#/components/examples/AddMappingResponse' Updatepropertymapping: summary: Update an existing profile mapping by updating one or more properties $ref: '#/components/examples/UpdateMappingResponse' Removepropertymapping: summary: Update an existing profile mapping by removing one or more properties $ref: '#/components/examples/RemoveMappingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.profileMappings.manage tags: - ProfileMapping x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/meta/layouts/apps/{appName}: parameters: - $ref: '#/components/parameters/pathAppName' /api/v1/meta/layouts/apps/{appName}/sections/{section}/{operation}: parameters: - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathSection' - $ref: 
'#/components/parameters/pathOperation' /api/v1/meta/schemas/apps/{appId}/default: parameters: - $ref: '#/components/parameters/pathAppId' get: x-okta-iam-permissions: - okta.apps.read - okta.apps.manage x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - READ_ONLY_ADMIN - MOBILE_ADMIN - ORG_ADMIN - APP_ADMIN summary: Retrieve the default app user schema for an app description: |- Retrieves the default schema for an app user. The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same app user schema. Therefore, unlike the user schema operations, the app user schema operations all specify `default` and don't accept a schema ID. operationId: getApplicationUserSchema responses: '200': description: successful operation content: application/json: schema: $ref: '#/components/schemas/UserSchema' examples: Response with a subset of properties for brevity: $ref: '#/components/examples/DefaultAppUserSchemaResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.schemas.read tags: - Schema x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: x-okta-iam-permissions: - okta.apps.manage x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - APP_ADMIN summary: Update the app user profile schema for an app description: |- Updates the app user schema. This updates, adds, or removes one or more custom profile properties or the nullability of a base property in the app user schema for an app. Changing a base property's nullability (for example, the value of its `required` field) is allowed only if it is nullable in the default predefined schema for the app. 
> **Note:** You must set properties explicitly to `null` to remove them from the schema; otherwise, `POST` is interpreted as a partial update. The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to apps. All users assigned to a given app use the same app user schema. Therefore, unlike the user schema operations, the app user schema operations all specify `default` and don't accept a schema ID. operationId: updateApplicationUserProfile x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/UserSchema' examples: Add a custom property to the app user schema: $ref: '#/components/examples/AppUserSchemaAddRequest' required: false responses: '200': description: successful operation content: application/json: schema: $ref: '#/components/schemas/UserSchema' examples: Response with a subset of properties for brevity: $ref: '#/components/examples/AppUserSchemaResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.schemas.manage tags: - Schema x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/meta/schemas/group/default: get: x-okta-iam-permissions: - okta.apps.manage x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - APP_ADMIN - ORG_ADMIN summary: Retrieve the default group schema description: |- Retrieves the group schema The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same group schema. Unlike user schema operations, group schema operations all specify `default` and don't accept a schema ID. 
operationId: getGroupSchema parameters: [] responses: '200': description: successful operation content: application/json: schema: $ref: '#/components/schemas/GroupSchema' examples: Response with a subset of properties for brevity: $ref: '#/components/examples/GroupSchemaResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.schemas.read tags: - Schema x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: x-okta-iam-permissions: - okta.apps.manage x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - APP_ADMIN - ORG_ADMIN summary: Update the group profile schema description: |- Updates the group profile schema. This updates, adds, or removes one or more custom profile properties in a group schema. Currently Okta does not support changing base group profile properties. > **Note:** You must set properties explicitly to `null` to remove them from the schema; otherwise, `POST` is interpreted as a partial update. The [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature does not extend to groups. All groups use the same group schema. Unlike user schema operations, group schema operations all specify `default` and don't accept a schema ID. 
operationId: updateGroupSchema requestBody: content: application/json: schema: $ref: '#/components/schemas/GroupSchema' examples: Add a custom property to the group schema: $ref: '#/components/examples/GroupSchemaAddRequest' responses: '200': description: successful operation content: application/json: schema: $ref: '#/components/schemas/GroupSchema' examples: Response with a subset of properties for brevity: $ref: '#/components/examples/GroupSchemaResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.schemas.manage tags: - Schema x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/meta/schemas/logStream: get: x-okta-iam-admin-roles: - SUPER_ADMIN summary: List the log stream schemas description: Lists the schema for all log stream types visible for this org operationId: listLogStreamSchemas responses: '200': description: successful operation content: application/json: schema: type: array items: $ref: '#/components/schemas/LogStreamSchema' examples: All log stream schemas for your org: $ref: '#/components/examples/LogStreamSchemaList' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.logStreams.read tags: - Schema x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/meta/schemas/logStream/{logStreamType}: parameters: - $ref: '#/components/parameters/pathLogStreamType' get: x-okta-iam-admin-roles: - SUPER_ADMIN summary: Retrieve the log stream schema for the schema type description: Retrieves the schema for a log stream type. The `logStreamType` element in the URL specifies the log stream type, which is either `aws_eventbridge` or `splunk_cloud_logstreaming`. 
Use the `aws_eventbridge` literal to retrieve the AWS EventBridge type schema, and use the `splunk_cloud_logstreaming` literal to retrieve the Splunk Cloud type schema. operationId: getLogStreamSchema responses: '200': description: successful operation content: application/json: schema: $ref: '#/components/schemas/LogStreamSchema' examples: Schema for type `aws_eventbridge`: $ref: '#/components/examples/LogStreamSchemaAws' Schema for type `splunk_cloud_logstreaming`: $ref: '#/components/examples/LogStreamSchemaSplunk' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.logStreams.read tags: - Schema x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/meta/schemas/user/linkedObjects: get: x-okta-iam-permissions: - okta.apps.manage x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - APP_ADMIN - ORG_ADMIN summary: List all linked object definitions description: Lists all Linked Object definitions operationId: listLinkedObjectDefinitions responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/LinkedObject' examples: ListLinkedObjectsEx: $ref: '#/components/examples/ListLinkedObjects' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.linkedObjects.read tags: - LinkedObject x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: x-okta-iam-permissions: - okta.apps.manage x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - APP_ADMIN - ORG_ADMIN summary: Create a linked object definition description: Creates a Linked Object definition operationId: createLinkedObjectDefinition x-codegen-request-body-name: linkedObject requestBody: content: application/json: schema: $ref: 
'#/components/schemas/LinkedObject' examples: CreateLinkedObjectRequestEx: $ref: '#/components/examples/CreateLinkedObjectRequest' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/LinkedObject' examples: CreateLinkedObjectResponseEx: $ref: '#/components/examples/CreateLinkedObjectResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '409': description: Conflict content: application/json: schema: $ref: '#/components/schemas/Error' examples: ErrorInvalidLinkedObjectDefEx: $ref: '#/components/examples/ErrorInvalidLinkedObjectDef' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.linkedObjects.manage tags: - LinkedObject x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/meta/schemas/user/linkedObjects/{linkedObjectName}: parameters: - $ref: '#/components/parameters/pathLinkedObjectName' get: summary: Retrieve a linked object definition description: Retrieves a Linked Object definition operationId: getLinkedObjectDefinition responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/LinkedObject' examples: CreateLinkedObjectResponseEx: $ref: '#/components/examples/CreateLinkedObjectResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.linkedObjects.read tags: - LinkedObject x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: x-okta-iam-permissions: - okta.apps.manage x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - APP_ADMIN - ORG_ADMIN summary: Delete a linked object definition description: Deletes the Linked Object definition specified by either the `primary` or `associated` name. 
The entire definition is removed, regardless of which name you specify. operationId: deleteLinkedObjectDefinition responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.linkedObjects.manage tags: - LinkedObject x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/meta/schemas/user/{schemaId}: parameters: - $ref: '#/components/parameters/pathSchemaId' get: x-okta-iam-permissions: - okta.apps.manage x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - APP_ADMIN - ORG_ADMIN summary: Retrieve a user schema description: Retrieves the schema for a user type operationId: getUserSchema responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserSchema' examples: Response with a subset of properties for brevity: $ref: '#/components/examples/UserSchemaResponse' Response using default with a subset of properties for brevity: $ref: '#/components/examples/UserSchemaDefaultResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.schemas.read tags: - Schema x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: x-okta-iam-admin-roles: - API_ACCESS_MANAGEMENT_ADMIN - ORG_ADMIN - APP_ADMIN summary: Update a user schema description: |- Updates a user schema. Use this request to update, add, or remove one or more profile properties in a user schema. If you specify `default` for the `schemaId`, updates will apply to the default user type. 
Unlike custom user profile properties, limited changes are allowed to base user profile properties (permissions, nullability of the `firstName` and `lastName` properties, or pattern for `login`). You can't remove a property from the default schema if it's being referenced as a [`matchAttribute`](/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject/matchAttribute&t=request) in `SAML2` IdPs. Currently, all validation of SAML assertions is only performed against the default user type. > **Note:** You must set properties explicitly to `null` to remove them from the schema; otherwise, `POST` is interpreted as a partial update. operationId: updateUserProfile x-codegen-request-body-name: userSchema requestBody: content: application/json: schema: $ref: '#/components/schemas/UserSchema' examples: Add a custom property to the user schema: $ref: '#/components/examples/UserSchemaAddRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserSchema' examples: Response with a subset of properties for brevity: $ref: '#/components/examples/UserSchemaResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.schemas.manage tags: - Schema x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/meta/types/user: get: summary: List all user types description: Lists all user types in your org operationId: listUserTypes responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/UserType' examples: ListsAllUserTypes: $ref: '#/components/examples/ListsAllUserTypes' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': 
$ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.userTypes.read tags: - UserType x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a user type description: |- Creates a new user type. Okta automatically creates a `default` user type for your org. You may add up to nine additional user types. > **Note**: New user types are based on the current default schema template. Modifications to this schema do not automatically propagate to previously created user types. operationId: createUserType x-codegen-request-body-name: userType requestBody: content: application/json: schema: $ref: '#/components/schemas/UserType' examples: CreateUserRequest: $ref: '#/components/examples/CreateUserRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserType' examples: CreateUserResponse: $ref: '#/components/examples/CreateUserResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.userTypes.manage tags: - UserType x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/meta/types/user/{typeId}: parameters: - $ref: '#/components/parameters/pathTypeId' get: summary: Retrieve a user type description: Retrieves a user type by ID. Use `default` to fetch the default user type. 
operationId: getUserType responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserType' examples: GetUserResponse: $ref: '#/components/examples/GetUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.userTypes.read tags: - UserType x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update a user type description: |- Updates an existing user type. This operation is a partial update. > **Note**: You can only update the `displayName` and `description` elements. The `name` of an existing user type can't be changed. operationId: updateUserType x-codegen-request-body-name: userType requestBody: content: application/json: schema: $ref: '#/components/schemas/UserTypePostRequest' examples: UpdateUserTypePostRequest: $ref: '#/components/examples/UpdateUserTypePostRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserType' examples: UpdateUserTypePutRequest: $ref: '#/components/examples/UpdateUserTypePostResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.userTypes.manage tags: - UserType x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a user type description: |- Replaces an existing user type. This operation is a full update. > **Note**: The `name` of an existing user type can't be changed, but must be part of the request body. You can only replace the `displayName` and `description` elements. 
operationId: replaceUserType x-codegen-request-body-name: userType requestBody: content: application/json: schema: $ref: '#/components/schemas/UserTypePutRequest' examples: ReplaceUserTypePutRequest: $ref: '#/components/examples/ReplaceUserTypePutRequest' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserType' examples: ReplaceUserTypePutResponse: $ref: '#/components/examples/ReplaceUserTypePutResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.userTypes.manage tags: - UserType x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a user type description: |- Deletes a user type permanently. > **Note**: You can't delete the default user type or a user type that is currently assigned to users. 
operationId: deleteUserType responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.userTypes.manage tags: - UserType x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/meta/uischemas: get: summary: List all UI schemas description: Lists all UI Schemas in your org operationId: listUISchemas responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/UISchemasResponseObject' examples: UIISchemaList: summary: Lists all UI schemas response $ref: '#/components/examples/ListUISchemaResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.uischemas.read tags: - UISchema x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create a UI schema description: Creates an input for an enrollment form operationId: createUISchema x-codegen-request-body-name: uischemabody requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUISchema' examples: UISchemaCreate: $ref: '#/components/examples/CreateUISchemaBody' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UISchemasResponseObject' examples: UISchemaCreate: $ref: '#/components/examples/CreateUISchemaResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.uischemas.manage tags: - UISchema x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine 
/api/v1/meta/uischemas/{id}: parameters: - $ref: '#/components/parameters/UISchemaId' get: summary: Retrieve a UI schema description: Retrieves a UI Schema by `id` operationId: getUISchema responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UISchemasResponseObject' examples: UISchemaRetrieve: summary: Retrieves a UI schema response $ref: '#/components/examples/RetrieveUISchemaResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.uischemas.read tags: - UISchema x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace a UI schema description: Replaces a UI Schema by `id` operationId: replaceUISchemas x-codegen-request-body-name: updateUISchemaBody requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUISchema' examples: UISchemaPUT: $ref: '#/components/examples/CreateUISchemaBody' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UISchemasResponseObject' examples: UISchemaUpdate: $ref: '#/components/examples/CreateUISchemaResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.uischemas.manage tags: - UISchema x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete a UI schema description: Deletes a UI Schema by `id` operationId: deleteUISchemas responses: '204': description: No Content content: {} '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.uischemas.manage tags: - UISchema x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/org: get: summary: Retrieve the Org general settings description: Retrieves the Org General Settings operationId: getOrgSettings parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgSetting' examples: example-1: $ref: '#/components/examples/OrgSettingResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingGeneral x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update the Org general settings description: Updates partial Org General Settings operationId: updateOrgSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgSetting' examples: example-1: $ref: '#/components/examples/UpdateOrgSettingEx' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgSetting' examples: example-1: $ref: '#/components/examples/OrgSettingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingGeneral x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the Org general settings description: Replaces the Org General Settings for your Okta org operationId: replaceOrgSettings x-codegen-request-body-name: orgSetting requestBody: content: application/json: schema: $ref: 
'#/components/schemas/OrgSetting' examples: example-1: $ref: '#/components/examples/UpdateOrgSettingEx' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgSetting' examples: example-1: $ref: '#/components/examples/OrgSettingResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingGeneral x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/captcha: get: summary: Retrieve the org-wide CAPTCHA settings description: |- Retrieves the CAPTCHA settings object for your organization > **Note**: If the current organization hasn't configured CAPTCHA Settings, the request returns an empty object. operationId: getOrgCaptchaSettings responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgCAPTCHASettings' examples: configured: $ref: '#/components/examples/OrgCAPTCHASettingsConfigured' empty: $ref: '#/components/examples/OrgCAPTCHASettingsEmpty' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.read tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace the org-wide CAPTCHA settings description: |- Replaces the CAPTCHA settings object for your organization > **Note**: You can disable CAPTCHA for your organization by setting `captchaId` and `enabledPages` to `null`. 
operationId: replacesOrgCaptchaSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgCAPTCHASettings' examples: Update: $ref: '#/components/examples/OrgCAPTCHASettingsUpdate' Disable: $ref: '#/components/examples/OrgCAPTCHASettingsDisable' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgCAPTCHASettings' examples: Update: $ref: '#/components/examples/OrgCAPTCHASettingsUpdated' Disable: $ref: '#/components/examples/OrgCAPTCHASettingsDisabled' '400': description: Bad Request headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: NoDisable: $ref: '#/components/examples/ErrorCAPTCHAOrgWideSettingNull' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.manage tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete the org-wide CAPTCHA settings description: Deletes the CAPTCHA settings object for your organization operationId: deleteOrgCaptchaSettings responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.captchas.manage tags: - CAPTCHA x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/org/contacts: get: summary: List all org contact types description: Lists all org contact types for your Okta org operationId: listOrgContactTypes parameters: [] responses: '200': description: Success content: application/json: schema: items: $ref: '#/components/schemas/OrgContactTypeObj' type: array examples: orgContactTypeEx: $ref: '#/components/examples/orgContactTypeResponse' '403': 
$ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingContact x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/contacts/{contactType}: parameters: - $ref: '#/components/parameters/pathContactType' get: summary: Retrieve the contact type user description: Retrieves the ID and the user resource associated with the specified contact type operationId: getOrgContactUser responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgContactUser' examples: contactTypeUserEx: $ref: '#/components/examples/orgContactUserResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingContact x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the contact type user description: Replaces the user associated with the specified contact type operationId: replaceOrgContactUser x-codegen-request-body-name: orgContactUser requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgContactUser' examples: contactTypeUserEx: summary: Contact user value: userId: 00ux3u0ujW1r5AfZC1d7 required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgContactUser' examples: contactTypeUserEx: $ref: '#/components/examples/orgContactUserResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingContact x-okta-lifecycle: lifecycle: GA 
isGenerallyAvailable: true /api/v1/org/email/bounces/remove-list: post: summary: Remove bounced emails description: | Removes emails from an email service bounce list. The emails submitted in this operation are removed from the bounce list by an asynchronous job. Any email address that passes validation is accepted for the removal process, even if there are other email addresses in the request that failed validation. > **Note:** If there are validation errors for all email addresses, a `200 OK` HTTP status is still returned. operationId: bulkRemoveEmailAddressBounces requestBody: content: application/json: schema: $ref: '#/components/schemas/BouncesRemoveListObj' examples: example-1: summary: Request example value: emailAddresses: - name@company.com - unknown.email@okta.com - name@okta@com responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/BouncesRemoveListResult' examples: example-1: summary: Response example value: errors: - emailAddress: unknown.email@okta.com reason: This email address does not belong to any user in your organization. - emailAddress: name@okta@com reason: Invalid email address. The provided email address failed validation against RFC 3696. 
'400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - EmailCustomization x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/factors/yubikey_token/tokens: parameters: - name: after in: query description: Specifies the pagination cursor for the next page of tokens schema: type: string - name: expand in: query description: Embeds the [user](/openapi/okta-management/management/tag/User/) resource if the YubiKey token is assigned to a user and `expand` is set to `user` schema: type: string - name: filter in: query description: The expression used to filter tokens schema: type: string enum: - profile.email - profile.serial - activated - user.id - created - status - lastVerified - name: forDownload in: query description: Returns tokens in a CSV to download instead of in the response. When you use this query parameter, the `limit` default changes to 1000. 
schema: type: boolean default: false - name: limit in: query description: Specifies the number of results per page schema: type: integer default: 20 maximum: 200 - name: sortBy in: query description: Specifies the field by which the tokens are sorted schema: type: string enum: - profile.email - profile.serial - activated - user.id - created - status - lastVerified - name: sortOrder in: query description: Specifies the sort order, either `ASC` or `DESC` schema: type: string enum: - ASC - DESC get: summary: List all YubiKey OTP tokens description: Lists all YubiKey OTP tokens operationId: listYubikeyOtpTokens responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/UserFactorYubikeyOtpToken' examples: ListYubikeyOptTokensResponse: $ref: '#/components/examples/ListYubikeyOptTokensResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Upload a YubiKey OTP seed description: Uploads a seed for a user to enroll a YubiKey OTP operationId: uploadYubikeyOtpTokenSeed requestBody: content: application/json: schema: type: object properties: serialNumber: type: string description: The unique identifier assigned to each YubiKey device publicId: type: string description: The YubiKey's public ID privateId: type: string description: The YubiKey's private ID aesKey: type: string description: The cryptographic key used in the AES (Advanced Encryption Standard) algorithm to encrypt and decrypt the YubiKey OTP examples: uploadYubikeyOtpSeedRequest: $ref: '#/components/examples/UploadYubikeyTokenSeedRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserFactorYubikeyOtpToken' 
examples: yubikeyToken: $ref: '#/components/examples/UploadYubikeyTokenSeedResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/factors/yubikey_token/tokens/{tokenId}: parameters: - $ref: '#/components/parameters/yubikeyTokenId' get: summary: Retrieve a YubiKey OTP token description: Retrieves the specified YubiKey OTP token by `id` operationId: getYubikeyOtpTokenById parameters: - name: tokenId in: path required: true description: The YubiKey OTP token ID schema: type: string responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserFactorYubikeyOtpToken' examples: Token: $ref: '#/components/examples/GetYubikeyOptTokenResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/orgSettings/thirdPartyAdminSetting: get: summary: Retrieve the org third-party admin setting description: Retrieves the third-party admin setting. See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation. 
operationId: getThirdPartyAdminSetting parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ThirdPartyAdminSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update the org third-party admin setting description: | Updates the third-party admin setting. This setting allows third-party admins to perform administrative actions in the Admin Console, but they can't do any of the following: * Receive Okta admin email notifications * Contact Okta support * Sign in to the Okta Help Center See [Configure third-party administrators](https://help.okta.com/okta_help.htm?type=oie&id=csh_admin-third) in the Okta product documentation. operationId: updateThirdPartyAdminSetting parameters: [] requestBody: content: application/json: schema: $ref: '#/components/schemas/ThirdPartyAdminSetting' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ThirdPartyAdminSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/preferences: get: summary: Retrieve the org preferences description: Retrieves preferences of your Okta org operationId: getOrgPreferences parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgPreferences' examples: retrieveOrgPrefEx: $ref: '#/components/examples/orgShowFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - 
oauth2: - okta.orgs.read tags: - OrgSettingCustomization x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/preferences/hideEndUserFooter: post: summary: Set the hide dashboard footer preference description: Sets the preference to hide the Okta End-User Dashboard footer for all end users of your org operationId: setOrgHideOktaUIFooter parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgPreferences' examples: hideOrgPrefEx: $ref: '#/components/examples/orgHideFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingCustomization x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/preferences/showEndUserFooter: post: summary: Set the show dashboard footer preference description: Sets the preference to show the Okta UI footer for all end users of your org operationId: setOrgShowOktaUIFooter parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgPreferences' examples: showOrgPrefEx: $ref: '#/components/examples/orgShowFooterPrefResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingCustomization x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/aerial: get: x-okta-iam-admin-roles: - SUPER_ADMIN summary: Retrieve Okta Aerial consent for your org description: Retrieves the Okta Aerial consent grant details for your Org. Returns a 404 Not Found error if no consent has been granted. 
operationId: getAerialConsent parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgAerialConsentDetails' examples: example-read-grant-response: $ref: '#/components/examples/AerialConsentDetails' '400': description: Can't complete request due to errors content: application/json: schema: $ref: '#/components/schemas/Error' examples: example-no-already-present-response: $ref: '#/components/examples/AerialGrantAlreadyPresentErrorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Consent hasn't been given and there are no grants to any Aerial Accounts content: application/json: schema: $ref: '#/components/schemas/Error' examples: example-no-grant-found-response: $ref: '#/components/examples/AerialGrantNotFoundResponse' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/aerial/grant: post: x-okta-iam-admin-roles: - SUPER_ADMIN summary: Grant Okta Aerial access to your org description: Grants an Okta Aerial account consent to manage your org. If the org is a child org, consent is taken from the parent org. Grant calls directly to the child are not allowed. 
operationId: grantAerialConsent parameters: [] requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgAerialConsent' examples: example-grant-call: description: Request body to grant an Okta Aerial account access to your Org value: accountId: 0200bs0617vvhv2v675mch1cukp responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgAerialConsentDetails' examples: example-grant-success-response: $ref: '#/components/examples/AerialConsentDetails' '400': description: Can't complete request due to errors content: application/json: schema: $ref: '#/components/schemas/Error' examples: example-invalid-account-id: $ref: '#/components/examples/AerialConsentInvalidAccountIdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/aerial/revoke: post: x-okta-iam-admin-roles: - SUPER_ADMIN summary: Revoke Okta Aerial access to your org description: Revokes access of an Okta Aerial account to your Org. The revoke operation will fail if the org has already been added to an Aerial account. 
operationId: revokeAerialConsent parameters: [] requestBody: content: application/json: schema: $ref: '#/components/schemas/OrgAerialConsent' examples: example-revoke-request: description: Request body for revoking an Okta Aerial account value: accountId: 0200bs0617vvhv2v675mch1cukp responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgAerialConsentRevoked' '400': description: Can't complete request due to errors content: application/json: schema: $ref: '#/components/schemas/Error' examples: example-org-is-linked: $ref: '#/components/examples/AerialConsentOrgAlreadyLinkedResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication: get: summary: Retrieve the Okta communication settings description: Retrieves Okta Communication Settings of your org operationId: getOktaCommunicationSettings parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' examples: retrieveOktaCommSettingsEx: $ref: '#/components/examples/orgCommunicationOptOutResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingCommunication x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optIn: post: summary: Opt in to Okta user communication emails description: Opts in all users of this org to Okta communication emails operationId: optInUsersToOktaCommunicationEmails parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' examples: 
optInOktaCommSettingsEx: $ref: '#/components/examples/orgCommunicationOptInResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingCommunication x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaCommunication/optOut: post: summary: Opt out of Okta user communication emails description: Opts out all users of this org from Okta communication emails operationId: optOutUsersFromOktaCommunicationEmails parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgOktaCommunicationSetting' examples: optOutOktaCommSettingsEx: $ref: '#/components/examples/orgCommunicationOptOutResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingCommunication x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport: get: x-okta-iam-admin-roles: - SUPER_ADMIN summary: Retrieve the Okta Support settings description: Retrieves Okta Support Settings for your org operationId: getOrgOktaSupportSettings parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OrgOktaSupportSettingsObj' examples: OktaSupportWithCaseNumberEx: $ref: '#/components/examples/orgSupportSettingsWithCaseNumberResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/cases: get: summary: List all Okta Support cases description: Lists all Okta Support cases that the requesting principal has permission to view 
operationId: listOktaSupportCases responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OktaSupportCases' examples: OktaSupportCasesEx: $ref: '#/components/examples/OktaSupportCases' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/cases/{caseNumber}: parameters: - $ref: '#/components/parameters/caseNumber' patch: x-okta-iam-permissions: - okta.support.cases.manage x-okta-iam-admin-roles: - SUPER_ADMIN summary: Update an Okta Support case description: |- Updates access to the org for an Okta Support case: * You can enable, disable, or extend access to your org for an Okta Support case. * You can approve Okta Support access to your org for self-assigned cases. A self-assigned case is created and assigned by the same Okta Support user. 
operationId: updateOktaSupportCase requestBody: content: application/json: schema: $ref: '#/components/schemas/OktaSupportCase' examples: AllowOktaSupportAccessStatus: $ref: '#/components/examples/AllowOktaSupportAccessStatusRequest' ExtendOktaSupportAccessStatus: $ref: '#/components/examples/ExtendOktaSupportAccessStatusRequest' RevokeOktaSupportAccessStatus: $ref: '#/components/examples/RevokeOktaSupportAccessStatusRequest' AllowSelfAssigned: $ref: '#/components/examples/AllowSelfAssignedRequest' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OktaSupportCase' examples: AllowOktaSupportAccessStatus: $ref: '#/components/examples/AllowOktaSupportAccessStatus' ExtendOktaSupportAccessStatus: $ref: '#/components/examples/ExtendOktaSupportAccessStatus' RevokeOktaSupportAccessStatus: $ref: '#/components/examples/RevokeOktaSupportAccessStatus' AllowSelfAssigned: $ref: '#/components/examples/AllowSelfAssigned' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/extend: post: deprecated: true x-okta-iam-admin-roles: - SUPER_ADMIN summary: Extend Okta Support access description: |- Extends the length of time that Okta Support can access your org by 24 hours. This means that 24 hours are added to the remaining access time. > **Note:** This resource is deprecated. Use the [Update an Okta Support case](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/updateOktaSupportCase) resource to extend Okta Support access for a support case. > For the corresponding Okta Admin Console feature, see [Give access to Okta Support](https://help.okta.com/okta_help.htm?type=oie&id=settings-support-access). 
operationId: extendOktaSupport parameters: [] responses: '301': description: Moved Permanently security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/grant: post: deprecated: true x-okta-iam-admin-roles: - SUPER_ADMIN summary: Grant Okta Support access description: |- Grants Okta Support temporary access to your org as an administrator for eight hours > **Note:** This resource is deprecated. Use the [Update an Okta Support case](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/updateOktaSupportCase) resource to grant Okta Support access for a support case. > For the corresponding Okta Admin Console feature, see [Give access to Okta Support](https://help.okta.com/okta_help.htm?type=oie&id=settings-support-access). operationId: grantOktaSupport parameters: [] responses: '301': description: Moved Permanently security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/privacy/oktaSupport/revoke: post: deprecated: true x-okta-iam-admin-roles: - SUPER_ADMIN summary: Revoke Okta Support access description: |- Revokes Okta Support access to your org > **Note:** This resource is deprecated. Use the [Update an Okta Support case](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/updateOktaSupportCase) resource to revoke Okta Support access for a support case. > For the corresponding Okta Admin Console feature, see [Give access to Okta Support](https://help.okta.com/okta_help.htm?type=oie&id=settings-support-access). 
operationId: revokeOktaSupport parameters: [] responses: '301': description: Moved Permanently security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingSupport x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/settings/autoAssignAdminAppSetting: get: summary: Retrieve the Okta Admin Console assignment setting description: Retrieves the org setting to automatically assign the Okta Admin Console when an admin role is assigned operationId: getAutoAssignAdminAppSetting parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AutoAssignAdminAppSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update the Okta Admin Console assignment setting description: |- Updates the org setting to automatically assign the Okta Admin Console when an admin role is assigned > **Note:** This setting doesn't apply to the `SUPER_ADMIN` role. > When you assign the `SUPER_ADMIN` role to a user, the Admin Console is always assigned to the user regardless of the `autoAssignAdminAppSetting` setting. 
operationId: updateAutoAssignAdminAppSetting requestBody: content: application/json: schema: $ref: '#/components/schemas/AutoAssignAdminAppSetting' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AutoAssignAdminAppSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/org/settings/clientPrivilegesSetting: get: summary: Retrieve the default public client app role setting description: Retrieves the org setting to assign the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) to new public client apps operationId: getClientPrivilegesSetting parameters: [] responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ClientPrivilegesSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Assign the default public client app role setting description: Assigns the [Super Admin role](https://help.okta.com/okta_help.htm?type=oie&id=ext_superadmin) as the default role for new public client apps operationId: assignClientPrivilegesSetting requestBody: content: application/json: schema: $ref: '#/components/schemas/ClientPrivilegesSetting' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ClientPrivilegesSetting' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgSettingAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true 
/api/v1/orgs: post: summary: Create an org description: |- Creates an org (child org) that has the same features as the current requesting org (parent org). A child org inherits any new features added to the parent org, but new features added to the child org aren't propagated back to the parent org. > **Notes:** > * Some features associated with products, such as Atspoke, Workflows, and Okta Identity Governance, aren't propagated to the child org. > * Wait at least 30 seconds after a 201-Created response before you make API requests to the new child org. > * For rate limits, see [Org creation rate limits](https://developer.okta.com/docs/reference/rl-additional-limits/#org-creation-rate-limits). operationId: createChildOrg requestBody: content: application/json: schema: $ref: '#/components/schemas/ChildOrg' examples: CreateChildOrg: $ref: '#/components/examples/CreateChildOrgRequestEx' responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/ChildOrg' examples: CreateChildOrg: $ref: '#/components/examples/CreateChildOrgResponseEx' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' '500': $ref: '#/components/responses/ErrorInternalServer500' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - OrgCreator x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies: get: summary: List all policies description: Lists all policies with the specified type operationId: listPolicies parameters: - name: type in: query required: true schema: type: string enum: - OKTA_SIGN_ON - PASSWORD - MFA_ENROLL - IDP_DISCOVERY - ACCESS_POLICY - DEVICE_SIGNAL_COLLECTION - PROFILE_ENROLLMENT - POST_AUTH_SESSION - ENTITY_RISK description: Specifies the type of policy to return. 
The following policy types are available only with the Okta Identity Engine - `ACCESS_POLICY`, `DEVICE_SIGNAL_COLLECTION`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION` and `ENTITY_RISK`. - name: status in: query schema: type: string description: Refines the query by the `status` of the policy - `ACTIVE` or `INACTIVE` - name: q in: query schema: type: string description: Refines the query by policy name prefix (startWith method) passed in as `q=string` - name: expand in: query schema: type: string default: '' - name: sortBy in: query schema: type: string description: Refines the query by sorting on the policy `name` in ascending order - name: limit in: query schema: type: string description: Defines the number of policies returned, see [Pagination](https://developer.okta.com/docs/api/#pagination) - name: resourceId in: query schema: type: string description: Reference to the associated authorization server - name: after in: query schema: type: string description: End page cursor for pagination, see [Pagination](https://developer.okta.com/docs/api/#pagination) responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Policy' examples: password: $ref: '#/components/examples/password-policy-response' mfa-enroll: $ref: '#/components/examples/mfa-enroll-policy-with-grace-period-response' idp-discovery: $ref: '#/components/examples/idp-discovery-policy-response' profile-enrollment: $ref: '#/components/examples/profile-enrollment-policy-response' access-policy: $ref: '#/components/examples/list-access-policy-response' device-signal-collection-policy: $ref: '#/components/examples/list-device-signal-collection-policy-response' okta-sign-on-policy: $ref: '#/components/examples/list-okta-sign-on-policy-response' entity-risk-policy: $ref: '#/components/examples/list-entity-risk-policy-response' post-auth-session-policy: $ref: '#/components/examples/list-post-auth-session-policy-response' passwordWithBreachedProtection: 
$ref: '#/components/examples/password-policy-with-breached-protection-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.read tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a policy description: Creates a policy. There are many types of policies that you can create. See [Policies](https://developer.okta.com/docs/concepts/policies/) for an overview of the types of policies available and links to more in-depth information. operationId: createPolicy parameters: - name: activate description: This query parameter is only valid for Classic Engine orgs. in: query schema: type: boolean default: true x-codegen-request-body-name: policy requestBody: content: application/json: schema: $ref: '#/components/schemas/Policy' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Policy' examples: password: $ref: '#/components/examples/password-policy-response' mfa-enroll: $ref: '#/components/examples/mfa-enroll-policy-with-grace-period-response' idp-discovery: $ref: '#/components/examples/idp-discovery-policy-response' profile-enrollment: $ref: '#/components/examples/profile-enrollment-policy-response' access-policy: $ref: '#/components/examples/create-access-policy-response' device-signal-collection-policy: $ref: '#/components/examples/device-signal-collection-policy-response' okta-sign-on-policy: $ref: '#/components/examples/create-okta-sign-on-policy-response' passwordWithBreachedProtection: $ref: '#/components/examples/password-policy-with-breached-protection-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy 
x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/simulate: parameters: - $ref: '#/components/parameters/simulateParameter' post: summary: Create a policy simulation description: |- Creates a policy or policy rule simulation. The access simulation evaluates policy and policy rules based on the existing policy rule configuration. The evaluation result simulates what the real-world authentication flow is and what policy rules have been applied or matched to the authentication flow. operationId: createPolicySimulation x-codegen-request-body-name: simulatePolicy requestBody: content: application/json: schema: type: array items: $ref: '#/components/schemas/SimulatePolicyBody' examples: SimulatePolicy: $ref: '#/components/examples/SimulatePolicyBody' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/SimulatePolicyResponse' examples: SimulatePolicy: $ref: '#/components/examples/SimulatePolicyResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.read tags: - Policy x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/policies/{policyId}: parameters: - $ref: '#/components/parameters/pathPolicyId' get: summary: Retrieve a policy description: Retrieves a policy operationId: getPolicy parameters: - name: expand in: query schema: type: string default: '' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Policy' examples: password: $ref: '#/components/examples/password-policy-response' mfa-enroll: $ref: '#/components/examples/mfa-enroll-policy-with-grace-period-response' idp-discovery: $ref: '#/components/examples/idp-discovery-policy-response' profile-enrollment: $ref: 
'#/components/examples/profile-enrollment-policy-response' access-policy: $ref: '#/components/examples/create-access-policy-response' device-signal-collection-policy: $ref: '#/components/examples/device-signal-collection-policy-response' okta-sign-on-policy: $ref: '#/components/examples/create-okta-sign-on-policy-response' entity-risk-policy: $ref: '#/components/examples/get-entity-risk-policy-response' post-auth-session-policy: $ref: '#/components/examples/get-post-auth-session-policy-response' passwordWithBreachedProtection: $ref: '#/components/examples/password-policy-with-breached-protection-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.read tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a policy description: Replaces the properties of a policy identified by `policyId` operationId: replacePolicy x-codegen-request-body-name: policy requestBody: content: application/json: schema: $ref: '#/components/schemas/Policy' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Policy' examples: password: $ref: '#/components/examples/password-policy-response' mfa-enroll: $ref: '#/components/examples/mfa-enroll-policy-with-grace-period-response' idp-discovery: $ref: '#/components/examples/idp-discovery-policy-response' profile-enrollment: $ref: '#/components/examples/profile-enrollment-policy-response' access-policy: $ref: '#/components/examples/create-access-policy-response' device-signal-collection-policy: $ref: '#/components/examples/device-signal-collection-policy-response' okta-sign-on-policy: $ref: '#/components/examples/create-okta-sign-on-policy-response' passwordWithBreachedProtection: $ref: 
'#/components/examples/password-policy-with-breached-protection-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a policy description: Deletes a policy operationId: deletePolicy responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/app: parameters: - $ref: '#/components/parameters/pathPolicyId' get: deprecated: true summary: List all apps mapped to a policy description: |- Lists all applications mapped to a policy identified by `policyId` > **Note:** Use [List all resources mapped to a Policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyMappings) to list all applications mapped to a policy. 
operationId: listPolicyApps responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Application' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.read tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/clone: parameters: - $ref: '#/components/parameters/pathPolicyId' post: summary: Clone an existing policy description: Clones an existing policy operationId: clonePolicy responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Policy' examples: password: $ref: '#/components/examples/password-policy-response' mfa-enroll: $ref: '#/components/examples/mfa-enroll-policy-with-grace-period-response' idp-discovery: $ref: '#/components/examples/idp-discovery-policy-response' profile-enrollment: $ref: '#/components/examples/profile-enrollment-policy-response' access-policy: $ref: '#/components/examples/create-access-policy-response' okta-sign-on-policy: $ref: '#/components/examples/create-okta-sign-on-policy-response' passwordWithBreachedProtection: $ref: '#/components/examples/password-policy-with-breached-protection-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/policies/{policyId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathPolicyId' post: summary: Activate a policy description: Activates a policy operationId: activatePolicy 
responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathPolicyId' post: summary: Deactivate a policy description: Deactivates a policy operationId: deactivatePolicy responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/mappings: parameters: - $ref: '#/components/parameters/pathPolicyId' get: summary: List all resources mapped to a policy description: Lists all resources mapped to a policy identified by `policyId` operationId: listPolicyMappings responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/PolicyMapping' examples: policy-mapping-response: $ref: '#/components/examples/policy-mapping-list-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.read tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Map a resource to a policy description: |- Maps a resource to a policy identified by `policyId` > **Note:** Use the [Assign an app sign-in 
policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationPolicies/#tag/ApplicationPolicies/operation/assignApplicationPolicy) endpoint to assign an app sign-in policy to an app. operationId: mapResourceToPolicy requestBody: content: application/json: schema: $ref: '#/components/schemas/PolicyMappingRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/PolicyMapping' examples: policy-mapping-response: $ref: '#/components/examples/policy-mapping-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/mappings/{mappingId}: parameters: - $ref: '#/components/parameters/pathPolicyId' - $ref: '#/components/parameters/pathPolicyMappingId' get: summary: Retrieve a policy resource mapping description: Retrieves a resource mapping for a policy identified by `policyId` and `mappingId` operationId: getPolicyMapping responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/PolicyMapping' examples: policy-mapping-response: $ref: '#/components/examples/policy-mapping-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.read tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a policy resource mapping description: Deletes the resource mapping for a policy identified by `policyId` and `mappingId` operationId: deletePolicyResourceMapping 
responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/rules: parameters: - $ref: '#/components/parameters/pathPolicyId' - $ref: '#/components/parameters/limitParameter' get: summary: List all policy rules description: Lists all policy rules operationId: listPolicyRules responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/PolicyRule' examples: okta-sign-on: $ref: '#/components/examples/list-all-sign-on-policy-rule-response' access: $ref: '#/components/examples/list-all-access-policy-rule-response' device-signal-collection: $ref: '#/components/examples/list-all-device-signal-collection-rule-response' entity-risk: $ref: '#/components/examples/list-all-entity-risk-policy-rule-response' post-auth-session: $ref: '#/components/examples/list-all-post-auth-session-policy-rule-response' password: $ref: '#/components/examples/list-all-password-policy-rule-response' idp-discovery: $ref: '#/components/examples/list-all-idp-discovery-policy-rule-response' mfa-enroll: $ref: '#/components/examples/list-all-mfa-enroll-policy-rule-response' profile-enrollment: $ref: '#/components/examples/list-all-profile-enrollment-policy-rule-response' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.read tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a policy rule description: |- Creates a policy rule > **Note:** You can't create additional rules for the 
`PROFILE_ENROLLMENT` or `POST_AUTH_SESSION` policies. operationId: createPolicyRule parameters: - name: activate description: Set this parameter to `false` to create an `INACTIVE` rule. in: query schema: type: boolean default: true x-codegen-request-body-name: policyRule requestBody: content: application/json: schema: $ref: '#/components/schemas/PolicyRule' examples: EnableSsprSecurityQuestionStepUp: $ref: '#/components/examples/sspr-enabled-sq-step-up' EnableSsprSSOStepUp: $ref: '#/components/examples/sspr-enabled-sso-step-up' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up' EnableSsprOAMP: $ref: '#/components/examples/sspr-enabled-OAMP' Enable2FAPreciseAuth: $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing' DeviceSignalCollectionRule: $ref: '#/components/examples/create-device-signal-collection-rule' EnableSpecificRoutingRule: $ref: '#/components/examples/idp-discovery-specific-routing-rule' EnableDynamicRoutingRule: $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' CreateAuthPolicyRuleDevicePlatformCondition: $ref: '#/components/examples/create-auth-policy-rule-condition' SignOnPolicy: $ref: '#/components/examples/sign-on-policy-rule' SkipFactorChallengeOnPremRule: $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' RadiusRule: $ref: '#/components/examples/radius-rule' CloudRule: $ref: '#/components/examples/cloud-rule' DenyRule: $ref: '#/components/examples/deny-rule' CreateAuthPolicyRule2FAEnablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-enabled' CreateAuthPolicyRule2FADisablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-disabled' CreateAuthPolicyRuleAmc2Chains: $ref: '#/components/examples/amc-two-chain' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints' EnableIdProofingForOamp: $ref: '#/components/examples/oamp-id-proofing-policy-rule' required: true responses: '200': 
description: Success content: application/json: schema: $ref: '#/components/schemas/PolicyRule' examples: EnableSsprSecurityQuestionStepUp: $ref: '#/components/examples/sspr-enabled-sq-step-up-response' EnableSsprSSOStepUp: $ref: '#/components/examples/sspr-enabled-sso-step-up-response' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-response' EnableSsprWithOAMP: $ref: '#/components/examples/sspr-enabled-OAMP-response' Enable2FAPreciseAuth: $ref: '#/components/examples/twofa-enabled-disallow-password-allow-phishing-response' EnableSpecificRoutingRule: $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' EnableDynamicRoutingRule: $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' DeviceSignalCollectionRule: $ref: '#/components/examples/device-signal-collection-rule-response' CreateAuthPolicyRuleDevicePlatformCondition: $ref: '#/components/examples/create-auth-policy-rule-condition-response' SignOnPolicy: $ref: '#/components/examples/sign-on-policy-rule-response' SkipFactorChallengeOnPremRule: $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' RadiusRule: $ref: '#/components/examples/radius-rule-response' CloudRule: $ref: '#/components/examples/cloud-rule-response' DenyRule: $ref: '#/components/examples/deny-rule-response' CreateAuthPolicyRule2FAEnablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-enabled-response' CreateAuthPolicyRule2FADisablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-disabled-response' CreateAuthPolicyRuleAmc2Chains: $ref: '#/components/examples/amc-two-chain' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' EnableIdProofingForOamp: $ref: '#/components/examples/oamp-id-proofing-policy-rule-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/rules/{ruleId}: parameters: - $ref: '#/components/parameters/pathPolicyId' - $ref: '#/components/parameters/pathRuleId' get: summary: Retrieve a policy rule description: Retrieves a policy rule operationId: getPolicyRule responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/PolicyRule' examples: EnableSsprSecurityQuestionStepUp: $ref: '#/components/examples/sspr-enabled-sq-step-up-update' EnableSsprSSOStepUp: $ref: '#/components/examples/sspr-enabled-sso-step-up-update' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-update' EnableSsprWithOAMP: $ref: '#/components/examples/sspr-enabled-OAMP-update' EnableSpecificRoutingRule: $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' EnableDynamicRoutingRule: $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' SignOnPolicy: $ref: '#/components/examples/sign-on-policy-rule-response' SkipFactorChallengeOnPremRule: $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' RadiusRule: $ref: '#/components/examples/radius-rule-response' CloudRule: $ref: '#/components/examples/cloud-rule-response' DenyRule: $ref: '#/components/examples/deny-rule-response' DeviceSignalCollectionRule: $ref: '#/components/examples/device-signal-collection-rule-response' AuthenticationPolicyRuleWithPlatformDeviceConstraints: $ref: '#/components/examples/update-auth-policy-rule-condition-response' AuthPolicyRule2FAEnablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-enabled-response' AuthPolicyRule2FADisablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-disabled-response' EnableSsprWithConstraints: $ref: 
'#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.read tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a policy rule description: Replaces the properties for a policy rule identified by `policyId` and `ruleId` operationId: replacePolicyRule x-codegen-request-body-name: policyRule requestBody: content: application/json: schema: $ref: '#/components/schemas/PolicyRule' examples: EnableSsprSecurityQuestionStepUp: $ref: '#/components/examples/sspr-enabled-sq-step-up-update' EnableSsprSSOStepUp: $ref: '#/components/examples/sspr-enabled-sso-step-up-update' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-update' UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: $ref: '#/components/examples/update-auth-policy-rule-condition' UpdateAllowedIdentifiersInUserProfilePolicy: $ref: '#/components/examples/update-identifiers-in-user-profile-policy' UpdateAuthPolicyRule2FAEnablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-enabled' UpdateAuthPolicyRule2FADisablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-disabled' UpdateDeviceSignalCollectionRule: $ref: '#/components/examples/update-device-signal-collection-rule' EnableSpecificRoutingRule: $ref: '#/components/examples/idp-discovery-specific-routing-rule' EnableDynamicRoutingRule: $ref: '#/components/examples/idp-discovery-dynamic-routing-rule' SignOnPolicy: $ref: '#/components/examples/sign-on-policy-rule' SkipFactorChallengeOnPremRule: $ref: '#/components/examples/skip-factor-challenge-on-prem-rule' RadiusRule: $ref: '#/components/examples/radius-rule' CloudRule: $ref: '#/components/examples/cloud-rule' DenyRule: $ref: 
'#/components/examples/deny-rule' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-update' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/PolicyRule' examples: EnableSsprSecurityQuestionStepUp: $ref: '#/components/examples/sspr-enabled-sq-step-up-response' EnableSsprSSOStepUp: $ref: '#/components/examples/sspr-enabled-sso-step-up-response' EnableSsprNoStepUp: $ref: '#/components/examples/sspr-enabled-no-step-up-response' UpdateAuthenticationPolicyRuleWithPlatformDeviceConstraints: $ref: '#/components/examples/update-auth-policy-rule-condition-response' UpdateAllowedIdentifiersInUserProfilePolicy: $ref: '#/components/examples/update-identifiers-in-user-profile-policy-response' UpdateAuthPolicyRule2FAEnablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-enabled-response' UpdateAuthPolicyRule2FADisablePostAuthKmsi: $ref: '#/components/examples/twofa-enabled-post-auth-kmsi-disabled-response' UpdateDeviceSignalCollectionRule: $ref: '#/components/examples/update-device-signal-collection-rule-response' EnableSpecificRoutingRule: $ref: '#/components/examples/idp-discovery-specific-routing-rule-response' EnableDynamicRoutingRule: $ref: '#/components/examples/idp-discovery-dynamic-routing-rule-response' SignOnPolicy: $ref: '#/components/examples/sign-on-policy-rule-response' SkipFactorChallengeOnPremRule: $ref: '#/components/examples/skip-factor-challenge-on-prem-rule-response' RadiusRule: $ref: '#/components/examples/radius-rule-response' CloudRule: $ref: '#/components/examples/cloud-rule-response' DenyRule: $ref: '#/components/examples/deny-rule-response' EnableSsprWithConstraints: $ref: '#/components/examples/sspr-enabled-sso-step-up-with-constraints-response' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a policy rule description: Deletes a policy rule identified by `policyId` and `ruleId` operationId: deletePolicyRule responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathPolicyId' - $ref: '#/components/parameters/pathRuleId' post: summary: Activate a policy rule description: Activates a policy rule identified by `policyId` and `ruleId` operationId: activatePolicyRule responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathPolicyId' - $ref: '#/components/parameters/pathRuleId' post: summary: Deactivate a policy rule description: Deactivates a policy rule identified by `policyId` and `ruleId` operationId: deactivatePolicyRule responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - 
oauth2: - okta.policies.manage tags: - Policy x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/principal-rate-limits: get: summary: List all principal rate limits description: Lists all Principal Rate Limit entities considering the provided parameters operationId: listPrincipalRateLimitEntities parameters: - name: filter in: query description: |- Filters the list of principal rate limit entities by the provided principal type (`principalType`). For example, `filter=principalType eq "SSWS_TOKEN"` or `filter=principalType eq "OAUTH_CLIENT"`. schema: type: string required: true - name: after in: query description: The cursor to use for pagination. It's an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query description: Specifies the number of items to return in a single response page. schema: type: integer format: int32 default: 20 maximum: 50 responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/PrincipalRateLimitEntity' examples: SSWSListAll: $ref: '#/components/examples/PrincipalRateLimitsSSWSListAllExample' OAuthClientListAll: $ref: '#/components/examples/PrincipalRateLimitsOAuthClientListAllExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.principalRateLimits.read tags: - PrincipalRateLimit x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a principal rate limit description: Creates a new principal rate limit entity. Okta only allows one principal rate limit entity per org and principal. 
operationId: createPrincipalRateLimitEntity x-codegen-request-body-name: entity requestBody: content: application/json: schema: $ref: '#/components/schemas/PrincipalRateLimitEntity' examples: SSWSToken: $ref: '#/components/examples/PrincipalRateLimitEntityRequestSSWSToken' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/PrincipalRateLimitEntity' examples: SSWSToken: $ref: '#/components/examples/PrincipalRateLimitEntityResponseSSWSToken' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.principalRateLimits.manage tags: - PrincipalRateLimit x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/principal-rate-limits/{principalRateLimitId}: parameters: - $ref: '#/components/parameters/pathPrincipalRateLimitId' get: summary: Retrieve a principal rate limit description: Retrieves a principal rate limit entity by `principalRateLimitId` operationId: getPrincipalRateLimitEntity responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PrincipalRateLimitEntity' examples: SSWSToken: $ref: '#/components/examples/PrincipalRateLimitEntityResponseSSWSToken' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.principalRateLimits.read tags: - PrincipalRateLimit x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a principal rate limit description: Replaces a principal rate limit entity by `principalRateLimitId` operationId: replacePrincipalRateLimitEntity x-codegen-request-body-name: entity requestBody: content: 
application/json: schema: $ref: '#/components/schemas/PrincipalRateLimitEntity' examples: SSWSToken: $ref: '#/components/examples/PrincipalRateLimitEntityReplaceRequestSSWSToken' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PrincipalRateLimitEntity' examples: SSWSToken: $ref: '#/components/examples/PrincipalRateLimitEntityReplaceResponseSSWSToken' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.principalRateLimits.manage tags: - PrincipalRateLimit x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/push-providers: get: summary: List all push providers description: Lists all push providers operationId: listPushProviders parameters: - name: type in: query description: Filters push providers by `providerType` schema: $ref: '#/components/schemas/ProviderType' responses: '200': description: OK content: application/json: example: value: - id: ppchvbeucdTgqeiGxR0g4 providerType: APNS name: Example Push Provider 1 lastUpdatedDate: '2022-01-00T00:00:00.000Z' configuration: keyId: ABC123DEFG teamId: DEF123GHIJ fileName: fileName.p8 _links: self: href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} hints: allow: - DELETE - GET - PUT - id: ppctekcmngGaqeiBxB0g4 providerType: FCM name: Example Push Provider 2 lastUpdatedDate: '2022-01-00T00:00:00.000Z' configuration: projectId: PROJECT_ID fileName: fileName.json _links: self: href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} hints: allow: - DELETE - GET - PUT schema: type: array items: $ref: '#/components/schemas/PushProvider' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - 
apiToken: [] - oauth2: - okta.pushProviders.read tags: - PushProvider x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create a push provider description: Creates a new push provider. Each Push Provider must have a unique `name`. operationId: createPushProvider x-codegen-request-body-name: pushProvider requestBody: content: application/json: schema: $ref: '#/components/schemas/PushProvider' examples: APNs: $ref: '#/components/examples/PushProviderAPNsRequest' FCM: $ref: '#/components/examples/PushProviderFCMRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PushProvider' examples: APNs: $ref: '#/components/examples/PushProviderAPNsResponse' FCM: $ref: '#/components/examples/PushProviderFCMResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.pushProviders.manage tags: - PushProvider x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/push-providers/{pushProviderId}: parameters: - $ref: '#/components/parameters/pathPushProviderId' get: summary: Retrieve a push provider description: Retrieves a push provider by `pushProviderId` operationId: getPushProvider responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PushProvider' examples: APNs: $ref: '#/components/examples/PushProviderAPNsResponse' FCM: $ref: '#/components/examples/PushProviderFCMResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.pushProviders.read tags: - PushProvider x-okta-lifecycle: lifecycle: LIMITED_GA 
isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace a push provider description: Replaces a push provider by `pushProviderId` operationId: replacePushProvider x-codegen-request-body-name: pushProvider requestBody: content: application/json: schema: $ref: '#/components/schemas/PushProvider' examples: APNs: $ref: '#/components/examples/PushProviderAPNsRequest' FCM: $ref: '#/components/examples/PushProviderFCMRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PushProvider' examples: APNs: $ref: '#/components/examples/PushProviderAPNsResponse' FCM: $ref: '#/components/examples/PushProviderFCMResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.pushProviders.manage tags: - PushProvider x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete a push provider description: Deletes a push provider by `pushProviderId`. If the push provider is currently being used in the org by a custom authenticator, the delete will not be allowed. 
operationId: deletePushProvider responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '409': description: Conflict headers: {} content: application/json: schema: $ref: '#/components/schemas/Error' examples: Cannot remove push provider in use by a custom app authenticator: $ref: '#/components/examples/ErrorPushProviderUsedByCustomAppAuthenticator' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.pushProviders.manage tags: - PushProvider x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/rate-limit-settings/admin-notifications: get: summary: Retrieve the rate limit admin notification settings description: Retrieves the currently configured Rate Limit Admin Notification Settings operationId: getRateLimitSettingsAdminNotifications responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/RateLimitAdminNotifications' examples: Enabled: $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' Disabled: $ref: '#/components/examples/RateLimitAdminNotificationsDisabled' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.rateLimits.read tags: - RateLimitSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the rate limit admin notification settings description: Replaces the Rate Limit Admin Notification Settings and returns the configured properties operationId: replaceRateLimitSettingsAdminNotifications x-codegen-request-body-name: RateLimitAdminNotifications requestBody: content: application/json: schema: $ref: '#/components/schemas/RateLimitAdminNotifications' examples: Enabled: $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' Disabled: $ref: 
'#/components/examples/RateLimitAdminNotificationsDisabled' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/RateLimitAdminNotifications' examples: Enabled: $ref: '#/components/examples/RateLimitAdminNotificationsEnabled' Disabled: $ref: '#/components/examples/RateLimitAdminNotificationsDisabled' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.rateLimits.manage tags: - RateLimitSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/rate-limit-settings/per-client: get: summary: Retrieve the per-client rate limit settings description: Retrieves the currently configured Per-Client Rate Limit Settings operationId: getRateLimitSettingsPerClient responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PerClientRateLimitSettings' examples: EnforceDefault: $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefault' EnforceDefaultWithOverrides: $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides' PreviewDefaultWithOverrides: $ref: '#/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.rateLimits.read tags: - RateLimitSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the per-client rate limit settings description: Replaces the Per-Client Rate Limit Settings and returns the configured properties operationId: replaceRateLimitSettingsPerClient x-codegen-request-body-name: perClientRateLimitSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/PerClientRateLimitSettings' examples: 
EnforceDefault: $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefault' EnforceDefaultWithOverrides: $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides' PreviewDefaultWithOverrides: $ref: '#/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/PerClientRateLimitSettings' examples: EnforceDefault: $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefault' EnforceDefaultWithOverrides: $ref: '#/components/examples/PerClientRateLimitSettingsEnforceDefaultWithOverrides' PreviewDefaultWithOverrides: $ref: '#/components/examples/PerClientRateLimitSettingsPreviewDefaultWithOverrides' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.rateLimits.manage tags: - RateLimitSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/rate-limit-settings/warning-threshold: get: summary: Retrieve the rate limit warning threshold percentage description: Retrieves the currently configured threshold for warning notifications when the API's rate limit is exceeded operationId: getRateLimitSettingsWarningThreshold responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/RateLimitWarningThresholdResponse' examples: ExampleThreshold: $ref: '#/components/examples/RateLimitWarningThresholdValidExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.rateLimits.read tags: - RateLimitSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the rate limit warning threshold percentage description: Replaces the Rate Limit 
Warning Threshold Percentage and returns the configured property operationId: replaceRateLimitSettingsWarningThreshold x-codegen-request-body-name: RateLimitWarningThreshold requestBody: content: application/json: schema: $ref: '#/components/schemas/RateLimitWarningThresholdRequest' examples: ExampleThreshold: $ref: '#/components/examples/RateLimitWarningThresholdValidExample' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/RateLimitWarningThresholdResponse' examples: ExampleThreshold: $ref: '#/components/examples/RateLimitWarningThresholdValidExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.rateLimits.manage tags: - RateLimitSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/realm-assignments: get: x-okta-lifecycle: lifecycle: GA summary: List all realm assignments description: Lists all realm assignments operationId: listRealmAssignments parameters: - $ref: '#/components/parameters/queryLimit' - name: after in: query description: The cursor used for pagination. It represents the priority of the last realm assignment returned in the previous fetch operation. 
schema: type: string responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/RealmAssignment' examples: AssignmentLists: $ref: '#/components/examples/ListRealmAssignmentsResponse' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.read tags: - RealmAssignment post: x-okta-lifecycle: lifecycle: GA summary: Create a realm assignment description: Creates a new realm assignment operationId: createRealmAssignment x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateRealmAssignmentRequest' examples: Create Realm Assignments: $ref: '#/components/examples/CreateRealmAssignmentRequest' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/RealmAssignment' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.manage tags: - RealmAssignment /api/v1/realm-assignments/operations: get: x-okta-lifecycle: lifecycle: GA summary: List all realm assignment operations description: Lists all realm assignment operations. The upper limit is 200 and operations are sorted in descending order from most recent to oldest by ID. 
operationId: listRealmAssignmentOperations parameters: - $ref: '#/components/parameters/queryLimit' - $ref: '#/components/parameters/queryAfter' responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/RealmAssignmentOperationResponse' examples: Executions: value: - id: rre4mje4ez6B2a7B60g7 type: realm:assignment status: COMPLETED created: '2023-10-25T21:02:54.000Z' started: '2023-10-25T21:02:54.000Z' completed: '2023-10-25T21:02:54.000Z' realmId: 00g1b7rvh0xPLKXFf0g5 realmName: Realm Name assignmentOperation: configuration: id: 0pr1b7rxZj2ibQzfP0g5 name: Realm Assignment 1 conditions: profileSourceId: 0oa4enoRyjwSCy5hx0g4 expression: value: string actions: assignUserToRealm: realmId: 00g1b7rvh0xPLKXFf0g5 numUserMoved: 50 _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 method: GET - id: rre4mje4ez7B2a7B60g7 type: realm:assignment status: COMPLETED created: '2023-10-25T21:02:54.000Z' started: '2023-10-25T21:02:54.000Z' completed: '2023-10-25T21:02:54.000Z' assignmentOperation: configuration: id: ALL name: All Assignments numUserMoved: 50 _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7 method: GET '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.read tags: - RealmAssignment post: x-okta-lifecycle: lifecycle: GA summary: Execute a realm assignment description: Executes a realm assignment operationId: executeRealmAssignment x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/OperationRequest' examples: ExecuteSpecificAssignment: value: assignmentId: 0pr1b7rxZj2ibQzfP0g5 ExecuteAllAssignments: value: assignmentId: ALL required: true responses: '201': description: Created content: 
application/json: schema: $ref: '#/components/schemas/RealmAssignmentOperationResponse' examples: Execution: $ref: '#/components/examples/OperationResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.manage tags: - RealmAssignment /api/v1/realm-assignments/{assignmentId}: parameters: - $ref: '#/components/parameters/assignmentId' get: x-okta-lifecycle: lifecycle: GA summary: Retrieve a realm assignment description: Retrieves a realm assignment operationId: getRealmAssignment responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/RealmAssignment' examples: RealmAssignment: $ref: '#/components/examples/GetRealmAssignmentResponse' CatchAllRealmAssignment: $ref: '#/components/examples/DefaultRealmAssignment' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.read tags: - RealmAssignment put: x-okta-lifecycle: lifecycle: GA summary: Replace a realm assignment description: Replaces a realm assignment operationId: replaceRealmAssignment x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateRealmAssignmentRequest' examples: Replace Realm Assignment: $ref: '#/components/examples/CreateRealmAssignmentRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/RealmAssignment' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.manage tags: - RealmAssignment delete: x-okta-lifecycle: lifecycle: GA summary: Delete a realm assignment description: Deletes a realm assignment operationId: deleteRealmAssignment responses: '204': description: No Content content: {} '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.manage tags: - RealmAssignment /api/v1/realm-assignments/{assignmentId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/assignmentId' post: x-okta-lifecycle: lifecycle: GA summary: Activate a realm assignment description: Activates a realm assignment operationId: activateRealmAssignment responses: '204': description: No Content content: {} '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.manage tags: - RealmAssignment /api/v1/realm-assignments/{assignmentId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/assignmentId' post: x-okta-lifecycle: lifecycle: GA summary: Deactivate a realm assignment description: Deactivates a realm assignment operationId: deactivateRealmAssignment responses: '204': description: No Content content: {} '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': 
$ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realmAssignments.manage tags: - RealmAssignment /api/v1/realms: get: x-okta-lifecycle: lifecycle: GA summary: List all realms description: |- Lists all realms. > **Note:** The `search` parameter results are sourced from an eventually consistent datasource and may not reflect the latest information. operationId: listRealms parameters: - name: limit in: query description: Specifies the number of results returned. Defaults to 10 if `search` is provided. schema: type: integer format: int32 default: 200 - $ref: '#/components/parameters/queryAfter' - name: search in: query description: |- Searches for realms with a supported filtering expression for most properties. Searches for realms can be filtered by the contains (`co`) operator. You can only use `co` with the `profile.name` property. See [Operators](https://developer.okta.com/docs/api/#operators). 
schema: type: string - name: sortBy in: query description: Specifies the field to sort by and can be any single property (for search queries only) schema: type: string example: profile.name - $ref: '#/components/parameters/querySortOrder' responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/Realm' examples: Realm Lists: $ref: '#/components/examples/ListRealmsResponse' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realms.read tags: - Realm post: x-okta-lifecycle: lifecycle: GA summary: Create a realm description: Creates a new realm operationId: createRealm x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateRealmRequest' examples: Create a realm: $ref: '#/components/examples/CreateRealmRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Realm' examples: Realm Lists: $ref: '#/components/examples/ListRealmsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realms.manage tags: - Realm /api/v1/realms/{realmId}: parameters: - $ref: '#/components/parameters/pathRealmId' get: x-okta-lifecycle: lifecycle: GA summary: Retrieve a realm description: Retrieves a realm operationId: getRealm responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Realm' examples: DefaultRealm: $ref: '#/components/examples/DefaultRealmResponse' NonDefaultRealm: $ref: '#/components/examples/RealmResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realms.read tags: - Realm put: x-okta-lifecycle: lifecycle: GA summary: Replace the realm profile description: Replaces the realm profile operationId: replaceRealm x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateRealmRequest' examples: Replace a realm: $ref: '#/components/examples/CreateRealmRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Realm' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realms.manage tags: - Realm delete: x-okta-lifecycle: lifecycle: GA summary: Delete a realm description: Deletes a realm permanently. This operation can only be performed after disassociating other entities like users and identity providers from a realm. 
operationId: deleteRealm responses: '204': description: No Content content: {} '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.realms.manage tags: - Realm /api/v1/roles/{roleRef}/subscriptions: parameters: - $ref: '#/components/parameters/pathRoleRef' get: summary: List all subscriptions for a role description: Lists all subscriptions available to a specified Role operationId: listSubscriptionsRole responses: '200': description: Success content: application/json: schema: items: $ref: '#/components/schemas/Subscription' type: array '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - Subscription x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/roles/{roleRef}/subscriptions/{notificationType}: parameters: - $ref: '#/components/parameters/pathRoleRef' - $ref: '#/components/parameters/pathNotificationType' get: summary: Retrieve a subscription for a role description: Retrieves a subscription by `notificationType` for a specified Role operationId: getSubscriptionsNotificationTypeRole responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Subscription' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - Subscription x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/roles/{roleRef}/subscriptions/{notificationType}/subscribe: 
parameters: - $ref: '#/components/parameters/pathRoleRef' - $ref: '#/components/parameters/pathNotificationType' post: summary: Subscribe a role to a specific notification type description: Subscribes a Role to a specified notification type. Changes to Role subscriptions override the subscription status of any individual users with the Role. operationId: subscribeByNotificationTypeRole responses: '200': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - Subscription x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/roles/{roleRef}/subscriptions/{notificationType}/unsubscribe: parameters: - $ref: '#/components/parameters/pathRoleRef' - $ref: '#/components/parameters/pathNotificationType' post: summary: Unsubscribe a role from a specific notification type description: Unsubscribes a Role from a specified notification type. Changes to Role subscriptions override the subscription status of any individual users with the Role. 
operationId: unsubscribeByNotificationTypeRole responses: '200': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - Subscription x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/security-events-providers: get: summary: List all security events providers description: Lists all Security Events Provider instances operationId: listSecurityEventsProviderInstances responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/SecurityEventsProviderResponse' examples: list: $ref: '#/components/examples/ListOfSecurityEventsProviderInstances' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.securityEventsProviders.read tags: - SSFReceiver x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create a security events provider description: Creates a Security Events Provider instance operationId: createSecurityEventsProviderInstance x-codegen-request-body-name: instance requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/SecurityEventsProviderRequest' examples: well-known-URL-provided: $ref: '#/components/examples/SecurityEventsProviderRequestWellKnownUrl' issuer-and-JWKS-URL-provided: $ref: '#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SecurityEventsProviderResponse' examples: well-known-URL-provided: $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' issuer-and-JWKS-URL-provided: $ref: 
'#/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.securityEventsProviders.manage tags: - SSFReceiver x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/security-events-providers/{securityEventProviderId}: parameters: - $ref: '#/components/parameters/pathSecurityEventProviderId' get: summary: Retrieve the security events provider description: Retrieves the Security Events Provider instance specified by `id` operationId: getSecurityEventsProviderInstance responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SecurityEventsProviderResponse' examples: get: $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.securityEventsProviders.read tags: - SSFReceiver x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace a security events provider description: Replaces a Security Events Provider instance specified by `id` operationId: replaceSecurityEventsProviderInstance x-codegen-request-body-name: instance requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/SecurityEventsProviderRequest' examples: well-known-URL-provided: $ref: '#/components/examples/SecurityEventsProviderRequestWellKnownUrl' issuer-and-JWKS-URL-provided: $ref: 
'#/components/examples/SecurityEventsProviderRequestIssuerAndJwksUrl' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SecurityEventsProviderResponse' examples: well-known-URL-provided: $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' issuer-and-JWKS-URL-provided: $ref: '#/components/examples/SecurityEventsProviderResponseIssuerAndJwksUrl' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.securityEventsProviders.manage tags: - SSFReceiver x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete a security events provider description: Deletes a Security Events Provider instance specified by `id` operationId: deleteSecurityEventsProviderInstance responses: '204': description: No Content content: {} '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.securityEventsProviders.manage tags: - SSFReceiver x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathSecurityEventProviderId' post: summary: Activate a security events provider description: |- Activates a Security Events Provider instance by setting its status to `ACTIVE`. This operation resumes the flow of events from the Security Events Provider to Okta. 
operationId: activateSecurityEventsProviderInstance responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SecurityEventsProviderResponse' examples: activatedInstance: $ref: '#/components/examples/SecurityEventsProviderResponseWellKnownUrl' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.securityEventsProviders.manage tags: - SSFReceiver x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/security-events-providers/{securityEventProviderId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathSecurityEventProviderId' post: summary: Deactivate a security events provider description: |- Deactivates a Security Events Provider instance by setting its status to `INACTIVE`. This operation stops the flow of events from the Security Events Provider to Okta. 
operationId: deactivateSecurityEventsProviderInstance responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SecurityEventsProviderResponse' examples: deactivatedInstance: $ref: '#/components/examples/DeactivatedSecurityEventsProviderResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.securityEventsProviders.manage tags: - SSFReceiver x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/sessions/{sessionId}: parameters: - $ref: '#/components/parameters/pathSessionId' get: summary: Retrieve a session description: Retrieves information about the Session specified by the given session ID operationId: getSession responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Session' examples: SessionsRetrieve: summary: Retrieve session information for a single session ID $ref: '#/components/examples/RetrieveSessionResponse' '400': description: Bad Request '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.sessions.read tags: - Session x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a session description: Revokes the specified Session operationId: revokeSession responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.sessions.manage tags: - Session x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true 
/api/v1/sessions/{sessionId}/lifecycle/refresh: parameters: - $ref: '#/components/parameters/pathSessionId' post: summary: Refresh a session description: Refreshes an existing Session using the `id` for that Session. A successful response contains the refreshed Session with an updated `expiresAt` timestamp. operationId: refreshSession responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Session' examples: SessionsRefresh: summary: Refresh an existing session using the session ID $ref: '#/components/examples/RefreshSessionResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.sessions.manage tags: - Session x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/ssf/stream: get: summary: Retrieve the SSF stream configuration(s) description: |- Retrieves either a list of all known SSF Stream configurations or the individual configuration if specified by ID. As Stream configurations are tied to a Client ID, only the Stream associated with the Client ID of the request OAuth 2.0 access token can be viewed. 
operationId: getSsfStreams parameters: - in: query name: stream_id schema: type: string example: esc1k235GIIztAuGK0g5 description: The ID of the specified SSF Stream configuration responses: '200': description: OK content: application/json: schema: oneOf: - type: array title: List of Stream Configurations items: $ref: '#/components/schemas/StreamConfiguration' - $ref: '#/components/schemas/StreamConfiguration' examples: listResponse: $ref: '#/components/examples/listStreamConfigurationExample' individualStreamResponse: $ref: '#/components/examples/streamConfigurationExample' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - oauth2: - ssf.read tags: - SSFTransmitter x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine post: summary: Create an SSF stream description: |- Creates an SSF Stream for an event receiver to start receiving security events in the form of Security Event Tokens (SETs) from Okta. An SSF Stream is associated with the Client ID of the OAuth 2.0 access token used to create the stream. The Client ID is provided by Okta for an [OAuth 2.0 app integration](https://help.okta.com/okta_help.htm?id=ext_Apps_App_Integration_Wizard-oidc). One SSF Stream is allowed for each Client ID, hence, one SSF Stream is allowed for each app integration in Okta. A maximum of 10 SSF Stream configurations can be created for one org. 
operationId: createSsfStream x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/StreamConfigurationCreateRequest' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/StreamConfiguration' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '409': $ref: '#/components/responses/ErrorApiValidationConflict409' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - oauth2: - ssf.manage tags: - SSFTransmitter x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace an SSF stream description: |- Replaces all properties for an existing SSF Stream configuration. If the `stream_id` isn't provided in the request body, the associated stream with the Client ID (through the request OAuth 2.0 access token) is replaced. operationId: replaceSsfStream x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/StreamConfiguration' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/StreamConfiguration' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - oauth2: - ssf.manage tags: - SSFTransmitter x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine patch: summary: Update an SSF stream description: |- Updates properties for an existing SSF Stream configuration. 
If the `stream_id` isn't provided in the request body, the associated stream with the Client ID (through the request OAuth 2.0 access token) is updated. operationId: updateSsfStream x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/StreamConfiguration' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/StreamConfiguration' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - oauth2: - ssf.manage tags: - SSFTransmitter x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete an SSF stream description: |- Deletes the specified SSF Stream. If the `stream_id` is not provided in the query string, the associated stream with the Client ID (through the request OAuth 2.0 access token) is deleted. Otherwise, the SSF Stream with the `stream_id` is deleted, if found. 
operationId: deleteSsfStream parameters: - in: query name: stream_id schema: type: string example: esc1k235GIIztAuGK0g5 description: The ID of the specified SSF Stream configuration responses: '204': description: No Content content: {} '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - oauth2: - ssf.manage tags: - SSFTransmitter x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/ssf/stream/status: get: summary: Retrieve the SSF Stream status description: Retrieves the status of an SSF Stream. The status indicates whether the transmitter is able to transmit events over the stream. operationId: getSsfStreamStatus parameters: - in: query name: stream_id schema: type: string example: esc1k235GIIztAuGK0g5 description: The ID of the specified SSF Stream configuration required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/StreamStatus' examples: streamStatusEnabledExample: $ref: '#/components/examples/streamStatusEnabledExample' streamStatusDisabledExample: $ref: '#/components/examples/streamStatusDisabledExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - oauth2: - ssf.read tags: - SSFTransmitter x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/ssf/stream/verification: post: summary: Verify an SSF stream description: |- Verifies an SSF Stream by publishing a 
Verification Event requested by a Security Events Provider. > **Note:** A successful response doesn't indicate that the Verification Event was transmitted successfully, only that Okta has transmitted the event or will at some point in the future. The SSF Receiver is responsible for validating and acknowledging successful transmission of the request by responding with HTTP Response Status Code 202. operationId: verifySsfStream x-codegen-request-body-name: instance requestBody: content: application/json: schema: $ref: '#/components/schemas/StreamVerificationRequest' required: true responses: '204': description: No Content content: {} '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - oauth2: - ssf.manage tags: - SSFTransmitter x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/templates/sms: get: summary: List all SMS templates description: Lists all custom SMS templates. A subset of templates can be returned that match a template type. 
operationId: listSmsTemplates parameters: - name: templateType in: query schema: $ref: '#/components/schemas/SmsTemplateType' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/SmsTemplate' examples: SMS Template List response: $ref: '#/components/examples/SMSTemplateListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - Template x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an SMS template description: Creates a new custom SMS template operationId: createSmsTemplate x-codegen-request-body-name: smsTemplate requestBody: content: application/json: schema: $ref: '#/components/schemas/SmsTemplate' examples: Create an SMS Template request: $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/SmsTemplate' examples: Create an SMS Template response: $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - Template x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/templates/sms/{templateId}: parameters: - $ref: '#/components/parameters/pathTemplateId' get: summary: Retrieve an SMS template description: Retrieves a specific template by `id` operationId: getSmsTemplate responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/SmsTemplate' examples: Get an SMS template response: $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.read tags: - Template x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update an SMS template description: | Updates only some of the SMS Template properties: * All properties within the custom SMS Template that have values are updated. * Any translation that doesn't exist is added. * Any translation with a null or empty value is removed. * Any translation with a non-empty, non-null value is updated. operationId: updateSmsTemplate x-codegen-request-body-name: smsTemplate requestBody: content: application/json: schema: $ref: '#/components/schemas/SmsTemplate' examples: Update an SMS Template request: $ref: '#/components/examples/UpdateSMSTemplateRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/SmsTemplate' examples: Update an SMS Template response: $ref: '#/components/examples/UpdateSMSTemplateResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - Template x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace an SMS template description: | Replaces the SMS Template > **Note:** You can't update the default SMS Template.
operationId: replaceSmsTemplate x-codegen-request-body-name: smsTemplate requestBody: content: application/json: schema: $ref: '#/components/schemas/SmsTemplate' examples: Replace an SMS Template request: $ref: '#/components/examples/CreateOrReplaceSMSTemplateRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/SmsTemplate' examples: Replace an SMS Template response: $ref: '#/components/examples/CreateOrReplaceSMSTemplateResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - Template x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an SMS template description: Deletes an SMS template operationId: deleteSmsTemplate responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.templates.manage tags: - Template x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/threats/configuration: get: summary: Retrieve the ThreatInsight configuration description: Retrieves the ThreatInsight configuration for the org operationId: getCurrentConfiguration responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ThreatInsightConfiguration' examples: ThreatInsightResponseEx: $ref: '#/components/examples/ThreatInsightResponseExample' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.threatInsights.read tags: - ThreatInsight 
x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Update the ThreatInsight configuration description: Updates the ThreatInsight configuration for the org operationId: updateConfiguration x-codegen-request-body-name: threatInsightConfiguration requestBody: content: application/json: schema: $ref: '#/components/schemas/ThreatInsightConfiguration' examples: ThreatInsightUpdateEx: $ref: '#/components/examples/ThreatInsightUpdateRequestExample' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ThreatInsightConfiguration' examples: ThreatInsightUpdateEx: $ref: '#/components/examples/ThreatInsightUpdateResponseExample' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.threatInsights.manage tags: - ThreatInsight x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/trustedOrigins: get: summary: List all trusted origins description: Lists all trusted origins operationId: listTrustedOrigins parameters: - name: q description: A search string that prefix matches against the `name` and `origin` in: query schema: type: string - name: filter description: | [Filter](https://developer.okta.com/docs/api/#filter) trusted origins with a supported expression for a subset of properties. You can filter on the following properties: `name`, `origin`, `status`, and `type` (type of scopes). 
in: query schema: type: string examples: By name: value: name eq "Example trusted origin" - name: after description: After cursor provided by a prior request in: query schema: type: string - name: limit description: Specifies the number of results in: query schema: type: integer format: int32 default: 20 maximum: 200 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/TrustedOrigin' examples: TrustedOriginsResponse: $ref: '#/components/examples/TrustedOriginsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.trustedOrigins.read tags: - TrustedOrigin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a trusted origin description: Creates a trusted origin operationId: createTrustedOrigin x-codegen-request-body-name: trustedOrigin requestBody: content: application/json: schema: $ref: '#/components/schemas/TrustedOriginWrite' examples: TrustedOriginBody: $ref: '#/components/examples/TrustedOriginBody' TrustedOriginBodyWithIframeEmbedding: $ref: '#/components/examples/TrustedOriginBodyWithIframeEmbedding' TrustedOriginBodyWithIframeEmbeddingSignIn: $ref: '#/components/examples/TrustedOriginBodyWithIframeEmbeddingSignIn' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' examples: TrustedOriginResponse: $ref: '#/components/examples/TrustedOriginResponse' TrustedOriginResponseWithIframeEmbedding: $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbedding' TrustedOriginResponseWithIframeEmbeddingSignIn: $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' 
security: - apiToken: [] - oauth2: - okta.trustedOrigins.manage tags: - TrustedOrigin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}: parameters: - $ref: '#/components/parameters/pathTrustedOriginId' get: summary: Retrieve a trusted origin description: Retrieves a trusted origin operationId: getTrustedOrigin responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' examples: TrustedOriginResponse: $ref: '#/components/examples/TrustedOriginResponse' TrustedOriginResponseWithIframeEmbedding: $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbedding' TrustedOriginResponseWithIframeEmbeddingSignIn: $ref: '#/components/examples/TrustedOriginResponseWithIframeEmbeddingSignIn' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.trustedOrigins.read tags: - TrustedOrigin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a trusted origin description: Replaces a trusted origin operationId: replaceTrustedOrigin x-codegen-request-body-name: trustedOrigin requestBody: content: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' examples: TrustedOriginPutBody: $ref: '#/components/examples/TrustedOriginPutBody' TrustedOriginPutBodyWithIframeEmbedding: $ref: '#/components/examples/TrustedOriginPutBodyWithIframeEmbedding' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' examples: TrustedOriginPutResponse: $ref: '#/components/examples/TrustedOriginPutResponse' TrustedOriginPutResponseWithIFrameEmbedding: $ref: '#/components/examples/TrustedOriginPutResponseWithIframeEmbedding' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: 
'#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.trustedOrigins.manage tags: - TrustedOrigin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a trusted origin description: Deletes a trusted origin operationId: deleteTrustedOrigin responses: '204': description: Success content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.trustedOrigins.manage tags: - TrustedOrigin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathTrustedOriginId' post: summary: Activate a trusted origin description: Activates a trusted origin. Sets the `status` to `ACTIVE`. operationId: activateTrustedOrigin responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' examples: TrustedOriginResponse: $ref: '#/components/examples/TrustedOriginResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.trustedOrigins.manage tags: - TrustedOrigin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathTrustedOriginId' post: summary: Deactivate a trusted origin description: Deactivates a trusted origin. Sets the `status` to `INACTIVE`. 
operationId: deactivateTrustedOrigin responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/TrustedOrigin' examples: TrustedOriginInactiveResponse: $ref: '#/components/examples/TrustedOriginInactiveResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.trustedOrigins.manage tags: - TrustedOrigin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users: get: summary: List all users description: |- Lists users in your org, with pagination in most cases. A subset of users can be returned that match a supported filter expression or search criteria. Different results are returned depending on specified queries in the request. > **Notes:** > * This operation omits users that have a status of `DEPROVISIONED` in the response. To return all users, use a filter or search query instead. > * The `search` parameter results are sourced from an eventually consistent datasource and may not reflect the latest information. operationId: listUsers parameters: - $ref: '#/components/parameters/OktaResponse' - name: search in: query description: |- Searches for users with a supported filtering expression for most properties. Okta recommends this query parameter because it provides the largest range of search options and optimal performance. > **Note:** Using an overly complex or long search query can result in an error. This operation supports [pagination](https://developer.okta.com/docs/api/#pagination). Use an ID lookup for records that you update to ensure your results contain the latest data. Returned users include those with the `DEPROVISIONED` status. Property names in the search parameter are case sensitive, whereas operators (`eq`, `sw`, and so on) and string values are case insensitive. 
Unlike with user logins, diacritical marks are significant in search string values: a search for `isaac.brock` finds `Isaac.Brock`, but doesn't find a property whose value is `isáàc.bröck`. This operation requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). See [Special characters](https://developer.okta.com/docs/api/#special-characters). This operation searches many properties: * Any user profile attribute, including custom-defined attributes * The top-level properties: `id`, `status`, `created`, `activated`, `statusChanged`, and `lastUpdated` * The [user type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType/operation/updateUserType) accessed as `type.id` * Properties that have array values > **Note:** The ability to search by user classification is available as an [Early Access](https://developer.okta.com/docs/api/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature. The `classification.type` property cannot be used in conjunction with other search terms. You can search using `classification.type eq "LITE"` or `classification.type eq "STANDARD"`. You can also use `sortBy` and `sortOrder` parameters. The `ne` (not equal) operator isn't supported, but you can obtain the same result by using `lt ... or ... gt`. For example, to see all users except those that have a status of `STAGED`, use `(status lt "STAGED" or status gt "STAGED")`. You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the [SCIM Protocol Specification](https://tools.ietf.org/html/rfc7644#section-3.4.2.2) for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See [Filter](https://developer.okta.com/docs/reference/core-okta-api/#filter). Searches for users can be filtered by the following operators: `sw`, `eq`, and `co`. 
You can only use `co` with these select user profile attributes: `profile.firstName`, `profile.lastName`, `profile.email`, and `profile.login`. See [Operators](https://developer.okta.com/docs/api/#operators). schema: type: string examples: searchByStatus: value: status%20eq%20%22STAGED%22 summary: Search for a specific status description: Search for users that have a status of STAGED searchByLastUpdatedAfterDate: value: lastUpdated%20gt%20%222014-01-01T00%3A00%3A00.000Z%22 summary: Search after a specific time description: Search for users that were last updated after a specific timestamp searchById: value: id%20eq%20%2200u1ero7vZFVEIYLWPBN%22 summary: Search for a specific ID description: Search for users with the specified ID (00gak46y5hydV6NdM0g4) searchByProfileDepartmentCreatedAndStatus: value: profile.department%20eq%20%22Engineering%22%20and%20%28created%20lt%20%222014-01-01T00%3A00%3A00.000Z%22%20or%20status%20eq%20%22ACTIVE%22%29 summary: Search with multiple criteria description: Search for users in the department of Engineering who were created before 01/01/2014 or have a status of ACTIVE searchArrayAttributes: value: profile.arrayAttr%20eq%20%22arrayAttrVal1%22 summary: Search for property arrays description: Searches for properties that are arrays. In this example, if a user has a custom user profile attribute "arrayAttr" that contains values ["arrayAttrVal1", "arrayAttrVal2"...], then this user is returned. searchArrayAttributesLiteUser: value: classification.type eq "LITE" summary: Search by classification description: 'Searches for users with the classification type LITE. Supported values: STANDARD or LITE.' - name: filter in: query description: |- Filters users with a supported expression for a subset of properties. > **Note:** Returned users include those with the `DEPROVISIONED` status. This requires [URL encoding](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding). 
For example, `filter=lastUpdated gt "2013-06-01T00:00:00.000Z"` is encoded as `filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22`. Filtering is case-sensitive for property names and query values, while operators are case-insensitive. Filtering supports the following limited number of properties: `status`, `lastUpdated`, `id`, `profile.login`, `profile.email`, `profile.firstName`, and `profile.lastName`. Additionally, filtering supports only the equal `eq` operator from the standard Okta API filtering semantics, except in the case of the `lastUpdated` property. This property can also use the inequality operators (`gt`, `ge`, `lt`, and `le`). For logical operators, only the logical operators `and` and `or` are supported. The `not` operator isn't supported. See [Filter](https://developer.okta.com/docs/api/#filter) and [Operators](https://developer.okta.com/docs/api/#operators). schema: type: string examples: filterByStatus: value: status%20eq%20%22LOCKED_OUT%22 summary: Filter by status description: Filter users with a status of LOCKED_OUT filterByLogin: value: profile.login%20eq%20%22login%40example.com%22 summary: Filter by login description: Filter users with a specified login filterByDateRange: value: lastUpdated%20gt%20%222013-06-01T00%3A00%3A00.000Z%22%20and%20lastUpdated%20lt%20%222014-01-01T00%3A00%3A00.000Z%22 summary: Filter by date range description: Filter users updated after 06/01/2013 but before 01/01/2014 filterByTypeAndProfileLastUpdatedAfterDate: value: lastUpdated%20gt%20%222013-06-01T00%3A00%3A00.000Z%22%20and%20%28status%20eq%20%22LOCKED_OUT%22%20or%20status%20eq%20%22RECOVERY%22%29 summary: Filter by multiple criteria description: Filter users updated after 06/01/2013 but with a status of LOCKED_OUT or RECOVERY - name: q in: query description: |- Finds users who match the specified query. Use the `q` parameter for simple queries, such as a lookup of users by name when creating a people picker. 
The value of `q` is matched against `firstName`, `lastName`, or `email`. This performs a `startsWith` match, but this is an implementation detail and can change without notice. You don't need to specify `firstName`, `lastName`, or `email`. > **Notes:** > * Using the `q` parameter in a request omits users that have a status of `DEPROVISIONED`. To return all users, use a `filter` or `search` query instead. > * This doesn't support pagination, but you can use `limit`. > * This isn't designed for large data sets. For optimal performance, use the `search` parameter instead. schema: type: string - $ref: '#/components/parameters/queryAfter' - name: limit in: query description: |- Specifies the number of results returned. Defaults to 10 if `q` is provided. You can use `limit` with `after` to define the cursor location in the data set and manage the user records per page. schema: type: integer format: int32 default: 200 - name: sortBy in: query description: Specifies the field to sort by (for search queries only). This can be any single property, for example `sortBy=profile.lastName`. Users with the same value for the `sortBy` property are ordered by `id`. Use with `sortOrder` to control the order of results. schema: type: string - $ref: '#/components/parameters/querySortOrder' - name: fields in: query description: |- Specifies a select set of user properties to query. Any other properties will be filtered out of the returned users. This is often called field projections in APIs, which can reduce payload size, improve performance, and limit unnecessary data exposure. Requested fields should be comma-separated. Place sub-fields in the profile object inside a `profile:()` directive, for example `profile:(firstName, city)`. The `id` field is always included, regardless of whether it's specified in the `fields` parameter.
schema: type: string examples: filterByProperties: value: id,status,profile:(firstName,lastName,city) summary: Request a subset of user fields description: 'Returned users should only show the following properties: id, status, profile.firstName, profile.lastName, profile.city' - name: expand in: query description: 'A parameter to include metadata in the `_embedded` property. Supported value: `classification`.' required: false schema: type: string example: classification x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/User' examples: ListUsers: $ref: '#/components/examples/ListUsersResponse' UsersProjections: $ref: '#/components/examples/ListUsersFieldsResponse' UsersSearch: $ref: '#/components/examples/ListUsersSearchResponse' UsersQ: $ref: '#/components/examples/ListUsersQResponse' UsersFilter: $ref: '#/components/examples/ListUsersFilterResponse' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - User x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true post: summary: Create a user description: |- Creates a new user in your Okta org with or without credentials.
> **Legal Disclaimer** > > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, > you agreed not to use Okta's service/product to spam and/or send unsolicited messages. > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships). * The user's `transitioningToStatus` property is `ACTIVE` during activation to indicate that the user hasn't completed the asynchronous operation. * The user's `status` is `ACTIVE` when the activation process is complete. The user is emailed a one-time activation token if activated without a password. > **Note:** If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user. > **Important:** Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password. For more information about the various scenarios of creating a user listed in the examples, see the [User creation scenarios](/openapi/okta-management/management/tag/User/#user-creation-scenarios) section. 
operationId: createUser parameters: - name: activate in: query description: Executes an [activation lifecycle](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser) operation when creating the user schema: type: boolean default: true - name: provider in: query description: Indicates whether to create a user with a specified authentication provider schema: type: boolean default: false - name: nextLogin in: query description: With `activate=true`, if `nextLogin=changePassword`, a user is created, activated, and the password is set to `EXPIRED`. The user must change it the next time they sign in. schema: $ref: '#/components/schemas/UserNextLogin' x-okta-added-version: 0.14.0 x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUserRequest' examples: Create user without credentials: $ref: '#/components/examples/create-user-without-credentials-request' Create user with recovery question: $ref: '#/components/examples/create-user-with-recovery-question-request' Create user with password: $ref: '#/components/examples/create-user-with-password-request' Create user with imported hashed password: $ref: '#/components/examples/create-user-with-imported-hashed-password-request' Create user with password import inline hook: $ref: '#/components/examples/create-user-with-password-import-inline-hook-request' Create user with password and recovery question: $ref: '#/components/examples/create-user-with-password-and-recovery-question-request' Create user with authentication provider: $ref: '#/components/examples/create-user-with-authentication-provider-request' Create user in group: $ref: '#/components/examples/create-user-in-group-request' Create user with non-default user type: $ref: '#/components/examples/create-user-with-non-default-user-type-request' required: true responses: '200': description: Success content: application/json: schema: 
$ref: '#/components/schemas/User' examples: Create user without credentials: $ref: '#/components/examples/create-user-without-credentials-response' Create user with recovery question: $ref: '#/components/examples/create-user-with-recovery-question-response' Create user with password: $ref: '#/components/examples/create-user-with-password-response' Create user with imported hashed password: $ref: '#/components/examples/create-user-with-imported-hashed-password-response' Create user with password import inline hook: $ref: '#/components/examples/create-user-with-password-import-inline-hook-response' Create user with password and recovery question: $ref: '#/components/examples/create-user-with-password-and-recovery-question-response' Create user with authentication provider: $ref: '#/components/examples/create-user-with-authentication-provider-response' Create user in group: $ref: '#/components/examples/create-user-in-group-response' Create user with non-default user type: $ref: '#/components/examples/create-user-with-non-default-user-type-response' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: Create user with too many groups specified: $ref: '#/components/examples/ErrorCreateUserWithTooManyManyGroupsResponse' Create user with expired password and activate set to `false`: $ref: '#/components/examples/ErrorCreateUserWithExpiredPasswordWithoutActivation' Create user with expired password and `null` password: $ref: '#/components/examples/ErrorCreateUserWithExpiredPasswordWithNullPassword' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - User x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}: parameters: - $ref: '#/components/parameters/pathId' get: summary: Retrieve a user description: 
|- Retrieves a user from your Okta org. You can substitute `me` for the `id` to fetch the current user linked to an API token or session cookie. * The request returns the user linked to the API token that is specified in the Authorization header, not the user linked to the active session. Details of the admin user who granted the API token are returned. * When the end user has an active Okta session, it is typically a CORS request from the browser. Therefore, it's possible to retrieve the current user without the Authorization header. When fetching a user by `login` or `login shortname`, [URL encode](https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding) the request parameter to ensure that special characters are escaped properly. Logins with a `/` character can only be fetched by `id` due to URL issues with escaping the `/` character. If you don't know a user's ID, you can use the [List all users](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) endpoint to find it. > **Note:** Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See [Mitigate the impact of third-party cookie deprecation](https://help.okta.com/okta_help.htm?type=oie&id=ext-third-party-cookies). operationId: getUser parameters: - $ref: '#/components/parameters/OktaResponse' - $ref: '#/components/parameters/queryUserExpand' responses: '200': description: Success headers: Etag: description: An HTTP entity tag (`ETag`) is an identifier for a specific version of a resource. See [Conditional Requests and Entity Tags](/#conditional-requests-and-entity-tags).
schema: type: string example: W/"1234567890abcdef" content: application/json: schema: $ref: '#/components/schemas/User' examples: GetUserExample: $ref: '#/components/examples/user-example' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - User x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true post: summary: Update a user description: |- Updates a user's profile or credentials with partial update semantics. > **Important:** Use the `POST` method for partial updates. Unspecified properties are set to null with `PUT`. `profile` and `credentials` can be updated independently or together with a single request. > **Note**: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object, the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type. > **Note**: To update a current user's profile with partial semantics, the `/api/v1/users/me` endpoint can be invoked. > > A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification. If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. 
For operations that validate credentials, refer to the [Reset password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword), [Start forgot password flow](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/forgotPassword), and [Update password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/changePassword) endpoints. operationId: updateUser parameters: - name: strict in: query schema: type: boolean description: If `true`, validates against minimum age and history password policy - name: If-Match in: header required: false description: The ETag value of the user's expected current state. This becomes a conditional request used for concurrency control. See [Conditional Requests and Entity Tags](/#conditional-requests-and-entity-tags). schema: type: string example: W/"1234567890abcdef" x-codegen-request-body-name: user requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserRequest' examples: Update user Profile: $ref: '#/components/examples/update-user-profile-request' Update user password: $ref: '#/components/examples/update-user-set-password-request' Set recovery question and answer: $ref: '#/components/examples/update-user-set-recovery-question-and-answer' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/User' examples: Update user Response: $ref: '#/components/examples/user-example' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: -
okta.users.manage tags: - User x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true put: summary: Replace a user description: |- Replaces a user's profile, credentials, or both using strict-update semantics. All profile properties must be specified when updating a user's profile with a `PUT` method. Any property not specified in the request is deleted. > **Important:** Don't use a `PUT` method for partial updates. operationId: replaceUser parameters: - name: strict in: query description: If `true`, validates against minimum age and history password policy schema: type: boolean x-okta-added-version: 1.10.0 - name: If-Match in: header required: false description: The ETag value of the user's expected current state. This becomes a conditional request used for concurrency control. See [Conditional Requests and Entity Tags](/#conditional-requests-and-entity-tags). schema: type: string example: W/"1234567890abcdef" x-codegen-request-body-name: user requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserRequest' examples: Replace user Request: $ref: '#/components/examples/replace-user-request' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/User' examples: Replace user Response: $ref: '#/components/examples/user-example' '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - User x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a user description: |- Deletes a user permanently. 
This operation can only be performed on users that have a `DEPROVISIONED` status. > **Warning:** This action can't be recovered! This operation on a user that hasn't been deactivated causes that user to be deactivated. A second delete operation is required to delete the user. > **Note:** You can also perform user deletion asynchronously. To invoke asynchronous user deletion, pass an HTTP header `Prefer: respond-async` with the request. This header is also supported by user deactivation, which is performed if the delete endpoint is invoked on a user that hasn't been deactivated. operationId: deleteUser parameters: - name: sendEmail in: query description: Sends a deactivation email to the admin if `true` schema: type: boolean default: false x-okta-added-version: 1.5.0 - name: Prefer in: header required: false schema: type: string enum: - respond-async responses: '204': description: No Content content: {} '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - User x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/appLinks: parameters: - $ref: '#/components/parameters/pathId' get: summary: List all assigned app links description: |- Lists all app links for all direct or indirect (through group membership) assigned apps. > **Note:** To list all apps in an org, use the [List all applications endpoint in the Applications API](/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications). 
operationId: listAppLinks responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/AssignedAppLink' examples: List App Links: $ref: '#/components/examples/ListAppLinks' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserResources x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/blocks: parameters: - $ref: '#/components/parameters/pathId' get: summary: List all user blocks description: Lists information about how the user is blocked from accessing their account operationId: listUserBlocks responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/UserBlock' examples: BlocksUnknownDevices: $ref: '#/components/examples/ListUserBlocksUnknownDevicesResponse' BlocksAnyDevices: $ref: '#/components/examples/ListUserBlocksAnyDevicesResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - User x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/groups: parameters: - $ref: '#/components/parameters/pathId' get: summary: List all groups description: |- Lists all groups of which the user is a member. > **Note:** To list all groups in your org, use the [List all groups endpoints in the Groups API](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups). 
operationId: listUserGroups responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Group' examples: List user groups: $ref: '#/components/examples/ListUserGroups' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserResources x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/idps: parameters: - $ref: '#/components/parameters/pathId' get: summary: List all IdPs for user description: Lists the identity providers (IdPs) associated with the user operationId: listUserIdentityProviders responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/IdentityProvider' examples: MultipleIdPsResponse: $ref: '#/components/examples/MultipleIdPsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - IdentityProviderUsers x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathId' post: summary: Activate a user description: |- Activates a user. Perform this operation only on users with a `STAGED` or `DEPROVISIONED` status. Activation of a user is an asynchronous operation. * The user has the `transitioningToStatus` property with an `ACTIVE` value during activation. This indicates that the user hasn't completed the asynchronous operation. * The user has an `ACTIVE` status when the activation process completes. 
Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to `ACTIVE` status. > **Note:** If you want to send a branded user activation email, change the subdomain of your request to the custom domain that's associated with the brand. > For example, change `subdomain.okta.com` to `custom.domain.one`. See [Multibrand and custom domains](https://developer.okta.com/docs/concepts/brands/#multibrand-and-custom-domains). > **Note:** If you have optional password enabled, visiting the activation link is optional for users who aren't required to enroll a password. > See [Create user with optional password](/openapi/okta-management/management/tag/User/#create-user-with-optional-password). > **Legal disclaimer** > After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, > you agreed not to use Okta's service/product to spam and/or send unsolicited messages. > Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all > liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients. 
operationId: activateUser parameters: - name: sendEmail in: query description: Sends an activation email to the user if `true` required: false schema: type: boolean default: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserActivationToken' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathId' post: summary: Deactivate a user description: |- Deactivates a user. Perform this operation only on users that do not have a `DEPROVISIONED` status. * The user's `transitioningToStatus` property is `DEPROVISIONED` during deactivation to indicate that the user hasn't completed the asynchronous operation. * The user's status is `DEPROVISIONED` when the deactivation process is complete. > **Important:** Deactivating a user is a **destructive** operation. The user is deprovisioned from all assigned apps, which might destroy their data such as email or files. **This action cannot be recovered!** You can also perform user deactivation asynchronously. To invoke asynchronous user deactivation, pass an HTTP header `Prefer: respond-async` with the request. 
operationId: deactivateUser parameters: - name: sendEmail in: query description: Sends a deactivation email to the admin if `true` schema: type: boolean default: false x-okta-added-version: 1.5.0 - name: Prefer in: header required: false schema: type: string enum: - respond-async description: Request asynchronous processing responses: '200': description: OK content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/expire_password: parameters: - $ref: '#/components/parameters/pathId' post: summary: Expire the password description: |- Expires the password. This operation transitions the user status to `PASSWORD_EXPIRED` so that the user must change their password the next time that they sign in.
If you have integrated Okta with your on-premises Active Directory (AD), then setting a user's password as expired in Okta also expires the password in AD. When the user tries to sign in to Okta, delegated authentication finds the password-expired status in AD, and the user is presented with the password-expired page where they can change their password. > **Note:** The Okta account management policy doesn't support the `/users/{id}/lifecycle/expire_password` endpoint. See [Configure an Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). operationId: expirePassword responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/User' examples: Expire password response: $ref: '#/components/examples/ExpirePwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/expire_password_with_temp_password: parameters: - $ref: '#/components/parameters/pathId' post: summary: Expire the password with a temporary password description: |- Expires the password and resets the user's password to a temporary password. This operation transitions the user status to `PASSWORD_EXPIRED` so that the user must change their password the next time that they sign in. The user's password is reset to a temporary password that's returned, and then the user's password is expired. If `revokeSessions` is included in the request with a value of `true`, the user's current outstanding sessions are revoked and require re-authentication.
If you have integrated Okta with your on-premises Active Directory (AD), then setting a user's password as expired in Okta also expires the password in AD. When the user tries to sign in to Okta, delegated authentication finds the password-expired status in AD, and the user is presented with the password-expired page where they can change their password. operationId: expirePasswordWithTempPassword parameters: - name: revokeSessions in: query description: Revokes the user's existing sessions if `true` required: false schema: type: boolean default: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/TempPassword' examples: Expire password with temp password response: $ref: '#/components/examples/ExpirePwdWithTempPwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/reactivate: parameters: - $ref: '#/components/parameters/pathId' post: summary: Reactivate a user description: |- Reactivates a user. Perform this operation only on users with a `PROVISIONED` or `RECOVERY` [status](/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers!c=200&path=status&t=response). This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the `activationToken` from [Activate User](/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/activateUser). Users that don't have a password must complete the flow by completing the [Reset password](/openapi/okta-management/management/tag/UserCred/#tag/UserCred/operation/resetPassword) flow and MFA enrollment steps to transition the user to `ACTIVE` status. 
If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. operationId: reactivateUser parameters: - name: sendEmail in: query description: Sends an activation email to the user if `true` schema: type: boolean default: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserActivationToken' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/reset_factors: parameters: - $ref: '#/components/parameters/pathId' post: summary: Reset the factors description: Resets all factors for the specified user. All MFA factor enrollments return to the unenrolled state. The user's status remains `ACTIVE`. This link is present only if the user is currently enrolled in one or more MFA factors. operationId: resetFactors responses: '200': description: OK content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/reset_password: parameters: - $ref: '#/components/parameters/pathId' post: summary: Reset a password description: |- Resets a password. Generates a one-time token (OTT) that you can use to reset a user's password. You can automatically email the OTT link to the user or return the OTT to the API caller and distribute using a custom flow. 
This operation transitions the user to the `RECOVERY` status. The user is then not able to sign in or initiate a forgot password flow until they complete the reset flow. This operation provides an option to delete all the user's sessions. However, if the request is made in the context of a session owned by the specified user, that session isn't cleared. > **Note:** You can also use this API to convert a user with the Okta credential provider to use a federated provider. After this conversion, the user can't directly sign in with a password. > To convert a federated user back to an Okta user, use the default API call. If an email address is associated with multiple users, keep in mind the following to ensure a successful password recovery lookup: * Okta no longer includes deactivated users in the lookup. * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. If `sendEmail` is `false`, returns a link for the user to reset their password. 
operationId: resetPassword parameters: - name: sendEmail in: query required: true schema: type: boolean - name: revokeSessions description: Revokes all user sessions, except for the current session, if set to `true` in: query required: false schema: type: boolean default: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResetPasswordToken' examples: Reset password without sending email response: $ref: '#/components/examples/ResetPwdWithoutSendingEmailResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/suspend: parameters: - $ref: '#/components/parameters/pathId' post: summary: Suspend a user description: |- Suspends a user. Perform this operation only on users with an `ACTIVE` status. The user has a `SUSPENDED` status when the process completes. Suspended users can't sign in to Okta. They can only be unsuspended or deactivated. Their group and app assignments are retained. 
operationId: suspendUser responses: '200': description: OK content: {} '400': $ref: '#/components/responses/ErrorMissingRequiredParameter400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/unlock: parameters: - $ref: '#/components/parameters/pathId' post: summary: Unlock a user description: |- Unlocks a user with a `LOCKED_OUT` status or unlocks a user with an `ACTIVE` status that's blocked from unknown devices. Unlocked users have an `ACTIVE` status and can sign in with their current password. > **Note:** This operation works with Okta-sourced users. It doesn't support directory-sourced accounts such as Active Directory. operationId: unlockUser responses: '200': description: Success content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{id}/lifecycle/unsuspend: parameters: - $ref: '#/components/parameters/pathId' post: summary: Unsuspend a user description: Unsuspends a user and returns them to the `ACTIVE` state. This operation can only be performed on users that have a `SUSPENDED` status. 
operationId: unsuspendUser responses: '200': description: Success content: {} '400': $ref: '#/components/responses/ErrorMissingRequiredParameter400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserLifecycle x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userIdOrLogin}/linkedObjects/{primaryRelationshipName}/{primaryUserId}: parameters: - $ref: '#/components/parameters/pathUserIdOrLogin' - $ref: '#/components/parameters/pathPrimaryRelationshipName' - $ref: '#/components/parameters/pathPrimaryUserId' put: summary: Assign a linked object value for primary description: |- Assigns the first user as the `associated` and the second user as the `primary` for the specified relationship. If the first user is already associated with a different `primary` for this relationship, the previous link is removed. A linked object relationship can specify only one primary user for an associated user. operationId: assignLinkedObjectValueForPrimary responses: '204': description: Success content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - oauth2: - okta.users.manage tags: - UserLinkedObject x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userIdOrLogin}/linkedObjects/{relationshipName}: parameters: - $ref: '#/components/parameters/pathUserIdOrLogin' - $ref: '#/components/parameters/pathRelationshipName' get: summary: List the primary or all of the associated linked object values description: |- Lists either the `self` link for the primary user or all associated users in the relationship specified by `relationshipName`. 
If the specified user isn't associated in any relationship, an empty array is returned. Use `me` instead of `id` to specify the current session user. operationId: listLinkedObjectsForUser responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/ResponseLinks' examples: GetPrimaryLinkedObjectResponse: $ref: '#/components/examples/GetPrimaryLinkedObjectResponse' GetAssociatedLinkedObjectResponse: $ref: '#/components/examples/GetAssociatedLinkedObjectsResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserLinkedObject x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a linked object value description: |- Deletes any existing relationship between the `associated` and `primary` user. For the `associated` user, this is specified by the ID. The `primary` name specifies the relationship. The operation is successful if the relationship is deleted. The operation is also successful if the specified user isn't in the `associated` relationship for any instance of the specified `primary` and thus, no relationship is found. 
operationId: deleteLinkedObjectForUser responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserLinkedObject x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/authenticator-enrollments: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/queryDiscloseIdentifiers' get: summary: List all authenticator enrollments description: Lists all authenticator enrollments of the specified user operationId: listAuthenticatorEnrollments responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AuthenticatorEnrollment' examples: AuthenticatorEnrollmentsListAllEx: $ref: '#/components/examples/AuthenticatorEnrollmentResponseListAll' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserAuthenticatorEnrollments x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/users/{userId}/authenticator-enrollments/phone: parameters: - $ref: '#/components/parameters/pathUserId' post: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine summary: Create an auto-activated Phone authenticator enrollment description: Creates a Phone authenticator enrollment that's automatically activated operationId: createAuthenticatorEnrollment parameters: - $ref: '#/components/parameters/pathUserId' x-codegen-request-body-name: authenticator requestBody: $ref: '#/components/requestBodies/PhoneAuthenticatorEnrollmentRequestBody' responses: '200': $ref: 
'#/components/responses/PhoneAuthenticatorCreateEnrollmentResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserAuthenticatorEnrollments /api/v1/users/{userId}/authenticator-enrollments/tac: parameters: - $ref: '#/components/parameters/pathUserId' post: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] x-okta-iam-permissions: - okta.users.credentials.manageTemporaryAccessCode summary: Create an auto-activated TAC authenticator enrollment description: Creates an auto-activated Temporary access code (TAC) authenticator enrollment operationId: createTacAuthenticatorEnrollment parameters: - $ref: '#/components/parameters/pathUserId' x-codegen-request-body-name: authenticator requestBody: $ref: '#/components/requestBodies/TacAuthenticatorEnrollmentRequestBody' responses: '200': $ref: '#/components/responses/TacAuthenticatorCreateEnrollmentResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserAuthenticatorEnrollments /api/v1/users/{userId}/authenticator-enrollments/{enrollmentId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathEnrollmentId' get: summary: Retrieve an authenticator enrollment description: Retrieves a user's authenticator enrollment by `enrollmentId` operationId: getAuthenticatorEnrollment parameters: - $ref: '#/components/parameters/queryDiscloseIdentifiers' responses: '200': $ref: '#/components/responses/AuthenticatorEnrollmentResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: 
'#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserAuthenticatorEnrollments x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine delete: summary: Delete an authenticator enrollment description: Deletes an existing enrollment for the specified user. The user can enroll the authenticator again. operationId: deleteAuthenticatorEnrollment responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserAuthenticatorEnrollments x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/users/{userId}/classification: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: Retrieve a user's classification description: Retrieves a user's classification operationId: getUserClassification responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserClassification' examples: Get classification of user: $ref: '#/components/examples/Get-User-Classification-Example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserClassification x-okta-lifecycle: isCorsEnabled: true lifecycle: EA isGenerallyAvailable: false SKUs: [] put: summary: Replace the user's classification description: Replaces the user's classification operationId: replaceUserClassification requestBody: content: application/json: schema: $ref: '#/components/schemas/ReplaceUserClassification' examples: Set user to LITE: $ref: '#/components/examples/Set-User-Classification-Example' 
required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserClassification' examples: Get classification of user: $ref: '#/components/examples/Get-User-Classification-Example' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserClassification x-okta-lifecycle: isCorsEnabled: true lifecycle: EA isGenerallyAvailable: false SKUs: [] /api/v1/users/{userId}/clients: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all clients description: |- Lists all client resources for which the specified user has grants or tokens. > **Note:** To list all client resources for which a specified authorization server has tokens, use the [List all client resources for an authorization server in the Authorization Servers API](/openapi/okta-management/management/tag/AuthorizationServerClients/#tag/AuthorizationServerClients/operation/listOAuth2ClientsForAuthorizationServer). 
operationId: listUserClients responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2Client' examples: List user clients: $ref: '#/components/examples/ListUserClients' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserResources x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/grants: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathClientId' get: summary: List all grants for a client description: Lists all grants for a specified user and client operationId: listGrantsForUserAndClient parameters: - name: expand in: query description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string - name: after in: query description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). 
schema: type: string - name: limit in: query description: Specifies the number of tokens to return schema: type: integer format: int32 minimum: 1 maximum: 200 default: 20 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke all grants for a client description: Revokes all grants for the specified user and client operationId: revokeGrantsForUserAndClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/tokens: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathClientId' get: summary: List all refresh tokens for a client description: Lists all refresh tokens issued for the specified user and client operationId: listRefreshTokensForUserAndClient parameters: - name: expand in: query description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' schema: type: string example: scope - name: after in: query description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). 
schema: type: string - name: limit in: query description: Specifies the number of tokens to return schema: type: integer format: int32 minimum: 1 maximum: 200 default: 20 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2RefreshToken' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserOAuth x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke all refresh tokens for a client description: Revokes all refresh tokens issued for the specified user and client operationId: revokeTokensForUserAndClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserOAuth x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathTokenId' get: summary: Retrieve a refresh token for a client description: Retrieves a refresh token issued for the specified user and client operationId: getRefreshTokenForUserAndClient parameters: - name: expand in: query description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' 
schema: type: string example: scope responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2RefreshToken' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserOAuth x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a token for a client description: Revokes the specified refresh and access tokens operationId: revokeTokenForUserAndClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserOAuth x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/credentials/change_password: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Update password description: |- Updates a user's password by validating the user's current password. This operation provides an option to delete all the sessions of the specified user. However, if the request is made in the context of a session owned by the specified user, that session isn't cleared. You can only perform this operation on users in `STAGED`, `ACTIVE`, `PASSWORD_EXPIRED`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). The user transitions to `ACTIVE` status when successfully invoked in `RECOVERY` status. > **Note:** The Okta account management policy doesn't support the `/users/{userId}/credentials/change_password` endpoint. 
See [Configure an Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). operationId: changePassword parameters: - name: strict in: query description: If true, validates against the password minimum age policy schema: type: boolean default: false x-okta-added-version: 1.10.0 x-codegen-request-body-name: changePasswordRequest requestBody: content: application/json: schema: $ref: '#/components/schemas/ChangePasswordRequest' examples: Change password request: $ref: '#/components/examples/ChangePwdRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserCredentials' examples: Change password response: $ref: '#/components/examples/ChangePwdResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/credentials/change_recovery_question: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Update recovery question description: |- Updates a user's recovery question and answer credential by validating the user's current password. You can only perform this operation on users in `STAGED`, `ACTIVE`, or `RECOVERY` status that have a valid [password credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/password&t=request). 
operationId: changeRecoveryQuestion x-codegen-request-body-name: userCredentials requestBody: content: application/json: schema: $ref: '#/components/schemas/UserCredentials' examples: Update recovery question request: $ref: '#/components/examples/UpdateRecQuestionRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserCredentials' examples: Update recovery question response: $ref: '#/components/examples/UpdateRecQuestionResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/credentials/forgot_password: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Start forgot password flow description: |- Starts the forgot password flow. Generates a one-time token (OTT) that you can use to reset a user's password. The user must validate their security question's answer when visiting the reset link. Perform this operation only on users with an `ACTIVE` status and a valid [recovery question credential](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/createUser!path=credentials/recovery_question&t=request). > **Note:** If you have migrated to Identity Engine, you can allow users to recover passwords with any enrolled MFA authenticator. See [Self-service account recovery](https://help.okta.com/oie/en-us/content/topics/identity-engine/authenticators/configure-sspr.htm?cshid=ext-config-sspr). 
If an email address is associated with multiple users, keep in mind the following to ensure a successful password recovery lookup: * Okta no longer includes deactivated users in the lookup. * The lookup searches sign-in IDs first, then primary email addresses, and then secondary email addresses. If `sendEmail` is `false`, returns a link for the user to reset their password. This operation doesn't affect the status of the user. operationId: forgotPassword parameters: - name: sendEmail in: query description: Sends a forgot password email to the user if `true` required: false schema: type: boolean default: true responses: '200': description: Reset URL content: application/json: schema: $ref: '#/components/schemas/ForgotPasswordResponse' examples: Forgot password response: $ref: '#/components/examples/ForgotPwdResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/credentials/forgot_password_recovery_question: parameters: - $ref: '#/components/parameters/pathUserId' post: summary: Reset password with recovery question description: |- Resets the user's password to the specified password if the provided answer to the recovery question is correct. You must include the recovery question answer with the submission. 
operationId: forgotPasswordSetNewPassword parameters: - name: sendEmail in: query required: false schema: type: boolean default: true x-codegen-request-body-name: userCredentials requestBody: content: application/json: schema: $ref: '#/components/schemas/UserCredentials' examples: Forgot password recovery question request: $ref: '#/components/examples/ForgotPwdRecoveryQuestionRequest' required: true responses: '200': description: Credentials content: application/json: schema: $ref: '#/components/schemas/UserCredentials' examples: Forgot password recovery question response: $ref: '#/components/examples/ForgotPwdRecoveryQuestionResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserCred x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/devices: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all devices description: |- Lists all devices enrolled by a user. > **Note:** To list all devices registered to an org, use the [List all devices endpoint in the Devices API](/openapi/okta-management/management/tag/Device/#tag/Device/operation/listDevices). 
operationId: listUserDevices responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/UserDevice' examples: APIUsersListDevicesResponseExample: summary: List all devices for a specific user $ref: '#/components/examples/APIUserListDevicesResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserResources x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/users/{userId}/factors: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all enrolled factors description: |- Lists all enrolled factors for the specified user that are included in the highest priority [authenticator enrollment policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) that applies to the user. Only enrolled factors that are `REQUIRED` or `OPTIONAL` in the highest priority authenticator enrollment policy can be returned. > **Note:** When admins use this endpoint for other users, the authenticator enrollment policy that's evaluated can vary depending on how client-specific conditions are configured in the rules of an authenticator enrollment policy. The client-specific conditions of the admin's client are used during policy evaluation instead of the client-specific conditions of the user. This can affect which authenticator enrollment policy is evaluated and which factors are returned. > > For example, an admin in Europe lists all enrolled factors for a user in North America. The network zone of the admin's client (in Europe) is used during policy evaluation instead of the network zone of the user (in North America). 
operationId: listFactors responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/UserFactor' examples: ListFactorsResponse: $ref: '#/components/examples/ListFactorsResults' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Enroll a factor description: |- Enrolls a supported factor for the specified user > **Notes:** > * All responses return the enrolled factor with a status of either `PENDING_ACTIVATION` or `ACTIVE`. > * You can't use the Factors API to enroll Okta Fastpass (`signed_nonce`) for a user. See [Configure Okta Fastpass](https://help.okta.com/okta_help.htm?type=oie&id=ext-fp-configure). #### Additional SMS/Call factor information * **Rate limits**: Okta may return a `429 Too Many Requests` status code if you attempt to resend an SMS or a voice call challenge (OTP) within the same time window. The current [rate limit](https://developer.okta.com/docs/reference/rate-limits/) is one SMS/CALL challenge per phone number every 30 seconds. * **Existing phone numbers**: Okta may return a `400 Bad Request` status code if a user attempts to enroll with a different phone number when the user has an existing mobile phone or has an existing phone with voice call capability. A user can enroll only one mobile phone for `sms` and enroll only one voice call capable phone for `call` factor. #### Additional WebAuthn factor information * For detailed information on the WebAuthn standard, including an up-to-date list of supported browsers, see [webauthn.me](https://a0.to/webauthnme-okta-docs). 
* When you enroll a WebAuthn factor, the `activation` object in `_embedded` contains properties used to help the client to create a new WebAuthn credential for use with Okta. See the [WebAuthn spec for PublicKeyCredentialCreationOptions](https://www.w3.org/TR/webauthn/#dictionary-makecredentialoptions). #### Additional Custom TOTP factor information * The enrollment process involves passing both the `factorProfileId` and `sharedSecret` properties for a token. * A factor profile represents a particular configuration of the Custom TOTP factor. It includes certain properties that match the hardware token that end users possess, such as the HMAC algorithm, passcode length, and time interval. There can be multiple Custom TOTP factor profiles per org, but users can only enroll in one Custom TOTP factor. Admins can [create Custom TOTP factor profiles](https://help.okta.com/okta_help.htm?id=ext-mfa-totp) in the Admin Console. Then, copy the `factorProfileId` from the Admin Console into the API request. * For Custom TOTP enrollment, Okta automatically enrolls a user with a `token:software:totp` factor and the `push` factor if the user isn't currently enrolled with these factors. operationId: enrollFactor parameters: - name: updatePhone description: If `true`, indicates that you are replacing the currently registered phone number for the specified user. This parameter is ignored if the existing phone number is used by an activated factor. in: query schema: type: boolean default: false - name: templateId in: query description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` factors. If the provided ID doesn't exist, the default template is used instead. 
schema: type: string example: cstk2flOtuCMDJK4b0g3 - name: tokenLifetimeSeconds description: Defines how long the token remains valid in: query schema: type: integer format: int32 minimum: 1 maximum: 86400 default: 300 x-okta-added-version: 1.3.0 - name: activate description: If `true`, the factor is immediately activated as part of the enrollment. An activation process isn't required. Currently auto-activation is supported by `sms`, `call`, `email` and `token:hotp` (Custom TOTP) factors. in: query schema: type: boolean default: false x-okta-added-version: 1.3.0 - name: Accept-Language description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. in: header schema: type: string example: fr x-codegen-request-body-name: body requestBody: description: Factor content: application/json: schema: $ref: '#/components/schemas/UserFactor' examples: question: $ref: '#/components/examples/EnrollFactorQuestionRequest' sms: $ref: '#/components/examples/EnrollFactorSmsRequest' call: $ref: '#/components/examples/EnrollFactorCallRequest' token:software:totp: $ref: '#/components/examples/EnrollFactorOVTotpRequest' push: $ref: '#/components/examples/EnrollFactorOVPushRequest' google: $ref: '#/components/examples/EnrollFactorGoogleRequest' rsa_securId: $ref: '#/components/examples/EnrollFactorRsaSecurIdRequest' symantec_vip: $ref: '#/components/examples/EnrollFactorSymantecVipRequest' yubikey: $ref: '#/components/examples/EnrollFactorYubikeyRequest' email: $ref: '#/components/examples/EnrollFactorEmailRequest' u2f: $ref: '#/components/examples/EnrollFactorU2fRequest' webAuthn: $ref: '#/components/examples/EnrollFactorWebauthnRequest' customTotp: $ref: '#/components/examples/EnrollFactorCustomTotpRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: 
'#/components/schemas/UserFactor' examples: question: $ref: '#/components/examples/EnrollFactorQuestionResponse' sms: $ref: '#/components/examples/EnrollFactorSmsResponse' call: $ref: '#/components/examples/EnrollFactorCallResponse' token:software:totp: $ref: '#/components/examples/EnrollFactorOVTotpResponse' push: $ref: '#/components/examples/EnrollFactorOVPushResponse' google: $ref: '#/components/examples/EnrollFactorGoogleResponse' rsa_securId: $ref: '#/components/examples/EnrollFactorRsaSecurIdResponse' symantec_vip: $ref: '#/components/examples/EnrollFactorSymantecVipResponse' yubikey: $ref: '#/components/examples/EnrollFactorYubikeyResponse' email: $ref: '#/components/examples/EnrollFactorEmailResponse' u2f: $ref: '#/components/examples/EnrollFactorU2fResponse' webAuthn: $ref: '#/components/examples/EnrollFactorWebauthnResponse' customTotp: $ref: '#/components/examples/EnrollFactorCustomTotpResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/factors/catalog: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all supported factors description: |- Lists all the supported factors that can be enrolled for the specified user that are included in the highest priority [authenticator enrollment policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) that applies to the user. Only factors that are `REQUIRED` or `OPTIONAL` in the highest priority authenticator enrollment policy can be returned. 
> **Note:** When admins use this endpoint for other users, the authenticator enrollment policy that's evaluated can vary depending on how client-specific conditions are configured in the rules of an authenticator enrollment policy. The client-specific conditions of the admin's client are used during policy evaluation instead of the client-specific conditions of the user. This can affect which authenticator enrollment policy is evaluated and which factors are returned. > > For example, an admin in Europe lists all supported factors for a user in North America. The network zone of the admin's client (in Europe) is used during policy evaluation instead of the network zone of the user (in North America). operationId: listSupportedFactors responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/UserFactorSupported' examples: List of supported factors: $ref: '#/components/examples/SupportedFactorResults' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/factors/questions: parameters: - $ref: '#/components/parameters/pathUserId' get: x-okta-no-scope-required: true summary: List all supported security questions description: Lists all available security questions for the specified user operationId: listSupportedSecurityQuestions responses: '200': description: Success content: application/json: example: - question: disliked_food questionText: What is the food you least liked as a child? - question: name_of_first_plush_toy questionText: What is the name of your first stuffed animal? - question: first_award questionText: What did you earn your first medal or award for? 
schema: type: array items: $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] tags: - UserFactor x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' get: summary: Retrieve a factor description: Retrieves an existing factor for the specified user operationId: getFactor responses: '200': $ref: '#/components/responses/GetFactorResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unenroll a factor description: |- Unenrolls an existing factor for the specified user. You can't unenroll a factor from a deactivated user. Unenrolling a factor allows the user to enroll a new factor. > **Note:** If you unenroll the `push` or the `signed_nonce` factors, Okta also unenrolls any other `totp`, `signed_nonce`, or Okta Verify `push` factors associated with the user. operationId: unenrollFactor parameters: - name: removeRecoveryEnrollment description: If `true`, removes the phone number as both a recovery method and a factor. This parameter is only used for the `sms` and `call` factors. 
in: query schema: type: boolean default: false responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' post: summary: Activate a factor description: |- Activates a factor. Some factors (`call`, `email`, `push`, `sms`, `token:software:totp`, `u2f`, and `webauthn`) require activation to complete the enrollment process. Okta enforces a rate limit of five activation attempts within five minutes. After a user exceeds the rate limit, Okta returns an error message. > **Notes:** > * If the user exceeds their SMS, call, or email factor activation rate limit, then an [OTP resend request](./#tag/UserFactor/operation/resendEnrollFactor) isn't allowed for the same factor. > * You can't use the Factors API to activate Okta FastPass (`signed_nonce`) for a user. See [Configure Okta FastPass](https://help.okta.com/okta_help.htm?type=oie&id=ext-fp-configure).
operationId: activateFactor x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/UserFactorActivateRequest' examples: token:software:totp: $ref: '#/components/examples/FactorPasscodeRequest' sms: $ref: '#/components/examples/FactorPasscodeRequest' call: $ref: '#/components/examples/FactorPasscodeRequest' email: $ref: '#/components/examples/FactorPasscodeRequest' u2f: $ref: '#/components/examples/ActivateFactorU2fRequest' webauthn: $ref: '#/components/examples/ActivateFactorWebauthnRequest' required: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserFactorActivateResponse' examples: token:software:totp: $ref: '#/components/examples/ActivateFactorTotpResponse' sms: $ref: '#/components/examples/ActivateFactorSmsResponse' call: $ref: '#/components/examples/ActivateFactorCallResponse' push: $ref: '#/components/examples/ActivateFactorPushResponse' email: $ref: '#/components/examples/ActivateFactorEmailResponse' u2f: $ref: '#/components/examples/ActivateFactorU2fResponse' webauthn: $ref: '#/components/examples/ActivateFactorWebauthnResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/resend: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' post: summary: Resend a factor enrollment description: |- Resends an `sms`, `call`, or `email` factor challenge as part of an enrollment flow. For `call` and `sms` factors, Okta enforces a rate limit of one OTP challenge per device every 30 seconds. 
You can configure your `sms` and `call` factors to use a third-party telephony provider. See the [Telephony inline hook reference](https://developer.okta.com/docs/reference/telephony-hook/). Okta alternates between SMS providers with every resend request to ensure delivery of SMS and Call OTPs across different carriers. > **Note:** Resend operations aren't allowed after a factor exceeds the activation rate limit. See [Activate a factor](./#tag/UserFactor/operation/activateFactor). operationId: resendEnrollFactor parameters: - name: templateId in: query description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` factors. schema: example: cstk2flOtuCMDJK4b0g3 type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/ResendUserFactor' examples: sms: value: factorType: sms provider: OKTA profile: phoneNumber: +1-555-415-1337 required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/ResendUserFactor' examples: sms: $ref: '#/components/examples/EnrollFactorSmsResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/transactions/{transactionId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' - $ref: '#/components/parameters/pathTransactionId' get: summary: Retrieve a factor transaction status description: |- Retrieves the status of a `push` factor verification transaction > **Note:** > The response body for a number matching push challenge to an Okta Verify `push` factor enrollment is 
different from the response body of a standard push challenge. > The number matching push challenge [response body](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/getFactorTransactionStatus!c=200&path=1/_embedded&t=response) contains the correct answer for the challenge. > Use [Verify a factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor) to configure which challenge is sent. operationId: getFactorTransactionStatus responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserFactorPushTransaction' examples: WAITING (with number matching challenge): $ref: '#/components/examples/UserFactorVerifyPushTransactionWaitingNMC' WAITING: $ref: '#/components/examples/UserFactorVerifyPushTransactionWaiting' SUCCESS: $ref: '#/components/examples/UserFactorVerifyPushTransactionApproved' REJECTED: $ref: '#/components/examples/UserFactorVerifyPushTransactionRejected' TIMEOUT: $ref: '#/components/examples/UserFactorVerifyPushTransactionTimeout' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/factors/{factorId}/verify: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathFactorId' post: summary: Verify a factor description: |- Verifies an OTP for a factor. Some factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) must first issue a challenge before you can verify the factor. Do this by making a request without a body. After a challenge is issued, make another request to verify the factor. 
> **Notes:** > - You can send standard push challenges or number matching push challenges to Okta Verify `push` factor enrollments. Use a [request body](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor!path=2/useNumberMatchingChallenge&t=request) for number matching push challenges. > - To verify a `push` factor, use the **poll** link returned when you issue the challenge. See [Retrieve a factor transaction status](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/getFactorTransactionStatus). operationId: verifyFactor parameters: - name: templateId description: ID of an existing custom SMS template. See the [SMS Templates API](../Template). This parameter is only used by `sms` factors. in: query schema: type: string example: cstk2flOtuCMDJK4b0g3 - name: tokenLifetimeSeconds description: Defines how long the token remains valid in: query schema: type: integer format: int32 minimum: 1 maximum: 86400 default: 300 x-okta-added-version: 1.3.0 - name: X-Forwarded-For description: Public IP address for the user agent in: header schema: type: string x-okta-added-version: 1.11.0 - name: User-Agent description: Type of user agent detected when the request is made. Required to verify `push` factors. in: header schema: type: string x-okta-added-version: 1.11.0 - name: Accept-Language description: An ISO 639-1 two-letter language code that defines a localized message to send. This parameter is only used by `sms` factors. If a localized message doesn't exist or the `templateId` is incorrect, the default template is used instead. in: header schema: type: string example: fr x-codegen-request-body-name: body requestBody: description: |- Verifies an OTP for a factor. Some factors (`call`, `email`, `push`, `sms`, `u2f`, and `webauthn`) must first issue a challenge before you can verify the factor. Do this by making a request without a body. 
After a challenge is issued, make another request to verify the factor. > **Note:** > Unlike standard push challenges that don't require a request body, a number matching [`push`](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor!path=2/useNumberMatchingChallenge&t=request) challenge requires a request body. `useNumberMatchingChallenge` must be set to `true`. > When a number matching challenge is issued for an Okta Verify `push` factor enrollment, a `correctAnswer` challenge object is returned in the [`_embedded`](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor!c=200&path=_embedded&t=response) object. content: application/json: schema: $ref: '#/components/schemas/UserFactorVerifyRequest' examples: sms verify: $ref: '#/components/examples/FactorPasscodeRequest' call verify: $ref: '#/components/examples/FactorPasscodeRequest' push challenge with number matching: $ref: '#/components/examples/NumberMatchingChallengeRequest' email verify: $ref: '#/components/examples/FactorPasscodeRequest' u2f verify: $ref: '#/components/examples/UserFactorVerifyU2fRequest' webAuthn verify: $ref: '#/components/examples/UserFactorVerifyWebauthnRequest' security question verify: $ref: '#/components/examples/UserFactorVerifySecurityQuestionRequest' totp verify: $ref: '#/components/examples/FactorPasscodeRequest' token verify: $ref: '#/components/examples/FactorPasscodeRequest' yubikey verify: $ref: '#/components/examples/FactorPasscodeRequest' required: false responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/UserFactorVerifyResponse' examples: sms challenge: $ref: '#/components/examples/UserFactorChallengeSmsResponse' sms verify: $ref: '#/components/examples/UserFactorVerifySuccessSmsResponse' call challenge: $ref: '#/components/examples/UserFactorChallengeCallResponse' call verify: $ref: 
'#/components/examples/UserFactorVerifyCallSuccessResponse' email challenge: $ref: '#/components/examples/UserFactorChallengeEmailResponse' email verify: $ref: '#/components/examples/UserFactorVerifyEmailSuccessResponse' u2f challenge: $ref: '#/components/examples/UserFactorChallengeU2fResponse' u2f verify: $ref: '#/components/examples/UserFactorVerifyU2fResponse' webAuthn challenge: $ref: '#/components/examples/UserFactorChallengeWebauthnResponse' webAuthn verify: $ref: '#/components/examples/UserFactorVerifyWebauthnResponse' security question verify: $ref: '#/components/examples/UserFactorVerifySuccessSqResponse' totp verify: $ref: '#/components/examples/UserFactorVerifySuccessTotpResponse' token verify: $ref: '#/components/examples/UserFactorVerifySuccessTokenResponse' yubikey verify: $ref: '#/components/examples/UserFactorVerifySuccessYubikeyResponse' '201': description: Created content: application/json: schema: $ref: '#/components/schemas/UserFactorVerifyResponseWaiting' examples: push challenge with number matching: $ref: '#/components/examples/UserFactorChallengePushResponseWithNumberMatchingChallenge' push challenge: $ref: '#/components/examples/UserFactorChallengePushResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserFactor x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/grants: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all user grants description: Lists all grants for the specified user operationId: listUserGrants parameters: - name: scopeId in: query description: The scope ID to filter on schema: type: string - name: expand in: query description: 'Valid value: `scope`. 
If specified, scope details are included in the `_embedded` attribute.' schema: type: string example: scope - name: after in: query description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination). schema: type: string - name: limit in: query description: Specifies the number of grants to return schema: type: integer format: int32 minimum: 1 maximum: 200 default: 20 responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke all user grants description: Revokes all grants for a specified user operationId: revokeUserGrants responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/grants/{grantId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathGrantId' get: summary: Retrieve a user grant description: Retrieves a grant for the specified user operationId: getUserGrant parameters: - name: expand in: query description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' 
schema: type: string example: scope responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/OAuth2ScopeConsentGrant' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true delete: summary: Revoke a user grant description: Revokes one grant for a specified user operationId: revokeUserGrant responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserGrant x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/risk: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: Retrieve the user's risk description: Retrieves the user risk object for a user ID operationId: getUserRisk responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserRiskGetResponse' examples: UserRiskResponseExample: $ref: '#/components/examples/UserRiskResponse' UserRiskNoneResponseExample: $ref: '#/components/examples/UserRiskNoneResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.userRisk.read tags: - UserRisk x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Upsert the user's risk description: Upserts (creates or updates) the user risk object for a user ID operationId: upsertUserRisk 
requestBody: content: application/json: schema: $ref: '#/components/schemas/UserRiskRequest' examples: RiskProviderRequestExample: $ref: '#/components/examples/UserRiskRequest' required: true responses: '200': description: Updated the user's risk content: application/json: schema: $ref: '#/components/schemas/UserRiskPutResponse' examples: UserRiskResponseExample: $ref: '#/components/examples/UserRiskResponse' '201': description: Created the user's risk content: application/json: schema: $ref: '#/components/schemas/UserRiskPutResponse' examples: UserRiskResponseExample: $ref: '#/components/examples/UserRiskResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.userRisk.manage tags: - UserRisk x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /api/v1/users/{userId}/roles: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all user role assignments description: Lists all roles assigned to a user (identified by `userId`) operationId: listAssignedRolesForUser parameters: - $ref: '#/components/parameters/pathQueryRoleExpand' responses: '200': description: Success content: application/json: schema: type: array items: oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' MOBILE_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: '#/components/schemas/StandardRole' REPORT_ADMIN: 
'#/components/schemas/StandardRole' SUPER_ADMIN: '#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard roles: $ref: '#/components/examples/StandardRolesListResponse' Custom roles: $ref: '#/components/examples/StandardAndCustomRolesListResponse' IAM-based standard roles: $ref: '#/components/examples/IAMStandardRolesListResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Assign a user role description: |- Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a user. You can also assign a custom role to a user, but the preferred method to assign a custom role to a user is to create a binding between the custom role, the resource set, and the user. See [Create a role resource set binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). > **Notes:** > * The request payload is different for standard and custom role assignments. > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. 
operationId: assignRoleToUser parameters: - name: disableNotifications description: Setting this to `true` grants the user third-party admin status in: query schema: type: boolean default: false x-codegen-request-body-name: assignRoleRequest requestBody: content: application/json: schema: type: object oneOf: - $ref: '#/components/schemas/StandardRoleAssignmentSchema' - $ref: '#/components/schemas/CustomRoleAssignmentSchema' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' APP_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' HELP_DESK_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ORG_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' READ_ONLY_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' REPORT_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' SUPER_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' USER_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' WORKFLOWS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ACCESS_REQUESTS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' CUSTOM: '#/components/schemas/CustomRoleAssignmentSchema' required: true responses: '201': description: Created content: application/json: schema: type: object oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: '#/components/schemas/StandardRole' REPORT_ADMIN: '#/components/schemas/StandardRole' SUPER_ADMIN: 
'#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard roles: $ref: '#/components/examples/StandardRoleResponseUser' Custom roles: $ref: '#/components/examples/CustomRoleResponseUser' IAM-based standard roles: $ref: '#/components/examples/IAMStandardRoleResponseUser' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleAssignmentId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: Retrieve a user role assignment description: Retrieves a role assigned to a user (identified by `userId`). The `roleAssignmentId` parameter is the unique identifier for either a standard role assignment object or a custom role resource set binding object. 
operationId: getUserAssignedRole responses: '200': description: Success content: application/json: schema: oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: '#/components/schemas/StandardRole' REPORT_ADMIN: '#/components/schemas/StandardRole' SUPER_ADMIN: '#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard roles: $ref: '#/components/examples/StandardRoleResponseUser' Custom roles: $ref: '#/components/examples/CustomRoleResponseUser' IAM-based standard roles: $ref: '#/components/examples/IAMStandardRoleResponseUser' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a user role description: Unassigns a role assignment (identified by `roleAssignmentId`) from a user (identified by `userId`) operationId: unassignRoleFromUser responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleAssignmentAUser 
x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleAssignmentId}/governance: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: Retrieve all user role governance sources description: Retrieves the governance sources of a role (identified by `roleAssignmentId`) that's assigned to a user (identified by `userId`) operationId: getUserAssignedRoleGovernance responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/RoleGovernance' examples: Example Response: $ref: '#/components/examples/GetUseRoleGovernanceResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathGrantId' get: summary: Retrieve a user role governance source description: Retrieves a governance source (identified by `grantId`) for a role (identified by `roleAssignmentId`) that's assigned to a user (identified by `userId`) operationId: getRoleAssignmentGovernanceGrant responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/RoleGovernanceSource' examples: Example Response: $ref: '#/components/examples/GetRoleAssignmentGovernanceGrantResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentAUser 
x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/users/{userId}/roles/{roleAssignmentId}/governance/{grantId}/resources: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathGrantId' get: summary: Retrieve the user role governance source resources description: Retrieves the resources of a governance source (identified by `grantId`) for a role (identified by `roleAssignmentId`) that's assigned to a user (identified by `userId`) operationId: getRoleAssignmentGovernanceGrantResources responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/RoleGovernanceResources' examples: Example Response: $ref: '#/components/examples/GetRoleAssignmentGovernanceGrantResources' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentAUser x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: List all admin role app targets description: Lists all app targets for an `APP_ADMIN` role assigned to a user. The response is a list that includes OIN-cataloged apps or app instances. The response payload for an app instance contains the `id` property, but an OIN-cataloged app payload doesn't. 
operationId: listApplicationTargetsForApplicationAdministratorRoleForUser parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/CatalogApplication' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Assign all apps as target to admin role description: Assigns all apps as target to an `APP_ADMIN` role operationId: assignAllAppsAsTargetToRoleForUser responses: '200': description: Success content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' put: summary: Assign an admin role app target description: | Assigns an OIN app target for an `APP_ADMIN` role assignment to an admin user. When you assign the first app target, you reduce the scope of the role assignment. The role no longer applies to all app targets, but applies only to the specified target. Assigning an OIN app target overrides any existing app instance targets of the OIN app. 
For example, if a user was assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the admin for all Facebook instances. operationId: assignAppTargetToAdminRoleForUser responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign an admin role app target description: | Unassigns an OIN app target from an `APP_ADMIN` role assignment to an admin user. > **Note:** You can't remove the last OIN app target from a role assignment since this causes an exception. > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment to the user and recreate a new one. operationId: unassignAppTargetFromAppAdminRoleForUser responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathAppId' put: summary: Assign an admin role app instance target description: | Assigns an app instance target to an `APP_ADMIN` role assignment to an admin user. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment. 
The role no longer applies to all app targets, but applies only to the specified target. > **Note:** You can target a mixture of both OIN app and app instance targets, but can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same OIN app. > For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage specific configurations of the Salesforce app. operationId: assignAppInstanceTargetToAppAdminRoleForUser responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign an admin role app instance target description: |- Unassigns an app instance target from an `APP_ADMIN` role assignment to an admin user. > **Note:** You can't remove the last app instance target from a role assignment since this causes an exception. > If you need a role assignment that applies to all apps, delete the `APP_ADMIN` role assignment and recreate a new one. 
operationId: unassignAppInstanceTargetFromAdminRoleForUser responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: List all admin role group targets description: | Lists all group targets for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. If the role isn't scoped to specific group targets, an empty array `[]` is returned. operationId: listGroupTargetsForRole parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Group' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleAssignmentId}/targets/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathGroupId' put: summary: Assign an admin role group target description: | Assigns a group target for a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. When you assign the first group target, you reduce the scope of the role assignment. 
The role no longer applies to all targets but applies only to the specified target. operationId: assignGroupTargetToUserRole responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign an admin role group target description: | Unassigns a group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user. > **Note:** You can't remove the last group target from a role assignment since this causes an exception. > If you need a role assignment that applies to all groups, delete the role assignment to the user and recreate a new one. operationId: unassignGroupTargetFromUserAdminRole responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/roles/{roleIdOrEncodedRoleId}/targets: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathRoleIdOrEncodedRoleId' get: summary: Retrieve a role target by assignment type description: | Retrieves all role targets for an `APP_ADMIN`, `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to an admin user by user or group assignment type. If the role isn't scoped to specific group targets or any app targets, an empty array `[]` is returned. 
operationId: getRoleTargetsByUserIdAndRoleId parameters: - $ref: '#/components/parameters/assignmentType' - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/RoleTarget' examples: Group Target: $ref: '#/components/examples/RoleTargetGroupResponse' App Target: $ref: '#/components/examples/RoleTargetAppResponse' App Instance Target: $ref: '#/components/examples/RoleTargetAppInstanceResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleBTargetAdmin x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/sessions: parameters: - $ref: '#/components/parameters/pathUserId' delete: summary: Revoke all user sessions description: |- Revokes all active identity provider sessions of the user. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user. You can also clear the user's remembered factors for all devices using the `forgetDevices` parameter. See [forgetDevices](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserSessions/#tag/UserSessions/operation/revokeUserSessions!in=query&path=forgetDevices&t=request). > **Note:** This operation doesn't clear the sessions created for web or native apps. operationId: revokeUserSessions parameters: - name: oauthTokens in: query description: Revokes issued OpenID Connect and OAuth refresh and access tokens schema: type: boolean default: false - name: forgetDevices in: query description: |- Clears the user's remembered factors for all devices. > **Note:** This parameter defaults to false in Classic Engine. 
schema: type: boolean default: true responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - UserSessions x-okta-lifecycle: isCorsEnabled: true lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all subscriptions for a user description: Lists all subscriptions available to a specified user. Returns an `AccessDeniedException` message if requests are made for another user. operationId: listSubscriptionsUser parameters: - in: path name: userId required: true schema: type: string description: The unique ID of the user responses: '200': description: Success content: application/json: schema: items: $ref: '#/components/schemas/Subscription' type: array '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - Subscription x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathNotificationType' get: summary: Retrieve a subscription for a user description: Retrieves a subscription by `notificationType` for a specified user. Returns an `AccessDeniedException` message if requests are made for another user. 
operationId: getSubscriptionsNotificationTypeUser parameters: - in: path name: userId required: true schema: type: string description: The unique ID of the user - $ref: '#/components/parameters/pathNotificationType' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/Subscription' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - Subscription x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}/subscribe: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathNotificationType' post: summary: Subscribe a user to a specific notification type description: Subscribes the current user to a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. operationId: subscribeByNotificationTypeUser parameters: - in: path name: userId required: true schema: type: string description: The unique ID of the user - $ref: '#/components/parameters/pathNotificationType' responses: '200': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - Subscription x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/users/{userId}/subscriptions/{notificationType}/unsubscribe: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/pathNotificationType' post: summary: Unsubscribe a user from a specific notification type description: Unsubscribes the current user from a specified notification type. Returns an `AccessDeniedException` message if requests are made for another user. 
operationId: unsubscribeByNotificationTypeUser parameters: - in: path name: userId required: true schema: type: string description: The unique ID of the user - $ref: '#/components/parameters/pathNotificationType' responses: '200': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': description: Not Found '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - Subscription x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/zones: get: summary: List all network zones description: |- Lists all Network Zones with pagination. A subset of zones can be returned that match a supported filter expression or query. This operation requires URL encoding. For example, `filter=(id eq "nzoul0wf9jyb8xwZm0g3" or id eq "nzoul1MxmGN18NDQT0g3")` is encoded as `filter=%28id+eq+%22nzoul0wf9jyb8xwZm0g3%22+or+id+eq+%22nzoul1MxmGN18NDQT0g3%22%29`. Okta supports filtering on the `id`, `usage`, and `system` properties. See [Filter](https://developer.okta.com/docs/api/#filter) for more information on the expressions that are used in filtering. 
operationId: listNetworkZones parameters: - name: after in: query schema: type: string description: Specifies the pagination cursor for the next page of Network Zones example: BlockedIpZones - name: limit in: query schema: type: integer description: Specifies the number of results for a page format: int32 example: 5 default: -1 - name: filter in: query schema: type: string description: Filters zones by usage, ID, or system expression example: id eq "nzowc1U5Jh5xuAK0o0g3" responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/NetworkZone' examples: RetrieveAllZonesWithFilter: $ref: '#/components/examples/RetrieveAllZonesWithFilter' RetrieveAllZones: $ref: '#/components/examples/RetrieveAllZones' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.networkZones.read tags: - NetworkZone x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create a network zone description: |- Creates a Network Zone * For an IP Network Zone, you must define either `gateways` or `proxies`. * For a Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `proxyType`. * For an Enhanced Dynamic Network Zone, you must define at least one of the following: `asns`, `locations`, or `ipServiceCategories`. > **Note:** To view all properties for an Enhanced Dynamic Network Zone, select `DYNAMIC_V2` from the `type` dropdown list. 
operationId: createNetworkZone x-codegen-request-body-name: zone requestBody: content: application/json: schema: $ref: '#/components/schemas/NetworkZone' examples: CreateIPPolicyNetworkZone: $ref: '#/components/examples/CreateIPPolicyNetworkZone' CreateIPPolicyBlocklistNetworkZone: $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZone' CreateEDNetworkZone: $ref: '#/components/examples/CreateEDNZRequest' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/NetworkZone' examples: CreateIPPolicyNetworkZone: $ref: '#/components/examples/CreateIPPolicyNetworkZoneResponse' CreateIPPolicyBlocklistNetworkZone: $ref: '#/components/examples/CreateIPPolicyBlockListNetworkZoneResponse' CreateEDNetworkZone: $ref: '#/components/examples/CreateEDNZResponse' '400': $ref: '#/components/responses/NzErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.networkZones.manage tags: - NetworkZone x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/zones/{zoneId}: parameters: - $ref: '#/components/parameters/pathZoneId' get: summary: Retrieve a network zone description: Retrieves a Network Zone by `zoneId` operationId: getNetworkZone responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/NetworkZone' examples: RetrieveNetworkZoneIP: $ref: '#/components/examples/RetrieveNetworkZoneIP' RetrieveNetworkZoneDynamic: $ref: '#/components/examples/RetrieveNetworkZoneDynamic' RetrieveNetworkZoneEnhancedDynamic: $ref: '#/components/examples/CreateEDNZResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.networkZones.read tags: - NetworkZone 
x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace a network zone description: |- Replaces a Network Zone by `zoneId`. The replaced Network Zone type must be the same as the existing type. You can replace the usage (`POLICY`, `BLOCKLIST`) of a Network Zone by updating the `usage` attribute. **IP exempt zone**
If you have the IP exempt zone feature enabled, you can allow traffic from specific gateway IPs irrespective of Okta ThreatInsight configurations, blocked network zones, or IP change events within Identity Threat Protection with Okta AI.

When you enable this feature, Okta creates a zone called `DefaultExemptIpZone`. Gateway IPs that you add to this zone always have access to Okta resources. See [IP exempt zone](https://help.okta.com/okta_help.htm?type=oie&id=csh-about-ip-exempt-zone). > **Note:** You can't add trusted proxy IPs to this zone, delete the zone, or create additional exempt IP zones. operationId: replaceNetworkZone x-codegen-request-body-name: zone requestBody: content: application/json: schema: $ref: '#/components/schemas/NetworkZone' examples: ReplaceNetworkZone: $ref: '#/components/examples/ReplaceNetworkZone' UpdateDefaultExemptIpZone: $ref: '#/components/examples/UpdateDefaultExemptIpZone' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/NetworkZone' examples: ReplaceNetworkZone: $ref: '#/components/examples/ReplaceNetworkZoneResponse' UpdateDefaultExemptIpZoneResponse: $ref: '#/components/examples/UpdateDefaultExemptIpZoneResponse' '400': $ref: '#/components/responses/NzErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.networkZones.manage tags: - NetworkZone x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete a network zone description: |- Deletes a Network Zone by `zoneId` > **Notes:** > * You can't delete a Network Zone that's used by a [Policy](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/) or [Rule](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicyRules). > * For Okta Identity Engine orgs, you can't delete a Network Zone with an ACTIVE `status`. 
operationId: deleteNetworkZone responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.networkZones.manage tags: - NetworkZone x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/zones/{zoneId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathZoneId' post: summary: Activate a network zone description: Activates a Network Zone by `zoneId` operationId: activateNetworkZone responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/NetworkZone' examples: ActivateNetworkZone: $ref: '#/components/examples/ActivateNetworkZone' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.networkZones.manage tags: - NetworkZone x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /api/v1/zones/{zoneId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathZoneId' post: summary: Deactivate a network zone description: Deactivates a Network Zone by `zoneId` operationId: deactivateNetworkZone responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/NetworkZone' examples: DeactivateNetworkZone: $ref: '#/components/examples/DeactivateNetworkZone' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/NzErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.networkZones.manage tags: - NetworkZone x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /attack-protection/api/v1/authenticator-settings: get: summary: Retrieve the 
authenticator settings description: Retrieves the Authenticator Settings for an org operationId: getAuthenticatorSettings responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.read tags: - AttackProtection x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine put: summary: Replace the authenticator settings description: Replaces the Authenticator Settings for an org operationId: replaceAuthenticatorSettings x-codegen-request-body-name: authenticatorSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AttackProtectionAuthenticatorSettings' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - AttackProtection x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /attack-protection/api/v1/user-lockout-settings: get: summary: Retrieve the user lockout settings description: Retrieves the User Lockout Settings for an org operationId: getUserLockoutSettings responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/UserLockoutSettings' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - 
oauth2: - okta.orgs.read tags: - AttackProtection x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the user lockout settings description: Replaces the User Lockout Settings for an org operationId: replaceUserLockoutSettings x-codegen-request-body-name: lockoutSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/UserLockoutSettings' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserLockoutSettings' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: Access Denied: $ref: '#/components/examples/ErrorAccessDenied' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.orgs.manage tags: - AttackProtection x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /integrations/api/v1/api-services: get: summary: List all API service integration instances description: Lists all API Service Integration instances with a pagination option operationId: listApiServiceIntegrationInstances parameters: - $ref: '#/components/parameters/queryAfter' responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/APIServiceIntegrationInstance' examples: APIServiceIntegrationResponseExample: $ref: '#/components/examples/APIServiceIntegrationListResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.read tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Create an API service integration instance description: Creates and authorizes an API Service Integration instance operationId: 
createApiServiceIntegrationInstance requestBody: content: application/json: schema: $ref: '#/components/schemas/postAPIServiceIntegrationInstanceRequest' examples: postAPIServiceIntegrationRequestExample: $ref: '#/components/examples/postAPIServiceIntegrationRequest' postAPIServiceWithPropertiesIntegrationRequestExample: $ref: '#/components/examples/postAPIServiceWithPropertiesIntegrationRequest' required: true responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/postAPIServiceIntegrationInstance' examples: APIServiceIntegrationResponseExample: $ref: '#/components/examples/postAPIServiceIntegrationResponse' APIServiceWithPropertiesIntegrationResponseExample: $ref: '#/components/examples/postAPIServiceWithPropertiesIntegrationResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}: parameters: - $ref: '#/components/parameters/pathApiServiceId' get: summary: Retrieve an API service integration instance description: Retrieves an API Service Integration instance by `id` operationId: getApiServiceIntegrationInstance responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/APIServiceIntegrationInstance' examples: APIServiceIntegrationResponseExample: $ref: '#/components/examples/APIServiceIntegrationResponse' APIServiceWithPropertiesIntegrationResponseExample: $ref: '#/components/examples/APIServiceWithPropertiesIntegrationResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: 
'#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.read tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Delete an API service integration instance description: Deletes an API Service Integration instance by `id`. This operation also revokes access to scopes that were previously granted to this API Service Integration instance. operationId: deleteApiServiceIntegrationInstance responses: '204': description: No Content '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets: parameters: - $ref: '#/components/parameters/pathApiServiceId' get: summary: List all API service integration instance secrets description: Lists all client secrets for an API Service Integration instance by `apiServiceId` operationId: listApiServiceIntegrationInstanceSecrets responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' examples: APIServiceIntegrationResponseExample: $ref: '#/components/examples/APIServiceIntegrationInstanceSecretListResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.read tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA 
isGenerallyAvailable: true post: summary: Create an API service integration instance secret description: Creates an API Service Integration instance Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects. operationId: createApiServiceIntegrationInstanceSecret responses: '201': description: Created content: application/json: schema: $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' examples: newAPIServiceIntegrationInstanceSecretResponse: $ref: '#/components/examples/newAPIServiceIntegrationInstanceSecretResponse' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}: parameters: - $ref: '#/components/parameters/pathApiServiceId' - $ref: '#/components/parameters/pathSecretId' delete: summary: Delete an API service integration instance secret description: Deletes an API Service Integration instance Secret by `secretId`. You can only delete an inactive Secret. 
operationId: deleteApiServiceIntegrationInstanceSecret responses: '204': description: No Content '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathApiServiceId' - $ref: '#/components/parameters/pathSecretId' post: summary: Activate an API service integration instance secret description: Activates an API Service Integration instance Secret by `secretId` operationId: activateApiServiceIntegrationInstanceSecret responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' examples: activeAPIServiceIntegrationInstanceSecretResponse: $ref: '#/components/examples/activeAPIServiceIntegrationInstanceSecretResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /integrations/api/v1/api-services/{apiServiceId}/credentials/secrets/{secretId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathApiServiceId' - $ref: '#/components/parameters/pathSecretId' post: summary: Deactivate an API service integration instance secret description: Deactivates an API Service Integration instance Secret by `secretId` operationId: 
deactivateApiServiceIntegrationInstanceSecret responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/APIServiceIntegrationInstanceSecret' examples: inactiveAPIServiceIntegrationInstanceSecretResponse: $ref: '#/components/examples/inactiveAPIServiceIntegrationInstanceSecretResponse' '401': $ref: '#/components/responses/ErrorInvalidToken401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.oauthIntegrations.manage tags: - ApiServiceIntegrations x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /integrations/api/v1/submissions/{submissionId}: parameters: - $ref: '#/components/parameters/pathSubmissionId' /integrations/api/v1/submissions/{submissionId}/capabilities: parameters: - $ref: '#/components/parameters/pathSubmissionId' /integrations/api/v1/submissions/{submissionId}/capabilities/{capability}/protocols/actions: parameters: - $ref: '#/components/parameters/pathSubmissionId' - $ref: '#/components/parameters/pathCapability' /integrations/api/v1/submissions/{submissionId}/capabilities/{capability}/protocols/actions/actions-provider/{actionsProviderType}/validate-actions: parameters: - $ref: '#/components/parameters/pathSubmissionId' - $ref: '#/components/parameters/pathCapability' - $ref: '#/components/parameters/pathActionsProviderType' /integrations/api/v1/submissions/{submissionId}/submit: parameters: - $ref: '#/components/parameters/pathSubmissionId' /integrations/api/v1/submissions/{submissionId}/testing: parameters: - $ref: '#/components/parameters/pathSubmissionId' /oauth2/v1/clients/{clientId}/roles: parameters: - $ref: '#/components/parameters/pathClientId' get: summary: List all client role assignments description: Lists all roles assigned to a client app identified by `clientId` operationId: listRolesForClient responses: '200': 
description: Success content: application/json: schema: type: array items: oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: '#/components/schemas/StandardRole' REPORT_ADMIN: '#/components/schemas/StandardRole' SUPER_ADMIN: '#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard roles: $ref: '#/components/examples/StandardRolesListResponseClient' Custom roles: $ref: '#/components/examples/CustomRolesListResponseClient' IAM-based standard roles: $ref: '#/components/examples/IAMStandardRolesListResponseClient' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true post: summary: Assign a client role description: |- Assigns a [standard role](/openapi/okta-management/guides/roles/#standard-roles) to a client app. You can also assign a custom role to a client app, but the preferred method to assign a custom role to a client is to create a binding between the custom role, the resource set, and the client app. See [Create a role resource set binding](/openapi/okta-management/management/tag/RoleDResourceSetBinding/#tag/RoleDResourceSetBinding/operation/createResourceSetBinding). 
> **Notes:** > * The request payload is different for standard and custom role assignments. > * For IAM-based standard role assignments, use the request payload for standard roles. However, the response payload for IAM-based role assignments is similar to the custom role's assignment response. operationId: assignRoleToClient requestBody: required: true content: application/json: schema: oneOf: - $ref: '#/components/schemas/StandardRoleAssignmentSchema' - $ref: '#/components/schemas/CustomRoleAssignmentSchema' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' APP_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' HELP_DESK_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ORG_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' READ_ONLY_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' REPORT_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' SUPER_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' USER_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' ACCESS_REQUESTS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' WORKFLOWS_ADMIN: '#/components/schemas/StandardRoleAssignmentSchema' CUSTOM: '#/components/schemas/CustomRoleAssignmentSchema' examples: Standard role: $ref: '#/components/examples/StandardRoleAssignmentRequest' Custom role assignment: $ref: '#/components/examples/CustomRoleAssignmentRequest' responses: '200': description: Success content: application/json: schema: oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: 
'#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: '#/components/schemas/StandardRole' REPORT_ADMIN: '#/components/schemas/StandardRole' SUPER_ADMIN: '#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard role: $ref: '#/components/examples/StandardRoleResponseClient' Custom role assignment: $ref: '#/components/examples/CustomRoleResponseClient' IAM-based role assignment: $ref: '#/components/examples/IAMStandardRolesListResponseClient' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleAssignmentClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}: parameters: - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: Retrieve a client role description: Retrieves a role assignment (identified by `roleAssignmentId`) for a client app (identified by `clientId`) operationId: retrieveClientRole responses: '200': description: Success content: application/json: schema: oneOf: - $ref: '#/components/schemas/StandardRole' - $ref: '#/components/schemas/CustomRole' discriminator: propertyName: type mapping: API_ACCESS_MANAGEMENT_ADMIN: '#/components/schemas/StandardRole' APP_ADMIN: '#/components/schemas/StandardRole' GROUP_MEMBERSHIP_ADMIN: '#/components/schemas/StandardRole' HELP_DESK_ADMIN: '#/components/schemas/StandardRole' ORG_ADMIN: '#/components/schemas/StandardRole' READ_ONLY_ADMIN: 
'#/components/schemas/StandardRole' REPORT_ADMIN: '#/components/schemas/StandardRole' SUPER_ADMIN: '#/components/schemas/StandardRole' USER_ADMIN: '#/components/schemas/StandardRole' ACCESS_CERTIFICATIONS_ADMIN: '#/components/schemas/CustomRole' ACCESS_REQUESTS_ADMIN: '#/components/schemas/CustomRole' WORKFLOWS_ADMIN: '#/components/schemas/CustomRole' CUSTOM: '#/components/schemas/CustomRole' examples: Standard role: $ref: '#/components/examples/StandardRoleResponseClient' Custom role assignment: $ref: '#/components/examples/CustomRoleResponseClient' IAM-based standard role assignment: $ref: '#/components/examples/IAMStandardRoleResponseClient' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleAssignmentClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a client role description: Unassigns a role assignment (identified by `roleAssignmentId`) from a client app (identified by `clientId`) operationId: deleteRoleFromClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleAssignmentClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps: parameters: - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: List all client role app targets description: Lists all OIN app targets for an `APP_ADMIN` role that's assigned to a client (by `clientId`). 
operationId: listAppTargetRoleToClient parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/CatalogApplication' examples: ClientRoleTargetExample: $ref: '#/components/examples/ClientRoleTargetResponseFacebookEx' ClientRoleTargetNonOINExample: $ref: '#/components/examples/ClientRoleTargetResponseInstanceEx' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleBTargetClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}: parameters: - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' put: summary: Assign a client role app target description: |- Assigns an OIN app target for an `APP_ADMIN` role assignment to a client. When you assign an app target from the OIN catalog, you reduce the scope of the role assignment. The role assignment applies to only app instances that are included in the specified OIN app target. An assigned OIN app target overrides any existing app instance targets. For example, if a user is assigned to administer a specific Facebook instance, a successful request to add an OIN app target with `facebook` for `appName` makes that user the administrator for all Facebook instances. 
operationId: assignAppTargetRoleToClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a client role app target description: |- Unassigns an OIN app target for a role assignment to a client app > **Note:** You can't remove the last OIN app target from a role assignment. > If you need a role assignment that applies to all apps, delete the role assignment with the target and create another one. See [Unassign a client role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). operationId: removeAppTargetRoleFromClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/catalog/apps/{appName}/{appId}: parameters: - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathAppName' - $ref: '#/components/parameters/pathAppId' put: summary: Assign a client role app instance target description: |- Assigns an app instance target to an `APP_ADMIN` role assignment to a client. When you assign the first OIN app or app instance target, you reduce the scope of the role assignment. The role no longer applies to all app targets, but applies only to the specified target. 
> **Note:** You can target a mixture of both OIN app and app instance targets, but you can't assign permissions to manage all instances of an OIN app and then assign a subset of permissions to the same app. For example, you can't specify that an admin has access to manage all instances of the Salesforce app and then also manage only specific configurations of the Salesforce app. operationId: assignAppTargetInstanceRoleForClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a client role app instance target description: |- Unassigns an app instance target from a role assignment to a client app > **Note:** You can't remove the last app instance target from a role assignment. > If you need a role assignment that applies to all the apps, delete the role assignment with the instance target and create another one. See [Unassign a client role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). 
operationId: removeAppTargetInstanceRoleForClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups: parameters: - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathRoleAssignmentId' get: summary: List all client role group targets description: Lists all group targets for a [`USER_ADMIN`](/openapi/okta-management/guides/roles/#standard-roles), `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a client. If the role isn't scoped to specific group targets, Okta returns an empty array `[]`. operationId: listGroupTargetRoleForClient parameters: - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/queryLimit' responses: '200': description: Success content: application/json: schema: type: array items: $ref: '#/components/schemas/Group' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.read tags: - RoleBTargetClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /oauth2/v1/clients/{clientId}/roles/{roleAssignmentId}/targets/groups/{groupId}: parameters: - $ref: '#/components/parameters/pathClientId' - $ref: '#/components/parameters/pathRoleAssignmentId' - $ref: '#/components/parameters/pathGroupId' put: summary: Assign a client role group target description: Assigns a group target to a [`USER_ADMIN`](/openapi/okta-management/guides/roles/#standard-roles), `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to 
a client app. When you assign the first group target, you reduce the scope of the role assignment. The role no longer applies to all targets, but applies only to the specified target. operationId: assignGroupTargetRoleForClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true delete: summary: Unassign a client role group target description: |- Unassigns a Group target from a `USER_ADMIN`, `HELP_DESK_ADMIN`, or `GROUP_MEMBERSHIP_ADMIN` role assignment to a client app. > **Note:** You can't remove the last group target from a role assignment. If you need a role assignment that applies to all groups, delete the role assignment with the target and create another one. See [Unassign a client role](/openapi/okta-management/management/tag/RoleAssignmentClient/#tag/RoleAssignmentClient/operation/deleteRoleFromClient). 
operationId: removeGroupTargetRoleFromClient responses: '204': description: No Content content: {} '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.roles.manage tags: - RoleBTargetClient x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /okta-personal-settings/api/v1/edit-feature: put: summary: Replace the Okta Personal admin settings description: Replaces Okta Personal admin settings in a Workforce org operationId: replaceOktaPersonalAdminSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/OktaPersonalAdminFeatureSettings' examples: exampleSettings: $ref: '#/components/examples/editFeatureExample' required: true responses: '204': description: No Content content: {} '401': $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.personal.adminSettings.manage tags: - OktaPersonalSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /okta-personal-settings/api/v1/export-blocklists: get: summary: List all blocked email domains description: Lists all blocked email domains which are excluded from app migration operationId: listPersonalAppsExportBlockList responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PersonalAppsBlockList' examples: exampleSettings: $ref: '#/components/examples/getBlockListExample' '401': $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - 
apiToken: [] - oauth2: - okta.personal.adminSettings.read tags: - OktaPersonalSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true put: summary: Replace the blocked email domains description: Replaces the list of blocked email domains which are excluded from app migration operationId: replaceBlockedEmailDomains requestBody: content: application/json: schema: $ref: '#/components/schemas/PersonalAppsBlockList' examples: exampleSettings: $ref: '#/components/examples/getBlockListExample' required: true responses: '204': description: No Content content: {} '401': $ref: '#/components/responses/Error-FF-NotEnabled-Response-401' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.personal.adminSettings.manage tags: - OktaPersonalSettings x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true /privileged-access/api/v1/containers/{containerId}/prepare-resources: parameters: - $ref: '#/components/parameters/containerId' - $ref: '#/components/parameters/privQueryLastUpdated' /privileged-access/api/v1/containers/{containerId}/resource-filter-criteria: parameters: - $ref: '#/components/parameters/containerId' /privileged-access/api/v1/containers/{containerId}/resources: parameters: - $ref: '#/components/parameters/containerId' - $ref: '#/components/parameters/privQueryLastUpdated' - $ref: '#/components/parameters/privQueryStatus' - $ref: '#/components/parameters/privQueryLimit' - $ref: '#/components/parameters/privQueryAfter' /privileged-access/api/v1/resources/{id}: parameters: - $ref: '#/components/parameters/privilegedResourceId' /privileged-access/api/v1/resources/{id}/claim: parameters: - $ref: '#/components/parameters/privilegedResourceId' /privileged-access/api/v1/resources/{id}/rotate-password: parameters: - $ref: '#/components/parameters/privilegedResourceId' 
/privileged-access/api/v1/service-accounts: get: summary: List all app service accounts description: Lists all app service accounts operationId: listAppServiceAccounts parameters: - $ref: '#/components/parameters/queryLimit' - $ref: '#/components/parameters/queryAfter' - $ref: '#/components/parameters/matchQueryFilter' responses: '200': description: Success content: application/json: examples: ListAppServiceAccounts: $ref: '#/components/examples/ListAppServiceAccounts' schema: type: array items: $ref: '#/components/schemas/AppServiceAccount' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.serviceAccounts.read tags: - ServiceAccount x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] post: summary: Create an app service account description: Creates a new app service account for managing an app account operationId: createAppServiceAccount x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/AppServiceAccount' required: true responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AppServiceAccount' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.serviceAccounts.manage tags: - ServiceAccount x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] /privileged-access/api/v1/service-accounts/{id}: parameters: - $ref: '#/components/parameters/serviceAccountId' get: summary: Retrieve an app service account description: Retrieves an app service account specified by 
ID operationId: getAppServiceAccount responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AppServiceAccount' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.serviceAccounts.read tags: - ServiceAccount x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] patch: summary: Update an existing app service account description: Updates an existing app service account specified by ID operationId: updateAppServiceAccount x-codegen-request-body-name: body requestBody: content: application/json: schema: $ref: '#/components/schemas/AppServiceAccountForUpdate' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/AppServiceAccount' '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.serviceAccounts.manage tags: - ServiceAccount x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] delete: summary: Delete an app service account description: Deletes an app service account specified by ID operationId: deleteAppServiceAccount responses: '204': description: No Content '400': $ref: '#/components/responses/ErrorApiValidationFailed400' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.serviceAccounts.manage tags: - ServiceAccount x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] 
/security/api/v1/security-events: post: summary: Publish a security event token description: Publishes a Security Event Token (SET) sent by a Security Events Provider. After the token is verified, Okta ingests the event and performs any appropriate action. operationId: publishSecurityEventTokens x-codegen-request-body-name: Security Event Token requestBody: required: true description: | The request body is a signed [SET](https://datatracker.ietf.org/doc/html/rfc8417), which is a type of JSON Web Token (JWT). For SET JWT header and body descriptions, see [SET JWT header](/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtHeader) and [SET JWT body payload](/openapi/okta-management/management/tag/SSFSecurityEventToken/#tag/SSFSecurityEventToken/schema/SecurityEventTokenRequestJwtBody). content: application/secevent+jwt: schema: type: string examples: SET: value: eyJraWQiOiJzYW1wbGVfa2lkIiwidHlwIjoic2ZXZlbnQra ... mrtmw responses: '202': description: Accepted '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/SecurityEventTokenError' security: [] tags: - SSFSecurityEventToken x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /webauthn-registration/api/v1/activate: post: summary: Activate a preregistered WebAuthn factor description: Activates a preregistered WebAuthn factor. As part of this operation, Okta first decrypts and verifies the factor PIN and enrollment data sent by the fulfillment provider. 
operationId: activatePreregistrationEnrollment x-codegen-request-body-name: body requestBody: description: Enrollment activation request content: application/json: schema: $ref: '#/components/schemas/EnrollmentActivationRequest' examples: Activate Preregistration Enrollment Request: $ref: '#/components/examples/EnrollmentActivationRequestExample' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EnrollmentActivationResponse' examples: Activate Preregistration Enrollment Response: $ref: '#/components/examples/EnrollmentActivationResponseExample' '400': description: PIN or cred requests generation failed content: application/json: schema: $ref: '#/components/schemas/Error' examples: NoDisable: $ref: '#/components/examples/ErrorPinOrCredResponsesProcessingFailure' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - WebAuthnPreregistration x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /webauthn-registration/api/v1/enroll: post: summary: Enroll a preregistered WebAuthn factor description: Enrolls a preregistered WebAuthn factor. This WebAuthn factor has a longer challenge timeout period to accommodate the fulfillment request process. As part of this operation, Okta generates elliptic curve (EC) key-pairs used to encrypt the factor PIN and enrollment data sent by the fulfillment provider. 
operationId: enrollPreregistrationEnrollment x-codegen-request-body-name: body requestBody: description: Enrollment initialization request content: application/json: schema: $ref: '#/components/schemas/EnrollmentInitializationRequest' examples: Initialize Preregistration Enrollment Request: $ref: '#/components/examples/EnrollmentInitializationRequestExample' responses: '200': description: Success content: application/json: schema: $ref: '#/components/schemas/EnrollmentInitializationResponse' examples: Initialize Preregistration Enrollment Response: $ref: '#/components/examples/EnrollmentInitializationResponseExample' '400': description: PIN or cred requests generation failed content: application/json: schema: $ref: '#/components/schemas/Error' examples: NoDisable: $ref: '#/components/examples/ErrorPinOrCredRequestsGenerationFailure' '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - WebAuthnPreregistration x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /webauthn-registration/api/v1/initiate-fulfillment-request: post: summary: Generate a fulfillment request description: Generates a fulfillment request by sending a WebAuthn preregistration event to start the flow. The WebAuthn preregistration integration for Okta Workflows uses a preregistration event to populate the fulfillment request. 
operationId: generateFulfillmentRequest x-codegen-request-body-name: body requestBody: description: Fulfillment request content: application/json: schema: $ref: '#/components/schemas/FulfillmentRequest' examples: Generate Fulfillment Request: $ref: '#/components/examples/GenerateFulfillmentRequestExample' responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - WebAuthnPreregistration x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /webauthn-registration/api/v1/send-pin: post: summary: Send a PIN to user description: Sends the decoded PIN for the specified WebAuthn preregistration enrollment. PINs are sent to the user's email. To resend the PIN, call this operation again. operationId: sendPin x-codegen-request-body-name: body requestBody: description: Send PIN request content: application/json: schema: $ref: '#/components/schemas/PinRequest' examples: Send PIN Request: $ref: '#/components/examples/SendPinRequestExample' responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - WebAuthnPreregistration x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /webauthn-registration/api/v1/users/{userId}/enrollments: parameters: - $ref: '#/components/parameters/pathUserId' get: summary: List all WebAuthn preregistration factors description: Lists all WebAuthn preregistration factors for the specified user operationId: listWebAuthnPreregistrationFactors responses: '200': description: Success content: application/json: schema: 
type: array items: $ref: '#/components/schemas/WebAuthnPreregistrationFactor' example: - id: fwf23789dfs9asdf782 factorType: webauthn provider: FIDO vendorName: FIDO fulfillmentProvider: yubico status: ACTIVE created: '2018-05-24T20:43:19.000Z' lastUpdated: '2018-05-24T21:43:32.000Z' profile: credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA authenticatorName: YubiKey 5C presetPinAvailable: true _links: self: href: https://example.okta.com/webauthn-registration/api/v1/users/00u15s1KDETTQMQYABRL/enrollments/fwf23789dfs9asdf782 hints: allow: - DELETE '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.read tags: - WebAuthnPreregistration x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/authenticatorEnrollmentId' delete: summary: Delete a WebAuthn preregistration factor description: Deletes a specific WebAuthn preregistration factor for a user operationId: deleteWebAuthnPreregistrationFactor responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - WebAuthnPreregistration x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /webauthn-registration/api/v1/users/{userId}/enrollments/{authenticatorEnrollmentId}/mark-error: parameters: - $ref: '#/components/parameters/pathUserId' - $ref: '#/components/parameters/authenticatorEnrollmentId' post: summary: 
Assign the fulfillment error status to a WebAuthn preregistration factor description: Assigns the fulfillment error status to a WebAuthn preregistration factor for a user. The `/mark-error` path indicates that the specific `FULFILLMENT_ERRORED` AuthFactor status is set on the enrollment. operationId: assignFulfillmentErrorWebAuthnPreregistrationFactor responses: '204': description: No Content '403': $ref: '#/components/responses/ErrorAccessDenied403' '404': $ref: '#/components/responses/ErrorResourceNotFound404' '429': $ref: '#/components/responses/ErrorTooManyRequests429' security: - apiToken: [] - oauth2: - okta.users.manage tags: - WebAuthnPreregistration x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine /workload-principals/api/v1/ai-agents/{agentId}: parameters: - $ref: '#/components/parameters/pathAIAgentId' /workload-principals/api/v1/ai-agents/{agentId}/connections: parameters: - $ref: '#/components/parameters/managedConnectionsAgentId' /workload-principals/api/v1/ai-agents/{agentId}/connections/{connectionId}: parameters: - $ref: '#/components/parameters/managedConnectionsAgentId' - $ref: '#/components/parameters/managedConnectionId' /workload-principals/api/v1/ai-agents/{agentId}/connections/{connectionId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/managedConnectionsAgentId' - $ref: '#/components/parameters/managedConnectionId' /workload-principals/api/v1/ai-agents/{agentId}/connections/{connectionId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/managedConnectionsAgentId' - $ref: '#/components/parameters/managedConnectionId' /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks: parameters: - $ref: '#/components/parameters/pathAIAgentId' /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks/{keyId}: parameters: - $ref: '#/components/parameters/pathAIAgentId' - $ref: '#/components/parameters/pathAIAgentJsonWebKeyId' 
/workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks/{keyId}/lifecycle/activate: parameters: - $ref: '#/components/parameters/pathAIAgentId' - $ref: '#/components/parameters/pathAIAgentJsonWebKeyId' /workload-principals/api/v1/ai-agents/{agentId}/credentials/jwks/{keyId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAIAgentId' - $ref: '#/components/parameters/pathAIAgentJsonWebKeyId' /workload-principals/api/v1/ai-agents/{agentId}/lifecycle/deactivate: parameters: - $ref: '#/components/parameters/pathAIAgentId' /workload-principals/api/v1/operations/{operationId}: parameters: - $ref: '#/components/parameters/aiAgentOperationId' x-webhooks: CreateTelephonyInlineHook: post: summary: Create a telephony inline hook description: |- Creates an Okta telephony inline hook request. This is an automated request from Okta to your third-party service endpoint. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. >**Note:** The size of your response payload must be less than 256 KB. See also: * For a general introduction to Okta inline hooks, see [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) * For information on the API for registering external service endpoints with Okta, see [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) * For an example implementation of a telephony inline hook, see [Telephony inline hook ](https://developer.okta.com/docs/guides/telephony-inline-hook) ### About The Okta telephony inline hook allows you to integrate your own custom code into Okta flows that send SMS or voice call messages. You can integrate this hook with enrollment, authentication, and recovery flows that involve the phone authenticator. Okta uses your external provider to deliver the one-time passcode (OTP) to the Requester. 
The provider can respond with commands that indicate if the delivery was successful or not. You can have only one active telephony inline hook per org. When you create a telephony inline hook, you must include the `authScheme` parameter. See [Create inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook) and the [authScheme object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createInlineHook!path=channel/0/config/authScheme&t=request). ### Time-out behavior If the provider response times out, Okta attempts to send the OTP using the Okta telephony providers. See [Troubleshoot](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createTelephonyInlineHook/#troubleshoot). >**Note:** The failover mechanism that uses the Okta telephony providers is heavily rate-limited. ### Troubleshoot This section explains several common causes of failure for telephony inline hooks. Note: Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the Troubleshooting section in the inline hooks topic for details on events captured by the Okta System Log. 
| Issue | Impact | Error Visibility |
|-------|--------|------------------|
| External service fails to communicate or times out | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only |
| External service responds with any HTTP status code besides `200` | Inline hook operation is skipped, OTP is sent to the Requester using an Okta telephony provider | Administrators only |
| External service returns an error object | Inline hook operation fails, OTP is sent to the Requester using an Okta telephony provider | Administrators, developers, and end users |
| Hook response is malformed or can't be mapped to the expected API response | Inline hook operation is skipped | Administrators only |
| Request header doesn't include an `authScheme` | Inline hook operation is skipped | Administrators only |
| Response uses an invalid status | Inline hook operation is skipped | Administrators only |
| Operation adds an active telephony inline hook when a hook exists | Inline hook operation is skipped | Administrators only |

operationId: createTelephonyInlineHook requestBody: required: true content: application/json: schema: allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/TelephonyRequest' examples: TelephonyPayloadExample: $ref: '#/components/examples/TelephonyPayloadExample' responses: '200': description: Successful response content: application/json: schema: $ref: '#/components/schemas/TelephonyResponse' examples: TelephonySuccessResponse: $ref: '#/components/examples/TelephonySuccessResponse' TelephonyFailureResponse: $ref: '#/components/examples/TelephonyFailureResponse' '403': $ref: '#/components/responses/ErrorAccessDenied403' security: - apiToken: [] - oauth2: [] tags: - InlineHook
CreatePasswordImportInlineHook: post: summary: Create a password import inline hook description: |- Creates a password import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. >**Note:** The size of your response payload must be less than 256 KB. The password import inline hook allows you to migrate users from another data store where you want the users to retain their current passwords. Use this hook with the [Create user with password import inline hook flow](/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook) that's described in the [Users API](/openapi/okta-management/management/tag/User/). The password import inline hook is triggered when the user tries to sign in to Okta for the first time. Okta sends your external service the password that the user supplied. Your external service then needs to send a response to Okta indicating whether the password supplied by the end user is valid. If your service returns a response that indicates that the password is valid, Okta sets the password for the user. The password import inline hook won't need to call your service again. However, if the Okta service is in read-only mode, it might not be possible to set the password. Okta then needs to call your service again the next time the user attempts to sign in. See [Password inline hook and Okta read-only mode](#password-inline-hook-and-okta-read-only-mode) and [Removing password from existing user store](#password-removal-from-an-existing-user-store). 
>**Notes:**
> * Password policies don't apply to the password import inline hook. That is, if your external service validates the password, the password is imported even if it doesn't meet the Okta password policy requirements.
> * You can create only one password import inline hook per org.

See also:
* [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks
* [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta
* [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console
* [Password import inline hook](https://developer.okta.com/docs/guides/password-import-inline-hook/nodejs/main/) for an example implementation of this inline hook

### Enable a password import inline hook

To enable a password import inline hook, you first need to register your external service endpoint with Okta and configure it as an inline hook of type `com.okta.user.credential.password.import`. You can enable the hook using the Admin Console (see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook)) or through the [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/).

When creating a user with the Users API, you need to use the [Create User with password import inline hook](/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook) use case. This involves specifying a `credentials.password.hook` property in the request body.

When the user that you have added attempts to sign in to Okta for the first time, the hook is triggered and Okta calls your external service. The call sends the credentials that the end user provided.
Your service can check the credentials and respond with a command to indicate whether the credentials are valid or not.

### Password inline hook and Okta read-only mode

If your external service responds to Okta indicating that the credentials are valid, Okta saves the password and can authenticate the user independently from then on. However, if your Okta org is in a special [read-only mode](https://support.okta.com/help/s/article/What-is-Oktas-Readonly-Mode) at the time the user signs in, then saving the password might not be possible. The next time the end user attempts to sign in, the password import inline hook needs to be called again.

### Password removal from an existing user store

Because of the possibility of your org being in a special service mode, you shouldn't attempt to permanently delete user passwords from your existing user store until you can verify the success of the password import. An Okta System Log Event, `user.import.password`, is available for this purpose. An event of this type is created every time a password import inline hook is fired, with its `Event.Outcome` property providing a status of `FAILURE` or `SUCCESS` for the password import operation. If the status is `SUCCESS`, Okta has successfully saved the end user's password, and it's safe to delete it from your previous user store. You can configure an [Event hook](https://developer.okta.com/docs/concepts/event-hooks/) to send this event type to you for use when triggering automated cleanup of end-user passwords after successful migration.
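The external-service side of this flow, as an added Python example that is not part of Okta's specification: it checks the supplied password against a legacy hash in constant time, returns the hook command, and deletes a legacy hash only after a `user.import.password` event with a `SUCCESS` outcome. The field names used (`data.context.credential`, `com.okta.action.update`, `outcome.result`, `target[].alternateId`), the PBKDF2 legacy store and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed legacy scheme: PBKDF2-HMAC-SHA256


def legacy_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_legacy_store(users):
    """Build a constructed legacy store: username -> (salt, hash)."""
    store = {}
    for username, password in users.items():
        salt = os.urandom(16)
        store[username] = (salt, legacy_hash(password, salt))
    return store


# Random record hashed for unknown usernames so both paths do the same work.
_DUMMY_RECORD = (os.urandom(16), os.urandom(32))


def handle_password_import(payload, store):
    """Return the hook response for one sign-in attempt. Never log the password."""
    cred = payload.get("data", {}).get("context", {}).get("credential", {})
    username, password = cred.get("username"), cred.get("password")
    verified = False
    if isinstance(username, str) and isinstance(password, str):
        known = username in store
        salt, expected = store[username] if known else _DUMMY_RECORD
        # Constant-time comparison avoids leaking how many hash bytes matched.
        verified = hmac.compare_digest(legacy_hash(password, salt), expected) and known
    result = "VERIFIED" if verified else "UNVERIFIED"
    return {"commands": [{"type": "com.okta.action.update",
                          "value": {"credential": result}}]}


def purge_migrated(events, store):
    """Delete legacy hashes only for users whose import event reports SUCCESS.

    A FAILURE outcome (for example, the org was in read-only mode) means Okta
    calls the hook again at the next sign-in, so the hash must stay.
    """
    removed = []
    for event in events:
        if event.get("eventType") != "user.import.password":
            continue
        if event.get("outcome", {}).get("result") != "SUCCESS":
            continue
        for target in event.get("target", []):
            name = target.get("alternateId")
            if target.get("type") == "User" and name in store:
                del store[name]
                removed.append(name)
    return removed


if __name__ == "__main__":
    legacy = make_legacy_store({"alice@example.com": "correct horse"})  # constructed
    request = {"data": {"context": {"credential": {
        "username": "alice@example.com", "password": "correct horse"}}}}
    print(handle_password_import(request, legacy))
```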
operationId: createPasswordImportInlineHook requestBody: required: true content: application/json: schema: allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/PasswordImportRequest' examples: PasswordImportPayloadExample: $ref: '#/components/examples/PasswordImportPayloadExample' responses: '200': description: Successful response content: application/json: schema: $ref: '#/components/schemas/PasswordImportResponse' examples: PasswordImportVerifiedResponse: $ref: '#/components/examples/PasswordImportVerifiedResponse' PasswordImportUnVerifiedResponse: $ref: '#/components/examples/PasswordImportUnVerifiedResponse' '204': description: No content - Unverified user response '403': $ref: '#/components/responses/ErrorAccessDenied403' security: - apiToken: [] - oauth2: [] tags: - InlineHook create-registration-hook: post: summary: Create a registration inline hook description: |- Creates a registration inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. The Okta registration inline hook allows you to integrate your own custom code into Okta's [Profile Enrollment](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-profile-enrollment) flow. The hook is triggered after Okta receives the registration or profile update request. 
Your custom code can: - Allow or deny the registration attempt, based on your own validation of the information the user has submitted - Set or override the values that are populated in attributes of the user's Okta profile > **Note:** Profile Enrollment and self-service registration (SSR) inline hooks only work with the [Okta Sign-In Widget](https://developer.okta.com/code/javascript/okta_sign-in_widget/) version 4.5 or later. See also: * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console * [Registration inline hook](https://developer.okta.com/docs/guides/registration-inline-hook) for an example implementation of this inline hook operationId: create-registration-hook requestBody: required: true content: application/json: schema: allOf: - $ref: '#/components/schemas/RegistrationInlineHookRequest' examples: ProfileEnrollmentRequest: $ref: '#/components/examples/ProfileEnrollmentRequest' ProgressiveProfileRequest: $ref: '#/components/examples/ProgressiveProfileRequest' responses: '200': description: Successful response content: application/json: schema: $ref: '#/components/schemas/RegistrationResponse' examples: ProfileEnrollmentResponse: $ref: '#/components/examples/ProfileEnrollmentResponse' ProgressiveProfileResponse: $ref: '#/components/examples/ProgressiveProfileResponse' ProfileEnrollmentResponseDeny: $ref: '#/components/examples/ProfileEnrollmentResponseDeny' ProgressiveProfileResponseDeny: $ref: '#/components/examples/ProgressiveProfileResponseDeny' '204': description: No content - Allow registration to proceed without any update. 
tags: - InlineHook security: - apiToken: [] - oauth2: [] x-okta-no-scope-required: true CreateUserImportInlineHook: post: summary: Create a user import inline hook description: |- Creates a user import inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. The user import inline hook enables you to add custom logic to the process of importing new users into Okta from an app. You can resolve conflicts in user name or other profile attributes, modify values of profile attributes, and control whether the imported user is treated as a match for an existing user or not. The hook is invoked for each user being imported, at the point immediately after any applicable profile attribute mappings have been applied, and any potential matches with existing users have been found, but before the Okta user profile is created. >**Note:** If the external service times out after receiving an Okta request, the Okta process flow continues and the user is created. 
See also: * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks * [Inline Hooks Management API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta * [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook) for steps to enable this inline hook in the Admin Console >**Note:** The procedure for associating a user import inline hook with an app using the Admin Console can't be used with AD or LDAP. operationId: createUserImportInlineHook requestBody: required: true content: application/json: schema: allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/UserImportRequest' examples: UserImportPayloadExample: $ref: '#/components/examples/UserImportPayloadExample' responses: '200': description: Successful response content: application/json: schema: $ref: '#/components/schemas/UserImportResponse' examples: UserImportChangeAppUserProfileExample: $ref: '#/components/examples/UserImportChangeAppUserProfileExample' UserImportChangeUserProfileExample: $ref: '#/components/examples/UserImportChangeUserProfileExample' UserImportCreateANewUserExample: $ref: '#/components/examples/UserImportCreateANewUserExample' UserImportMatchExample: $ref: '#/components/examples/UserImportMatchExample' UserImportErrorExample: $ref: '#/components/examples/UserImportErrorExample' '204': description: No content - Use the default action '403': $ref: '#/components/responses/ErrorAccessDenied403' security: - apiToken: [] - oauth2: [] tags: - InlineHook create-saml-hook: post: summary: Create a SAML assertion inline hook description: |- Creates a SAML assertion inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. 
This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. The objects that you return in the JSON payload of your response to this Okta request are an array of one or more objects, which specify the Okta commands to execute. This type of inline hook is triggered when Okta generates a SAML assertion in response to an authentication request. Before sending the SAML assertion to the app that will consume it, Okta calls out to your external service. Your external service can respond with commands to add attributes to the assertion or to modify its existing attributes. You can use this functionality to add data to assertions, which might be data that is sensitive, calculated at runtime, or complexly-structured and not appropriate for storing in Okta user profiles. Data added this way is never logged or stored by Okta. As an example, SAML assertions generated for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta. This inline hook works only when using custom SAML apps, not apps from the OIN. See also: * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta * For a use case example of how to implement a SAML assertion inline hook, see [SAML assertion inline hook](https://developer.okta.com/docs/guides/saml-inline-hook) * For steps to enable this inline hook, see [Add an inline hook](https://help.okta.com/okta_help.htm?type=oie&id=ext-add-inline-hook). ### Specify location within the assertion Specify the location within the assertion where you want to apply your operation using a slash-delimited path, which follows JSON Patch conventions. 
When you perform an `add` op to add a new attribute statement, begin with `/claims/` and follow that with the name of the new attribute that you're adding. When you modify an existing assertions statement, begin the path with `/subject/`, `/authentication/`, `/conditions/`, or `/claims/`, depending on which part of the assertion you want to modify. You then look deeper within the child elements using slash-delimited element names, for example, `/claims/array/attributeValues/1/value`. (The `/1/` in the path indicates the index of the array, using zero-based indexing.) ### URI claims Okta supports URI claims with SAML assertion hooks. When you need to replace or add a URI claim, encode the claim name within the command per the [JavaScript Object Notation (JSON) Pointer](https://tools.ietf.org/html/rfc6901) specification. Specifically, this replaces `~` with `~0` and `/` with `~1`. ### SessionNotOnOrAfter support In some scenarios, your service provider may require the `SessionNotOnOrAfter` attribute for the `` in the SAML assertion, which sets the provider session time correctly. Use `add` op with the path `/authentication/sessionLifetime` and a value for session lifetime in seconds to add this attribute. Okta calculates `SessionNotOnOrAfter` by adding the `/authentication/sessionLifetime` value to the `issueInstant` attribute and returns it in the SAML `data.assertion. 
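The path rules above (allowed roots, RFC 6901 escaping of URI claim names, and the `sessionLifetime` add), as an added Python example that is not part of Okta's specification. The `com.okta.assertion.patch` command type comes from Okta's SAML hook response format; the helper names, the restriction of `add` to the two uses described above, the attribute value shape and the sample claim names are assumptions made for illustration.

```python
import re

PATCH_TYPE = "com.okta.assertion.patch"
ALLOWED_ROOTS = ("/subject/", "/authentication/", "/conditions/", "/claims/")
SESSION_LIFETIME_PATH = "/authentication/sessionLifetime"
BAD_ESCAPE = re.compile(r"~(?![01])")  # RFC 6901: "~" must be followed by 0 or 1


def escape_token(name):
    """Encode one path segment. "~" goes first, or the "~" of "~1" is re-escaped."""
    return name.replace("~", "~0").replace("/", "~1")


def unescape_token(token):
    """Decode one path segment. "~1" goes first, so "~01" decodes to "~1"."""
    return token.replace("~1", "/").replace("~0", "~")


def split_path(path):
    """Return the decoded segments of a slash-delimited hook path."""
    if not path.startswith("/") or BAD_ESCAPE.search(path):
        raise ValueError(f"not a valid JSON Pointer: {path!r}")
    return [unescape_token(token) for token in path.split("/")[1:]]


def claim_path(claim_name):
    """Path for a claim whose name may be a URI."""
    return "/claims/" + escape_token(claim_name)


def make_op(op, path, value):
    """Build one patch operation, rejecting paths the description does not allow."""
    if op not in ("add", "replace"):
        raise ValueError(f"unsupported op: {op!r}")
    segments = split_path(path)
    # An empty segment usually means a URI claim name was not escaped ("http://").
    if not path.startswith(ALLOWED_ROOTS) or "" in segments:
        raise ValueError(f"path outside the assertion sections: {path!r}")
    if op == "add" and not (path.startswith("/claims/") or path == SESSION_LIFETIME_PATH):
        raise ValueError("add is limited here to /claims/<name> and sessionLifetime")
    if path == SESSION_LIFETIME_PATH:
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            raise ValueError("sessionLifetime must be a positive number of seconds")
    return {"op": op, "path": path, "value": value}


def build_response(ops):
    return {"commands": [{"type": PATCH_TYPE, "value": list(ops)}]}


def sample_response():
    """Constructed response: one URI claim, one replace, one session lifetime."""
    role_value = {  # assumed attribute value shape; check the SAMLHookResponse schema
        "attributes": {"NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"},
        "attributeValues": [{"attributes": {"xsi:type": "xs:string"}, "value": "admin"}],
    }
    return build_response([
        make_op("add", claim_path("http://schemas.example.com/claims/role"), role_value),
        make_op("replace", "/claims/array/attributeValues/1/value", "replacementValue"),
        make_op("add", SESSION_LIFETIME_PATH, 300),
    ])


if __name__ == "__main__":
    import json
    print(json.dumps(sample_response(), indent=2))
```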
operationId: createSAMLAssertionInlineHook requestBody: required: true content: application/json: schema: allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/SAMLPayLoad' examples: SAMLPayloadExample: $ref: '#/components/examples/SAMLPayLoadExample' responses: '200': description: Successful response content: application/json: schema: $ref: '#/components/schemas/SAMLHookResponse' examples: SAMLHookResponseExample: $ref: '#/components/examples/SAMLHookResponseExample' SAMLHookResponseWithURIFormat: $ref: '#/components/examples/SAMLHookResponseWithURIFormat' '204': description: No content - Use the default action '403': $ref: '#/components/responses/ErrorAccessDenied403' security: - apiToken: [] - oauth2: [] tags: - InlineHook create-token-hook: post: summary: Create a token inline hook description: |- Creates a token inline hook request, one type of inline hook supported by Okta. This is an automated request from Okta to your third-party service endpoint. This reference provides sample JSON objects that are contained in the outbound request from Okta to your external service, and sample JSON objects that you can include in your response. This type of inline hook is triggered when OAuth 2.0 and OpenID Connect (OIDC) tokens are minted by your Okta custom authorization server. Before sending the token to the requester, Okta calls out to your external service. Your service can then respond with commands to add custom claims to the token or to modify existing claims. Use this functionality to add data that is sensitive, calculated at runtime, or complexly structured and not appropriate for storing in Okta user profiles. Okta never logs nor stores data that is added this way. As an example, tokens minted for a medical app could be augmented with confidential patient data provided by your external service and not stored in Okta. 
In addition to adding custom claims, you can modify or remove an existing custom claim or an OIDC standard profile claim. You can also update how long an access token or an ID token is valid. This inline hook works only when using an [Okta custom authorization server](https://developer.okta.com/docs/guides/customize-authz-server/main/#create-an-authorization-server), not the built-in Okta org authorization server. See also: * [Inline hooks](https://developer.okta.com/docs/concepts/inline-hooks/) for a general introduction to Okta inline hooks * [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook/) for information on the API for registering external service endpoints with Okta * For an example implementation of this inline hook, see [Token inline hook](https://developer.okta.com/docs/guides/token-inline-hook) ### Timeout behavior After receiving the Okta request, if there's a response timeout, the Okta process flow proceeds with the original token returned. ### Enabling a token inline hook To activate the inline hook, you first need to register your external service endpoint with Okta using the [Inline Hooks Management API](/openapi/okta-management/management/tag/InlineHook). You then need to associate the registered inline hook with a custom authorization server policy rule by completing the following steps: 1. Go to **Security** > **API** > **Authorization Servers.** 2. Select a custom authorization server from the list. 3. Select **Access Policies** and select a policy to use with the hook. In most cases, pick the Default Policy. 4. One of the policy's rules needs to trigger the inline hook. Click the pencil icon for a rule to edit it. If you only have one rule, edit the Default Policy Rule. 5. Click the **Use this Inline Hook** dropdown menu. Any inline hooks that you have registered are listed. Select the hook that you would like to use. 6. Click **Update Rule**. > **Note:** You can associate only one inline hook with each rule. 
### Troubleshoot

This section covers what happens when a token inline hook flow fails either due to the external inline hook service returning an error object or not returning a successful response, or the inline hook patch fails.

> **Note:** Administrators can use the [Okta System Log](https://developer.okta.com/docs/reference/api/system-log/) to view errors. See the [Troubleshooting](https://developer.okta.com/docs/concepts/inline-hooks/#troubleshooting) section in the inline hooks concept piece for more information on the events related to inline hooks that the Okta System Log captures.

- When there's a communication failure with the external service, a timeout for example, the inline hook operation is skipped. The token is generated without any modification from the inline hook.

  **Who can see this error?** Administrators

- When the external service returns a response with any other HTTP status code besides `200`, the inline hook operation is skipped. The token is generated without any modification from the inline hook.

  **Who can see this error?** Administrators

- When the external service returns an error object in the response, the entire token inline hook flow fails with no token generated.

  **Who can see this error?** Administrators, developers, and end users. When the OAuth 2.0 client receives the error, the client developer can see that error if the client has the debug information. What the end user sees depends on how errors are handled within the client.

  > **Note:** See the [error](https://developer.okta.com/docs/reference/token-hook/#error) section on this page for more information on what to include in the error object of your response and what the OAuth 2.0 error includes that Okta returns to the requestor of the token.

- When a hook command (for example, updating, adding, and deleting claims) can't be performed, the inline hook operation is skipped. The token is generated without any modification from the inline hook.
  **Who can see this error?** Administrators

  The following actions result in an error:

  - Using an invalid command. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`.
  - Using an invalid operation
  - Attempting to remove a system-specific claim
  - Attempting to update a claim that doesn't exist
  - Attempting to update an element within an array that doesn't exist or specifying an invalid index
  - Attempting to remove a claim that doesn't exist

operationId: createTokenInlineHook requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/TokenRequest' examples: TokenPayLoadExample: $ref: '#/components/examples/TokenPayLoadExample' responses: '200': description: Successful response content: application/json: schema: $ref: '#/components/schemas/TokenHookResponse' examples: TokenHookResponse: $ref: '#/components/examples/TokenHookResponse' TokenHookResponseWithURIFormat: $ref: '#/components/examples/TokenHookResponseWithURIFormat' TokenHookResponseAppendArray: $ref: '#/components/examples/TokenHookResponseAppendArray' TokenHookReplaceExisting: $ref: '#/components/examples/TokenHookReplaceExisting' TokenHookReplaceInPath: $ref: '#/components/examples/TokenHookReplaceInPath' TokenHookModifyLifetime: $ref: '#/components/examples/TokenHookModifyLifetime' TokenHookRemoveClaim: $ref: '#/components/examples/TokenHookRemoveClaim' TokenHookRemoveFromArray: $ref: '#/components/examples/TokenHookRemoveFromArray' TokenHookRemoveFromObject: $ref: '#/components/examples/TokenHookRemoveFromObject' TokenHookErrorExample: $ref: '#/components/examples/TokenHookErrorExample' '204': description: No content - Unverified user response '403': $ref: '#/components/responses/ErrorAccessDenied403' security: - apiToken: [] - oauth2: [] tags: - InlineHook components: examples: AIAgentOperationCompletedResponse: summary: Completed AI agent operation response value: id: op-1a2b3c4d type:
ai-agent:Register status: COMPLETED created: '2025-09-11T18:52:48.000Z' started: '2025-09-11T18:52:48.000Z' completed: '2025-09-11T18:52:49.000Z' resource: id: aiAgent_abc123def456 type: AI_AGENT status: ACTIVE _links: self: href: https://subdomain.okta.com/workload-principal/api/v1/ai-agents/aiAgent_abc123def456 AIAgentOperationFailedResponse: summary: Failed AI agent operation response value: id: op-2b3c4d5e type: ai-agent:Delete status: FAILED created: '2025-09-10T14:30:00.000Z' started: '2025-09-10T14:30:01.000Z' completed: '2025-09-10T14:30:05.000Z' errorDetails: code: E0000001 message: custom error message. AIAgentOperationInProgressResponse: summary: In-progress AI agent operation response value: id: op-0f1e2d3c type: ai-agent:Replace status: IN_PROGRESS created: '2025-09-10T15:00:00.000Z' started: '2025-09-10T15:00:01.000Z' AIAgentResponse: value: id: wlpx9jQ16k9V8IFEL0g3 created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' status: ACTIVE appId: 0oab1234EXAMPLEID5d6 profile: name: Demo Agent description: Demo Agent _links: self: rel: self href: https://your-subdomain.okta.com/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3 method: GET AIAgentResponseStaged: value: id: wlpx9jQ16k9V8IFEL0g3 created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' status: STAGED profile: name: Demo Agent description: Demo Agent _links: self: rel: self href: https://your-subdomain.okta.com/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3 method: GET APIDevicesListAllResponse: summary: List all devices with embedded users value: - id: guo4a5u7YAHhjXrMK0g4 status: CREATED created: '2019-10-02T18:03:07.000Z' lastUpdated: '2019-10-02T18:03:07.000Z' profile: displayName: Example device name 1 platform: WINDOWS serialNumber: XXDDRFCFRGF3M8MD6D sid: S-1-11-111 registered: true secureHardwarePresent: false diskEncryptionType: ALL_INTERNAL_VOLUMES resourceType: UDDevice resourceDisplayName: value: Example device name 1 
sensitive: false resourceAlternateId: null resourceId: guo4a5u7YAHhjXrMK0g4 _links: activate: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 hints: allow: - GET - PATCH - PUT users: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users hints: allow: - GET _embedded: users: [] - id: guo4a5u7YAHhjXrMK0g5 status: ACTIVE created: '2023-06-21T23:24:02.000Z' lastUpdated: '2023-06-21T23:24:02.000Z' profile: displayName: Example device name 2 platform: ANDROID manufacturer: Google model: Pixel 6 osVersion: 13:2023-05-05 registered: true secureHardwarePresent: true diskEncryptionType: USER resourceType: UDDevice resourceDisplayName: value: Example device name 2 sensitive: false resourceAlternateId: null resourceId: guo4a5u7YAHhjXrMK0g5 _links: activate: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 hints: allow: - GET - PATCH - PUT users: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users hints: allow: - GET _embedded: users: - managementStatus: MANAGED created: '2021-10-01T16:52:41.000Z' screenLockType: BIOMETRIC user: id: 00u17vh0q8ov8IU881d7 status: ACTIVE created: '2020-08-12T06:46:50.000Z' activated: '2020-08-12T06:46:50.000Z' statusChanged: '2021-01-27T21:05:32.000Z' lastLogin: '2021-10-14T09:04:48.000Z' lastUpdated: '2021-01-27T21:05:32.000Z' passwordChanged: '2020-08-12T06:46:50.000Z' type: id: oty7ut9Uu76oHVUZc0w4 profile: firstName: fname lastName: lname mobilePhone: null secondEmail: null login: email@email.com email: email@email.com credentials: password: {} recovery_question: question: What is the food you least liked as a child? 
provider: type: OKTA name: OKTA _links: suspend: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend method: POST schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc7ut9Uu76oHVUZc0w4 resetPassword: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password method: POST forgotPassword: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password method: POST expirePassword: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password method: POST changeRecoveryQuestion: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question method: POST self: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 type: href: https://{yourOktaDomain}/api/v1/meta/types/user/oty7ut9Uu76oHVUZc0w4 changePassword: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password deactivate: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate APIDevicesListAllUserSummaryResponse: summary: List all devices with embedded user summaries value: - id: guo4a5u7YAHhjXrMK0g4 status: CREATED created: '2019-10-02T18:03:07.000Z' lastUpdated: '2019-10-02T18:03:07.000Z' profile: displayName: Example device name 1 platform: WINDOWS serialNumber: XXDDRFCFRGF3M8MD6D sid: S-1-11-111 registered: true secureHardwarePresent: false diskEncryptionType: ALL_INTERNAL_VOLUMES resourceType: UDDevice resourceDisplayName: value: Example device name 1 sensitive: false resourceAlternateId: null resourceId: guo4a5u7YAHhjXrMK0g4 _links: activate: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4 hints: allow: - GET - PATCH - PUT users: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g4/users hints: allow: - GET _embedded: 
users: [] - id: guo4a5u7YAHhjXrMK0g5 status: ACTIVE created: '2023-06-21T23:24:02.000Z' lastUpdated: '2023-06-21T23:24:02.000Z' profile: displayName: Example device name 2 platform: ANDROID manufacturer: Google model: Pixel 6 osVersion: 13:2023-05-05 registered: true secureHardwarePresent: true diskEncryptionType: USER resourceType: UDDevice resourceDisplayName: value: Example device name 2 sensitive: false resourceAlternateId: null resourceId: guo4a5u7YAHhjXrMK0g5 _links: activate: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5 hints: allow: - GET - PATCH - PUT users: href: https://{yourOktaDomain}/api/v1/devices/guo4a5u7YAHhjXrMK0g5/users hints: allow: - GET _embedded: users: - managementStatus: MANAGED created: '2021-10-01T16:52:41.000Z' screenLockType: BIOMETRIC user: id: 00u17vh0q8ov8IU881d7 realmId: 00u17vh0q8ov8IU8T0g5 profile: firstName: fname lastName: lname login: email@email.com email: email@email.com _links: self: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 APIDevicesListAllUsersResponse: summary: Response example value: - created: '2021-08-20T17:13:35.000Z' managementStatus: NOT_MANAGED screenLockType: BIOMETRIC user: id: 00u17vh0q8ov8IU881d7 status: ACTIVE created: '2021-08-20T16:08:25.000Z' activated: null statusChanged: '2021-08-20T16:39:41.000Z' lastLogin: '2023-04-18T17:54:12.000Z' lastUpdated: '2021-12-20T18:27:30.000Z' passwordChanged: '2021-12-20T18:27:30.000Z' type: id: oty17vh0n2EHVnbYF1d7 profile: firstName: Bunk lastName: Moreland mobilePhone: null secondEmail: null login: bunk.moreland@example.com email: bunk.moreland@example.com credentials: password: null provider: type: OKTA name: OKTA _links: suspend: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/suspend method: POST schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/osc17vh0n2EHVnbYF1d7 
resetPassword: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_password method: POST forgotPassword: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/forgot_password method: POST expirePassword: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/expire_password method: POST changeRecoveryQuestion: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_recovery_question method: POST self: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7 resetFactors: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/reset_factors method: POST type: href: https://{yourOktaDomain}/api/v1/meta/types/user/oty17vh0n2EHVnbYF1d7 changePassword: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/credentials/change_password method: POST deactivate: href: https://{yourOktaDomain}/api/v1/users/00u17vh0q8ov8IU881d7/lifecycle/deactivate method: POST APIPushProvidersListAllResponse: value: - id: ppchvbeucdTgqeiGxR0g4 providerType: APNS name: Example Push Provider 1 lastUpdatedDate: '2022-01-00T00:00:00.000Z' configuration: keyId: ABC123DEFG teamId: DEF123GHIJ fileName: fileName.p8 _links: self: href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} hints: allow: - DELETE - GET - PUT - id: ppctekcmngGaqeiBxB0g4 providerType: FCM name: Example Push Provider 2 lastUpdatedDate: '2022-01-00T00:00:00.000Z' configuration: projectId: PROJECT_ID fileName: fileName.json _links: self: href: https://your-subdomain.okta.com/api/v1/push-providers/{pushProviderId} hints: allow: - DELETE - GET - PUT APIServiceIntegrationInstanceSecretListResponse: summary: Secrets list response example value: - id: ocs2f4zrZbs8nUa7p0g4 status: INACTIVE client_secret: '***DhOW' secret_hash: yk4SVx4sUWVJVbHt6M-UPA created: '2023-02-21T20:08:24.000Z' lastUpdated: '2023-02-21T20:08:24.000Z' _links: activate: href: 
https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate hints: allow: - POST delete: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 hints: allow: - DELETE - id: ocs2f50kZB0cITmYU0g4 status: ACTIVE client_secret: '***MQGQ' secret_hash: 0WOOvBSzV9clc4Nr7Rbaug created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST APIServiceIntegrationListResponse: summary: List response example value: - id: 0oa72lrepvp4WqEET1d9 type: my_app_cie name: My App Cloud Identity Engine createdAt: '2023-02-21T20:08:24.000Z' createdBy: 00uu3u0ujW1P6AfZC2d5 configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide grantedScopes: - okta.logs.read - okta.groups.read - okta.users.read _links: self: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 hints: allow: - GET - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 hints: allow: - GET logo: name: small href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo APIServiceIntegrationResponse: summary: Response example value: id: 0oa72lrepvp4WqEET1d9 type: my_app_cie name: My App Cloud Identity Engine createdAt: '2023-02-21T20:08:24.000Z' createdBy: 00uu3u0ujW1P6AfZC2d5 configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide grantedScopes: - okta.logs.read - okta.groups.read - okta.users.read _links: self: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 hints: allow: - GET - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 hints: allow: - GET logo: name: small href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo 
APIServiceWithPropertiesIntegrationResponse: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Response example with app properties value: id: 0oa72lrepvp4WqEET1d9 type: my_app_cie name: My App Cloud Identity Engine createdAt: '2023-02-21T20:08:24.000Z' createdBy: 00uu3u0ujW1P6AfZC2d5 configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide grantedScopes: - okta.logs.read - okta.groups.read - okta.users.read properties: baseUrl: https://example.com orgId: '42' _links: self: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 hints: allow: - GET - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 hints: allow: - GET logo: name: small href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo APIUserListDevicesResponse: value: - created: '2020-11-03T21:47:01.000Z' deviceUserId: lnk46w61OLJz1uSQW0g4 device: id: guo8jx5vVoxfvJeLb0w4 status: ACTIVE created: '2020-11-03T21:47:01.000Z' lastUpdated: '2020-11-03T23:46:27.000Z' profile: displayName: DESKTOP-EHAD3IE platform: WINDOWS manufacturer: International Corp model: VMware7,1 osVersion: 10.0.18362 serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE sid: S-1-5-21-3992267483-1860856704-2413701314-500 registered: true secureHardwarePresent: false diskEncryptionType: NONE resourceId: guo8jx5vVoxfvJeLb0w4 resourceDisplayName: value: DESKTOP-EHAD3IE sensitive: false resourceType: UDDevice resourceAlternateId: null _links: suspend: href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 hints: allow: - GET - PATCH - PUT users: href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate hints: allow: - POST 
ActivateFactorCallResponse: summary: call value: id: clf1o51EADOTFXHHBXBP factorType: call provider: OKTA vendorName: OKTA status: ACTIVE created: '2014-08-06T16:56:31.000Z' lastUpdated: '2014-08-06T16:56:31.000Z' profile: phoneNumber: +1-555-415-1337 phoneExtension: '1234' _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1o51EADOTFXHHBXBP hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET ActivateFactorEmailResponse: summary: email value: id: emfnf3gSScB8xXoXK0g3 factorType: email provider: OKTA vendorName: OKTA status: ACTIVE profile: email: changed@clouditude.net _links: verify: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 hints: allow: - GET ActivateFactorPushResponse: summary: push value: id: opf3hkfocI4JTLAju0g4 factorType: push provider: OKTA vendorName: OKTA status: ACTIVE created: '2015-03-16T18:01:28.000Z' lastUpdated: '2015-08-27T14:25:17.000Z' profile: credentialId: dade.murphy@example.com deviceType: SmartPhone_IPhone name: Gibson platform: IOS version: '9.0' _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opf3hkfocI4JTLAju0g4 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET ActivateFactorSmsResponse: summary: sms value: id: sms1o51EADOTFXHHBXBP factorType: sms provider: OKTA vendorName: OKTA status: ACTIVE 
created: '2014-08-06T16:56:31.000Z' lastUpdated: '2014-08-06T16:56:31.000Z' profile: phoneNumber: +1-555-415-1337 _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms1o51EADOTFXHHBXBP hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET ActivateFactorTotpResponse: summary: token:software:totp value: id: ostf1fmaMGJLMNGNLIVG factorType: token:software:totp provider: OKTA vendorName: OKTA status: ACTIVE created: '2014-07-16T16:13:56.000Z' lastUpdated: '2014-08-06T00:31:07.000Z' profile: credentialId: dade.murphy@example.com _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET ActivateFactorU2fRequest: summary: u2f value: registrationData: BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew clientData: 
eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ ActivateFactorU2fResponse: summary: u2f value: id: fuf2rovRxogXJ0nDy0g4 factorType: u2f provider: FIDO vendorName: FIDO status: ACTIVE created: '2018-05-24T20:43:19.000Z' lastUpdated: '2018-05-24T21:43:32.000Z' profile: credentialId: WVO-QyHEi0eWmTNqESqJynDtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA version: U2F_V2 _links: self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 hints: allow: - GET - DELETE verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify hints: allow: - POST user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET ActivateFactorWebauthnRequest: summary: webAuthn value: attestation: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== clientData: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0= ActivateFactorWebauthnResponse: summary: webAuthn value: id: fwf2rovRxogXJ0nDy0g4 factorType: webauthn provider: FIDO vendorName: FIDO status: ACTIVE created: '2018-05-24T20:43:19.000Z' lastUpdated: '2018-05-24T21:43:32.000Z' profile: credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA authenticatorName: MacBook Touch ID _links: self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 hints: allow: - 
GET - DELETE verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify hints: allow: - POST user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET ActivateIdPResponse: summary: Activate an IdP value: id: 0oa62bfdiumsUndnZ0h7 type: GOOGLE name: Google status: ACTIVE created: '2016-03-24T23:21:49.000Z' lastUpdated: '2016-03-25T19:14:23.000Z' protocol: type: OIDC endpoints: authorization: url: https://accounts.google.com/o/oauth2/auth binding: HTTP-REDIRECT token: url: https://www.googleapis.com/oauth2/v3/token binding: HTTP-POST scopes: - profile - email - openid credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.email filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: |- https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& client_id={clientId}&response_type={responseType}&response_mode={responseMode}& scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST ActivateNetworkZone: summary: Activated network zone value: type: IP id: nzowc1U5Jh5xuAK0o0g3 name: MyIpZone status: ACTIVE usage: POLICY created: '2021-06-24T20:37:32.000Z' lastUpdated: '2021-06-24T20:37:32.000Z' system: false gateways: - type: CIDR value: 1.2.3.4/24 proxies: - type: RANGE value: 3.3.4.5-3.3.4.15 _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate hints: allow: - POST ActiveAuthorizationServerKey: summary: 
Active authorization server key value: status: ACTIVE alg: RS256 e: AQAB 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc kty: RSA use: sig _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc hints: allow: - GET ActiveIdPSigningKeyCredentialResponse: summary: IdP active signing key credential value: - kty: RSA created: '2025-04-14T16:29:59.000Z' lastUpdated: '2025-04-14T16:29:59.000Z' expiresAt: '2035-04-14T16:29:59.000Z' kid: your-key-id use: sig x5c: - 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 x5t#S256: pX0kpGWPotMaEqqtIoOH9L-sFBa-htNFu0MZiJz1Hi4 e: AQAB 'n': wdmW7pNqxzmlrsWbHq6rQJDiMu4T344AKEzQ1jGffyCLCU-HKk5WqIVtQ4EJ5FU3Rk6kNeoTdkQbxn7t2QFj37ScHZkxXDbNEhFbZpvGh7-rYBG7TCnk8jO9ct_bpT-PCLCgC9L_67H2eCXXN-_gFVZAx7KEibb4NgUET2p34b5scGI2LwEefS-z8UBGlNkg9+SmI9PvjMXplFKazb6qlb27fp0PSfC4S5g8kOCqEGC9oNOCBHO5jyzlzcFq04AIaAX9N1X13UULrj-262O1-RCnQNTadbdrO6FXwfQ6lsLmvWCFBVzLTqxYxCGNY85lhAH1zjoEvXnInKYgnvmcuw AddMappingBody: summary: Update an existing profile mapping by adding one or more properties value: properties: fullName: expression: user.firstName + user.lastName pushStatus: PUSH nickName: expression: user.nickName pushStatus: PUSH AddMappingResponse: summary: Update an existing profile mapping by adding one or more properties value: id: prm1k47ghydIQOTBW0g4 source: id: otysbePhQ3yqt4cVv0g3 name: user type: user _links: self: href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 
target: id: 0oa1qmn4LZQQEH0wZ0g4 name: okta_org2org type: appuser _links: self: href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default properties: fullName: expression: user.firstName + user.lastName pushStatus: PUSH nickName: expression: user.nickName pushStatus: PUSH _links: self: href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 AddOAuth2ResourceServerJsonWebKeyRequest: summary: JSON Web Key request example value: kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA use: enc e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: INACTIVE AdminConsoleSettingsExample: summary: Default Okta Admin Console settings value: sessionMaxLifetimeMinutes: 720 sessionIdleTimeoutMinutes: 15 AerialConsentDetails: description: Example response of consent details value: accountId: 0200bs0617vvhv2v675mch1cukp grantDate: '2023-04-06T21:32:33.000Z' grantedBy: 00uabcdefg1234567890 AerialConsentInvalidAccountIdResponse: description: Aerial account ID is invalid value: errorCode: E0000001 errorSummary: 'API validation failed: account' errorLink: E0000001 errorId: oaewjePjfdBT7m71KkPz0Ipaw errorCauses: - errorSummary: Invalid aerial account ID. AerialConsentOrgAlreadyLinkedResponse: description: The revoke operation isn't possible when the org is already linked value: errorCode: E0000001 errorSummary: 'API validation failed: account' errorLink: E0000001 errorId: oae_wheRkaxRT-EFAXwBmBKLg errorCauses: - errorSummary: The org is already linked to an Account. AerialGrantAlreadyPresentErrorResponse: description: Grant is already present value: errorCode: E0000001 errorSummary: 'Api validation failed: account' errorLink: E0000001 errorId: oaewjePjfdBT7m71KkPz0Ipaw errorCauses: - errorSummary: The org already has a consent grant added to Aerial. 
AerialGrantNotFoundResponse: description: No grant found for org value: errorCode: E0000007 errorSummary: 'Not found: Resource not found: grant (String)' errorLink: E0000007 errorId: sampleFYH_dTSSTdpPYIAdHJw errorCauses: [] AllAssignmentsOperationResponse: value: id: rre4mje4ez7B2a7B60g7 type: realm:assignment status: COMPLETED created: '2023-10-25T21:02:54.000Z' started: '2023-10-25T21:02:54.000Z' completed: '2023-10-25T21:02:54.000Z' assignmentOperation: configuration: id: ALL name: All Assignments numUserMoved: 50 _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez7B2a7B60g7 method: GET AllCustomAAGUIDResponse: value: - aaguid: cb69481e-8ff7-4039-93ec-0a272911111 name: My Security Key authenticatorCharacteristics: platformAttached: false fipsCompliant: false hardwareProtected: false attestationRootCertificates: - x5c: X5C... x5t#S256: SHA-256 x5t of the X.509 root certificate iss: Yubico U2F Root CA Serial 457200631 exp: '2035-05-26T16:04:58.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/aaguids/cb69481e-8ff7-4039-93ec-0a272911111 hints: allow: - GET - PUT - PATCH - DELETE AllowOktaSupportAccessStatus: summary: Allow Okta Support access value: impersonation: status: ENABLED expiration: '2024-01-24T11:13:14.000Z' caseNumber: '1011001' AllowOktaSupportAccessStatusRequest: summary: Allow Okta Support access value: impersonation: status: ENABLED AllowSelfAssigned: summary: Allow self-assigned Okta Support cases value: selfAssigned: status: APPROVED caseNumber: '1011001' AllowSelfAssignedRequest: summary: Allow self-assigned Okta Support cases value: selfAssigned: status: APPROVED ApiTokenListMetadataResponse: value: - name: My API Token userId: 00uabcdefg1234567890 tokenWindow: P30D network: connection: ANYWHERE id: 00Tabcdefg1234567890 clientName: Okta API expiresAt: '2021-12-11T20:38:10.000Z' created: '2021-11-09T20:38:10.000Z' lastUpdated: '2021-11-11T20:38:10.000Z' _links: 
self: href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 hints: allow: - GET - name: Another API Token userId: 00uabcdefg1234567890 tokenWindow: PT5M id: 00T1234567890abcdefg clientName: Okta API expiresAt: '2021-11-11T20:43:10.000Z' created: '2021-11-09T20:38:10.000Z' lastUpdated: '2021-11-11T20:38:10.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/api-tokens/00T1234567890abcdefg hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00uabcdefg1234567890 hints: allow: - GET ApiTokenMetadataResponse: value: name: My API Token userId: 00uXXXXXXXXXXXXXXXXX tokenWindow: P30D network: connection: ANYWHERE id: 00Tabcdefg1234567890 clientName: Okta API expiresAt: '2021-12-11T20:38:10.000Z' created: '2021-11-09T20:38:10.000Z' lastUpdated: '2021-11-11T20:38:10.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/api-tokens/00Tabcdefg1234567890 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00uXXXXXXXXXXXXXXXXX hints: allow: - GET AppCsrJsonResponse: summary: CSR object in JSON format value: id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 created: '2017-03-28T01:11:10.000Z' csr: 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 kty: RSA _links: self: href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 hints: allow: - GET - DELETE publish: href: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish hints: allow: - POST AppCsrPkcs10Response: summary: CSR in DER format value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 AppFeatureListResponseEx: summary: List 
app feature response value: - name: USER_PROVISIONING status: ENABLED description: User provisioning settings from Okta to a downstream application capabilities: create: lifecycleCreate: status: DISABLED update: profile: status: DISABLED lifecycleDeactivate: status: DISABLED password: status: DISABLED seed: RANDOM change: KEEP_EXISTING _links: self: href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING hints: allow: - GET - PUT AppFeatureResponseEx: summary: App feature response value: name: USER_PROVISIONING status: ENABLED description: User provisioning settings from Okta to a downstream application capabilities: create: lifecycleCreate: status: DISABLED update: profile: status: DISABLED lifecycleDeactivate: status: DISABLED password: status: DISABLED seed: RANDOM change: KEEP_EXISTING _links: self: href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING hints: allow: - GET - PUT AppGrantsEx: summary: App grants example value: id: oag91n9ruw3dsaXzP0h6 status: ACTIVE created: '2023-02-21T16:54:00.000Z' createdBy: id: 00u6eltha0nrSc47i0h7 type: User lastUpdated: '2023-02-21T16:54:00.000Z' issuer: '{yourOktaDomain}' clientId: '{clientId}' scopeId: okta.users.read source: ADMIN _embedded: scope: id: okta.users.read _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} title: Application name self: href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 hints: allow: - GET - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} title: Client name AppGrantsPostEx: summary: App grants example value: issuer: '{yourOktaDomain}' scopeId: okta.users.read AppResponseBaseEx: value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - 
POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate AppUserAssignProvRequest: summary: SSO and provisioning application user request example value: id: 00u15s1KDETTQMQYABRL scope: USER credentials: userName: saml.jackson@example.com profile: salesforceGroups: - Employee role: Developer profile: Standard User AppUserAssignSSORequest: summary: SSO application user request example value: id: 00ud4tVDDXYVKPXKVLCO scope: USER credentials: userName: rae.cloud@example.com AppUserCredUpdateResponse: summary: Application user credential update value: id: 00ud4tVDDXYVKPXKVLCO externalId: null created: '2024-01-27T03:52:45.000Z' lastUpdated: '2024-01-27T05:15:30.000Z' scope: USER status: ACTIVE statusChanged: '2024-01-27T03:52:45.000Z' passwordChanged: '2024-01-27T05:15:30.000Z' syncState: DISABLED credentials: userName: rae.cloud@example.com password: {} profile: street_address: null country: null website: null zoneinfo: America/Los_Angeles birthdate: null gender: null formatted: null profile: null locality: null given_name: Rae middle_name: null locale: en_US picture: null name: Rae Cloud nickname: null phone_number: null region: null postal_code: null family_name: Cloud email: rae.cloud@example.com _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} user: href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO AppUserListEx: summary: List application user example value: - id: 00u1dnq5S0CfjlkpABCD externalId: 00u5edt3PNbbjzvIABCD created: '2024-01-31T18:25:01.000Z' lastUpdated: 
'2024-01-31T18:25:03.000Z' scope: USER status: PROVISIONED statusChanged: '2024-01-31T18:25:03.000Z' passwordChanged: null syncState: SYNCHRONIZED lastSync: '2024-01-31T18:25:03.000Z' credentials: userName: saml.test@example.com profile: secondEmail: null lastName: Test mobilePhone: null displayName: Saml O Test email: saml.test@example.com salesforceGroups: [] role: Tester firstName: Saml streetAddress: null profile: Standard Platform User _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL user: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD _embedded: user: id: 00u1dnq5S0CfjlkpABCD status: ACTIVE created: '2024-01-09T15:36:04.000Z' activated: '2024-01-09T15:36:05.000Z' statusChanged: '2024-01-09T15:36:05.000Z' lastLogin: null lastUpdated: '2024-01-09T15:36:05.000Z' passwordChanged: '2024-01-09T15:36:05.000Z' type: id: otyzhh29g7Python90g3 profile: firstName: Saml lastName: Test mobilePhone: null secondEmail: null login: saml.test@example.com email: saml.test@example.com credentials: password: {} provider: type: OKTA name: OKTA _links: suspend: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend method: POST schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9 resetPassword: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password method: POST expirePassword: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password method: POST changeRecoveryQuestion: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question method: POST self: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD type: href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3 changePassword: href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password method: POST deactivate: href: 
https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate method: POST AppUserProfUpdateResponse: summary: Application user profile update value: id: 00ud4tVDDXYVKPXKVLCO externalId: null created: '2024-01-27T03:52:45.000Z' lastUpdated: '2024-01-27T05:05:32.000Z' scope: USER status: ACTIVE statusChanged: '2024-01-27T03:52:45.000Z' passwordChanged: null syncState: DISABLED credentials: userName: rae.cloud@example.com profile: street_address: null country: null website: null zoneinfo: America/Los_Angeles birthdate: null gender: null formatted: null profile: null locality: null given_name: Rae middle_name: Mae locale: en_US picture: null name: Rae Mae Cloud nickname: null phone_number: null region: null postal_code: null family_name: Cloud email: rae.cloud@example.com _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} user: href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO AppUserProvExpandResponse: summary: Application user expand example value: id: 00u1dnq5S0CfjlkpABCD externalId: 00u5edt3PNbbjzvIABCD created: '2024-01-31T18:25:01.000Z' lastUpdated: '2024-01-31T18:25:03.000Z' scope: USER status: PROVISIONED statusChanged: '2024-01-31T18:25:03.000Z' passwordChanged: null syncState: SYNCHRONIZED lastSync: '2024-01-31T18:25:03.000Z' credentials: userName: saml.test@example.com profile: secondEmail: null lastName: Test mobilePhone: null displayName: Saml O Test email: saml.test@example.com salesforceGroups: [] role: Tester firstName: Saml streetAddress: null profile: Standard Platform User _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oajiqIRNXPPJBNZMGYL user: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD _embedded: user: id: 00u1dnq5S0CfjlkpABCD status: ACTIVE created: '2024-01-09T15:36:04.000Z' activated: '2024-01-09T15:36:05.000Z' statusChanged: '2024-01-09T15:36:05.000Z' lastLogin: null lastUpdated: '2024-01-09T15:36:05.000Z' passwordChanged: '2024-01-09T15:36:05.000Z' type: id: 
otyzhh29g7Python90g3 profile: firstName: Saml lastName: Test mobilePhone: null secondEmail: null login: saml.test@example.com email: saml.test@example.com credentials: password: {} provider: type: OKTA name: OKTA _links: suspend: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/suspend method: POST schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscarho9g7PythoN23z9 resetPassword: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/reset_password method: POST expirePassword: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/expire_password method: POST changeRecoveryQuestion: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_recovery_question method: POST self: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD type: href: https://{yourOktaDomain}/api/v1/meta/types/user/otyzhh29g7Python90g3 changePassword: href: https://rain.okta1.com/api/v1/users/00u1dnq5S0CfjlkpABCD/credentials/change_password method: POST deactivate: href: https://{yourOktaDomain}/api/v1/users/00u1dnq5S0CfjlkpABCD/lifecycle/deactivate method: POST AppUserProvResponse: summary: SSO and provisioning application user response example value: id: 00u15s1KDETTQMQYABRL externalId: 005o0000000ogQ9AAI created: '2014-08-16T02:35:14.000Z' lastUpdated: '2014-08-16T02:56:49.000Z' scope: USER status: PROVISIONED statusChanged: '2014-08-16T02:56:49.000Z' passwordChanged: null syncState: SYNCHRONIZED lastSync: '2014-08-16T02:56:49.000Z' credentials: userName: saml.jackson@example.com profile: secondEmail: null lastName: Jackson mobilePhone: null email: saml.jackson@example.com salesforceGroups: - Employee role: Developer firstName: Saml profile: Standard User _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL AppUserSSOResponse: summary: SSO application user response example value: id: 
00ud4tVDDXYVKPXKVLCO externalId: null created: '2024-01-27T03:52:45.000Z' lastUpdated: '2024-01-27T03:52:45.000Z' scope: USER status: ACTIVE statusChanged: '2024-01-27T03:52:45.000Z' passwordChanged: null syncState: DISABLED credentials: userName: rae.cloud@example.com profile: street_address: null country: null website: null zoneinfo: America/Los_Angeles birthdate: null gender: null formatted: null profile: null locality: null given_name: Rae middle_name: null locale: en_US picture: null name: Rae Cloud nickname: null phone_number: null region: null postal_code: null family_name: Cloud email: rae.cloud@example.com _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} user: href: https://{yourOktaDomain}/api/v1/users/00ud4tVDDXYVKPXKVLCO AppUserSchemaAddRequest: value: definitions: custom: id: '#custom' type: object properties: salesforceUserName: title: Salesforce username externalName: salesforceUserName description: User's username for Salesforce type: string required: false minLength: 1 maxLength: 20 required: [] AppUserSchemaResponse: value: id: https://{yourOktaDomain}/meta/schemas/apps/0oa25gejWwdXNnFH90g4/default $schema: http://json-schema.org/draft-04/schema# name: Example app title: Example app user lastUpdated: '2017-07-18T23:18:43.000Z' created: '2017-07-18T22:35:30.000Z' definitions: base: id: '#base' type: object properties: userName: title: Username type: string required: true scope: NONE maxLength: 100 required: - userName custom: id: '#custom' type: object properties: salesforceUserName: title: Salesforce username externalName: salesforceUserName description: User's username for Salesforce type: string scope: NONE minLength: 1 maxLength: 20 required: [] type: object properties: profile: allOf: - $ref: '#/definitions/base' - $ref: '#/definitions/custom' AppUserUpdateCredRequest: summary: Application User credentials update value: credentials: userName: rae.cloud@example.com password: value: updatedP@55word AppUserUpdateProfileRequest: 
summary: Application user profile update value: profile: name: Rae Mae Cloud middle_name: Mae AppleIdPResponse: summary: Apple IdP value: id: 0oa18hsHsG3boVejU0g4 type: APPLE issuerMode: ORG_URL name: Apple IdP status: ACTIVE created: '2020-06-05T20:57:51.000Z' lastUpdated: '2020-06-05T20:57:51.000Z' protocol: type: OIDC endpoints: authorization: url: https://appleid.apple.com/auth/authorize binding: HTTP-REDIRECT token: url: https://appleid.apple.com/auth/token binding: HTTP-POST scopes: - openid - email - name credentials: client: client_id: your-client-id signing: teamId: test team ID privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ kid: test key ID policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.email filter: null matchType: USERNAME matchAttribute: null mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa18hsHsG3boVejU0g4&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri=${redirectUri}&state={state}&nonce={nonce} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST AssignGroupOwnerRequest: summary: Assign a group owner request example value: id: 00u1cmc03xjzePoWD0h8 type: USER AssignGroupOwnerResponse: summary: Assign a group owner response example value: id: 00u1cmc03xjzePoWD0h8 type: USER resolved: true originId: null originType: OKTA_DIRECTORY displayName: Oliver Putnam lastUpdated: Wed Mar 29 18:34:31 UTC 2023 AuthenticatorEnrollmentCreateRequestPhone: summary: Enroll phone - SMS authenticator request value: authenticatorId: aut5l4ttFyGEWdy6V0k7 profile: phoneNumber: '+14086673418' AuthenticatorEnrollmentCreateRequestTac: summary: Enroll TAC authenticator request value: 
authenticatorId: autnmtl4xbt8RQVzA0g4 profile: ttl: 11 multiUse: false AuthenticatorEnrollmentResponseListAll: summary: List of authenticator enrollments value: - type: email id: eae4za57woixzodEK0g7 key: okta_email status: ACTIVE name: Email profile: email: joe@example.com nickname: null created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-28T21:45:52.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/eae4za57woixzodEK0g7 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 hints: allow: - GET authenticator: href: https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 hints: allow: - GET - type: password id: laeh60xfl7VbebsFr0g6 key: okta_password status: ACTIVE name: Password nickname: null created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-26T21:05:23.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/laeh60xfl7VbebsFr0g6 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 hints: allow: - GET authenticator: href: https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 hints: allow: - GET - type: phone id: sms8evhwh0Ne35iPR0g7 key: phone_number status: ACTIVE name: Phone created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-29T00:21:29.000Z' profile: phoneNumber: +1 XXX-XXX-6065 nickname: Joe's Work Phone _links: self: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/laeh60xfl7VbebsFr0g6 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 hints: allow: - GET authenticator: href: https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 hints: allow: - GET AuthenticatorEnrollmentResponsePhoneDisclosed: summary: Phone number disclosed - SMS authenticator enrollment response value: type: phone id: 
sms8evhwh0Ne35iPR0g7 key: phone_number status: ACTIVE name: Phone created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-29T00:21:29.000Z' profile: phoneNumber: 14085551235 nickname: Ann's Home Phone _links: self: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/sms8evhwh0Ne35iPR0g7 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 hints: allow: - GET authenticator: href: https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 hints: allow: - GET AuthenticatorEnrollmentResponsePhoneSms: summary: phone - SMS authenticator enrollment response value: type: phone id: sms8evhwh0Ne35iPR0g7 key: phone_number status: ACTIVE name: Phone created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-29T00:21:29.000Z' profile: phoneNumber: +1 XXX-XXX-6065 nickname: Joe's Work Phone _links: self: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/sms8evhwh0Ne35iPR0g7 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 hints: allow: - GET authenticator: href: https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 hints: allow: - GET AuthenticatorEnrollmentResponsePhoneVoice: summary: phone - voice authenticator enrollment response value: type: phone id: clf8evhwh0Ne35iPR0g7 key: phone_number status: ACTIVE name: Phone created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-29T00:21:29.000Z' profile: phoneNumber: +1 XXX-XXX-6065 nickname: Joe's Work Phone _links: self: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/clf8evhwh0Ne35iPR0g7 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 hints: allow: - GET authenticator: href: https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6 hints: allow: - GET AuthenticatorEnrollmentResponseTac: summary: TAC authenticator enrollment 
response value: type: tac id: tac8evhwh0Ne35iPR0g7 key: tac status: ACTIVE name: Temporary Access Code created: '2025-05-28T17:21:14.000Z' lastUpdated: '2025-05-28T17:21:14.000Z' profile: tac: n@C*bU26 multiUse: true expiresAt: '2025-05-28T19:21:14' _links: self: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/clf8evhwh0Ne35iPR0g7 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7 hints: allow: - GET AuthenticatorMethodInactiveVoice: value: type: voice status: INACTIVE _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice hints: allow: - GET - PUT activate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate hints: allow: - POST AuthenticatorMethodPhone: value: - type: sms status: ACTIVE _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms hints: allow: - GET - PUT deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate hints: allow: - POST - type: voice status: INACTIVE _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice hints: allow: - GET - PUT activate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/voice/lifecycle/activate hints: allow: - POST AuthenticatorMethodSms: value: type: sms status: ACTIVE _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms hints: allow: - GET - PUT deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/sms/lifecycle/deactivate hints: allow: - POST AuthenticatorMethodTac: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] value: type: tac status: ACTIVE _links: self: href: 
https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7/methods/tac hints: allow: - GET - PUT deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7/methods/tac/lifecycle/deactivate hints: allow: - POST AuthenticatorMethodWebAuthn: value: type: webauthn status: ACTIVE settings: userVerification: DISCOURAGED attachment: ANY _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/webauthn hints: allow: - GET - PUT AuthenticatorMethodWebAuthnWithRpId: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] value: type: webauthn status: ACTIVE settings: userVerification: DISCOURAGED attachment: ANY rpId: enabled: false domain: name: mycustomdomain.com validationStatus: NOT_STARTED dnsRecord: recordType: TXT fqdn: _oktaverification.mycustomdomain.com verificationValue: 5e2dc662c8ce4f4aa4cd1cd292490d35 _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/webauthn hints: allow: - GET - PUT verify-rp-id-domain: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods/webauthn/verify-rp-id-domain hints: allow: - POST AuthenticatorRequestDuo: value: key: duo name: Duo Security provider: type: DUO configuration: userNameTemplate: template: oktaId integrationKey: testIntegrationKey secretKey: testSecretKey host: https://api-xxxxxxxx.duosecurity.com AuthenticatorRequestTac: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] value: key: tac name: Temporary Access Code provider: type: tac configuration: minTtl: 10 maxTtl: 14400 defaultTtl: 120 length: 16 complexity: numbers: true letters: true specialCharacters: true multiUseAllowed: true AuthenticatorResponseDuo: value: type: app id: aut9gnvcjUHIWb37J0g4 key: duo status: ACTIVE name: Duo Security created: '2022-07-15T21:14:02.000Z' lastUpdated: '2022-07-15T21:14:02.000Z' settings: {} provider: type: DUO configuration: host: 
https://api-xxxxxxxx.duosecurity.com userNameTemplate: template: oktaId _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4 hints: allow: - GET - PUT deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/lifecycle/deactivate hints: allow: - POST methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut5gnvcjUHIWb25J0g4/methods hints: allow: - GET AuthenticatorResponseEmail: value: type: email id: aut1nbsPHh7jNjjyP0g4 key: okta_email status: ACTIVE name: Email created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-28T21:45:52.000Z' settings: allowedFor: any tokenLifetimeInMinutes: 5 _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 hints: allow: - GET - PUT methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate hints: allow: - POST AuthenticatorResponseInactiveWebAuthn: value: type: security_key id: aut1nd8PQhGcQtSxB0g4 key: webauthn status: INACTIVE name: Security Key or Biometric created: '2020-07-26T21:16:37.000Z' lastUpdated: '2020-07-27T18:59:30.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 hints: allow: - GET - PUT methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate hints: allow: - POST AuthenticatorResponsePassword: value: type: password id: aut1nbtrJKKA9m45a0g4 key: okta_password status: ACTIVE name: Password created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-26T21:05:23.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 hints: allow: - GET - PUT methods: href: 
https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods hints: allow: - GET AuthenticatorResponsePhone: value: type: phone id: aut1nbuyD8m1ckAYc0g4 key: phone_number status: INACTIVE name: Phone created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-29T00:21:29.000Z' settings: allowedFor: none _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 hints: allow: - GET - PUT methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods hints: allow: - GET activate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate hints: allow: - POST AuthenticatorResponseSecurityQuestion: summary: Security question value: type: security_question id: aut1nbvIgEenhwE6c0g4 key: security_question status: ACTIVE name: Security Question created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-26T21:05:23.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4 hints: allow: - GET methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/methods hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbvIgEenhwE6c0g4/lifecycle/deactivate hints: allow: - POST AuthenticatorResponseTac: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] value: type: tac id: aut3l0cm6voCtVWK20g7 key: tac status: ACTIVE name: Temporary Access Code created: '2022-07-15T21:14:02.000Z' lastUpdated: '2022-07-15T21:14:02.000Z' provider: type: tac configuration: minTtl: 10 maxTtl: 14400 defaultTtl: 120 length: 16 complexity: numbers: true letters: true specialCharacters: true multiUseAllowed: true _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7 hints: allow: - GET - PUT deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7/lifecycle/deactivate hints: allow: - POST methods: href: 
https://{yourOktaDomain}/api/v1/authenticators/aut3l0cm6voCtVWK20g7/methods hints: allow: - GET AuthenticatorResponseWebAuthn: value: type: security_key id: aut1nd8PQhGcQtSxB0g4 key: webauthn status: ACTIVE name: Security Key or Biometric created: '2020-07-26T21:16:37.000Z' lastUpdated: '2020-07-27T18:59:30.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 hints: allow: - GET - PUT methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate hints: allow: - POST aaguids: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/aaguids hints: allow: - GET - POST AuthenticatorsResponse: summary: Org authenticators value: - type: email id: aut1nbsPHh7jNjjyP0g4 key: okta_email status: ACTIVE name: Email created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-28T21:45:52.000Z' settings: allowedFor: any tokenLifetimeInMinutes: 5 _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4 hints: allow: - GET - PUT methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/methods hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbsPHh7jNjjyP0g4/lifecycle/deactivate hints: allow: - POST - type: password id: aut1nbtrJKKA9m45a0g4 key: okta_password status: ACTIVE name: Password created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-26T21:05:23.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4 hints: allow: - GET - PUT methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbtrJKKA9m45a0g4/methods hints: allow: - GET - type: phone id: aut1nbuyD8m1ckAYc0g4 key: phone_number status: INACTIVE name: Phone created: '2020-07-26T21:05:23.000Z' lastUpdated: '2020-07-29T00:21:29.000Z' settings: allowedFor: none _links: 
self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4 hints: allow: - GET - PUT methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/methods hints: allow: - GET activate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nbuyD8m1ckAYc0g4/lifecycle/activate hints: allow: - POST - type: security_key id: aut1nd8PQhGcQtSxB0g4 key: webauthn status: ACTIVE name: Security Key or Biometric created: '2020-07-26T21:16:37.000Z' lastUpdated: '2020-07-27T18:59:30.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4 hints: allow: - GET - PUT methods: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/methods hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/lifecycle/deactivate hints: allow: - POST aaguids: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/aaguids hints: allow: - GET - POST AuthorizationServerPolicy: summary: Authorization server policy value: type: OAUTH_AUTHORIZATION_POLICY id: 00palyaappA22DPkj0h7 status: ACTIVE name: Vendor2 Policy description: Vendor2 policy description priority: 1 system: false conditions: clients: include: - ALL_CLIENTS created: '2017-05-26T19:43:53.000Z' lastUpdated: '2017-06-07T15:28:17.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate hints: allow: - POST rules: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules hints: allow: - GET AuthorizationServerPolicyRule: summary: Authorization server policy rule value: type: RESOURCE_ACCESS id: 0prbsjfyl01zfSZ9K0h7 status: ACTIVE name: Default Policy Rule priority: 
1 created: '2017-08-25T16:57:02.000Z' lastUpdated: '2017-08-30T14:51:05.000Z' system: false conditions: people: users: include: [] exclude: [] groups: include: - EVERYONE exclude: [] grantTypes: include: - implicit - client_credentials - authorization_code - password scopes: include: - '*' actions: token: accessTokenLifetimeMinutes: 60 refreshTokenLifetimeMinutes: 0 refreshTokenWindowMinutes: 10080 inlineHook: id: cal4egvp1mbMldrYN0g7 _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate hints: allow: - POST AutoLoginAppResponseEx: summary: AUTO_LOGIN value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: customswaapp_link: true name: customswaapp orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:customswaapp:0oafxqCAJWWGELFTYASJ label: Custom SWA App features: [] signOnMode: AUTO_LOGIN credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: 
template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: {} notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED signOn: redirectUrl: http://swasecondaryredirecturl.okta.com loginUrl: http://swaprimaryloginurl.okta.com AutoLoginEx: summary: AUTO_LOGIN value: label: Custom SWA App signOnMode: AUTO_LOGIN visibility: autoSubmitToolbar: false hide: iOS: false web: false settings: signOn: redirectUrl: http://swasecondaryredirecturl.okta.com loginUrl: http://swaprimaryloginurl.okta.com AutoLoginPutEx: summary: AUTO_LOGIN value: label: Custom SWA App updated status: ACTIVE accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false features: [] signOnMode: AUTO_LOGIN credentials: scheme: ADMIN_SETS_CREDENTIALS userNameTemplate: template: ${source.email} type: BUILT_IN settings: signOn: redirectUrl: http://swasecondaryredirecturlupdated.okta.com loginUrl: http://swaprimaryloginurl.okta.com AutoLoginPutResponseEx: summary: AUTO_LOGIN value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: customswaapp_link: true name: customswaapp orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:customswaapp:0oafxqCAJWWGELFTYASJ label: Custom SWA App updated features: [] signOnMode: AUTO_LOGIN credentials: scheme: ADMIN_SETS_CREDENTIALS userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: {} notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED signOn: redirectUrl: http://swasecondaryredirecturlupdated.okta.com loginUrl: http://swaprimaryloginurl.okta.com AvailableActions: summary: Available actions example value: actions: - id: okta:action1 provider: type: WORKFLOWS url: https://example.com/workflows/flow1 externalId: JKL490DQNV actionName: Provision User BaseSignOnModeEx: value: status: ACTIVE accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false features: [] BasicAuthEx: summary: BASIC_AUTH value: name: template_basic_auth label: Sample Basic Auth App signOnMode: BASIC_AUTH settings: app: url: https://example.com/login.html authURL: https://example.com/auth.html BasicAuthPutEx: summary: BASIC_AUTH value: label: Sample Basic Auth App updated signOnMode: BASIC_AUTH settings: app: url: https://example.com/loginUpdated.html authURL: https://example.com/auth.html BasicAuthPutResponseEx: summary: BASIC_AUTH value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST 
appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_basic_auth orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_basic_auth:0oafxqCAJWWGELFTYASJ label: Sample Basic Auth App updated features: [] signOnMode: BASIC_AUTH credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: loginUrlRegex: null url: https://example.com/loginUpdated.html authURL: https://example.com/auth.html notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED BasicAuthResponseEx: summary: BASIC_AUTH value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_basic_auth orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_basic_auth:0oafxqCAJWWGELFTYASJ label: Sample Basic Auth App features: [] signOnMode: BASIC_AUTH credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: loginUrlRegex: null url: https://example.com/login.html authURL: https://example.com/auth.html notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED BasicAuthSettings: summary: Basic auth settings example value: authType: BASIC BehaviorRuleRequest: value: name: My Behavior Rule type: VELOCITY BehaviorRuleResponse: value: id: abcd1234 name: My Behavior Rule type: VELOCITY settings: velocityKph: 805 status: ACTIVE created: '2021-11-09 20:38:10.0' lastUpdated: '2021-11-11 20:38:10.0' _link: self: href: https://your-subdomain.okta.com/api/v1/behaviors/abcd1234 hints: allow: - GET - POST - PUT - DELETE BookmarkAppResponseEx: summary: BOOKMARK value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: 
http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: bookmark orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:bookmark:0oafxqCAJWWGELFTYASJ label: Sample Bookmark App features: [] signOnMode: BOOKMARK credentials: userNameTemplate: template: ${source.email} type: BUILT_IN signing: {} settings: app: requestIntegration: false url: https://example.com/bookmark.html notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED BookmarkEx: summary: BOOKMARK value: name: bookmark label: Sample Bookmark App signOnMode: BOOKMARK settings: app: url: https://example.com/bookmark.html BookmarkPutEx: summary: BOOKMARK value: name: bookmark label: Sample Bookmark App updated signOnMode: BOOKMARK settings: app: requestIntegration: true url: https://example.com/bookmark.html BookmarkPutResponseEx: summary: BOOKMARK value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: bookmark orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:bookmark:0oafxqCAJWWGELFTYASJ label: Sample Bookmark App updated features: [] signOnMode: BOOKMARK credentials: userNameTemplate: template: ${source.email} type: BUILT_IN signing: {} settings: app: requestIntegration: true url: https://example.com/bookmark.html notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED BrowserPluginEx: summary: BROWSER_PLUGIN value: name: template_swa label: Sample Plugin App signOnMode: BROWSER_PLUGIN settings: app: buttonField: btn-login passwordField: txtbox-password usernameField: txtbox-username url: https://example.com/login.html BrowserPluginPutEx: summary: BROWSER_PLUGIN value: name: template_swa label: Sample Plugin App updated signOnMode: BROWSER_PLUGIN settings: app: buttonField: btn-login passwordField: txtbox-password usernameField: txtbox-username url: https://example_updated.com/login.html BrowserPluginPutResponseEx: summary: BROWSER_PLUGIN value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png 
type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_swa orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa:0oafxqCAJWWGELFTYASJ label: Sample Plugin App updated features: [] signOnMode: BROWSER_PLUGIN credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: loginUrlRegex: null usernameField: txtbox-username buttonField: btn-login passwordField: txtbox-password url: https://example_updated.com/login.html notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED BrowserPluginResponseEx: summary: BROWSER_PLUGIN value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_swa orn: 
orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa:0oafxqCAJWWGELFTYASJ label: Sample Plugin App features: [] signOnMode: BROWSER_PLUGIN credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: loginUrlRegex: null usernameField: txtbox-username buttonField: btn-login passwordField: txtbox-password url: https://example.com/login.html notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED BrowserPluginSwa3FieldEx: summary: BROWSER_PLUGIN with three CSS selectors value: name: template_swa3field label: Sample Plugin App signOnMode: BROWSER_PLUGIN settings: app: buttonSelector: '#btn-login' passwordSelector: '#txtbox-password' userNameSelector: '#txtbox-username' targetURL: https://example.com/login.html extraFieldSelector: .login extraFieldValue: SOMEVALUE BrowserPluginSwa3FieldPutEx: summary: BROWSER_PLUGIN with three CSS selectors value: name: template_swa3field label: Sample Plugin App updated signOnMode: BROWSER_PLUGIN settings: app: buttonSelector: '#btn-login' passwordSelector: '#txtbox-password' userNameSelector: '#txtbox-username' targetURL: https://exampleupdated.com/login.html extraFieldSelector: .login extraFieldValue: SOMEVALUE BrowserPluginSwa3FieldPutResponseEx: summary: BROWSER_PLUGIN with three CSS selectors value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_swa3field orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa3field:0oafxqCAJWWGELFTYASJ label: Sample Plugin App updated features: [] signOnMode: BROWSER_PLUGIN credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: loginUrlRegex: null extraFieldSelector: .login extraFieldValue: SOMEVALUE userNameSelector: '#txtbox-username' passwordSelector: '#txtbox-password' buttonSelector: '#btn-login' targetURL: https://exampleupdated.com/login.html notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED BrowserPluginSwa3FieldResponseEx: summary: BROWSER_PLUGIN with three CSS selectors value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_swa3field orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa3field:0oafxqCAJWWGELFTYASJ label: Sample Plugin App features: [] signOnMode: BROWSER_PLUGIN credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: loginUrlRegex: null extraFieldSelector: .login extraFieldValue: SOMEVALUE userNameSelector: '#txtbox-username' passwordSelector: '#txtbox-password' buttonSelector: '#btn-login' targetURL: https://example.com/login.html notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED BundleEntitlementsResponse: summary: List of governance bundle entitlements value: entitlements: - id: espfxqCAJWWGELFTYASJ role: GROUP_MEMBERSHIP_ADMIN name: Group Membership Admin description: Perform all admin activities for groups in the org _links: values: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements/espfxqCAJWWGELFTYASJ/values _links: self: href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 next: href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12 bundle: href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA CAPTCHAInstanceRequestHCaptcha: value: name: myHCaptcha secretKey: xxxxxxxxxxx siteKey: xxxxxxxxxxx type: HCAPTCHA CAPTCHAInstanceRequestReCaptcha: value: name: myReCaptcha secretKey: xxxxxxxxxxx siteKey: yyyyyyyyyyyyyyy type: RECAPTCHA_V2 CAPTCHAInstanceResponseHCaptcha: value: id: abcd1234 name: myHCaptcha siteKey: 
xxxxxxxxxxx type: HCAPTCHA _links: self: href: https://your-subdomain.okta.com/api/v1/captchas/abcd1234 hints: allow: - GET - POST - PUT - DELETE CAPTCHAInstanceResponseReCaptcha: value: id: abcd4567 name: myReCaptcha siteKey: yyyyyyyyyyyyyyy type: RECAPTCHA_V2 _links: self: href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 hints: allow: - GET - POST - PUT - DELETE CLEARIDVResponse: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: CLEAR Verified as IdP value: id: 0oab50jh0UPiB6xde0w6 name: CLEAR Verified IDV status: ACTIVE created: '2025-01-14T19:59:41.000Z' lastUpdated: '2025-01-14T19:59:41.000Z' protocol: type: ID_PROOFING endpoints: authorization: url: https://verified.clearme.com/oauth/idv_authorize binding: HTTP-REDIRECT token: url: https://verified.clearme.com/hydra/oauth2/token binding: HTTP-POST par: url: https://verified.clearme.com/oauth/par binding: HTTP-POST scopes: - openid - profile - identity_assurance credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: DISABLED profileMaster: false groups: null subject: userNameTemplate: template: source.userName filter: null matchType: USERNAME matchAttribute: null maxClockSkew: 0 type: IDV_CLEAR _links: users: href: https://{yourOktaDomain}/api/v1/idps/0oab50jh0UPiB6xde0w6/users hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/idps/0oab50jh0UPiB6xde0w6/lifecycle/deactivate hints: allow: - POST CannotUpdateWellKnownUriForDefaultBrandError: summary: Cannot update well-known URI for default brand value: errorCode: E0000257 errorSummary: 'Api validation failed: request' errorLink: E0000257 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: - errorSummary: Cannot update the content for the default brand. 
ChangePwdRequest: value: oldPassword: value: tlpWENT2m newPassword: value: uTVM,TPw55 revokeSessions: true ChangePwdResponse: value: password: {} recovery_question: question: Who's a major player in the cowboy scene? provider: type: OKTA name: OKTA ClientRoleTargetResponseFacebookEx: summary: Facebook target app example value: - name: facebook displayName: Facebook description: Giving people the power to share and make the world more open and connected. status: ACTIVE lastUpdated: '2021-03-18T17:37:56.000Z' category: SOCIAL verificationStatus: OKTA_VERIFIED website: https://www.facebook.com/ signOnModes: - BROWSER_PLUGIN _links: logo: - name: medium href: https://{oktaCDNDomain}/fs/bcg/4/abcdefghijABCC4V1234 self: href: https://{yourOktaDomain}/api/v1/catalog/apps/facebook ClientRoleTargetResponseInstanceEx: summary: Non-catalog target app example value: - name: My_access_app status: ACTIVE id: 0oasrudLtMlzAsTxk0g3 _links: self: href: https://{yourOktaDomain}/api/v1/apps/0oasrudLtMlzAsTxk0g3 CreateAIAgentRequest: value: appId: 0oab1234EXAMPLEID5d6 profile: name: Demo Agent description: Demo Conversational AI Agent CreateAnEventHook: summary: Create an event hook value: name: Event Hook Test events: type: EVENT_TYPE items: - group.user_membership.add channel: type: HTTP version: 1.0.0 config: uri: https://example_external_service/userAdded headers: - key: X-Other-Header value: my-header-value authScheme: type: HEADER key: Authorization value: my-shared-secret CreateAnEventHookWithFilter: summary: Create an event hook with a filter value: name: Event Hook with Filter description: An event hook using an Okta Expression Language filter events: type: EVENT_TYPE items: - group.user_membership.add filter: type: EXPRESSION_LANGUAGE eventFilterMap: - event: group.user_membership.add condition: expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 channel: type: HTTP version: 1.0.0 config: uri: 
https://example_external_service/userAdded authScheme: type: HEADER key: Authorization value: my-shared-secret CreateAppleIdPRequest: summary: Create Apple IdP value: type: APPLE name: Apple IdP protocol: type: OIDC scopes: - openid - email - name credentials: client: client_id: your-client-id signing: privateKey: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ kid: test key ID teamId: test team ID policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: action: AUTO subject: userNameTemplate: template: idpuser.email matchType: USERNAME CreateAssocAuthServerBody: summary: Create a trusted relationship between authorization servers value: - trusted: '{authorizationServerId}' CreateAssocAuthServerResponse: summary: Create a trusted relationship between authorization servers value: - id: '{authorizationServerId}' name: Sample Authorization Server description: Sample Authorization Server description audiences: - https://api.resource.com issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: CUSTOM_URL status: ACTIVE created: '2023-05-17T22:25:57.000Z' lastUpdated: '2023-05-17T22:25:57.000Z' credentials: signing: rotationMode: AUTO lastRotated: '2023-05-17T22:25:57.000Z' nextRotation: '2023-08-15T22:25:57.000Z' kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 use: sig _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - DELETE CreateAuthServerBody: summary: Create a custom authorization server value: name: Sample Authorization Server description: Sample Authorization Server description audiences: - api://default CreateAuthServerResponse: summary: Create a custom authorization server value: id: '{authorizationServerId}' name: Sample Authorization Server description: Sample Authorization Server description audiences: - https://api.resource.com issuer: 
https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: ORG_URL status: ACTIVE created: '2023-05-17T22:25:57.000Z' lastUpdated: '2023-05-17T22:25:57.000Z' credentials: signing: rotationMode: AUTO lastRotated: '2023-05-17T22:25:57.000Z' nextRotation: '2023-08-15T22:25:57.000Z' kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 _links: scopes: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - GET claims: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET policies: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies hints: allow: - GET self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - DELETE - PUT metadata: - name: oauth-authorization-server href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server hints: allow: - GET - name: openid-configuration href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration hints: allow: - GET rotateKey: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate hints: allow: - POST deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate hints: allow: - POST CreateAuthServerWithAccessTokenEncryptionBody: summary: Create a custom authorization server with access token encryption enabled value: name: Sample Authorization Server description: Sample authorization server description audiences: - api://default accessTokenEncryptedResponseAlgorithm: RSA-OAEP-256 jwks: keys: - kty: RSA id: apk2g3sd6bqV5YZxu0h8 status: ACTIVE kid: encKey use: enc e: AQAB 'n': 
iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ CreateAuthServerWithAccessTokenEncryptionResponse: summary: Create a custom authorization server with access token encryption enabled value: id: '{authorizationServerId}' name: Sample Authorization Server description: Sample authorization server description audiences: - https://api.resource.com issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: ORG_URL status: ACTIVE created: '2023-05-17T22:25:57.000Z' lastUpdated: '2023-05-17T22:25:57.000Z' credentials: signing: rotationMode: AUTO lastRotated: '2023-05-17T22:25:57.000Z' nextRotation: '2023-08-15T22:25:57.000Z' kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 accessTokenEncryptedResponseAlgorithm: RSA-OAEP-256 jwks: keys: - kty: RSA id: apk2g3sd6bqV5YZxu0h8 status: ACTIVE kid: encKey use: enc e: AQAB 'n': iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ _links: scopes: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - GET claims: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET policies: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies hints: allow: - GET self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - DELETE - PUT metadata: - name: 
oauth-authorization-server href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server hints: allow: - GET - name: openid-configuration href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration hints: allow: - GET rotateKey: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate hints: allow: - POST deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate hints: allow: - POST CreateAuthorizationServerPolicyRequest: summary: Create an authorization server policy value: type: OAUTH_AUTHORIZATION_POLICY status: ACTIVE name: Default Policy description: Default policy description priority: 1 system: false conditions: clients: include: - ALL_CLIENTS CreateAuthorizationServerPolicyRuleRequest: summary: Create authorization server policy rule value: type: RESOURCE_ACCESS name: Default Policy Rule priority: 1 conditions: people: groups: include: - EVERYONE grantTypes: include: - implicit - client_credentials - authorization_code - password scopes: include: - '*' actions: token: accessTokenLifetimeMinutes: 60 refreshTokenLifetimeMinutes: 0 refreshTokenWindowMinutes: 10080 inlineHook: id: cal4egvp1mbMldrYN0g7 CreateBrandRequest: value: name: My Awesome Brand CreateBrandResponse: value: id: bnd114iNkrcN6aR680g5 removePoweredByOkta: false customPrivacyPolicyUrl: null agreeToCustomPrivacyPolicy: false name: My Awesome Brand locale: en defaultApp: appInstanceId: null appLinkName: null classicApplicationUri: null isDefault: false _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5 hints: allow: - GET - PUT - DELETE themes: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g5/themes hints: allow: - GET CreateCLEARIDVRequest: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Create CLEAR Verified as IdP value:
type: IDV_CLEAR name: CLEAR Verified IDV protocol: type: ID_PROOFING scopes: - profile - identity_assurance - openid credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: DISABLED profileMaster: false groups: null accountLink: filter: null action: AUTO subject: userNameTemplate: template: source.userName filter: null matchType: USERNAME matchAttribute: null maxClockSkew: 0 CreateChildOrgRequestEx: summary: Create org request value: subdomain: my-child-org-1 name: My Child Org 1 website: http://www.examplecorp.com edition: SKU admin: profile: firstName: First lastName: Last email: FirstLast@example.com login: FirstLast@example.com mobilePhone: null credentials: password: value: XXXX CreateChildOrgResponseEx: summary: Create org response value: id: 00o1n8sbwArJ7OQRw406 subdomain: my-child-org-1 name: My Child Org 1 website: http://www.examplecorp.com status: ACTIVE edition: SKU expiresAt: null created: '2024-08-27T15:42:52.000Z' lastUpdated: '2024-08-27T15:42:56.000Z' licensing: apps: [] settings: app: errorRedirectUrl: null interstitialUrl: null interstitialMinWaitTime: 1200 userAccount: attributes: secondaryEmail: true secondaryImage: true portal: errorRedirectUrl: null signOutUrl: null logs: level: INFO token: XXXXXXXXXXXXX tokenType: SSWS _links: administrator: href: https://my-child-org-1.oktapreview.com/api/v1/users/00u1n8sheI1WBQlDV406 uploadLogo: href: https://my-child-org-1.oktapreview.com/api/v1/org/logo organization: href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1 contacts: href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/contacts policy: href: https://my-child-org-1.oktapreview.com/api/v1/orgs/my-child-org-1/policy CreateCustomIDVRequest: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Create Custom IDV as IdP value: type: IDV_STANDARD name: Custom IDV protocol: type: ID_PROOFING endpoints: par: url: 
https://idv.example.com/par binding: HTTP-REDIRECT authorization: url: https://idv.example.com/authorize binding: HTTP-REDIRECT token: url: https://idv.example.com/token binding: HTTP-POST jwks: url: https://idv.example.com/jwks binding: HTTP-REDIRECT issuer: url: https://idv.example.com scopes: - profile - identity_assurance - openid credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: DISABLED profileMaster: false groups: null accountLink: filter: null action: AUTO subject: userNameTemplate: template: source.userName filter: null matchType: USERNAME matchAttribute: null maxClockSkew: 0 properties: idvMetadata: vendorDisplayName: Custom IDV termsOfUse: https://idv.example.com/terms privacyPolicy: https://idv.example.com/privacy CreateCustomRoleResponseGroup: value: id: irb1q92TFAHzySt3x0g4 role: cr0Yq6IJxGIr0ouum0g3 label: UserCreatorRole type: CUSTOM status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: GROUP resource-set: iamoJDFKaJxGIr0oamd9g _links: assignee: href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions CreateCustomTokenClaimBody: summary: Create a custom token claim value: - alwaysIncludeInToken: true claimType: IDENTITY conditions: scopes: - profile group_filter_type: CONTAINS name: Support status: ACTIVE system: false value: Support valueType: GROUPS CreateCustomTokenClaimResponse: summary: Create a custom token claim response value: - id: '{claimId}' name: Support status: ACTIVE claimType: IDENTITY valueType: GROUPS value: Support conditions: scopes: - profile system: false alwaysIncludeInToken: true apiResourceId: null group_filter_type: CONTAINS _links: self: href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} hints: allow: - GET - PUT - DELETE CreateEDNZRequest: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Create an enhanced dynamic network zone value: type: DYNAMIC_V2 name: testZone106 status: ACTIVE usage: BLOCKLIST locations: include: [] exclude: [] asns: include: [] exclude: [] ipServiceCategories: include: - ALL_ANONYMIZERS exclude: [] CreateEDNZResponse: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Enhanced dynamic network zone value: type: DYNAMIC_V2 id: nzok0oz2xYHOZtIch0g4 name: testZone106 status: ACTIVE usage: BLOCKLIST create: '2024-05-13T16:33:44.000Z' lastUpdated: '2024-05-13T16:33:44.000Z' system: false locations: include: [] exclude: [] asns: include: [] exclude: [] ipServiceCategories: include: - ALL_ANONYMIZERS exclude: [] _links: self: href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4 hints: allow: - GET - PUT - DELETE deactivate: href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate hints: allow: - POST CreateEmailDomainRequest: value: displayName: Admin userName: admin domain: example.com brandId: bnd100iSrkcN6aR680g1 validationSubdomain: mail CreateFacebookIdPRequest: summary: Create Facebook IdP value: type: FACEBOOK name: Facebook protocol: type: OAUTH2 scopes: - public_profile - email credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 CreateGenericOidcIdPRequest: summary: Create generic OpenID Connect IdP value: type: OIDC name: Example OpenID Connect IdP protocol: algorithms: request: signature: algorithm: 
HS256 scope: REQUEST endpoints: acs: binding: HTTP-POST type: INSTANCE authorization: binding: HTTP-REDIRECT url: https://idp.example.com/authorize token: binding: HTTP-POST url: https://idp.example.com/token userInfo: binding: HTTP-REDIRECT url: https://idp.example.com/userinfo jwks: binding: HTTP-REDIRECT url: https://idp.example.com/keys slo: url: https://idp.example.com/slo scopes: - openid - profile - email settings: participateSlo: true type: OIDC credentials: client: client_id: your-client-id client_secret: your-client-secret pkce_required: 'true' issuer: url: https://idp.example.com policy: accountLink: action: AUTO filter: null provisioning: action: AUTO conditions: deprovisioned: action: NONE suspended: action: NONE groups: action: NONE mapAMRClaims: false maxClockSkew: 120000 subject: userNameTemplate: template: idpuser.email matchType: USERNAME CreateGoogleIdPRequest: summary: Create Google IdP value: type: GOOGLE name: Google protocol: type: OAUTH2 scopes: - profile - email - openid credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 CreateGroupPushMappingRequest_ExampleCreate: value: sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupName: NewGroup CreateGroupPushMappingRequest_ExampleCreate_ActiveDirectory: value: appConfig: type: ACTIVE_DIRECTORY distinguishedName: dc=example,dc=com groupScope: GLOBAL groupType: SECURITY samAccountName: NewGroup sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupName: NewGroup CreateGroupPushMappingRequest_ExampleLink: value: sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupId: 00g00000000000000001 CreateGroupPushMappingResponse_ExampleCreate: 
value: created: '2025-01-01T00:00:00Z' errorSummary: '' id: gPm00000000000000000 lastPush: '2025-01-01T00:00:00Z' lastUpdated: '2025-01-01T00:00:00Z' sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupId: 00g00000000000000001 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 CreateGroupPushMappingResponse_ExampleCreate_ActiveDirectory: value: appConfig: type: ACTIVE_DIRECTORY distinguishedName: dc=example,dc=com groupScope: GLOBAL groupType: SECURITY samAccountName: NewGroup created: '2025-01-01T00:00:00Z' errorSummary: '' id: gPm00000000000000000 lastPush: '2025-01-01T00:00:00Z' lastUpdated: '2025-01-01T00:00:00Z' sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupId: 00g00000000000000001 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 CreateGroupPushMappingResponse_ExampleLink: value: created: '2025-01-01T00:00:00Z' errorSummary: '' id: gPm00000000000000000 lastPush: '2025-01-01T00:00:00Z' lastUpdated: '2025-01-01T00:00:00Z' sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupId: 00g00000000000000001 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 CreateHookKeyResponse: summary: Create a key response example value: id: HKY1p7jWLndGQV9M60g4 keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad name: My new key created: '2022-08-31T18:09:58.000Z' lastUpdated: '2022-08-31T18:09:58.000Z' isUsed: 'false' _embedded: kty: RSA alg: RSA kid: 7fbc27fd-e3df-4522-86bf-1930110256ad use: 'null' e: AQAB 'n': 
2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w CreateIAMStandardRoleResponseGroup: value: id: irb1q92TFAHzySt3x0g4 role: ACCESS_REQUESTS_ADMIN label: Access Requests Administrator type: ACCESS_REQUESTS_ADMIN status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: GROUP resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY _links: assignee: href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY role: href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 CreateIPPolicyBlockListNetworkZone: summary: Create an IP blocklist network zone value: type: IP name: newBlockListNetworkZone status: ACTIVE usage: BLOCKLIST gateways: - type: CIDR value: 1.2.3.4/24 - type: CIDR value: 2.3.4.5/24 proxies: null CreateIPPolicyBlockListNetworkZoneResponse: summary: IP blocklist network zone value: type: IP id: nzo1qasnPb1kqEq0e0g4 name: newBlockListNetworkzone status: ACTIVE usage: BLOCKLIST created: '2021-08-09T20:22:09.000Z' lastUpdated: '2021-08-09T20:22:09.000Z' system: false gateways: - type: CIDR value: 1.2.3.4/24 - type: CIDR value: 2.3.4.5/24 proxies: null _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzo1qasnPb1kqEq0e0g4/lifecycle/deactivate
hints: allow: - POST CreateIPPolicyNetworkZone: summary: Create an IP policy network zone value: type: IP name: newNetworkZone gateways: - type: CIDR value: 1.2.3.4/24 - type: CIDR value: 2.3.4.5/24 proxies: - type: CIDR value: 2.2.3.4/24 - type: CIDR value: 3.3.4.5/24 CreateIPPolicyNetworkZoneResponse: summary: IP policy network zone value: type: IP id: nzowb8T5Jh5xuAJ0o0g7 name: newNetworkZone status: ACTIVE usage: POLICY created: '2021-08-09T21:32:01.000Z' lastUpdated: '2021-08-09T21:32:01.000Z' system: false gateways: - type: CIDR value: 1.2.3.4/24 - type: CIDR value: 2.3.4.5/24 proxies: - type: CIDR value: 2.2.3.4/24 - type: CIDR value: 3.3.4.5/24 _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzowb8T5Jh5xuAJ0o0g7/lifecycle/deactivate hints: allow: - POST CreateIncodeIDVRequest: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Create Incode as IdP value: type: IDV_INCODE name: Incode IDV protocol: type: ID_PROOFING scopes: - profile - identity_assurance - openid credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: DISABLED profileMaster: false groups: null accountLink: filter: null action: AUTO subject: userNameTemplate: template: source.userName filter: null matchType: USERNAME matchAttribute: null maxClockSkew: 0 CreateLinkedObjectRequest: summary: Create manager-subordinate link request value: primary: name: manager title: manager description: Manager link property type: USER associated: name: subordinate title: subordinate description: Subordinate link property type: USER CreateLinkedObjectResponse: summary: Create manager-subordinate link property response value: primary: name: manager title: manager description: Manager link property type: USER associated: name: subordinate title: subordinate description: Subordinate link property type:
USER _links: self: href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager CreateMicrosoftIdPRequest: summary: Create Microsoft IdP value: type: MICROSOFT name: Microsoft protocol: type: OIDC scopes: - openid - email - profile - https://graph.microsoft.com/User.Read credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 CreateOAuth2ScopeRequest: summary: Example scope value: name: car:drive description: Drive car consent: REQUIRED displayName: Saml Jackson CreateOktaIntegrationIdPRequest: summary: Create Okta Integration IdP value: type: OKTA_INTEGRATION name: Example Okta Integration IdP protocol: type: SAML2 credentials: client: token_endpoint_auth_method: private_key_jwt client_id: your-client-id oktaIdpOrgUrl: https://idp.example.com policy: accountLink: action: AUTO filter: null provisioning: action: AUTO conditions: deprovisioned: action: NONE suspended: action: NONE groups: action: NONE maxClockSkew: 120000 subject: userNameTemplate: template: idpuser.email matchType: USERNAME CreateOrReplaceSMSTemplateRequest: value: name: Custom type: SMS_VERIFY_CODE template: '${org.name}: your verification code is ${code}' translations: es: '${org.name}: el código de verificación es ${code}' fr: '${org.name}: votre code de vérification est ${code}' it: '${org.name}: il codice di verifica è ${code}' CreateOrReplaceSMSTemplateResponse: value: id: 6NQUJ5yR3bpgEiYmq8IC name: Custom type: SMS_VERIFY_CODE template: '${org.name}: your verification code is ${code}' translations: es: '${org.name}: el código de verificación es ${code}' fr: '${org.name}: votre code de vérification est ${code}' it: '${org.name}: il codice di 
verifica è ${code}' created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' CreatePersonaIDVRequest: summary: Create Persona as IdP value: type: IDV_PERSONA name: Persona IDV protocol: type: ID_PROOFING credentials: bearer: apiKey: your-api-key policy: provisioning: action: DISABLED profileMaster: false groups: null subject: userNameTemplate: template: source.userName filter: null matchType: USERNAME matchAttribute: null maxClockSkew: 0 properties: inquiryTemplateId: itmpl_HSctx8fNvXoHtrQfz2hxUVH8RBjG CreateRealmAssignmentRequest: value: actions: assignUserToRealm: realmId: 00g1b7rvh0xPLKXFf0g5 conditions: profileSourceId: 0oa4enoRyjwSCy5hx0g4 expression: value: user.profile.role ==\"Manager\" name: Realm Assignment 1 priority: 0 CreateRealmRequest: value: profile: name: Car Co realmType: PARTNER domains: - atko.com - user.com CreateSamlIdPRequest: summary: Create SAML 2.0 IdP value: type: SAML2 name: Example SAML IdP protocol: type: SAML2 endpoints: sso: url: https://idp.example.com binding: HTTP-POST destination: https://idp.example.com slo: url: https://idp.example.com/slo binding: HTTP-POST acs: binding: HTTP-POST type: INSTANCE settings: participateSlo: true algorithms: request: signature: algorithm: SHA-256 scope: REQUEST response: signature: algorithm: SHA-256 scope: ANY credentials: trust: issuer: https://idp.example.com audience: http://www.okta.com/123 kid: your-key-id additionalKids: - additional-key-id policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: saml.subjectNameId format: - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified filter: (\S+@example\.com) matchType: USERNAME CreateSessionBody: summary: Create a new session with a valid session token value: sessionToken: 00HiohZYpJgMSHwmL9TQy7RRzuY-q9soKp1SPmYYow CreateSessionResponse: summary: Create a new session 
with a valid session token value: amr: - pwd createdAt: '2019-08-24T14:15:22Z' expiresAt: '2019-08-24T14:15:22Z' id: l7FbDVqS8zHSy65uJD85 idp: id: 01a2bcdef3GHIJKLMNOP type: ACTIVE_DIRECTORY lastFactorVerification: '2019-08-24T14:15:22Z' lastPasswordVerification: '2019-08-24T14:15:22Z' login: user@example.com status: ACTIVE userId: 00u0abcdefGHIJKLMNOP _links: self: hints: allow: - DELETE href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 CreateSmartCardIdPRequest: summary: Create SmartCard IdP value: type: X509 status: ACTIVE name: Smart Card IDP Name properties: additionalAmr: - sc - hwk - pin - mfa protocol: type: MTLS credentials: trust: revocation: CRL revocationCacheLifetime: 2880 issuer: your-issuer kid: your-kid policy: provisioning: action: DISABLED mapAMRClaims: false maxClockSkew: 120000 subject: matchType: EMAIL matchAttribute: '' userNameTemplate: template: idpuser.subjectAltNameEmail CreateStandardRoleAssignmentResponseGroup: value: id: grasraHPx7i79ajaJ0g3 label: Organization Administrator type: ORG_ADMIN status: ACTIVE created: '2019-02-27T14:56:55.000Z' lastUpdated: '2019-02-27T14:56:55.000Z' assignmentType: GROUP _links: assignee: href: https://{yourOktaDomain}/api/v1/groups/00gsr2IepS8YhHRFf0g3 CreateUISchemaBody: summary: UI schema body request value: uiSchema: type: Group elements: - type: Control scope: '#/properties/firstName' label: First Name options: format: text - type: Control scope: '#/properties/lastName' label: Last Name options: format: text - type: Control scope: '#/properties/email' label: Primary email options: format: text buttonLabel: Submit label: Sign in CreateUISchemaResponse: summary: Returns full UI schema body value: id: uis4a7liocgcRgcxZ0g7 uiSchema: type: Group label: Sign in buttonLabel: Submit elements: - type: Control scope: '#/properties/firstName' label: First name options: format: text - type: Control scope: '#/properties/lastName' label: Last name options: format: text - type: Control scope: 
'#/properties/email' label: Primary email options: format: text created: '2022-07-25T12:56:31.000Z' lastUpdated: '2022-07-26T11:53:59.000Z' _links: self: href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 hints: allow: - GET - PUT - DELETE CreateUpdateEmailCustomizationRequest: value: language: fr subject: Bienvenue dans ${org.name}! body:

Bonjour ${user.profile.firstName}. Activer le compte

isDefault: false CreateUpdateEmailCustomizationResponse: value: language: fr subject: Bienvenue dans ${org.name}! body:

Bonjour ${user.profile.firstName}. Activer le compte

isDefault: false id: oel11u6DqUiMbQkpl0g4 created: '2021-11-09T20:38:10.000Z' lastUpdated: '2021-11-11T20:38:10.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 hints: allow: - GET - PUT - DELETE template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET preview: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview hints: allow: - GET test: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test hints: allow: - POST CreateUpdateIamRolePermissionRequestExampleWithExclude: value: conditions: exclude: okta:ResourceAttribute/User/Profile: - zipCode CreateUpdateIamRolePermissionRequestExampleWithInclude: value: conditions: include: okta:ResourceAttribute/User/Profile: - city - state CreateUserRequest: summary: Create a user type request value: description: A new custom user type displayName: New user type name: newUserType CreateUserResponse: summary: Create a user type response value: id: otyfnly5cQjJT9PnR0g4 displayName: New user type name: newUserType description: A new custom user type createdBy: sprz9fj1ycBcsgopy1d6 lastUpdatedBy: sprz9fj1ycBcsgopy1d6 created: '2021-07-05T20:40:38.000Z' lastUpdated: '2021-07-05T20:40:38.000Z' default: false _links: self: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 CsrJsonResponse: summary: CSR object in JSON format value: id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 created: '2017-03-28T01:11:10.000Z' csr: 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 kty: RSA _links: self: href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 hints: allow: - GET - DELETE publish: href: 
https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish hints: allow: - POST CsrPkcs10Response: summary: CSR in DER format value: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9 CustomAAGUIDRequest: value: aaguid: cb69481e-8ff7-4039-93ec-0a272911111 name: My Security Key authenticatorCharacteristics: platformAttached: false fipsCompliant: false hardwareProtected: false attestationRootCertificates: - x5c: X5C... CustomAAGUIDResponse: value: aaguid: cb69481e-8ff7-4039-93ec-0a272911111 name: My Security Key authenticatorCharacteristics: platformAttached: false fipsCompliant: false hardwareProtected: false attestationRootCertificates: - x5c: X5C... x5t#S256: SHA-256 x5t of the X.509 root certificate iss: Yubico U2F Root CA Serial 457200631 exp: '2035-05-26T16:04:58.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authenticators/aut1nd8PQhGcQtSxB0g4/aaguids/cb69481e-8ff7-4039-93ec-0a272911111 hints: allow: - GET - PUT - PATCH - DELETE CustomAAGUIDUpdateRequest: value: name: My Security Key authenticatorCharacteristics: platformAttached: false fipsCompliant: false hardwareProtected: false attestationRootCertificates: - x5c: X5C... 
CustomAuthSettings: summary: Custom auth settings example value: authType: CUSTOM customSettings: null appInstanceProperties: - name: apiKey label: API Key - name: apiSecret label: API Secret CustomIDVResponse: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Custom IDV as IdP value: id: 0oa2pstvoFV4GYCw30g5 name: Custom IDV IdP status: ACTIVE created: '2025-01-15T20:54:04.000Z' lastUpdated: '2025-01-15T20:54:05.000Z' protocol: type: ID_PROOFING endpoints: par: url: https://idv.example.com/par binding: HTTP-REDIRECT authorization: url: https://idv.example.com/authorize binding: HTTP-REDIRECT token: url: https://idv.example.com/token binding: HTTP-POST jwks: url: https://idv.example.com/jwks binding: HTTP-REDIRECT issuer: url: https://idv.example.com scopes: - openid - profile - identity_assurance credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: DISABLED profileMaster: false groups: null subject: userNameTemplate: template: source.userName filter: null matchType: USERNAME matchAttribute: null maxClockSkew: 0 properties: idvMetadata: vendorDisplayName: Custom IDV termsOfUse: https://idv.example.com/terms privacyPolicy: https://idv.example.com/privacy type: IDV_STANDARD _links: users: href: https://{yourOktaDomain}/api/v1/idps/0oa2pstvoFV4GYCw30g5/users hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/idps/0oa2pstvoFV4GYCw30g5/lifecycle/deactivate hints: allow: - POST CustomRoleAssignmentRequest: value: type: CUSTOM role: cr04cxy6yzSCtNciD0g7 resource-set: iam4cxy6z7hhaZCSk0g7 CustomRoleResponseClient: value: id: irb4ey26fpFI3vQ8y0g7 label: view_minimal type: CUSTOM status: ACTIVE created: '2023-05-01T15:16:47.000Z' lastUpdated: '2023-05-01T15:16:47.000Z' assignmentType: CLIENT resource-set: iam4cxy6z7hhaZCSk0g7 role: cr04cxy6yzSCtNciD0g7 _links: role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 resource-set: href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 assignee: href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 CustomRoleResponseUser: value: id: irb1q92TFAHzySt3x0g4 role: cr0Yq6IJxGIr0ouum0g3 label: UserCreatorRole type: CUSTOM status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: USER resource-set: iamoJDFKaJxGIr0oamd9g _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions CustomRolesListResponseClient: value: - id: irb4ey26fpFI3vQ8y0g7 label: view_minimal type: CUSTOM status: ACTIVE created: '2023-05-01T15:16:47.000Z' lastUpdated: '2023-05-01T15:16:47.000Z' assignmentType: CLIENT resource-set: iam4cxy6z7hhaZCSk0g7 role: cr04cxy6yzSCtNciD0g7 _links: role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7 permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/cr04cxy6yzSCtNciD0g7/permissions member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iam4cxy6z7hhaZCSk0g7/bindings/cr04cxy6yzSCtNciD0g7/members/irb4ey26fpFI3vQ8y0g7 assignee: href: https://{yourOktaDomain}/oauth2/v1/clients/0oa4ee9vgbIuqTUvd0g7 CustomRolesListResponseGroup: value: - id: irb1q92TFAHzySt3x0g4 role: cr0Yq6IJxGIr0ouum0g3 label: UserCreatorRole type: CUSTOM status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z'
assignmentType: GROUP resource-set: iamoJDFKaJxGIr0oamd9g _links: assignee: href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 permissions: href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions DeactivateIdPResponse: summary: Deactivate an IdP value: id: 0oa62bfdiumsUndnZ0h7 type: GOOGLE name: Google status: INACTIVE created: '2016-03-24T23:21:49.000Z' lastUpdated: '2016-03-25T19:16:53.000Z' protocol: type: OIDC endpoints: authorization: url: https://accounts.google.com/o/oauth2/auth binding: HTTP-REDIRECT token: url: https://www.googleapis.com/oauth2/v3/token binding: HTTP-POST scopes: - profile - email - openid credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: |- https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& client_id={clientId}&response_type={responseType}&response_mode={responseMode}& scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST DeactivateNetworkZone: summary: Deactivated network zone value: type: IP id: nzowc1U5Jh5xuAK0o0g3 name: MyIpZone status: INACTIVE usage: POLICY created: '2021-06-24T20:37:32.000Z' lastUpdated: '2021-06-24T20:37:32.000Z' system: false gateways: - type: 
CIDR value: 1.2.3.4/24 proxies: - type: RANGE value: 3.3.4.5-3.3.4.15 _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 hints: allow: - GET - PUT - DELETE activate: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/activate hints: allow: - POST DeactivatedSecurityEventsProviderResponse: summary: Inactive security events provider value: id: sse1qg25RpusjUP6m0g5 name: Security Events Provider with well-known URL type: okta status: INACTIVE settings: well_known_url: https://example.okta.com/.well-known/ssf-configuration issuer: Issuer jwks_url: https://example.okta.com/jwks/path _links: self: href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 hints: allow: - GET - PUT - DELETE activate: href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/activate hints: allow: - POST DefaultAppUserSchemaResponse: value: id: https://{yourOktaDomain}/meta/schemas/apps/{appId}/default $schema: http://json-schema.org/draft-04/schema# name: Example app title: Example app User lastUpdated: '2015-09-05T10:40:45.000Z' created: '2015-02-02T10:27:36.000Z' definitions: custom: id: '#custom' type: object properties: {} base: id: '#base' type: object properties: userName: title: Username type: string required: true scope: SELF master: type: PROFILE_MASTER name: title: Name description: End-User's full name in displayable form. type: string scope: SELF master: type: PROFILE_MASTER email: title: Email description: End-User's preferred email address. 
type: string scope: SELF master: type: PROFILE_MASTER required: - userName type: object properties: profile: allOf: - $ref: '#/definitions/base' - $ref: '#/definitions/custom' DefaultEnhancedDynamicNetworkZone: summary: Default enhanced dynamic network zone value: type: DYNAMIC_V2 id: nzohcnxFrSgsiwyHp0g4 name: DefaultEnhancedDynamicZone status: ACTIVE usage: BLOCKLIST created: '2024-05-06T19:12:29.000Z' lastUpdated: '2024-05-09T21:02:31.000Z' system: true locations: include: [] exclude: [] ipServiceCategories: include: - ALL_ANONYMIZERS exclude: [] asns: include: [] exclude: [] _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate hints: allow: - POST DefaultIpBlocklistNetworkZone: summary: Default IP blocklist network zone value: type: IP id: nzou3u0stMCmgOzXK1d6 name: BlockedIpZone status: ACTIVE usage: BLOCKLIST created: '2021-06-09T21:32:46.000Z' lastUpdated: '2021-06-09T21:32:46.000Z' system: true gateways: null proxies: null _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate hints: allow: - POST DefaultIpNetworkZone: summary: Default IP network zone value: type: IP id: nzou3u0ssJfZjYsWL1d6 name: LegacyIpZone status: ACTIVE usage: POLICY created: '2021-06-09T21:32:46.000Z' lastUpdated: '2021-06-09T21:32:46.000Z' system: true gateways: null proxies: null _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate hints: allow: - POST DefaultRealmAssignment: value: id: rul2jy7jLUlnO5ng00g4 status: ACTIVE name: Catch-all created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z'
isDefault: true conditions: profileSourceId: 0oa4enoRyjwSCy6hx0g4 expression: value: string actions: assignUserToRealm: realmId: 00g1b7rvh0xPLKXFf2g5 priority: 499 _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4 method: GET DefaultRealmResponse: value: id: guox9jQ16k9V8IQWL0g3 created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' isDefault: true profile: name: Default realm _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IQWL0g3 method: GET DeviceAssuranceAndroidRequest: summary: Android request value: name: Device assurance Android osVersion: minimum: 12 diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true DeviceAssuranceAndroidResponse: summary: Android response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Android lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5 diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Android with Android Device Trust as third-party signal provider request value: name: Device assurance Android with Android Device Trust third-party signals osVersion: dynamicVersionRequirement: type: EXACT distanceFromLatestMajor: 0 latestSecurityPatch: true diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders:
androidDeviceTrust: playProtectVerdict: LOW deviceIntegrityLevel: MEETS_STRONG_INTEGRITY screenLockComplexity: HIGH usbDebuggingDisabled: true networkProxyDisabled: true wifiSecured: true requireMajorVersionUpdate: true DeviceAssuranceAndroidWithAndroidDeviceTrustThirdPartySignalProvidersResponse: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Android with Android Device Trust as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Android with Android Device Trust third-party signals lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: dynamicVersionRequirement: type: EXACT distanceFromLatestMajor: 0 latestSecurityPatch: true diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: androidDeviceTrust: playProtectVerdict: LOW deviceIntegrityLevel: MEETS_STRONG_INTEGRITY screenLockComplexity: HIGH usbDebuggingDisabled: true networkProxyDisabled: true wifiSecured: true requireMajorVersionUpdate: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Android with Device Posture IdP as third-party signal provider request value: name: Device assurance Android osVersion: dynamicVersionRequirement: type: EXACT distanceFromLatestMajor: 0 latestSecurityPatch: true diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true 
DeviceAssuranceAndroidWithDevicePostureIdPThirdPartySignalProvidersResponse: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Android with Device Posture IdP as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Android lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: dynamicVersionRequirement: type: EXACT distanceFromLatestMajor: 0 latestSecurityPatch: true diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceAndroidWithDynamicVersionRequirementRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Android with dynamic version requirement request value: name: Device assurance Android osVersion: dynamicVersionRequirement: type: MINIMUM distanceFromLatestMajor: 0 diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true DeviceAssuranceAndroidWithDynamicVersionRequirementResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Android with dynamic version requirement response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Android lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: dynamicVersionRequirement: type: MINIMUM distanceFromLatestMajor: 0 diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true _links: self: href: 
https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceAndroidWithGracePeriodRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Android with due by date grace period request value: name: Device assurance Android Grace Period osVersion: dynamicVersionRequirement: type: MINIMUM distanceFromLatestMajor: 0 diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true gracePeriod: type: BY_DATE_TIME expiry: '2024-12-01T00:00:00.00Z' displayRemediationMode: SHOW DeviceAssuranceAndroidWithGracePeriodResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Android with due by date grace period response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Android lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5 diskEncryptionType: include: - USER - FULL jailbreak: false platform: ANDROID screenLockType: include: - BIOMETRIC secureHardwarePresent: true gracePeriod: type: BY_DATE_TIME expiry: '2024-12-01T00:00:00.00Z' displayRemediationMode: SHOW _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: ChromeOS with Device Posture IdP as third-party signal provider request value: name: Device assurance ChromeOS platform: CHROMEOS thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true DeviceAssuranceChromeOSWithDevicePostureIdPThirdPartySignalProvidersResponse: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: ChromeOS with Device Posture IdP 
as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance ChromeOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 platform: CHROMEOS thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: ChromeOS with Device Trust Connector as third-party signal provider request value: name: Device assurance ChromeOS platform: CHROMEOS thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true allowScreenLock: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true keyTrustLevel: CHROME_OS_VERIFIED_MODE DeviceAssuranceChromeOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: ChromeOS with Device Trust Connector as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance ChromeOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 platform: CHROMEOS thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true allowScreenLock: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true 
chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true keyTrustLevel: CHROME_OS_VERIFIED_MODE _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceChromeOSWithGracePeriodRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: ChromeOS with 7 day grace period request value: name: Device assurance ChromeOS platform: CHROMEOS gracePeriod: type: BY_DURATION expiry: P7D displayRemediationMode: SHOW thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true allowScreenLock: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true keyTrustLevel: CHROME_OS_VERIFIED_MODE DeviceAssuranceChromeOSWithGracePeriodResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: ChromeOS with due by days grace period response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance ChromeOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 platform: CHROMEOS gracePeriod: type: BY_DURATION expiry: P7D displayRemediationMode: SHOW thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true allowScreenLock: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true 
passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true keyTrustLevel: CHROME_OS_VERIFIED_MODE DeviceAssuranceIosRequest: summary: iOS request value: name: Device assurance iOS osVersion: minimum: 12.4.5 jailbreak: false platform: IOS screenLockType: include: - BIOMETRIC DeviceAssuranceIosResponse: summary: iOS response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance iOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 jailbroken: false platform: IOS screenLockType: include: - BIOMETRIC _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceIosWithDevicePostureIdPSignalProvidersRequest: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: iOS with Device Posture IdP as third-party signal provider request value: name: Device assurance iOS osVersion: minimum: 12.4.5 jailbreak: false platform: IOS screenLockType: include: - BIOMETRIC thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true DeviceAssuranceIosWithDevicePostureIdPSignalProvidersResponse: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: iOS with Device Posture IdP as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance iOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5 jailbroken: false platform: IOS screenLockType: include: - BIOMETRIC thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceIosWithDynamicVersionRequirementRequest: 
x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: iOS with dynamic version requirement request value: name: Device assurance iOS osVersion: dynamicVersionRequirement: type: EXACT_ANY_SUPPORTED latestSecurityPatch: true jailbreak: false platform: IOS screenLockType: include: - BIOMETRIC DeviceAssuranceIosWithDynamicVersionRequirementResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: iOS with dynamic version requirement response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance iOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: dynamicVersionRequirement: type: EXACT_ANY_SUPPORTED latestSecurityPatch: true jailbroken: false platform: IOS screenLockType: include: - BIOMETRIC _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceIosWithGracePeriodRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: iOS with 30 day grace period request value: name: Device assurance iOS Grace Period osVersion: minimum: 12.4.5 jailbreak: false platform: IOS screenLockType: include: - BIOMETRIC gracePeriod: type: BY_DURATION expiry: P30D displayRemediationMode: SHOW DeviceAssuranceIosWithGracePeriodResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: iOS with due by days grace period response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance iOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 jailbroken: false platform: IOS screenLockType: include: - BIOMETRIC gracePeriod: type: BY_DURATION expiry: P30D displayRemediationMode: SHOW _links: self: href: 
https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceMacOSRequest: summary: macOS request value: name: Device assurance macOS osVersion: minimum: 12.4.5 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true DeviceAssuranceMacOSResponse: summary: macOS response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance macOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceMacOSWithDevicePostureChecksRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: macOS request with OSQuery device posture check value: name: Device assurance macOS osVersion: minimum: 12.4.5 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true devicePostureChecks: include: - variableName: macOSFirewall value: '1' DeviceAssuranceMacOSWithDevicePostureChecksResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: macOS request with OSQuery device posture check value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance macOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true devicePostureChecks: include: - 
variableName: macOSFirewall value: '1' _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: macOS with Device Posture IdP as third-party signal provider request value: name: Device assurance macOS osVersion: minimum: 12.4.5 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true DeviceAssuranceMacOSWithDevicePostureIdPThirdPartySignalProvidersResponse: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: macOS with Device Posture IdP as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance macOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: macOS with Device Trust Connector as third-party signal provider request value: name: Device assurance macOS osVersion: minimum: 12.4.5 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: dtc: osVersion: minimum: 
10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: true siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true DeviceAssuranceMacOSWithDeviceTrustConnectorThirdPartySignalProvidersResponse: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: macOS with Device Trust Connector as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance macOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true keyTrustLevel: CHROME_BROWSER_HW_KEY _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceMacOSWithDynamicVersionRequirementRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: macOS with dynamic version requirement request value: name: Device assurance macOS osVersion: dynamicVersionRequirement: type: EXACT distanceFromLatestMajor: 0 latestSecurityPatch: true diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - 
PASSCODE - BIOMETRIC secureHardwarePresent: true DeviceAssuranceMacOSWithDynamicVersionRequirementResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: macOS with dynamic version requirement response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance macOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: dynamicVersionRequirement: type: EXACT distanceFromLatestMajor: 0 latestSecurityPatch: true diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceMacOSWithGracePeriodRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: macOS request with due by date grace period request value: name: Device assurance macOS osVersion: minimum: 12.4.5 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true gracePeriod: type: BY_DATE_TIME expiry: '2024-12-01T00:00:00.00Z' displayRemediationMode: SHOW DeviceAssuranceMacOSWithGracePeriodResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: macOS with due by date grace period response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance macOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: MACOS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true gracePeriod: type: BY_DATE_TIME expiry: '2024-12-01T00:00:00.00Z' displayRemediationMode: SHOW _links: self: href: 
https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsRequest: summary: Windows request value: name: Device assurance Windows osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true DeviceAssuranceWindowsResponse: summary: Windows response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsWithDevicePostureChecksRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows request with OSQuery device posture check value: name: Device assurance Windows osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true devicePostureChecks: include: - variableName: windowsFirewall value: '1' DeviceAssuranceWindowsWithDevicePostureChecksResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows request with OSQuery device posture check value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true 
devicePostureChecks: include: - variableName: windowsFirewall value: '1' _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Windows with Device Posture IdP as third-party signal provider request value: name: Device assurance Windows osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true DeviceAssuranceWindowsWithDevicePostureIdPThirdPartySignalProvidersResponse: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Windows with Device Posture IdP as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: devicePostureIdP: managed: true compliant: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabledRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with Device Trust Connector as third-party signal provider and antivirus enabled request value: name: Device assurance Windows osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - 
PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true secureBootEnabled: true windowsMachineDomain: testMachineDomain windowsUserDomain: testUserDomain crowdStrikeCustomerId: testCustomerId crowdStrikeAgentId: testAgentId keyTrustLevel: CHROME_BROWSER_HW_KEY antivirusEnabled: true DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersAndAntivirusEnabledResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with Device Trust Connector as third-party signal provider and antivirus enabled response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true secureBootEnabled: true windowsMachineDomain: testMachineDomain windowsUserDomain: testUserDomain crowdStrikeCustomerId: testCustomerId crowdStrikeAgentId: testAgentId keyTrustLevel: 
CHROME_BROWSER_HW_KEY antivirusEnabled: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersRequest: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Windows with Device Trust Connector as third-party signal provider request value: name: Device assurance Windows osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true screenLockSecured: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true secureBootEnabled: true windowsMachineDomain: testMachineDomain windowsUserDomain: testUserDomain crowdStrikeCustomerId: testCustomerId crowdStrikeAgentId: testAgentId keyTrustLevel: CHROME_BROWSER_HW_KEY DeviceAssuranceWindowsWithDeviceTrustConnectorThirdPartySignalProvidersResponse: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Windows with Device Trust Connector as third-party signal provider response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true thirdPartySignalProviders: dtc: osVersion: minimum: 10.0.19041.1110 diskEncrypted: true osFirewall: true 
screenLockSecured: true browserVersion: minimum: 15393.27.0 deviceEnrollmentDomain: testDomain builtInDnsClientEnabled: true chromeRemoteDesktopAppBlocked: true safeBrowsingProtectionLevel: ENHANCED_PROTECTION siteIsolationEnabled: true passwordProtectionWarningTrigger: PASSWORD_PROTECTION_OFF realtimeUrlCheckMode: true secureBootEnabled: true windowsMachineDomain: testMachineDomain windowsUserDomain: testUserDomain crowdStrikeCustomerId: testCustomerId crowdStrikeAgentId: testAgentId keyTrustLevel: CHROME_BROWSER_HW_KEY _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsWithDynamicVersionRequirementsRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with Windows 11 and Windows 10 dynamic version requirements request value: name: Device assurance Windows osVersionConstraints: - majorVersionConstraint: WINDOWS_11 dynamicVersionRequirement: type: MINIMUM distanceFromLatestMajor: 1 latestSecurityPatch: true - majorVersionConstraint: WINDOWS_10 dynamicVersionRequirement: type: EXACT_ANY_SUPPORTED diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true DeviceAssuranceWindowsWithDynamicVersionRequirementsResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with Windows 11 and Windows 10 dynamic version requirements response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersionConstraints: - majorVersionConstraint: WINDOWS_11 dynamicVersionRequirement: type: MINIMUM distanceFromLatestMajor: 1 latestSecurityPatch: true - majorVersionConstraint: WINDOWS_10 dynamicVersionRequirement: type: EXACT_ANY_SUPPORTED diskEncryptionType: 
include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsWithGracePeriodRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with 7 day grace period request value: name: Device assurance Windows osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true gracePeriod: type: BY_DURATION expiry: P7D displayRemediationMode: SHOW DeviceAssuranceWindowsWithGracePeriodResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with due by days grace period response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersion: minimum: 12.4.5.9 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC gracePeriod: type: BY_DURATION expiry: P7D displayRemediationMode: SHOW secureHardwarePresent: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version request value: name: Device assurance Windows osVersionConstraints: - majorVersionConstraint: WINDOWS_11 dynamicVersionRequirement: type: EXACT distanceFromLatestMajor: 1 - majorVersionConstraint: WINDOWS_10 minimum: 10.0.19045.0 diskEncryptionType: include: - 
ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true DeviceAssuranceWindowsWithWin11DynamicVersionRequirementAndWin10MinimumVersionStringResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with Windows 11 dynamic version requirement and Windows 10 minimum version response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersionConstraints: - majorVersionConstraint: WINDOWS_11 dynamicVersionRequirement: type: EXACT distanceFromLatestMajor: 1 - majorVersionConstraint: WINDOWS_10 minimum: 10.0.19045.0 diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementRequest: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with Windows 11 minimum version and a Windows 10 dynamic version requirement request value: name: Device assurance Windows osVersionConstraints: - majorVersionConstraint: WINDOWS_11 minimum: 10.0.22000.0 - majorVersionConstraint: WINDOWS_10 dynamicVersionRequirement: type: NOT_ALLOWED diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true DeviceAssuranceWindowsWithWin11MinimumVersionStringAndWin10DynamicVersionRequirementResponse: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Windows with Windows 11 minimum version and Windows 10 dynamic version requirement response value: id: dae3m8o4rWhwReDeM1c5 name: Device assurance Windows 
lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 osVersionConstraints: - majorVersionConstraint: WINDOWS_11 minimum: 10.0.22000.0 - majorVersionConstraint: WINDOWS_10 dynamicVersionRequirement: type: NOT_ALLOWED diskEncryptionType: include: - ALL_INTERNAL_VOLUMES platform: WINDOWS screenLockType: include: - PASSCODE - BIOMETRIC secureHardwarePresent: true _links: self: href: https://your-subdomain.okta.com/api/v1/device-assurances/dae3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceIntegrationAndroidZeroTrustResponse: summary: Response of device integration for Android Device Trust value: id: din9lzd33mvS9kjr60g4 name: com.android.zero.trust displayName: Android Device Trust status: ACTIVE platform: ANDROID _links: self: href: https://your-subdomain.okta.com/api/v1/device-integrations/din9lzd33mvS9kjr60g4 hints: allow: - GET deactivate: href: https://your-subdomain.okta.com/api/v1/device-integrations/din9lzd33mvS9kjr60g4/lifecycle/deactivate hints: allow: - POST DeviceIntegrationChromeDeviceTrustConnectorResponse: summary: Response of a device integration for Chrome Device Trust value: id: din15gaNrC7BvlBgx0g4 name: com.google.dtc displayName: Chrome Device Trust status: ACTIVE platform: CHROMEOS metadata: type: CHROME serviceAccountName: okta-gci-00o158oxTmBNgrgyM0g4 serviceAccountEmail: okta-gci-00o158oxTmBNgrgyM0g4@vocal-invention-346218.iam.gserviceaccount.com _links: self: href: https://your-subdomain.okta.com/api/v1/device-integrations/din15gaNrC7BvlBgx0g4 hints: allow: - GET deactivate: href: https://your-subdomain.okta.com/api/v1/device-integrations/din15gaNrC7BvlBgx0g4/lifecycle/deactivate hints: allow: - POST DeviceIntegrationCrowdStrikeResponse: summary: Response of a device integration for CrowdStrike value: id: dindyfy1f7Pv1eoVF0g4 name: com.okta.deviceidp displayName: Device Posture Provider status: DEACTIVATED platform: IOS metadata: type: 
DEVICE_IDP idpId: 0oa2owlGX5l74kjr60g4 _links: self: href: https://your-subdomain.okta.com/api/v1/device-integrations/dindyfy1f7Pv1eoVF0g4 hints: allow: - GET activate: href: https://your-subdomain.okta.com/api/v1/device-integrations/dindyfy1f7Pv1eoVF0g4/lifecycle/activate hints: allow: - POST DeviceIntegrationDevicePostureCheckResponse: summary: Response of device integration for Device Posture Check value: id: din9lzd33mvS9vBwN1c5 name: com.okta.device.osquery displayName: OSQuery status: ACTIVE platform: MACOS _links: self: href: https://your-subdomain.okta.com/api/v1/device-integrations/din9lzd33mvS9vBwN1c5 hints: allow: - GET deactivate: href: https://your-subdomain.okta.com/api/v1/device-integrations/din9lzd33mvS9vBwN1c5/lifecycle/deactivate hints: allow: - POST DeviceIntegrationDevicePostureIdPResponse: summary: Response of a device integration for Device Posture Provider value: id: dindyfzlaerjWVdqt0g4 name: com.okta.deviceidp displayName: Device Posture Provider status: ACTIVE platform: WINDOWS metadata: type: DEVICE_IDP idpId: 0oa2owlGX5l74kjr60g4 _links: self: href: https://your-subdomain.okta.com/api/v1/device-integrations/dindyfzlaerjWVdqt0g4 hints: allow: - GET deactivate: href: https://your-subdomain.okta.com/api/v1/device-integrations/dindyfzlaerjWVdqt0g4/lifecycle/deactivate hints: allow: - POST DeviceIntegrationWindowsSecurityCenterResponse: summary: Response of a device integration for Windows Security Center value: id: dinjihtR8qWZZF6qe0g4 name: com.okta.windowssecuritycenter displayName: Windows Security Center status: DEACTIVATED platform: WINDOWS _links: self: href: https://your-subdomain.okta.com/api/v1/device-integrations/dinjihtR8qWZZF6qe0g4 hints: allow: - GET activate: href: https://your-subdomain.okta.com/api/v1/device-integrations/dinjihtR8qWZZF6qe0g4/lifecycle/activate hints: allow: - POST DevicePostureChecksMacOSRequest: summary: macOS request value: name: Device posture check macOS description: Query macOS devices to check if 
firewall is enabled variableName: macOSFirewall platform: MACOS type: CUSTOM mappingType: CHECKBOX query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; remediationSettings: message: defaultI18nKey: null customText: It is our company policy that all devices must have a firewall enabled. link: defaultUrl: null customUrl: example.myremediationurl.com/docs DevicePostureChecksMacOSResponse: summary: macOS response value: id: dch3m8o4rWhwReDeM1c5 name: Device posture check macOS lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 description: Query macOS devices to check if firewall is enabled variableName: macOSFirewall query: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; platform: MACOS type: CUSTOM mappingType: CHECKBOX remediationSettings: message: defaultI18nKey: null customText: It is our company policy that all devices must have a firewall enabled. link: defaultUrl: null customUrl: example.myremediationurl.com/docs _links: self: href: https://your-subdomain.okta.com/api/v1/device-posture-checks/dch3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DevicePostureChecksWindowsRequest: summary: Windows request value: name: Device posture check Windows description: Query Windows devices to check if firewall is enabled variableName: windowsFirewall platform: WINDOWS type: CUSTOM mappingType: CHECKBOX query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles; remediationSettings: message: defaultI18nKey: null customText: It is our company policy that all devices must have a firewall enabled. 
link: defaultUrl: null customUrl: example.myremediationurl.com/docs DevicePostureChecksWindowsResponse: summary: Windows response value: id: dch3m8o4rWhwReDeM1c5 name: Device posture check Windows lastUpdate: '2022-01-01T00:00:00.000Z' createdUpdate: '2022-01-01T00:00:00.000Z' lastUpdatedBy: 00u217pyf72CdUrBt1c5 createdBy: 00u217pyf72CdUrBt1c5 description: Query Windows devices to check if firewall is enabled variableName: windowsFirewall query: SELECT CASE WHEN enabled = 1 THEN 1 ELSE 0 END AS firewall_enabled FROM windows_firewall_profiles; platform: WINDOWS type: CUSTOM mappingType: CHECKBOX remediationSettings: message: defaultI18nKey: null customText: It is our company policy that all devices must have a firewall enabled. link: defaultUrl: null customUrl: example.myremediationurl.com/docs _links: self: href: https://your-subdomain.okta.com/api/v1/device-posture-checks/dch3m8o4rWhwReDeM1c5 hints: allow: - DELETE - GET - PUT DeviceResponse: value: id: guo8jx5vVoxfvJeLb0w4 status: ACTIVE created: '2020-11-03T21:47:01.000Z' lastUpdated: '2020-11-03T23:46:27.000Z' profile: displayName: DESKTOP-EHAD3IE platform: WINDOWS manufacturer: International Corp model: VMware7,1 osVersion: 10.0.18362 serialNumber: 56 4d 4f 95 74 c5 d3 e7-fc 3a 57 9c c2 f8 5d ce udid: 954F4D56-C574-E7D3-FC3A-579CC2F85DCE sid: S-1-5-21-3992267483-1860856704-2413701314-500 registered: true secureHardwarePresent: false diskEncryptionType: NONE resourceId: guo8jx5vVoxfvJeLb0w4 resourceDisplayName: value: DESKTOP-EHAD3IE sensitive: false resourceType: UDDevice resourceAlternateId: null _links: suspend: href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/suspend hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4 hints: allow: - GET - PATCH - PUT users: href: https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/users hints: allow: - GET deactivate: href: 
https://{yourOktaDomain}/api/v1/devices/guo8jx5vVoxfvJeLb0w4/lifecycle/deactivate hints: allow: - POST EmailCustomizationResponse: value: language: en isDefault: true subject: Welcome to ${org.name}! body:

Hello, ${user.profile.firstName}. Click here to activate your account. id: oel11u6DqUiMbQkpl0g4 created: '2021-11-09T20:38:10.000Z' lastUpdated: '2021-11-11T20:38:10.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 hints: allow: - GET - PUT - DELETE template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET preview: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview hints: allow: - GET test: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test hints: allow: - POST EmailDomainResponse: value: id: OeD114iNkrcN6aR680g4 validationStatus: NOT_STARTED displayName: Admin userName: admin domain: example.com validationSubdomain: mail dnsValidationRecords: - recordType: TXT fqdn: _oktaverification.example.com verificationValue: 759080212bda43e3bc825a7d73b4bb64 - recordType: CNAME fqdn: mail.example.com verificationValue: u22224444.wl024.sendgrid.net - recordType: CNAME fqdn: t02._domainkey.example.com verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - recordType: CNAME fqdn: t022._domainkey.example.com verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net EmailSettingsRequest: value: recipients: ALL_USERS EmailSettingsResponse: value: recipients: ALL_USERS _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings hints: allow: - GET - PUT template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET EmailTemplateDefaultContentResponse: value: subject: Welcome to ${org.name}! body:

Hello, ${user.profile.firstName}. Click here to activate your account. _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content hints: allow: - GET template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET preview: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview hints: allow: - GET EmbeddedGroupAssignmentSampleResponse: summary: Application group with an embedded group value: id: 00g15acRUy0SYb9GT0g4 priority: 0 lastUpdated: '2024-06-02T13:17:57.000Z' profile: preferredLanguage: English manager: Donald Glover securityQuestion: Who is the footballer to have played the game securityAnswer: Ronaldinho timezone: Canada/Eastern initialStatus: active_with_pass managerId: ike.ogb@gmail.com locale: en_US division: top organization: wazobia userType: null department: marketing _links: app: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 self: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 group: href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 _embedded: group: id: 00g15acRUy0SYb9GT0g4 created: '2024-06-02T13:02:12.000Z' lastUpdated: '2024-06-02T13:02:12.000Z' lastMembershipUpdated: '2024-06-02T13:03:13.000Z' objectClass: - okta:user_group type: OKTA_GROUP profile: name: Football Group description: Group with professional footballers _links: logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-medium.30ce6d4085dff29412984e4c191bc874.png type: image/png - name: large href: http://{yourOktaDomain}/assets/img/logos/groups/odyssey/okta-large.c3cb8cda8ae0add1b4fe928f5844dbe3.png type: image/png users: href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/users apps: href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4/apps EmbeddedMetadataGroupAssignmentSampleResponse: 
summary: Application group with embedded metadata value: id: 00g15acRUy0SYb9GT0g4 priority: 0 lastUpdated: '2024-06-02T13:17:57.000Z' profile: preferredLanguage: English manager: Donald Glover securityQuestion: Who is the footballer to have played the game securityAnswer: Ronaldinho timezone: Canada/Eastern initialStatus: active_with_pass managerId: ike.ogb@gmail.com locale: en_US division: top organization: wazobia userType: null department: marketing _links: app: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 self: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 group: href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 _embedded: metadata: credentials: {} profile: division: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null preferredLanguage: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null manager: source: type: MAPPING value: - id: null lastUpdated: null securityQuestion: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null securityAnswer: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null timezone: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null organization: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null initialStatus: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null managerId: source: type: MAPPING value: - id: null lastUpdated: null userType: source: type: 
MAPPING value: - id: null lastUpdated: null locale: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null department: source: type: MAPPING value: - id: null lastUpdated: null EnrollFactorCallRequest: summary: call value: factorType: call provider: OKTA profile: phoneNumber: +1-555-415-1337 phoneExtension: '1234' EnrollFactorCallResponse: summary: call value: id: clf1nz9JHJGHWRKMTLHP factorType: call provider: OKTA vendorName: OKTA status: PENDING_ACTIVATION created: '2014-08-05T20:59:49.000Z' lastUpdated: '2014-08-06T03:59:49.000Z' profile: phoneNumber: +1-555-415-1337 phoneExtension: '1234' _links: activate: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/lifecycle/activate hints: allow: - POST resend: - name: call href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP/resend hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clf1nz9JHJGHWRKMTLHP hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET EnrollFactorCustomTotpRequest: summary: custom totp value: factorType: token:hotp provider: CUSTOM factorProfileId: fpr20l2mDyaUGWGCa0g4 profile: sharedSecret: 484f97be3213b117e3a20438e291540a EnrollFactorCustomTotpResponse: summary: custom totp value: id: chf20l33Ks8U2Zjba0g4 factorType: token:hotp provider: CUSTOM vendorName: Entrust Datacard status: ACTIVE created: '2019-07-22T23:22:36.000Z' lastUpdated: '2019-07-22T23:22:36.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4 hints: allow: - GET - DELETE verify: href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3/factors/chf20l33Ks8U2Zjba0g4/verify hints: allow: - POST user: href: https://{yourOktaDomain}/api/v1/users/00utf43LCCmTJVcsK0g3 hints: allow: - GET 
EnrollFactorEmailRequest: summary: email value: factorType: email provider: OKTA profile: email: test@gmail.com EnrollFactorEmailResponse: summary: email value: id: emfnf3gSScB8xXoXK0g3 factorType: email provider: OKTA vendorName: OKTA status: PENDING_ACTIVATION _links: activate: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/lifecycle/activate hints: allow: - POST resend: - name: email href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/resend hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 hints: allow: - GET EnrollFactorGoogleRequest: summary: google token:software:totp value: factorType: token:software:totp provider: GOOGLE EnrollFactorGoogleResponse: value: id: ostf1fmaMGJLMNGNLIVG factorType: token:software:totp provider: GOOGLE vendorName: GOOGLE status: PENDING_ACTIVATION created: '2014-07-16T16:13:56.000Z' lastUpdated: '2014-07-16T16:13:56.000Z' profile: credentialId: dade.murphy@example.com _links: activate: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET _embedded: activation: timeStep: 30 sharedSecret: JBTWGV22G4ZGKV3N encoding: base32 keyLength: 16 _links: qrcode: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 type: image/png EnrollFactorOVPushRequest: summary: token:software:totp push value: factorType: push provider: OKTA EnrollFactorOVPushResponse: summary: token:software:totp value: id: opfbtzzrjgwauUsxO0g4 
factorType: push provider: OKTA vendorName: OKTA status: PENDING_ACTIVATION created: '2015-11-13T07:34:22.000Z' lastUpdated: '2015-11-13T07:34:22.000Z' _links: poll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/poll hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4 hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET _embedded: activation: expiresAt: '2015-11-13T07:44:22.000Z' factorResult: WAITING _links: send: - name: email href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/email hints: allow: - POST - name: sms href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/lifecycle/activate/sms hints: allow: - POST qrcode: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfbtzzrjgwauUsxO0g4/qr/00Ji8qVBNJD4LmjYy1WZO2VbNqvvPdaCVua-1qjypa type: image/png EnrollFactorOVTotpRequest: summary: token:software:totp value: factorType: token:software:totp provider: OKTA EnrollFactorOVTotpResponse: summary: token:software:totp value: id: ostf1fmaMGJLMNGNLIVG factorType: token:software:totp provider: OKTA vendorName: OKTA status: PENDING_ACTIVATION created: '2014-07-16T16:13:56.000Z' lastUpdated: '2014-07-16T16:13:56.000Z' profile: credentialId: dade.murphy@example.com _links: activate: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET _embedded: activation: timeStep: 30 sharedSecret: JBTWGV22G4ZGKV3N encoding: base32 keyLength: 6 _links: qrcode: href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf1fmaMGJLMNGNLIVG/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4 type: image/png EnrollFactorQuestionRequest: summary: question value: question: summary: question factor value: factorType: question provider: OKTA profile: question: disliked_food answer: mayonnaise EnrollFactorQuestionResponse: summary: question value: id: ufs1o01OTMGHLAJPVHDZ factorType: question provider: OKTA vendorName: OKTA status: ACTIVE created: '2014-08-05T22:58:49.000Z' lastUpdated: '2014-08-05T22:58:49.000Z' profile: question: disliked_food questionText: What is the food you least liked as a child? _links: questions: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions hints: allow: - GET self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs1o01OTMGHLAJPVHDZ hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET EnrollFactorRsaSecurIdRequest: summary: RSA SecurID value: factorType: token provider: RSA profile: credentialId: dade.murphy@example.com verify: passCode: '5275875498' EnrollFactorRsaSecurIdResponse: summary: RSA SecurID value: id: rsabtznMn6cp94ez20g4 factorType: token provider: RSA vendorName: RSA status: ACTIVE created: '2015-11-13T07:05:53.000Z' lastUpdated: '2015-11-13T07:05:53.000Z' profile: credentialId: dade.murphy@example.com _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/rsabtznMn6cp94ez20g4 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET EnrollFactorSmsRequest: summary: sms value: factorType: sms provider: OKTA profile: phoneNumber: +1-555-415-1337 EnrollFactorSmsResponse: summary: sms value: id: mbl1nz9JHJGHWRKMTLHP factorType: sms provider: 
OKTA vendorName: OKTA status: PENDING_ACTIVATION created: '2014-08-05T20:59:49.000Z' lastUpdated: '2014-08-06T03:59:49.000Z' profile: phoneNumber: +1-555-415-1337 _links: activate: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/lifecycle/activate hints: allow: - POST resend: - name: sms href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP/resend hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/mbl1nz9JHJGHWRKMTLHP hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET EnrollFactorSymantecVipRequest: summary: Symantec VIP value: factorType: token provider: SYMANTEC profile: credentialId: VSMT14393584 verify: passCode: '875498' nextPassCode: '678195' EnrollFactorSymantecVipResponse: summary: Symantec VIP value: id: ufvbtzgkYaA7zTKdQ0g4 factorType: token provider: SYMANTEC vendorName: SYMANTEC status: ACTIVE created: '2015-11-13T06:52:08.000Z' lastUpdated: '2015-11-13T06:52:08.000Z' profile: credentialId: VSMT14393584 _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufvbtzgkYaA7zTKdQ0g4 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET EnrollFactorU2fRequest: summary: u2f value: factorType: u2f provider: FIDO EnrollFactorU2fResponse: summary: u2f value: id: fuf2rovRxogXJ0nDy0g4 factorType: u2f provider: FIDO vendorName: FIDO status: PENDING_ACTIVATION created: '2018-05-24T20:43:19.000Z' lastUpdated: '2018-05-24T20:43:19.000Z' _links: activate: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/lifecycle/activate hints: allow: - POST self: href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET _embedded: activation: version: U2F_V2 nonce: 9DmGJDLvaU6KWxJbfrZ0 timeoutSeconds: 20 EnrollFactorWebauthnRequest: summary: webAuthn value: factorType: webauthn provider: FIDO EnrollFactorWebauthnResponse: summary: webAuthn value: id: fwf2rovRxogXJ0nDy0g4 factorType: webauthn provider: FIDO vendorName: FIDO status: PENDING_ACTIVATION created: '2018-05-24T20:43:19.000Z' lastUpdated: '2018-05-24T20:43:19.000Z' _links: activate: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET _embedded: activation: attestation: direct authenticatorSelection: userVerification: preferred requireResidentKey: false challenge: cdsZ1V10E0BGE4GcG3IK excludeCredentials: [] pubKeyCredParams: - type: public-key alg: -7 - type: public-key alg: -257 rp: name: Rain-Cloud59 user: displayName: First Last name: first.last@gmail.com id: 00u15s1KDETTQMQYABRL EnrollFactorYubikeyRequest: summary: yubikey value: factorType: token:hardware provider: YUBICO verify: passCode: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji EnrollFactorYubikeyResponse: value: id: ykfbty3BJeBgUi3750g4 factorType: token:hardware provider: YUBICO vendorName: YUBICO status: ACTIVE created: '2015-11-13T05:27:49.000Z' lastUpdated: '2015-11-13T05:27:49.000Z' profile: credentialId: '000004102994' _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ykfbty3BJeBgUi3750g4 hints: allow: - GET
- DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET EnrollmentActivationRequestExample: summary: Enrollment activation request value: credResponses: - authenticatorEnrollmentId: fwf5ajzJEWqknX6lk0g4 credResponseJwe: eyJlcGsiOnsia3R5IjoiRUM... fulfillmentProvider: yubico pinResponseJwe: eyJl5IjoiRUMiLCJjcnYcGsiOnsia3... serial: '3632071' userId: 00us2hPODQncCkxef0g3 version: 5.4.3 yubicoSigningJwks: - crv: P-384 kid: APCS-Tsgnkey-C19881-H0027616953 kty: EC use: sig x: tJc-j5osUCP-75ihCOKsswTOj3XsekayG3x79K2ndyOIXu08gDMkvL8rks06tEAa 'y': hfVGbQeG4l2orqenn-GATWwTm8tLqHFHuwfJp33CCNOMtYYsgkAEnW60ORzt4YV- EnrollmentActivationResponseExample: summary: Enrollment activation response value: authenticatorEnrollmentIds: - fwf5ajzJEWqknX6lk0g4 fulfillmentProvider: yubico userId: 00us2hPODQncCkxef0g3 EnrollmentInitializationRequestExample: summary: Initialize preregistration enrollment request value: enrollmentRpIds: - myorg.okta.com fulfillmentProvider: yubico userId: 00us2hPODQncCkxef0g3 yubicoTransportKeyJWK: crv: P-384 kid: APCS-Ttrans-C19881-I009 kty: EC use: enc x: r6AzcX3OSiJk1yQaBVYiBOtzFS9gNSpMDPvnVvl0CAX7el1ZyzmPG_BZ7u8sqTmF 'y': RxPyGH1Xg74E2f5AQGkkddzsvTNY1R3R7mXTEM5wQtr1Y7C4XHlvITNZfU6G EnrollmentInitializationResponseExample: summary: Initialize preregistration enrollment response value: credRequests: - authenticatorEnrollmentId: fwf5ajzJEWqknX6lk0g4 credRequestJwe: eyJlcGsiOnsia3R5IjoiRUMiLCJ... keyId: h2r91gconqiai1vs0psg fulfillmentProvider: yubico pinRequestJwe: eyJlcGsa3R5IjoiRUMiLA...
userId: 00us2hPODQncCkxef0g3 EntitlementValuesResponse: summary: List of bundle entitlement values value: entitlementValues: - id: entfxqCAJWWGELFTYAAA value: orn:okta:00o5rb5mt2H3d1TJd0h7:groups:00guaxWZ0AOa5NFAj0g3 name: Restricted users group _links: group: http://your-subdomain.okta.com/api/v1/groups/00guaxWZ0AOa5NFAj0g3 _links: self: href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 bundle: href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA entitlements: href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements ErrorAccessDenied: summary: Access Denied value: errorCode: E0000006 errorSummary: You do not have permission to perform the requested action errorLink: E0000006 errorId: sampleNUSD_8fdkFd8fs8SDBK errorCauses: [] ErrorAgentDeleteActiveJsonWebKey: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You can't delete an active JSON Web Key. Deactivate the key before deleting it. ErrorAgentJsonWebKeyDuplicateKid: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: All keys in the `jwks` must have a unique `kid`. ErrorAgentJsonWebKeyKidLengthTooShort: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: RSA key length in the `jwks` is less than 2048 bits for the given key. ErrorAgentJsonWebKeyNonUniqueKid: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: Each key should have a unique `kid` when adding multiple keys. 
ErrorAgentJsonWebKeyTooManyKids: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You can't create a new key. You have reached the maximum number of keys allowed (50). To add another key, you must first delete an existing one. ErrorAgentOnlyOneActiveEncryptionKeyAllowed: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: The client can have only one active encryption key in the `jwks`. ErrorAgentTimeOut: value: errorCode: E0000237 errorSummary: Timed out waiting for agent errorLink: E0000237 errorId: sampleMlLvGUj_YD5v16vkYWY errorCauses: [] ErrorApiValidationConflict: summary: Conflict value: errorCode: E0000195 errorSummary: 'Api validation failed due to conflict: {0}' errorLink: E0000195 errorId: sampleMlLvGUj_YD5v15vkYWX errorCauses: [] ErrorApiValidationFailed: summary: API Validation Failed value: errorCode: E0000001 errorSummary: 'Api validation failed: {0}' errorLink: E0000001 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: [] ErrorAppFeatureAPIValidationFailed: summary: API validation failed value: errorCode: E0000001 errorSummary: 'Api validation failed: feature' errorLink: E0000001 errorId: oaeZLxeiHUUQomPkM8xOqvu1A errorCauses: - errorSummary: Provisioning is not enabled for the app instance. ErrorAppUserForbiddenAction: summary: Forbidden action description: If the `PUSH_NEW_USERS` or `PUSH_PROFILE_UPDATES` feature is enabled and the request specifies a value for a profile-mapped (Universal Directory) attribute that doesn't match the mapped value, then a 403 error is returned. value: errorCode: E0000075 errorSummary: Cannot modify the firstName attribute because it has a field mapping and profile push is enabled. 
errorLink: E0000075 errorId: sampleWXiR_K-WwaTKhlgBQ errorCauses: [] ErrorAppUserUpdateBadRequest: summary: Bad request description: If you attempt to assign a username or password to an app with an incompatible authentication scheme, then a 400 error is returned. value: errorCode: E0000041 errorSummary: Credentials should not be set on this resource based on the scheme. errorLink: E0000041 errorId: oaeUM77NBynQQu4C_qT5ngjGQ errorCauses: errorSummary: User level credentials should not be provided for this scheme. ErrorCAPTCHALimitOfOne: value: errorCode: E0000165 errorSummary: CAPTCHA count limit reached. At most one CAPTCHA instance is allowed per Org. errorLink: E0000165 errorId: oaejrB1fWL1S7mc-2KcG-SOtw errorCauses: [] ErrorCAPTCHAOrgWideSetting: value: errorCode: E0000149 errorSummary: Current CAPTCHA is associated with org-wide settings, cannot be removed. errorLink: E0000149 errorId: samplezsusshPdiTWiITwqBt8 errorCauses: [] ErrorCAPTCHAOrgWideSettingNull: summary: captchaId is null, but enabledPages is defined value: errorCode: E0000001 errorSummary: 'Api validation failed: captchaId' errorLink: E0000001 errorId: oae-hk3rssXQmOWDRsaFfxe8A errorCauses: errorSummary: 'captchaId: Invalid CAPTCHA ID. The value of captchaId cannot be blank when enabledPages is not empty. Please resubmit with an existing CAPTCHA ID or disable CAPTCHA support on all supported pages.' ErrorClientJsonWebKeyDuplicateKid: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: All keys in the 'jwks' must have a unique `kid`. ErrorClientJsonWebKeyKidLengthTooShort: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: RSA key length in the 'jwks' is less than '2,048' bits for the given key. 
ErrorClientJsonWebKeyNonUniqueKid: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: Each key should have a unique kid when adding multiple keys. Use the Apps API to update the JWKS to add a kid for the existing key, or delete the existing key and re-add the key with a kid using the JWKS APIs. ErrorClientJsonWebKeyTooManyKids: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You can't create a new key. You have reached the maximum number of keys allowed (50). To add another key, you must first delete an existing one. ErrorClientSecretNonAscii: summary: Client secret allows only ASCII error value: errorCode: E0000001 errorSummary: 'Api validation failed: client_secret' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: 'client_secret: ''''client_secret'''' must only contain printable ASCII: [x20-x7E]+' ErrorClientSecretTooLong: summary: Client secret too long error value: errorCode: E0000001 errorSummary: 'Api validation failed: client_secret' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: 'client_secret: ''client_secret'' can''t be more than ''100'' characters long.' ErrorClientSecretTooShort: summary: Client secret too short error value: errorCode: E0000001 errorSummary: 'Api validation failed: client_secret' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: 'client_secret: ''client_secret'' must be at least ''14'' characters long.' 
ErrorClientSecretTooShortWithClientSecretJWT: summary: Client secret is too short for JWT error value: errorCode: E0000001 errorSummary: 'Api validation failed: client_secret' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: 'client_secret: ''client_secret'' must be at least ''32'' characters long when ''token_endpoint_auth_method'' is ''client_secret_jwt''.' ErrorClientSecretWithPrivateKeyJWT: summary: Client secret can't be used for private key JWT error value: errorCode: E0000001 errorSummary: 'Api validation failed: client_secret' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: '''client_secret'' can''t be used when ''token_endpoint_auth_method'' is ''private_key_jwt''.' ErrorCreateBrandExists: value: errorCode: E0000202 errorSummary: Brand name already exists. errorLink: E0000202 errorId: oaeKABuesTdRvCXeCTpSpXAcQ errorCauses: [] ErrorCreateUserWithExpiredPasswordWithNullPassword: value: errorCode: E0000124 errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified. errorLink: E0000124 errorId: oaeXxuZgXBySvqi1FvtkwoYCA errorCauses: - errorSummary: Could not create user. To create a user and expire their password immediately, a password must be specified. ErrorCreateUserWithExpiredPasswordWithoutActivation: value: errorCode: E0000125 errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true. errorLink: E0000125 errorId: oaeDd77L9R-TJaD7j_rXsQ31w errorCauses: - errorSummary: Could not create user. To create a user and expire their password immediately, `activate` must be true. 
ErrorCreateUserWithTooManyManyGroupsResponse: value: errorCode: E0000093 errorSummary: Target count limit exceeded errorLink: E0000093 errorId: oaePVSLIYnIQsC0B-ptBIllVA errorCauses: - errorSummary: The number of group targets is too large ErrorDeactivateActiveKey: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You cannot deactivate the active key when access token encryption is enabled. ErrorDeactivateEncryptionKey: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You can't deactivate the active encryption key. ErrorDeactivateTheOnlyClientSecret: value: errorCode: E0000001 errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You can't deactivate the only active client secret. ErrorDeactivateTheOnlyKeyWithPrivateKeyJwtAuthMethod: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: Can't deactivate the only active JSON Web Key when the value for `token_endpoint_auth_method` is `private_key_jwt`. ErrorDeactivateTheOnlyKeyWithRequestObjectSignAlgorithm: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: The `jwks` must contain at least one key with an algorithm matching the `request_object_signature_algorithm`. ErrorDeleteActiveJsonWebKey: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You can't delete an active JSON Web key. Deactivate the key before deleting it. 
ErrorDeleteActiveSecret: value: errorCode: E0000001 errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You can't delete an active client secret. Deactivate the secret before deleting it. ErrorDeleteBrandAssociatedWithDomain: value: errorCode: E0000201 errorSummary: A brand associated with a domain cannot be deleted errorLink: E0000201 errorId: oaeAdRqprFuTyKokyYPbURJkA errorCauses: [] ErrorDeleteCustomAsActiveJsonWebKey: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: '''''ACTIVE'''' keys cannot be deleted. Activate another key before deleting this one.' ErrorDeleteDefaultBrand: value: errorCode: E0000200 errorSummary: A default brand cannot be deleted errorLink: E0000200 errorId: oaeAdRqprFuTyKokyYPbURJkA errorCauses: [] ErrorDeviceAssuranceInUse: summary: Can't delete device assurance policy in use by app sign-in policies value: errorSummary: Device assurance is in use and cannot be deleted. errorId: oaenwA1ra80S9W-pvbh4m6haA errorCauses: [] ErrorDevicePostureCheckInUse: summary: Can't delete device posture check in use by device assurance policies value: errorSummary: Device posture check is in use and can't be deleted. errorId: oaenwA1ra80S9W-pvbh4m6haA errorCauses: [] ErrorEmailCustomizationCannotClearDefault: value: errorCode: E0000185 errorSummary: The isDefault parameter of the default email template customization can't be set to false. errorLink: E0000185 errorId: oaejrB1fWL1S7mc-2KcG-SOtw errorCauses: [] ErrorEmailCustomizationCannotDeleteDefault: value: errorCode: E0000184 errorSummary: A default email template customization can't be deleted. 
errorLink: E0000184 errorId: oaeAdRqprFuTyKokyYPbURJkA errorCauses: [] ErrorEmailCustomizationDefaultAlreadyExists: value: errorCode: E0000182 errorSummary: A default email template customization already exists. errorLink: E0000182 errorId: oaeXYwTiMvASsC3O4HCzjFaCA errorCauses: [] ErrorEmailCustomizationLanguageAlreadyExists: value: errorCode: E0000183 errorSummary: An email template customization for that language already exists. errorLink: E0000183 errorId: oaeUcGELffqRay0u1OPdnPypw errorCauses: [] ErrorEmailDomainAlreadyExists: value: errorCode: E0000197 errorSummary: Email domain already exists. errorLink: E0000197 errorId: oaeEdRqprFuTyKokyYPbURJkA errorCauses: [] ErrorEmailDomainInUse: value: errorCode: E0000216 errorSummary: Email domain can't be deleted due to mail provider restrictions. errorLink: E0000216 errorId: oaeEdRqprFuTyKokyYPbURJkB errorCauses: [] ErrorEmailDomainInvalidStatus: value: errorCode: E0000217 errorSummary: Invalid status. Can't validate email domain with current status. errorLink: E0000217 errorId: oaeEdRqprFuTyKokyYPbURJkD errorCauses: [] ErrorEmailDomainNotVerified: value: errorCode: E0000218 errorSummary: Email domain couldn't be verified by mail provider. errorLink: E0000218 errorId: oaeEdRqprFuTyKokyYPbURJkC errorCauses: [] ErrorEmailSettingsRaceCondition: value: errorCode: E0000254 errorSummary: Another request has already been received for the settings for this email template. Please try again later. errorLink: E0000254 errorId: oaeUcGELffqRay0u1OPdnPypw errorCauses: [] ErrorInternalServer: summary: Internal Server Error value: errorCode: E0000009 errorSummary: Internal Server Error errorLink: E0000000 errorId: sampleAlJ82XS2SDB_vaNIWgcA errorCauses: [] ErrorInvalidEmailTemplateRecipients: value: errorCode: E0000189 errorSummary: This template does not support the recipients value. 
errorLink: E0000189 errorId: oae8L1-UkcNTeGi5xVQ28_lww errorCauses: [] ErrorInvalidLinkedObjectDef: summary: Invalid linked object definition value: errorCode: E0000127 errorSummary: Invalid linked objection definition. Linked object identifier is already in use. errorLink: E0000127 errorId: oaeh5FICFF2RnqakoNofPadhw errorCauses: - errorSummary: Linked object identifier for primary is already in use. reason: UNIQUE_CONSTRAINT locationType: body domain: linkedObjects - errorSummary: Linked object identifier for associated is already in use. reason: UNIQUE_CONSTRAINT locationType: body domain: linkedObjects ErrorInvalidTokenProvided: summary: Invalid Token Provided value: errorCode: E0000011 errorSummary: Invalid token provided errorLink: E0000011 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: [] ErrorInvalidWellKnownPath: summary: Invalid path value: errorCode: E0000001 errorSummary: 'Api validation failed: request' errorLink: E0000001 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: - errorSummary: 'The specified path is not supported. Valid values: [apple-app-site-association, assetlinks.json, webauthn].' ErrorJsonWebKeyCannotAddActiveKey: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: Keys cannot be created with an ''ACTIVE'' status. Create an ''INACTIVE'' key and then activate it. ErrorJsonWebKeyKidLengthTooShort: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: RSA key length in the 'jwks' is less than '2,048' bits for the given key. ErrorJsonWebKeyNonUniqueKid: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: Each key must have a unique ''kid''. 
ErrorJsonWebKeyTooManyKids: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You can't create a new key. You have reached the maximum number of keys allowed (5). To add another key, you must first delete an existing one. ErrorKeyCredentialCloneDuplicateKey: summary: Duplicate key credential error value: errorCode: E0000001 errorSummary: 'Api validation failed: cloneKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: Key already exists in the list of key credentials for the target app. ErrorKeyCredentialInvalidValidity: summary: Key credential invalid year error value: errorCode: E0000001 errorSummary: 'Api validation failed: generateKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: Validity years out of range. It should be 2 - 10 years. ErrorMaxNumberOfSecrets: summary: Maximum client secrets reached error value: errorCode: E0000001 errorSummary: 'Api validation failed: OAuth2ClientSecretMediated' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: You've reached the maximum number of client secrets per client. ErrorMissingRequiredParameter: summary: Missing Required Parameter value: errorCode: E0000028 errorSummary: The request is missing a required parameter. errorLink: E0000028 errorId: sampleiCF-l7mr9XqM1NQ errorCauses: [] ErrorNoConnectedAgents: value: errorCode: E0000236 errorSummary: There are no connected agents errorLink: E0000236 errorId: sampleMlLvGUj_YD5v16vkYWY errorCauses: [] ErrorOnlyOneActiveEncryptionKeyAllowed: value: errorCode: E0000001 errorSummary: 'Api validation failed: JsonWebKey' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: The client can have only one active encryption key in the 'jwks'. 
ErrorPinOrCredRequestsGenerationFailure: summary: PIN or cred requests generation failed value: errorCode: E0000001 errorSummary: 'Api validation failed: webAuthnPreregistrationPinRequest|webAuthnPreregistrationCredentialRequest' errorLink: E0000001 errorId: oaehk3rssXQmOWDRsaFfxe8A errorCauses: errorSummary: There was an unexpected internal error. Please try again. ErrorPinOrCredResponsesProcessingFailure: summary: PIN or cred response processing failed value: errorCode: E0000001 errorSummary: 'Api validation failed: pinResponseJwe|webAuthnCredResponse' errorLink: E0000001 errorId: oaehk3rssXQmOWDRsaFfxe8B errorCauses: errorSummary: There was an unexpected internal error. Please try again. ErrorPublishCSRCertDoesNotMatchCSR: summary: Mismatch certificate and CSR error value: errorCode: E0000001 errorSummary: 'Api validation failed: certificate' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: The certificate doesn't match the CSR. ErrorPublishCSRCertValidityLessThan90Days: summary: Certificate valid for 90 days error value: errorCode: E0000001 errorSummary: 'Api validation failed: certificate' errorLink: E0000001 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: - errorSummary: The certificate must be valid for more than 90 days. ErrorPushProviderUsedByCustomAppAuthenticator: value: errorCode: E0000187 errorSummary: Cannot delete push provider because it is being used by a custom app authenticator. errorLink: E0000187 errorId: oaenwA1ra80S9W-pvbh4m6haA errorCauses: [] ErrorResourceNotFound: summary: Resource Not Found value: errorCode: E0000007 errorSummary: 'Not found: {0}' errorLink: E0000007 errorId: sampleMlLvGUj_YD5v16vkYWY errorCauses: [] ErrorTargetAppType: value: errorCode: E0000001 errorSummary: 'Api validation failed: Interclient Trust Mappings' errorLink: E0000001 errorId: oae7oXKyr41R7yW8Q-gMZsTrA errorCauses: - errorSummary: The target application must be an OIDC or SAML app. 
ErrorTooManyAllowedApps: value: errorCode: E0000001 errorSummary: 'Api validation failed: Interclient Trust Mappings' errorLink: E0000001 errorId: oae7oXKyr41R7yW8Q-gMZsTrA errorCauses: - errorSummary: The target application cannot have more than 5 trusted apps. ErrorTooManyRequests: summary: Too Many Requests value: errorCode: E0000047 errorSummary: API call exceeded rate limit due to too many requests. errorLink: E0000047 errorId: sampleQPivGUj_ND5v78vbYWW errorCauses: [] ExampleOAuth2Scope: summary: Example scope value: id: scp5yu8kLOnDzo7lh0g4 name: car:drive description: Drive car system: false default: false displayName: Saml Jackson consent: REQUIRED optional: false metadataPublish: NO_CLIENTS _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 hints: allow: - GET - PUT - DELETE ExampleOAuth2Scopes: summary: All scopes value: - id: scp5yu8kLOnDzo7lh0g4 name: car:drive description: Drive car system: false default: false displayName: Saml Jackson consent: REQUIRED optional: false metadataPublish: NO_CLIENTS _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 hints: allow: - GET - PUT - DELETE ExpirePwdResponse: value: id: 00ub0oNGTSWTBKOLGLNR status: PASSWORD_EXPIRED created: '2013-06-24T16:39:18.000Z' activated: '2013-06-24T16:39:19.000Z' statusChanged: '2013-06-24T16:39:19.000Z' lastLogin: '2013-06-24T17:39:19.000Z' lastUpdated: '2013-06-27T16:35:28.000Z' passwordChanged: '2013-06-24T16:39:19.000Z' profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: {} recovery_question: question: Who's a major player in the cowboy scene? 
provider: type: OKTA name: OKTA _links: resetPassword: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_password resetFactors: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/reset_factors expirePassword: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/expire_password forgotPassword: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/forgot_password changeRecoveryQuestion: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_recovery_question deactivate: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/deactivate changePassword: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/credentials/change_password ExpirePwdWithTempPwdResponse: value: tempPassword: F46gy7X4 ExpiredAuthorizationServerKey: summary: Expired authorization server key value: status: EXPIRED alg: RS256 e: AQAB 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU kty: RSA use: sig _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU hints: allow: - GET ExtendOktaSupportAccessStatus: summary: Extend Okta Support access value: impersonation: status: ENABLED expiration: '2024-01-25T11:13:14.000Z' caseNumber: '1011001' ExtendOktaSupportAccessStatusRequest: summary: Extend Okta Support access value: impersonation: expiration: '2024-01-25T11:13:14.000Z' FacebookIdPResponse: summary: Facebook IdP value: id: 0oa62b57p7c8PaGpU0h7 type: FACEBOOK name: Facebook status: ACTIVE 
created: '2016-03-24T23:18:27.000Z' lastUpdated: '2016-03-24T23:18:27.000Z' protocol: type: OAUTH2 endpoints: authorization: url: https://www.facebook.com/dialog/oauth binding: HTTP-REDIRECT token: url: https://graph.facebook.com/v2.5/oauth/access_token binding: HTTP-POST scopes: - public_profile - email credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: |- https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7& client_id={clientId}&response_type={responseType}&response_mode={responseMode}& scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST FactorEmail: value: id: emfnf3gSScB8xXoXK0g3 factorType: email provider: OKTA vendorName: OKTA status: ACTIVE profile: email: changed@clouditude.net _links: verify: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3/factors/emfnf3gSScB8xXoXK0g3 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00umvfJKwXOQ1mEL50g3 hints: allow: - GET FactorPasscodeRequest: value: passCode: '123456' FactorResponseSms: value: id: sms2gt8gzgEBPUWBIFHN factorType: sms provider: OKTA vendorName: OKTA status: ACTIVE created: '2014-06-27T20:27:26.000Z' lastUpdated: '2014-06-27T20:27:26.000Z' profile: phoneNumber: +1-555-415-1337 _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify hints: allow: - POST self: 
href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET ForgotPwdRecoveryQuestionRequest: value: password: value: uTVM,TPw55 recovery_question: answer: Annie Oakley ForgotPwdRecoveryQuestionResponse: value: password: {} recovery_question: question: Who's a major player in the cowboy scene? provider: type: OKTA name: OKTA ForgotPwdResponse: value: resetPasswordUrl: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO GenerateFulfillmentRequestExample: summary: Generate fulfillment request value: userId: 00us2hPODQncCkxef0g3 fulfillmentProvider: yubico fulfillmentData: - productId: '55' customizationId: RXJN83 inventoryProductId: '106' GenericOidcIdpResponse: summary: Generic OpenID Connect IdP value: id: 0oaulob4BFVa4zQvt0g3 type: OIDC name: Example OpenID Connect IdP status: ACTIVE created: '2019-02-07T20:07:47.000Z' lastUpdated: '2019-02-07T20:07:47.000Z' protocol: type: OIDC endpoints: authorization: url: https://idp.example.com/authorize binding: HTTP-REDIRECT token: url: https://idp.example.com/token binding: HTTP-POST userInfo: url: https://idp.example.com/userinfo binding: HTTP-REDIRECT jwks: url: https://idp.example.com/keys binding: HTTP-REDIRECT slo: url: https://idp.example.com/slo binding: HTTP-REDIRECT algorithms: request: signature: algorithm: HS256 scope: REQUEST scopes: - openid settings: participateSlo: true issuer: url: https://idp.example.com credentials: client: client_id: your-client-id client_secret: your-client-secret pkce_required: 'true' policy: provisioning: action: AUTO profileMaster: false groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.email filter: null matchType: USERNAME matchAttribute: null mapAMRClaims: false maxClockSkew: 0 _links: authorize: 
href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST Get-User-Classification-Example: value: type: LITE lastUpdated: '2022-05-04T19:50:52.000Z' GetApplicationsByGroupResponseEx: summary: Retrieve apps assigned to a group value: - id: 0oa7vicdkRNrz59R80w6 name: workday orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:workday:0oa7vicdkRNrz59R80w6 label: hrportal2 status: ACTIVE lastUpdated: '2021-05-17T23:10:50.000Z' created: '2021-05-17T23:10:49.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true features: [] signOnMode: SAML_2_0 credentials: userNameTemplate: template: ${source.login} type: BUILT_IN signing: kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg settings: app: siteURL: https://acme.workday.com notifications: vpn: network: connection: DISABLED message: null helpUrl: null signOn: defaultRelayState: null ssoAcsUrlOverride: null audienceOverride: null recipientOverride: null destinationOverride: null attributeStatements: [] _links: help: href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc type: text/html metadata: href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata type: application/xml appLinks: - name: login href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 type: text/html groups: href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups logo: - name: medium href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 type: image/png users: href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users 
deactivate: href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate - id: 0oa7vicvor8YSr9Hc0w6 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:workday:0oa7vicvor8YSr9Hc0w6 name: workday label: hrportal1 status: ACTIVE lastUpdated: '2021-05-17T23:10:22.000Z' created: '2021-05-17T23:10:22.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true features: [] signOnMode: SAML_2_0 credentials: userNameTemplate: template: ${source.login} type: BUILT_IN signing: kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg settings: app: siteURL: https://acme.workday.com notifications: vpn: network: connection: DISABLED message: null helpUrl: null signOn: defaultRelayState: null ssoAcsUrlOverride: null audienceOverride: null recipientOverride: null destinationOverride: null attributeStatements: [] _links: help: href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc type: text/html metadata: href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata type: application/xml appLinks: - name: login href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 type: text/html groups: href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups logo: - name: medium href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 type: image/png users: href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users deactivate: href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate - id: 0oabkvBLDEKCNXBGYUAS name: template_swa orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_swa:0oabkvBLDEKCNXBGYUAS label: Sample Plugin App status: ACTIVE lastUpdated: '2013-09-11T17:58:54.000Z' created: '2013-09-11T17:46:08.000Z' accessibility: selfService: false errorRedirectUrl: null visibility: autoSubmitToolbar: false 
hide: iOS: false web: false appLinks: login: true features: [] signOnMode: BROWSER_PLUGIN credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.login} type: BUILT_IN settings: app: buttonField: btn-login passwordField: txtbox-password usernameField: txtbox-username url: https://example.com/login.html _links: logo: - href: https://example.okta.com/img/logos/logo_1.png name: medium type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users groups: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups self: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate GetApplicationsByKeyResponseEx: summary: Retrieve apps using a key value: - id: 0oa1gjh63g214q0Hq0g4 name: testorgone_customsaml20app_1 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4 label: Custom Saml 2.0 App status: ACTIVE lastUpdated: '2016-08-09T20:12:19.000Z' created: '2016-08-09T20:12:19.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: testorgone_customsaml20app_1_link: true features: [] signOnMode: SAML_2_0 credentials: userNameTemplate: template: ${fn:substringBefore(source.login, "@")} type: BUILT_IN signing: {} settings: app: {} notifications: vpn: network: connection: DISABLED message: null helpUrl: null signOn: defaultRelayState: '' ssoAcsUrl: https://{yourOktaDomain} idpIssuer: https://www.okta.com/${org.externalKey} audience: https://example.com/tenant/123 recipient: https://recipient.okta.com destination: https://destination.okta.com subjectNameIdTemplate: ${user.userName} subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress responseSigned: true assertionSigned: true signatureAlgorithm: RSA_SHA256 digestAlgorithm: SHA256 
honorForceAuthn: true authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport slo: enabled: true spIssuer: https://testorgone.okta.com logoutUrl: https://testorgone.okta.com/logout participateSlo: enabled: true logoutRequestUrl: https://testorgone.okta.com/logout/participate sessionIndexRequired: true bindingType: REDIRECT spCertificate: x5c: - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" assertionEncryption: enabled: true keyTransportAlgorithm: RSA_15 encryptionAlgorithm: AES256_GCM x5c: - "MIIC6jCCAdKgAwIBAgIGAZKbFN7JMA0GCSqGSIb3DQEBCwUAMDYxNDAyBgNVBAMM\r\n" requestCompressed: false allowMultipleAcsEndpoints: false acsEndpoints: [] attributeStatements: [] _links: logo: - name: medium href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png appLinks: - name: testorgone_customsaml20app_1_link href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 type: text/html help: href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions type: text/html users: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users deactivate: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate groups: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups metadata: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata type: application/xml _embedded: user: id: 00ucw2RPGIUNTDQOYPOF externalId: null created: '2014-03-21T23:31:35.000Z' lastUpdated: '2014-03-21T23:31:35.000Z' scope: USER status: ACTIVE statusChanged: '2014-03-21T23:31:35.000Z' passwordChanged: null syncState: DISABLED lastSync: null credentials: userName: user@example.com _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD user: href: 
https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF id: 0oabkvBLDEKCNXBGYUAS name: template_swa label: Sample Plugin App status: ACTIVE lastUpdated: '2013-09-11T17:58:54.000Z' created: '2013-09-11T17:46:08.000Z' accessibility: selfService: false errorRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true features: [] signOnMode: BROWSER_PLUGIN credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.login} type: BUILT_IN settings: app: buttonField: btn-login passwordField: txtbox-password usernameField: txtbox-username url: https://example.com/login.html _links: logo: - href: https://example.okta.com/img/logos/logo_1.png name: medium type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users groups: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups self: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate _embedded: user: id: 00ucw2RPGIUNTDQOYPOF externalId: null created: '2014-06-10T15:16:01.000Z' lastUpdated: '2014-06-10T15:17:38.000Z' scope: USER status: ACTIVE statusChanged: '2014-06-10T15:16:01.000Z' passwordChanged: '2014-06-10T15:17:38.000Z' syncState: DISABLED lastSync: null credentials: userName: user@example.com password: {} _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS user: href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF GetApplicationsByNameResponseEx: summary: Retrieve apps by name value: - id: 0oa7vicdkRNrz59R80w6 name: workday orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:workday:0oa7vicdkRNrz59R80w6 label: hrportal2 status: ACTIVE lastUpdated: '2021-05-17T23:10:50.000Z' created: '2021-05-17T23:10:49.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: 
login: true features: [] signOnMode: SAML_2_0 credentials: userNameTemplate: template: ${source.login} type: BUILT_IN signing: kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg settings: app: siteURL: https://acme.workday.com notifications: vpn: network: connection: DISABLED message: null helpUrl: null signOn: defaultRelayState: null ssoAcsUrlOverride: null audienceOverride: null recipientOverride: null destinationOverride: null attributeStatements: [] _links: help: href: https://testorgone-admin.okta.com/app/workday/0oa7vicdkRNrz59R80w6/setup/help/SAML_2_0/external-doc type: text/html metadata: href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/sso/saml/metadata type: application/xml appLinks: - name: login href: https://testorgone.okta.com/home/workday/0oa7vicdkRNrz59R80w6/30 type: text/html groups: href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/groups logo: - name: medium href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 type: image/png users: href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/users deactivate: href: https://testorgone.okta.com/api/v1/apps/0oa7vicdkRNrz59R80w6/lifecycle/deactivate - id: 0oa7vicvor8YSr9Hc0w6 name: workday orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:workday:0oa7vicdkRNrz59R80w6 label: hrportal1 status: ACTIVE lastUpdated: '2021-05-17T23:10:22.000Z' created: '2021-05-17T23:10:22.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true features: [] signOnMode: SAML_2_0 credentials: userNameTemplate: template: ${source.login} type: BUILT_IN signing: kid: wRejFXWxFlK9nnLozx5qKWQa3fg-JRXw7dvdlTjs5Pg settings: app: siteURL: https://acme.workday.com notifications: vpn: network: connection: DISABLED message: null helpUrl: null signOn: defaultRelayState: null ssoAcsUrlOverride: null audienceOverride: null recipientOverride: null destinationOverride: null 
attributeStatements: [] _links: help: href: https://testorgone-admin.okta.com/app/workday/0oa7vicvor8YSr9Hc0w6/setup/help/SAML_2_0/external-doc type: text/html metadata: href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/sso/saml/metadata type: application/xml appLinks: - name: login href: https://testorgone.okta.com/home/workday/0oa7vicvor8YSr9Hc0w6/30 type: text/html groups: href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/groups logo: - name: medium href: https://tc2static.oktacdn.com/fs/bcg/4/gfs1wwhrwJR4LpB5X0w6 type: image/png users: href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/users deactivate: href: https://testorgone.okta.com/api/v1/apps/0oa7vicvor8YSr9Hc0w6/lifecycle/deactivate GetApplicationsByUserResponseEx: summary: Retrieve apps assigned to a user value: - id: 0oa1gjh63g214q0Hq0g4 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4 name: testorgone_customsaml20app_1 label: Custom Saml 2.0 App status: ACTIVE lastUpdated: '2016-08-09T20:12:19.000Z' created: '2016-08-09T20:12:19.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: testorgone_customsaml20app_1_link: true features: [] signOnMode: SAML_2_0 credentials: userNameTemplate: template: ${fn:substringBefore(source.login, "@")} type: BUILT_IN signing: {} settings: app: {} notifications: vpn: network: connection: DISABLED message: null helpUrl: null signOn: defaultRelayState: '' ssoAcsUrl: https://{yourOktaDomain} idpIssuer: https://www.okta.com/${org.externalKey} audience: https://example.com/tenant/123 recipient: https://recipient.okta.com destination: https://destination.okta.com subjectNameIdTemplate: ${user.userName} subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress responseSigned: true assertionSigned: true signatureAlgorithm: RSA_SHA256 digestAlgorithm: SHA256 
honorForceAuthn: true authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport slo: enabled: true spIssuer: https://testorgone.okta.com logoutUrl: https://testorgone.okta.com/logout participateSlo: enabled: true logoutRequestUrl: https://testorgone.okta.com/logout/participate sessionIndexRequired: true bindingType: REDIRECT spCertificate: x5c: - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" assertionEncryption: enabled: false requestCompressed: false allowMultipleAcsEndpoints: false acsEndpoints: [] attributeStatements: [] _links: logo: - name: medium href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png appLinks: - name: testorgone_customsaml20app_1_link href: https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 type: text/html help: href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions type: text/html users: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users deactivate: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate groups: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups metadata: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata type: application/xml _embedded: user: id: 00ucw2RPGIUNTDQOYPOF externalId: null created: '2014-03-21T23:31:35.000Z' lastUpdated: '2014-03-21T23:31:35.000Z' scope: USER status: ACTIVE statusChanged: '2014-03-21T23:31:35.000Z' passwordChanged: null syncState: DISABLED lastSync: null credentials: userName: user@example.com _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oabizCHPNYALCHDUIOD user: href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF id: 0oabkvBLDEKCNXBGYUAS name: template_swa label: Sample Plugin App status: ACTIVE lastUpdated: 
'2013-09-11T17:58:54.000Z' created: '2013-09-11T17:46:08.000Z' accessibility: selfService: false errorRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true features: [] signOnMode: BROWSER_PLUGIN credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.login} type: BUILT_IN settings: app: buttonField: btn-login passwordField: txtbox-password usernameField: txtbox-username url: https://example.com/login.html _links: logo: - href: https://example.okta.com/img/logos/logo_1.png name: medium type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users groups: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups self: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate _embedded: user: id: 00ucw2RPGIUNTDQOYPOF externalId: null created: '2014-06-10T15:16:01.000Z' lastUpdated: '2014-06-10T15:17:38.000Z' scope: USER status: ACTIVE statusChanged: '2014-06-10T15:16:01.000Z' passwordChanged: '2014-06-10T15:17:38.000Z' syncState: DISABLED lastSync: null credentials: userName: user@example.com password: {} _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS user: href: https://{yourOktaDomain}/api/v1/users/00ucw2RPGIUNTDQOYPOF GetApplicationsResponseEx: summary: Retrieve an app value: id: 0oa1gjh63g214q0Hq0g4 name: testorgone_customsaml20app_1 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4 label: Custom Saml 2.0 App status: ACTIVE lastUpdated: '2016-08-09T20:12:19.000Z' created: '2016-08-09T20:12:19.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: testorgone_customsaml20app_1_link: true features: [] signOnMode: SAML_2_0 credentials: userNameTemplate: template: 
${fn:substringBefore(source.login, "@")} type: BUILT_IN signing: {} settings: app: {} notifications: vpn: network: connection: DISABLED message: null helpUrl: null signOn: defaultRelayState: '' ssoAcsUrl: https://{yourOktaDomain} idpIssuer: https://www.okta.com/${org.externalKey} audience: https://example.com/tenant/123 recipient: https://recipient.okta.com destination: https://destination.okta.com subjectNameIdTemplate: ${user.userName} subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress responseSigned: true assertionSigned: true signatureAlgorithm: RSA_SHA256 digestAlgorithm: SHA256 honorForceAuthn: true authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport slo: enabled: true spIssuer: https://testorgone.okta.com logoutUrl: https://testorgone.okta.com/logout participateSlo: enabled: true logoutRequestUrl: https://testorgone.okta.com/logout/participate sessionIndexRequired: true bindingType: REDIRECT spCertificate: x5c: - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" assertionEncryption: enabled: true keyTransportAlgorithm: RSA_15 encryptionAlgorithm: AES256_GCM x5c: - "MIIC6jCCAdKgAwIBAgIGAZKbFN7JMA0GCSqGSIb3DQEBCwUAMDYxNDAyBgNVBAMM\r\n" requestCompressed: false allowMultipleAcsEndpoints: false acsEndpoints: [] attributeStatements: [] inlineHooks: - id: cal3ughy17pylLxQB357 _links: self: href: https://{yourOktaDomain}/api/v1/inlineHooks/cal3ughy17pylLxQB357 hints: allow: - GET - PUT - DELETE universalLogout: status: ENABLED supportType: FULL identityStack: NOT_SHARED protocol: GLOBAL_TOKEN_REVOCATION expressConfiguration: supportedCapabilities: - SSO - PROVISIONING - UNIVERSAL_LOGOUT enabledCapabilities: - SSO _links: logo: - name: medium href: https://testorgone.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png appLinks: - name: testorgone_customsaml20app_1_link href: 
https://testorgone.okta.com/home/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/aln1gofChJaerOVfY0g4 type: text/html help: href: https://testorgone-admin.okta.com/app/testorgone_customsaml20app_1/0oa1gjh63g214q0Hq0g4/setup/help/SAML_2_0/instructions type: text/html users: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/users deactivate: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/lifecycle/deactivate groups: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/groups metadata: href: https://testorgone.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4/sso/saml/metadata type: application/xml GetAssociatedLinkedObjectsResponse: summary: Retrieve all associated linked object values response value: - _links: self: href: https://{yourOktaDomain}/api/v1/users/00u5zex6ztMbOZhF50h7 - _links: self: href: https://{yourOktaDomain}/api/v1/users/00u1tsf0nQKavLDUh0g5 GetBrandResponse: value: id: bnd114iNkrcN6aR680g4 agreeToCustomPrivacyPolicy: false removePoweredByOkta: false customPrivacyPolicyUrl: null name: Okta Default isDefault: true locale: en emailDomainId: OeD114iNkrcN6aR680g4 defaultApp: appInstanceId: 0oa114iNkrcN6aR680g4 appLinkName: null classicApplicationUri: null _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 hints: allow: - GET - PUT - DELETE themes: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes hints: allow: - GET emailDomain: href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 hints: allow: - GET - PUT GetEmailTemplateResponse: value: name: UserActivation _embedded: customizationCount: 0 settings: recipients: ALL_USERS _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings hints: allow: - GET - PUT template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET _links: self: href: 
https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET settings: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings hints: allow: - GET - PUT defaultContent: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content hints: allow: - GET customizations: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations hints: allow: - GET - POST - DELETE test: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test hints: allow: - POST GetPrimaryLinkedObjectResponse: summary: Retrieve primary linked object value response value: - _links: self: href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 GetRealmAssignmentResponse: value: id: rul2jy7jLUlnO3ng00g4 status: ACTIVE name: Realm Assignment 1 created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' isDefault: false domains: - atko.com - user.com conditions: profileSourceId: 0oa4enoRyjwSCy5hx0g4 expression: value: string actions: assignUserToRealm: realmId: 00g1b7rvh0xPLKXFf0g5 priority: 0 _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 method: GET GetRoleAssignmentGovernanceGrantResources: value: resources: - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g114290ar1oCC5A0g5 label: test-group-1 - resource: orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5B0g5 label: test-group-2 _links: next: href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources?after=orn:okta:directory:00ozmkUsqWxsUxhGO0g3:groups:00g118990hl1oCC5A0g5 self: href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources GetRoleAssignmentGovernanceGrantResponse: value: type: ENTITLEMENT-BUNDLE 
grantId: grai2556vZgWesWf10g4 bundleId: enbhz2pAwtts9UBes0g4 expirationDate: '2024-12-09 14:17:22.0' _links: resources: href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources self: href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4 GetSessionResponse: value: id: aps1qqonvr2SZv6o70h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: CREATED importType: INCREMENTAL created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T16:15:44.000Z' GetThemeResponse: value: id: thdul904tTZ6kWVhP0g3 logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png favicon: https://{yourOktaDomain}/favicon.ico backgroundImage: null primaryColorHex: '#1662dd' primaryColorContrastHex: '#000000' secondaryColorHex: '#ebebed' secondaryColorContrastHex: '#000000' signInPageTouchPointVariant: OKTA_DEFAULT endUserDashboardTouchPointVariant: OKTA_DEFAULT errorPageTouchPointVariant: OKTA_DEFAULT emailTemplateTouchPointVariant: OKTA_DEFAULT loadingPageTouchPointVariant: OKTA_DEFAULT GetUseRoleGovernanceResponse: value: grants: - type: CUSTOM grantId: grai24zWTjnDazeOI0g4 _links: resources: href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai24zWTjnDazeOI0g4/resources - type: ENTITLEMENT-BUNDLE grantId: grai2556vZgWesWf10g4 bundleId: enbhz2pAwtts9UBes0g4 expirationDate: '2024-12-09 14:17:22.0' _links: resources: href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance/grai2556vZgWesWf10g4/resources _links: self: href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5/roles/KVJUKUS7IFCE2SKO/governance assignee: href: https://{yourOktaDomain}/api/v1/users/00u15r0i2hC4jeTne0g5 GetUserLinkedObjectResponse: summary: Retrieve user linked object value value: - _links: self: href:
https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 GetUserResponse: summary: Retrieve a user type response value: id: otyfnly5cQjJT9PnR0g4 displayName: New user type name: newUserType description: A new custom user type createdBy: sprz9fj1ycBcsgopy1d6 lastUpdatedBy: sprz9fj1ycBcsgopy1d6 created: '2021-07-05T20:40:38.000Z' lastUpdated: '2021-07-05T20:40:38.000Z' default: false _links: self: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 GetYubikeyOptTokenResponse: summary: Get YubiKey OTP token response value: id: ykkxdtCA1fKVxyu6R0g3 created: '2020-06-09T23:42:05.000Z' activated: '2020-06-09T23:47:29.000Z' lastVerified: '2020-06-09T23:47:29.000Z' lastUpdated: '2020-06-09T23:47:29.000Z' status: ACTIVE profile: serial: '000009508427' _links: self: href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 hints: allow: - DELETE GoogleIdPResponse: summary: Google IdP value: id: 0oa62bfdiumsUndnZ0h7 type: GOOGLE name: Google status: ACTIVE created: '2016-03-24T23:21:49.000Z' lastUpdated: '2016-03-24T23:21:49.000Z' protocol: type: OIDC endpoints: authorization: url: https://accounts.google.com/o/oauth2/auth binding: HTTP-REDIRECT token: url: https://www.googleapis.com/oauth2/v3/token binding: HTTP-POST scopes: - profile - email - openid credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: 
false maxClockSkew: 0 _links: authorize: href: |- https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7& client_id={clientId}&response_type={responseType}&response_mode={responseMode}& scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST GovernanceBundle: summary: Governance bundle value: id: 0bbfxqCAJWWGELFTYAAA name: Group admin bundle description: Group bundle for administrative access status: ACTIVE orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA _links: self: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements GovernanceBundleCreateRequestCustomRole: summary: Create governance bundle with custom role value: name: Custom admin bundle description: Custom bundle for administrative access entitlements: role: cr0WxyzJxGIr0ouum0g4 resourceSets: - iamoJDFKaJxGIr0oamd9g GovernanceBundleCreateRequestScopedStandardRole: summary: Create governance bundle with scoped standard role value: name: Group admin bundle description: Group bundle for administrative access entitlements: role: GROUP_MEMBERSHIP_ADMIN targets: - 00guaxWZ0AOa5NFAj0g3 GovernanceBundleCreateRequestStandardRole: summary: Create governance bundle with non-scoped standard role value: name: Group admin bundle description: Group bundle for administrative access entitlements: role: GROUP_MEMBERSHIP_ADMIN GovernanceBundleUpdateRequestCustomRole: summary: Update governance bundle with custom role value: name: Custom admin bundle description: Custom bundle for administrative access entitlements: role: cr0WxyzJxGIr0ouum0g4 resourceSets: - iamoJDFKaJxGIr0oamd9g GovernanceBundleUpdateRequestScopedStandardRole: summary: Update governance bundle with scoped standard role value: name: Group admin bundle 
description: Group bundle for administrative access entitlements: role: GROUP_MEMBERSHIP_ADMIN targets: - 00guaxWZ0AOa5NFAj0g3 GovernanceBundleUpdateRequestStandardRole: summary: Update governance bundle with non-scoped standard role value: name: Group admin bundle description: Group bundle for administrative access entitlements: role: GROUP_MEMBERSHIP_ADMIN GovernanceBundlesResponse: summary: List of governance bundles value: bundles: - id: 0bbfxqCAJWWGELFTYAAA name: Group admin bundle description: Group bundle for administrative access status: ACTIVE orn: orn:okta:governance:00o5rb5mt2H3d1TJd0h7:bundles:0bbfxqCAJWWGELFTYAAA _links: entitlements: http://your-subdomain.okta.com/api/v1/iam/governance/bundles/0bbfxqCAJWWGELFTYAAA/entitlements _links: self: href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?limit=2&after=10 next: href: http://your-subdomain.okta.com/api/v1/iam/governance/bundles?after=bundleId12 GroupAssignmentExListResponse: summary: Application groups list with embedded metadata value: - id: 00g15acRUy0SYb9GT0g4 priority: 0 lastUpdated: '2024-06-02T13:17:57.000Z' profile: preferredLanguage: English manager: Donald Glover securityQuestion: Who is the footballer to have played the game securityAnswer: Ronaldinho timezone: Canada/Eastern initialStatus: active_with_pass managerId: ike.ogb@gmail.com locale: en_US division: top organization: wazobia userType: null department: marketing _links: app: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 self: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 group: href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 _embedded: metadata: credentials: {} profile: division: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null preferredLanguage: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: 
http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null manager: source: type: MAPPING value: - id: null lastUpdated: null securityQuestion: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null securityAnswer: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null timezone: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null organization: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null initialStatus: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null managerId: source: type: MAPPING value: - id: null lastUpdated: null userType: source: type: MAPPING value: - id: null lastUpdated: null locale: source: type: USER value: - id: 00uzojLwDGgUynjJS0g3 self: href: http://{yourOktaDomain}/api/v1/users/00uzojLwDGgUynjJS0g3 lastUpdated: null department: source: type: MAPPING value: - id: null lastUpdated: null GroupAssignmentExResponse: summary: Application group response value: id: 00g15acRUy0SYb9GT0g4 priority: 0 lastUpdated: '2024-06-02T13:17:57.000Z' profile: preferredLanguage: English manager: Donald Glover securityQuestion: Who is the footballer to have played the game securityAnswer: Ronaldinho timezone: Canada/Eastern initialStatus: active_with_pass managerId: ike.ogb@gmail.com locale: en_US division: top organization: wazobia userType: null department: marketing _links: app: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 self: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 group: href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 
GroupAssignmentPatchRequestExample: summary: Update app group request value: - op: replace path: /profile/manager value: Carlo Ancelotti GroupAssignmentPatchResponseExample: summary: Update application group response value: id: 00g15acRUy0SYb9GT0g4 priority: 0 lastUpdated: '2024-06-03T13:42:20.000Z' profile: preferredLanguage: English securityQuestion: Who is the footballer to have played the game securityAnswer: Jay Jay Okocha timezone: Canada/Eastern initialStatus: active_with_pass managerId: ike.ogb@gmail.com locale: en_US division: top organization: null userType: null department: Accounting manager: Carlo Ancelotti _links: app: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 self: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 group: href: http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 GroupAssignmentPutRequestExample: summary: Assign application group request value: id: 00g15acRUy0SYb9GT0g4 profile: preferredLanguage: English manager: Arsene Wenger securityQuestion: Who is the footballer to have played the game securityAnswer: Jay Jay Okocha timezone: Canada/Eastern initialStatus: active_with_pass managerId: ike.ogb@gmail.com locale: en_US division: top organization: null userType: null department: Accounting GroupAssignmentPutResponseExample: summary: Assign application group response value: id: 00g15acRUy0SYb9GT0g4 priority: 0 lastUpdated: '2024-06-03T13:52:07.000Z' profile: preferredLanguage: English manager: Arsene Wenger securityQuestion: Who is the footballer to have played the game securityAnswer: Jay Jay Okocha timezone: Canada/Eastern initialStatus: active_with_pass managerId: ike.ogb@gmail.com locale: en_US division: top organization: null userType: null department: Accounting _links: app: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4 self: href: http://{yourOktaDomain}/api/v1/apps/0oa15anjcUHSI6hTB0g4/groups/00g15acRUy0SYb9GT0g4 group: href: 
http://{yourOktaDomain}/api/v1/groups/00g15acRUy0SYb9GT0g4 GroupMemberships: value: memberExternalIds: - USEREXT123456784C2IFA - USEREXT123456784C3IFB - USEREXT123456784C4IFC GroupSchemaAddRequest: value: definitions: custom: id: '#custom' type: object properties: groupContact: title: Group administrative contact description: Group administrative contact type: string required: false minLength: 1 maxLength: 20 permissions: - principal: SELF action: READ_WRITE required: [] GroupSchemaResponse: value: $schema: http://json-schema.org/draft-04/schema# _links: self: href: https://{yourOktaDomain}/api/v1/meta/schemas/group/default method: GET rel: self created: '2021-01-30T00:18:24.000Z' definitions: base: id: '#base' properties: {} required: - name type: object custom: id: '#custom' properties: groupContact: description: Group administrative contact master: type: PROFILE_MASTER mutability: READ_WRITE permissions: - action: READ_WRITE principal: SELF scope: NONE title: Group administrative contact type: string required: [] type: object description: Okta group profile template id: https://{yourOktaDomain}/meta/schemas/group/default lastUpdated: '2021-02-25T23:05:31.000Z' name: group properties: profile: allOf: - $ref: '#/definitions/custom' - $ref: '#/definitions/base' title: Okta group type: object GroupsPayload: value: externalId: GROUPEXT123456784C2IF profile: displayName: West Coast users description: All users West of The Rockies GroupsResponse: value: id: 00gsl4xM9ys8TdnbZ0g4 externalId: GROUPEXT123456784C2IF profile: displayName: West Coast users description: All users West of The Rockies IAMStandardRoleResponseClient: value: id: irb4jlodtdN4yJ88b0g7 role: ACCESS_REQUESTS_ADMIN label: Access Requests Administrator type: ACCESS_REQUESTS_ADMIN status: ACTIVE created: '2023-07-06T21:52:48.000Z' lastUpdated: '2023-07-06T21:52:48.000Z' assignmentType: CLIENT resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY _links: assignee: href: 
https://{yourOktaDomain}/api/v1/client/0oa5vymVNCe2cPEeZ0g4 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY role: href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb4jlomnnDBuBDyJ0g7 IAMStandardRoleResponseUser: value: id: irb1q92TFAHzySt3x0g4 role: ACCESS_REQUESTS_ADMIN label: Access Requests administrator type: ACCESS_REQUESTS_ADMIN status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: USER resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY role: href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_REQUESTS_ADMIN/permissions member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_REQUESTS_ADMIN/members/irb1q92TFAHzySt3x0g4 IAMStandardRolesListResponse: value: - id: IFIFAX2BIRGUSTQ label: Application administrator type: APP_ADMIN status: ACTIVE created: '2019-02-06T16:17:40.000Z' lastUpdated: '2019-02-06T16:17:40.000Z' assignmentType: USER _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 - id: irb1q92TFAHzySt3x0g4 role: cr0Yq6IJxGIr0ouum0g3 label: UserCreatorRole type: CUSTOM status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: USER resource-set: iamoJDFKaJxGIr0oamd9g _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 resource-set: href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 permissions: href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions - id: irb5e92YgBazyyQ3x1q5 role: ACCESS_CERTIFICATIONS_ADMIN label: Access Certifications administrator type: ACCESS_CERTIFICATIONS_ADMIN status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: USER resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 role: href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN permissions: href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions IAMStandardRolesListResponseClient: value: - id: irb5e92YgBazyyQ3x1q5 role: ACCESS_CERTIFICATIONS_ADMIN label: Access Certifications Administrator type: ACCESS_CERTIFICATIONS_ADMIN status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: CLIENT resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY _links: assignee: href: https://{yourOktaDomain}/api/v1/clients/0oa4ee9vgbIuqTUvd0g7 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 role: href: 
https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN permissions: href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions IAMStandardRolesListResponseGroup: value: - id: irb5e92YgBazyyQ3x1q5 role: ACCESS_CERTIFICATIONS_ADMIN label: Access Certifications Administrator type: ACCESS_CERTIFICATIONS_ADMIN status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: GROUP resource-set: ACCESS_CERTIFICATIONS_IAM_POLICY _links: assignee: href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/ACCESS_CERTIFICATIONS_IAM_POLICY/bindings/ACCESS_CERTIFICATIONS_ADMIN/members/irb1qe6PGuMc7Oh8N0g4 role: href: https://{yourOktaDomain}/api/v1/iam/roles/ACCESS_CERTIFICATIONS_ADMIN permissions: href: https://{yourOktaDomain}/api/v1/iam/permission-sets/OKTA_IAM_TEST_DELIVERED_ROLE/permissions IdPAppUserResponse: summary: IdP user value: id: 00u5t60iloOHN9pBi0h7 externalId: externalId created: '2017-12-19T17:30:16.000Z' lastUpdated: '2017-12-19T17:30:16.000Z' profile: profileUrl: null firstName: null lastName: null honorificSuffix: null displayName: null honorificPrefix: null middleName: null email: null _links: idp: href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7 self: href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdiumsUndnZ0h7/users/00u5t60iloOHN9pBi0h7 hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 IdPKeyCredentialRequest: summary: IdP key credential value: e: '65537' 'n':
'101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' x5c: - 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 x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE IdPKeyCredentialResponse: summary: IdP key credential value: kid: your-key-id created: '2016-01-03T18:15:47.000Z' lastUpdated: '2016-01-03T18:15:47.000Z' e: '65537' 'n': '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' kty: RSA use: sig x5c: - MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2
qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE IdPSigningKeyCredentialResponse: summary: IdP signing key credential value: created: '2015-12-10T18:56:23.000Z' expiresAt: '2017-12-10T18:56:22.000Z' kid: akm5hvbbevE341ovl0h7 kty: RSA use: sig x5c: - 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 x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE IncodeIDVResponse: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] summary: Incode as IdP value: id: 0oaf35tu47hnH9mlZ0w6 name: Incode IdP status: ACTIVE created: '2025-01-15T20:54:04.000Z' lastUpdated: '2025-01-15T20:54:05.000Z' protocol: type: ID_PROOFING endpoints: authorization: url: https://auth.incode.com/oauth2/authorize binding: HTTP-REDIRECT token: url: https://auth.incode.com/oauth2/token binding: HTTP-POST par: url: https://auth.incode.com/oauth2/par binding: HTTP-POST scopes: - openid - profile - identity_assurance credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: DISABLED profileMaster: false groups: null subject: userNameTemplate: template: source.userName filter: null matchType: USERNAME matchAttribute: null maxClockSkew: 0 type: IDV_INCODE _links: users: href: https://{yourOktaDomain}/api/v1/idps/0oaf35tu47hnH9mlZ0w6/users hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/idps/0oaf35tu47hnH9mlZ0w6/lifecycle/deactivate hints: allow: - POST InlineHookMgmtCreateHTTPRequest: summary: Create an inline hook with HTTP authentication value: name: Token hook with HTTP authentication type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: HTTP version: 1.0.0 config: uri: https://example.com/tokenHook headers: - key: x-any-key value: my-header-value method: POST authScheme: type: HEADER key: Authorization value: 
my-shared-secret InlineHookMgmtCreateHTTPResponse: summary: Inline hook with HTTP authentication response value: id: calb7gacafgwgE7hc5e4 status: ACTIVE name: Token hook with HTTP authentication type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: HTTP version: 1.0.0 config: uri: https://example.com/tokenHook headers: [] method: POST authScheme: type: header key: authorization created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: activate: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate hints: allow: - POST self: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 delete: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 hints: allow: - DELETE InlineHookMgmtCreateOAuthClientSecretRequest: summary: Create an inline hook with OAuth 2.0 Client Secret value: name: Registration hook with OAuth 2.0 Client Secret Post type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: OAUTH version: 1.0.0 config: authType: client_secret_post clientId: 0oaj43vkrq7wKxZSI5e6 clientSecret: b-iATvTu7sIocvhWx95S9kF.....vfZhM6q6khSaojLBejF21cUn5bPm9abi uri: https://example.com/tokenHook headers: [] method: POST tokenUrl: https://example.okta.com/oauth2/default/v1/token InlineHookMgmtCreateOAuthClientSecretResponse: summary: Inline hook with OAuth 2.0 Client Secret response value: id: calj4fythrqj5Bxol5e5 status: ACTIVE name: Registration hook with OAuth 2.0 Client Secret Post type: com.okta.user.pre-registration version: 1.0.0 channel: type: OAUTH version: 1.0.0 config: uri: https://example.com/registrationHook headers: [] method: POST authScheme: null clientId: 0oaj43vkrq7wKxZSI5e6 tokenUrl: https://subdomain.okta.com/oauth2/default/v1/token authType: client_secret_post scope: null created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: self: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 
execute: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute hints: allow: - POST deactivate: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate hints: allow: - POST InlineHookMgmtCreateOAuthPrivateKeyRequest: summary: Create an inline hook with OAuth 2.0 Private Key value: name: Token hook with OAuth 2.0 Private Key authentication type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: OAUTH version: 1.0.0 config: authType: private_key_jwt clientId: 0oaj43vkrq7wKxZSI5e6 hookKeyId: HKYj4ft1a3fjmwZg05e6 uri: https://example.com/tokenHook headers: - key: x-any-key value: my-header-value method: POST tokenUrl: https://example.okta.com/oauth2/default/v1/token InlineHookMgmtCreateOAuthPrivateKeyResponse: summary: Inline hook with OAuth 2.0 Private Key response value: id: calj4fythrqj5Bxol4ai6 status: ACTIVE name: Token Hook with OAuth 2.0 Private Key JWT type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: OAUTH version: 1.0.0 config: uri: https://example.com/tokenHook headers: [] method: POST authScheme: null clientId: 0oaj43vkrq7wKxZSI5d7 tokenUrl: https://subdomain.okta.com/oauth2/default/v1/token authType: private_key_jwt scope: null hookKeyId: HKYj4ft1a3fjmwZg05d6 created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: self: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 execute: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute hints: allow: - POST deactivate: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate hints: allow: - POST InlineHookMgmtHTTPexample: summary: An inline hook with HTTP authentication value: id: calb7gacafgwgE7hc5e4 status: ACTIVE name: Token hook with HTTP authentication type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: HTTP version: 1.0.0 config: uri: https://example.com/tokenHook headers: [] 
method: POST authScheme: type: header key: authorization created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: activate: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate hints: allow: - POST self: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 delete: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 hints: allow: - DELETE InlineHookMgmtHTTPexampleDeactivate: value: id: calb7gacafgwgE7hc5e4 status: INACTIVE name: Token hook with HTTP authentication type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: HTTP version: 1.0.0 config: uri: https://example.com/tokenHook headers: [] method: POST authScheme: type: header key: authorization created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: activate: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate hints: allow: - POST self: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 delete: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 hints: allow: - DELETE InlineHookMgmtOAuthCSPexample: summary: An inline hook example with OAuth 2.0 Client Secret Post value: id: calj4fythrqj5Bxol5e5 status: ACTIVE name: Registration hook with OAuth 2.0 Client Secret Post type: com.okta.user.pre-registration version: 1.0.0 channel: type: OAUTH version: 1.0.0 config: uri: https://example.com/registrationHook headers: [] method: POST authScheme: null clientId: 0oaj43vkrq7wKxZSI5e6 tokenUrl: https://subdomain.okta.com/oauth2/default/v1/token authType: client_secret_post scope: null created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: self: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 execute: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute hints: allow: - POST deactivate: href: 
https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate hints: allow: - POST InlineHookMgmtOauthPKJexample: summary: An inline hook example with OAuth 2.0 Private Key JWT value: id: calj4fythrqj5Bxol4ai6 status: ACTIVE name: Token Hook with OAuth 2.0 Private Key JWT type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: OAUTH version: 1.0.0 config: uri: https://example.com/tokenHook headers: [] method: POST authScheme: null clientId: 0oaj43vkrq7wKxZSI5d7 tokenUrl: https://subdomain.okta.com/oauth2/default/v1/token authType: private_key_jwt scope: null hookKeyId: HKYj4ft1a3fjmwZg05d6 created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: self: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 execute: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute hints: allow: - POST deactivate: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate hints: allow: - POST InlineHookMgmtPutHTTPRequest: summary: Update an inline hook name value: name: New name token hook with HTTP authentication version: 1.0.0 channel: type: HTTP version: 1.0.0 config: uri: https://example.com/tokenHook headers: - key: x-any-key value: my-header-value method: POST authScheme: type: HEADER key: Authorization value: my-shared-secret InlineHookMgmtPutResponse: value: id: calb7gacafgwgE7hc5e4 status: ACTIVE name: New name token hook with HTTP authentication type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: HTTP version: 1.0.0 config: uri: https://example.com/tokenHook headers: [] method: POST authScheme: type: header key: authorization created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: activate: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate hints: allow: - POST self: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 
delete: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 hints: allow: - DELETE description: Inline hook response with a new name InlineHookTelephony: value: channel: type: HTTP version: 1.0.0 config: uri: https://your-external-webservice/sendOtp headers: [] method: POST authScheme: type: HEADER key: x-telephony-key created: '2024-03-28T17:30:25.000Z' id: caldpyulr3nbET2du1d7 lastUpdated: '2024-05-07T16:35:18.000Z' name: testTelephonyHook status: ACTIVE type: com.okta.telephony.provider version: null _links: self: href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7 execute: href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/execute hints: allow: - POST deactivate: href: https://{yourOktaDomain}/api/v1/inlineHooks/caldpyulr3nbET2du1d7/lifecycle/deactivate hints: allow: - POST InlineHooktMgmtListAllexample: summary: List all inline hooks response value: - id: calb7gacafgwgE7hc5e4 status: ACTIVE name: Token hook with HTTP authentication type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: HTTP version: 1.0.0 config: uri: https://example.com/tokenHook headers: [] method: POST authScheme: type: header key: authorization created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: activate: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4/lifecycle/activate hints: allow: - POST self: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 delete: href: https://subdomain.okta.com/api/v1/inlineHooks/calb7gacafgwgE7hc5e4 hints: allow: - DELETE - id: calj4fythrqj5Bxol5e5 status: ACTIVE name: Registration hook with OAuth 2.0 Client Secret Post type: com.okta.user.pre-registration version: 1.0.0 channel: type: OAUTH version: 1.0.0 config: uri: https://example.com/registrationHook headers: [] method: POST authScheme: null clientId: 0oaj43vkrq7wKxZSI5e6 tokenUrl: https://subdomain.okta.com/oauth2/default/v1/token authType: 
client_secret_post scope: null created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: self: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5 execute: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/execute hints: allow: - POST deactivate: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol5e5/lifecycle/activate hints: allow: - POST - id: calj4fythrqj5Bxol4ai6 status: ACTIVE name: Token Hook with OAuth 2.0 Private Key JWT type: com.okta.oauth2.tokens.transform version: 1.0.0 channel: type: OAUTH version: 1.0.0 config: uri: https://example.com/tokenHook headers: [] method: POST authScheme: null clientId: 0oaj43vkrq7wKxZSI5d7 tokenUrl: https://subdomain.okta.com/oauth2/default/v1/token authType: private_key_jwt scope: null hookKeyId: HKYj4ft1a3fjmwZg05d6 created: '2024-08-22T21:01:09.000Z' lastUpdated: '2024-09-05T16:06:09.000Z' _links: self: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6 execute: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/execute hints: allow: - POST deactivate: href: https://subdomain.okta.com/api/v1/inlineHooks/calj4fythrqj5Bxol4ai6/lifecycle/activate hints: allow: - POST InterclientTrustMappingResponse: summary: Create an interclient target and allowed app mapping response value: - id: itmahqusSr3v8Kk3B0g5 orgId: 00o102n9p4vX126Gp0g5 appInstanceId: 0oa8ghelqWXs70qD80g5 trustedAppInstanceId: 0oa5kw6q51dFckBE70g5 created: '2025-11-25T22:44:06.000Z' lastUpdated: '2025-11-25T22:44:06.000Z' lastUpdatedBy: 00u102rhXmxEGFKiB0g5 InvalidRotateUse: summary: Invalid use value: errorCode: E0000001 errorSummary: 'Api validation failed: rotateKeys' errorLink: E0000001 errorId: oaeprak9qKHRlaWiclJ4oPJRQ errorCauses: - errorSummary: Invalid value specified for key 'use' parameter InvalidWellKnownAppleAppSiteRepresentationError: summary: apple-app-site-association representation contains authsrv value: errorCode: 
E0000001 errorSummary: 'Api validation failed: representation' errorLink: E0000001 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: - errorSummary: Content must not include any `authsrv` customization. InvalidWellKnownArrayTypeError: summary: Invalid content type for assetlinks.json value: errorCode: E0000001 errorSummary: 'Api validation failed: representation' errorLink: E0000001 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: - errorSummary: Content must be a JSON array of objects. InvalidWellKnownJsonTypeError: summary: Invalid content type for apple-app-site-association and webauthn value: errorCode: E0000001 errorSummary: 'Api validation failed: representation' errorLink: E0000001 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: - errorSummary: Content must be a JSON object. InvalidWellKnownWebauthnRepresentationError: summary: webauthn representation doesn't contain origins value: errorCode: E0000001 errorSummary: 'Api validation failed: representation' errorLink: E0000001 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: - errorSummary: Content must only contain `origins`. InvalidWellKnownWebauthnRepresentationOriginStringError: summary: webauthn representation - `origins` must be array of strings value: errorCode: E0000001 errorSummary: 'Api validation failed: representation' errorLink: E0000001 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: - errorSummary: The `origins` must be an array of strings. 
KeyCredentialExample: summary: Key credential example value: created: '2015-12-10T18:56:23.000Z' lastUpdated: '2024-08-13T18:26:57.000Z' expiresAt: '2017-12-10T18:56:22.000Z' x5c: - 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 e: AQAB 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 kty: RSA use: sig x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps LinkIdPAppUserResponse: summary: Linked IdP user value: id: 00ub0oNGTSWTBKOLGLNR externalId: '121749775026145' created: '2017-03-30T02:19:51.000Z' lastUpdated: '2017-03-30T02:19:51.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7/users/00ub0oNGTSWTBKOLGLNR hints: allow: - GET - DELETE idp: href: https://{yourOktaDomain}/api/v1/idps/0oa62b57p7c8PaGpU0h7 user: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR ListAIAgentsResponse: summary: List of AI agents value: data: - id: wlpx9jQ16k9V8IFEL0g3 created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' status: ACTIVE appId: 0oab1234EXAMPLEID5d6 profile: name: Demo Agent description: Demo Agent _links: self: rel: self href: https://your-subdomain.okta.com/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3 method: GET _links: self: rel: self href: https://your-subdomain.okta.com/workload-principals/api/v1/ai-agents?limit=1 next: rel: next href: https://your-subdomain.okta.com/workload-principals/api/v1/ai-agents?after=wlpx9jQ16k9V8IFEL0&limit=1 ListAllAgentPoolUpdatesResponse: summary: List all agent pool updates value: - id: poolId1 name: testSchedule agentType: AD agents: latestGAedVersion: true id: a533eu8npxdZ60Mvf5s6 type: AD 
operationalStatus: OPERATIONAL updateStatus: Scheduled updateMessage: Queued for update. version: 3.20.0 lastConnection: 1750462090000 isLatestGAedVersion: true poolId: 0oa3eu7ekG8tjbD9J5s6 name: N079-H069 isHidden: false enabled: true schedule: cron: 0 1 * * THU timezone: America/Los_Angeles duration: 420 notifyAdmin: true status: Scheduled targetVersion: 3.20.0 _links: self: href: /api/v1/agentPools/poolId1/updates ListAllAgentPoolsResponse: summary: List all agent pools value: - disruptedAgents: 0 inactiveAgents: 1 operationalStatus: OPERATIONAL id: poolId1 name: region1A.dc type: AD agents: id: agentId1 state: ACTIVE message: Agent connection is live indicator: green name: WIN-region1A-dc version: 3.18.0 upgradeRequired: false active: true supportAutoUpdate: true errorState: true isHidden: false isLatestGAedVersion: false lastConnection: 1628263766000 operationalStatus: OPERATIONAL poolId: poolId1 updateMessage: Queued for update. _links: self: href: /api/v1/agentPools/poolId1 ListAllKeyCredentialsExample: summary: List all key credentials example value: - created: '2015-12-10T18:56:23.000Z' lastUpdated: '2024-08-13T18:26:57.000Z' expiresAt: '2017-12-10T18:56:22.000Z' x5c: - 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 e: AQAB 'n': mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ kid: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 kty: RSA use: sig x5t#S256": 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps - created: '2015-12-10T18:55:35.000Z' lastUpdated: '2024-08-13T18:26:57.000Z' expiresAt: '2045-01-23T02:15:23.000Z' x5c: - 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 e: AQAB 'n': 
htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw kid: mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo kty: RSA use: sig x5t#S256": 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ ListAllKeysResponse: summary: List all keys response example value: - id: HKY1i2htmXF5UNQhL0g4 keyId: bb5bed7d-6e4d-488f-9c86-59b93a2bb3fb name: My new key created: '2022-08-22T16:34:33.000Z' lastUpdated: '2022-08-22T16:34:33.000Z' isUsed: 'true' - id: HKY1p7jWLndGQV9M60g4 keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad name: Test key created: '2022-08-31T18:09:58.000Z' lastUpdated: '2022-08-31T18:09:58.000Z' isUsed: 'false' ListAppGrantsEx: summary: List all app grants example value: - id: oag91n9ruw3dsaXzP0h6 status: ACTIVE created: '2023-02-21T16:54:00.000Z' createdBy: id: 00u6eltha0nrSc47i0h7 type: User lastUpdated: '2023-02-21T16:54:00.000Z' issuer: '{yourOktaDomain}' clientId: '{clientId}' scopeId: okta.users.read source: ADMIN _embedded: scope: id: okta.users.read _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} title: Application name self: href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oag91n9ruw3dsaXzP0h6 hints: allow: - GET - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} title: Client name - id: oaghm3sh9ukdkvDmO0h6 status: ACTIVE created: '2023-02-03T21:57:49.000Z' createdBy: id: 00u6eltha0nrSc47i0h7 type: User lastUpdated: '2023-02-03T21:57:49.000Z' issuer: '{yourOktaDomain}' clientId: '{clientId}' scopeId: okta.apps.manage source: ADMIN _embedded: scope: id: okta.apps.manage _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} title: Application name self: href: https://{yourOktaDomain}/api/v1/apps/{appId}/grants/oaghm3sh9ukdkvDmO0h6 
hints: allow: - GET - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} title: Client name ListAppLinks: value: - id: 00ub0oNGTSWTBKOLGLNR label: Google Apps Mail linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/50 logoUrl: https://{yourOktaDomain}/img/logos/google-mail.png appName: google appInstanceId: 0oa3omz2i9XRNSRIHBZO appAssignmentId: 0ua3omz7weMMMQJERBKY credentialsSetup: false hidden: false sortOrder: 0 - id: 00ub0oNGTSWTBKOLGLNR label: Google Apps Calendar linkUrl: https://{yourOktaDomain}/home/google/0oa3omz2i9XRNSRIHBZO/54 logoUrl: https://{yourOktaDomain}/img/logos/google-calendar.png appName: google appInstanceId: 0oa3omz2i9XRNSRIHBZO appAssignmentId: 0ua3omz7weMMMQJERBKY credentialsSetup: false hidden: false sortOrder: 1 - id: 00ub0oNGTSWTBKOLGLNR label: Box linkUrl: https://{yourOktaDomain}/home/boxnet/0oa3ompioiQCSTOYXVBK/72 logoUrl: https://{yourOktaDomain}/img/logos/box.png appName: boxnet appInstanceId: 0oa3ompioiQCSTOYXVBK appAssignmentId: 0ua3omx46lYEZLPPRWBO credentialsSetup: false hidden: false sortOrder: 3 - id: 00ub0oNGTSWTBKOLGLNR label: Salesforce.com linkUrl: https://{yourOktaDomain}/home/salesforce/0oa12ecnxtBQMKOXJSMF/46 logoUrl: https://{yourOktaDomain}/img/logos/salesforce_logo.png appName: salesforce appInstanceId: 0oa12ecnxtBQMKOXJSMF appAssignmentId: 0ua173qgj5VAVOBQMCVB credentialsSetup: true hidden: false sortOrder: 2 ListAppServiceAccounts: value: - id: a747a818-a4c4-4446-8a87-704216495a08 name: salesforce Prod-1 account description: This is for accessing salesforce Prod-1 username: testuser-salesforce-1@example.com containerOrn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 containerInstanceName: salesforce-1 containerGlobalName: salesforce ownerGroupIds: - 00g57qp78yZT2XBA40g7 ownerUserIds: - 00u11s48P9zGW8yqm0g5 status: NO_ISSUES statusDetail: ROTATED created: '2024-04-04T15:56:05.000Z' lastUpdated: '2024-04-05T18:15:44.000Z' - id: 
a747a818-a4c4-4446-8a87-704216495a09 name: salesforce Prod-5 account description: This is for accessing salesforce Prod-5 username: testuser-salesforce-5@example.com containerOrn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 containerInstanceName: salesforce-5 containerGlobalName: salesforce ownerGroupIds: - 00g57qp78yZT2XBA40g7 ownerUserIds: - 00u11s48P9zGW8yqm0g5 status: NO_ISSUES statusDetail: ROTATED created: '2024-04-04T15:56:05.000Z' lastUpdated: '2024-04-05T18:15:44.000Z' summary: List app service accounts ListAssocAuthServerResponse: summary: List associated authorization servers value: - id: '{authorizationServerId}' name: Sample Authorization Server description: Sample Authorization Server description audiences: - https://api.resource.com issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: CUSTOM_URL status: ACTIVE created: '2023-05-17T22:25:57.000Z' lastUpdated: '2023-05-17T22:25:57.000Z' credentials: signing: rotationMode: DYNAMIC lastRotated: '2023-05-17T22:25:57.000Z' nextRotation: '2023-08-15T22:25:57.000Z' kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 use: sig _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - DELETE ListAuthServersResponse: summary: List all custom authorization servers in your org value: - id: '{authorizationServerId}' name: Sample Authorization Server description: Sample Authorization Server description audiences: - https://api.resource.com issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: ORG_URL status: ACTIVE created: '2023-05-17T22:25:57.000Z' lastUpdated: '2023-05-17T22:25:57.000Z' credentials: signing: rotationMode: AUTO lastRotated: '2023-05-17T22:25:57.000Z' nextRotation: '2023-08-15T22:25:57.000Z' kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 _links: scopes: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - GET claims: href: 
https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET policies: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies hints: allow: - GET self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - DELETE - PUT metadata: - name: oauth-authorization-server href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server hints: allow: - GET - name: openid-configuration href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration hints: allow: - GET rotateKey: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate hints: allow: - POST deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate hints: allow: - POST ListAuthorizationServerKeys: summary: All credential keys value: - status: ACTIVE alg: RS256 e: AQAB 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc kty: RSA use: sig _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc hints: allow: - GET - status: NEXT alg: RS256 e: AQAB 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 
FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo kty: RSA use: sig _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo hints: allow: - GET - status: EXPIRED alg: RS256 e: AQAB 'n': lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7U GLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap - CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvp dMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu - DYhT0hmyFc wn - tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ kid: h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU kty: RSA use: sig _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU hints: allow: - GET ListAuthorizationServerPolicies: summary: List authorization server policies value: - type: OAUTH_AUTHORIZATION_POLICY id: 00palyaappA22DPkj0h7 status: ACTIVE name: Vendor2 Policy description: Vendor2 policy description priority: 1 system: false conditions: clients: include: - ALL_CLIENTS created: '2017-05-26T19:43:53.000Z' lastUpdated: '2017-06-07T15:28:17.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/lifecycle/deactivate hints: allow: - POST rules: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies/00palyaappA22DPkj0h7/rules hints: allow: - GET ListAuthorizationServerPolicyRules: summary: List authorization server policy rules value: - type: RESOURCE_ACCESS id: 0prbsjfyl01zfSZ9K0h7 status: ACTIVE name: Default Policy Rule priority: 1 created: 
'2017-08-25T16:57:02.000Z' lastUpdated: '2017-08-30T14:51:05.000Z' system: false conditions: people: users: include: [] exclude: [] groups: include: - EVERYONE exclude: [] grantTypes: include: - implicit - client_credentials - authorization_code - password scopes: include: - '*' actions: token: accessTokenLifetimeMinutes: 60 refreshTokenLifetimeMinutes: 0 refreshTokenWindowMinutes: 10080 inlineHook: id: cal4egvp1mbMldrYN0g7 _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authServerId}/policies/{policyId}/rules/0prbsjfyl01zfSZ9K0h7/lifecycle/deactivate hints: allow: - POST ListBrandsResponse: value: - id: bnd114iNkrcN6aR680g4 name: Okta Default isDefault: true agreeToCustomPrivacyPolicy: false removePoweredByOkta: false customPrivacyPolicyUrl: null locale: en emailDomainId: OeD114iNkrcN6aR680g4 defaultApp: appInstanceId: 0oa114iNkrcN6aR680g4 appLinkName: null classicApplicationUri: null _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 hints: allow: - GET - PUT - DELETE themes: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes hints: allow: - GET emailDomain: href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 hints: allow: - GET - PUT ListClientsResponse: summary: List all client resources for which an authorization server has tokens value: - client_id: '{clientId}' client_name: My Web App client_uri: null logo_uri: null _links: client: href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} title: My Web App tokens: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens hints: allow: - GET - DELETE ListCustomTokenClaimsResponse: summary: List all custom token claims for an authorization server value: - id: '{claimId}' name: sub status: ACTIVE 
claimType: RESOURCE valueType: EXPRESSION value: '(appuser != null) ? appuser.userName : app.clientId' conditions: scopes: - profile system: true alwaysIncludeInToken: true apiResourceId: null _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} hints: allow: - GET - PUT - DELETE ListEmailCustomizationResponse: value: - language: en isDefault: true subject: Welcome to ${org.name}! body:

Hello, ${user.profile.firstName}. Click here to activate your account. id: oel11u6DqUiMbQkpl0g4 created: '2021-11-09T20:38:10.000Z' lastUpdated: '2021-11-11T20:38:10.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4 hints: allow: - GET - PUT - DELETE template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET preview: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel11u6DqUiMbQkpl0g4/preview hints: allow: - GET test: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test hints: allow: - POST ListEmailTemplateResponse: value: - name: UserActivation _embedded: customizationCount: 0 settings: recipients: ALL_USERS _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings hints: allow: - GET - PUT template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET settings: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/settings hints: allow: - GET - PUT defaultContent: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content hints: allow: - GET customizations: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations hints: allow: - GET - POST - DELETE test: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test hints: allow: - POST ListFactorsResults: summary: List of enrolled factors for the specified user value: - id: ufs2bysphxKODSZKWVCT factorType: question provider: OKTA vendorName: OKTA status: ACTIVE created: '2014-04-15T18:10:06.000Z' lastUpdated: 
'2014-04-15T18:10:06.000Z' profile: question: favorite_art_piece questionText: What is your favorite piece of art? _links: questions: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions hints: allow: - GET self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ufs2bysphxKODSZKWVCT hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET - id: ostf2gsyictRQDSGTDZE factorType: token:software:totp provider: OKTA status: PENDING_ACTIVATION created: '2014-06-27T20:27:33.000Z' lastUpdated: '2014-06-27T20:27:33.000Z' profile: credentialId: dade.murphy@example.com _links: next: name: activate href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/ostf2gsyictRQDSGTDZE hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET _embedded: activation: timeStep: 30 sharedSecret: HE64TMLL2IUZW2ZLB encoding: base32 keyLength: 16 - id: sms2gt8gzgEBPUWBIFHN factorType: sms provider: OKTA status: ACTIVE created: '2014-06-27T20:27:26.000Z' lastUpdated: '2014-06-27T20:27:26.000Z' profile: phoneNumber: +1-555-415-1337 _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN/verify hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/sms2gt8gzgEBPUWBIFHN hints: allow: - GET - DELETE user: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL hints: allow: - GET ListFeatureDependenciesResponse: summary: List all dependencies for a feature value: - id: ftrZooGoT8b41iWRiQs7 description: Example feature description name: Example feature name stage: state: OPEN value: EA status: ENABLED type: self-service _links: self: hints: allow: - POST href: 
https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 dependents: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents dependencies: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies ListFeatureDependentsResponse: summary: List all feature dependents for the specified feature value: - id: ftrZooGoT8b41iWRiQs7 description: Example feature description name: Example feature name stage: state: OPEN value: EA status: ENABLED type: self-service _links: self: hints: allow: - POST href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 dependents: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents dependencies: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies ListFeaturesResponse: summary: List all self-service features for your org value: - id: ftrZooGoT8b41iWRiQs7 description: Example feature description name: Example feature name stage: state: CLOSED value: BETA status: DISABLED type: self-service _links: self: hints: allow: - POST href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 dependents: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents dependencies: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies ListGroupPushMappingsResponse_Example: value: - created: '2025-01-01T00:00:00Z' errorSummary: '' id: gPm00000000000000000 lastPush: '2025-01-01T00:00:00Z' lastUpdated: '2025-01-01T00:00:00Z' sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupId: 00g00000000000000001 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 - created: '2025-01-02T00:00:00Z' errorSummary: '' id: gPm00000000000000001 lastPush: '2025-01-02T00:00:00Z' lastUpdated: '2025-01-02T00:00:00Z' 
sourceGroupId: 00g00000000000000002 status: INACTIVE targetGroupId: 00g00000000000000003 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000002 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000003 ListGroupPushMappingsResponse_ExampleWithActiveFilter: value: - created: '2025-01-01T00:00:00Z' errorSummary: '' id: gPm00000000000000000 lastPush: '2025-01-01T00:00:00Z' lastUpdated: '2025-01-01T00:00:00Z' sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupId: 00g00000000000000001 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 ListIdPUsersResponse: summary: List of linked IdP users value: - id: 00u5cl9lo7nMjHjPr0h7 externalId: '109912936038778' created: '2015-11-03T19:10:11.000Z' lastUpdated: '2015-11-03T19:11:49.000Z' profile: firstName: Carol middleName: Lee lastName: Johnson email: carol_johnson@tfbnw.net displayName: Carol Johnson profile: https://www.facebook.com/app_scoped_user_id/109912936038778/ _links: self: href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7/users/00u5cl9lo7nMjHjPr0h7 hints: allow: - GET - DELETE idp: href: https://{yourOktaDomain}/api/v1/idps/0oa4lb6lbtmH355Hx0h7 user: href: https://{yourOktaDomain}/api/v1/users/00u5cl9lo7nMjHjPr0h7 ListInterclientAllowedAppsResponse: summary: List interclient allowed apps example value: - 0oa1elyw9EAkUNUrW0g5 - 0oa5mihmA6vMpXcm50g5 - 0oa89ks1irGAcYwXw0g5 ListInterclientTargetAppsResponse: summary: List interclient target apps value: - 0oa1elyw9EAkUNUrW0g5 - 0oa5mihmA6vMpXcm50g5 - 0oa89ks1irGAcYwXw0g5 ListLinkedObjects: summary: List all linked object definitions value: - primary: name: manager title: manager description: Manager link property type: USER associated: name: 
subordinate title: subordinate description: Subordinate link property type: USER _links: self: href: http://your-subdomain.okta.com/api/v1/meta/schemas/user/linkedObjects/manager ListLogs: summary: List all System Log events value: - actor: id: 00uttidj01jqL21aM1d6 type: User alternateId: john.doe@example.com displayName: John Doe detailEntry: null client: userAgent: rawUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 os: Mac OS X browser: CHROME zone: null device: Computer id: null ipAddress: 10.0.0.1 geographicalContext: city: New York state: New York country: United States postalCode: 10013 geolocation: lat: 40.3157 lon: -74.01 device: id: guofdhyjex1feOgbN1d9 name: Mac15,6 os_platform: OSX os_version: 14.6.0 managed: false registered: true device_integrator: null disk_encryption_type: ALL_INTERNAL_VOLUMES screen_lock_type: BIOMETRIC jailbreak: null secure_hardware_present: true authenticationContext: authenticationProvider: null credentialProvider: null credentialType: null issuer: null interface: null authenticationStep: 0 rootSessionId: idxBager62CSveUkTxvgRtonA externalSessionId: idxBager62CSveUkTxvgRtonA displayMessage: User login to Okta eventType: user.session.start outcome: result: SUCCESS reason: null published: '2024-08-13T15:58:20.353Z' securityContext: asNumber: 394089 asOrg: ASN 0000 isp: google domain: null isProxy: false severity: INFO debugContext: debugData: requestId: ab609228fe84ce59cdcbfa690bcce016 requestUri: /idp/idx/authenticators/poll url: /idp/idx/authenticators/poll legacyEventType: core.user_auth.login_success transaction: type: WEB id: ab609228fe84ce59cdcbfa690bgce016 detail: null uuid: dc9fd3c0-598c-11ef-8478-2b7584bf8d5a version: 0 request: ipChain: - ip: 10.0.0.1 geographicalContext: city: New York state: New York country: United States postalCode: 10013 geolocation: lat: 40.3157 lon: -74.01 version: V4 source: null target: - id: pfdfdhyjf0HMbkP2e1d7 
type: AuthenticatorEnrollment alternateId: unknown displayName: Okta Verify detailEntry: null - id: 0oatxlef9sQvvqInq5d6 type: AppInstance alternateId: Okta Admin Console displayName: Okta Admin Console detailEntry: null ListMappingsResponse: summary: List all profile mappings response value: - id: prm1k47ghydIQOTBW0g4 source: id: otysbePhQ3yqt4cVv0g3 name: user type: user _links: self: href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 target: id: 0oa1qmn4LZQQEH0wZ0g4 name: okta_org2org type: appuser _links: self: href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default _links: self: href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 ListOAuth2ResourceServerJsonWebKeys: summary: All OAuth2 Resource Server JSON Web Keys value: - status: ACTIVE id: apk40n33xfjbPaf6D0g5 e: AQAB 'n': g0MirhrysJMPm_wK45jvMbbyanfhl-jmTBv0o69GeifPaISaXGv8LKn3-CyJvUJcjjeHE17KtumJWVxUDRzFqtIMZ1ctCZyIAuWO0n LKilg7_EIDXJrS8k14biqkPO1lXGFwtjo3zLHeFSLw6sWf-CEN9zv6Ff3IAXb-RMYpfh-bVrxIgWsWCxjLW-UKI3la-gs0nWHH2PJr5HLJuI JIOL5HLJuIJIOLWahqTnm_r1LSCSYr6N4C-fh--w2_BW8DzTHalBYe76bNr0d7AqtR4tGazmrvrc79Wa2bjyxmhhN1u9jSaZQqq-3VZEod8q3, WHH2PJ5v1LoXniJQ4a2W8nDVqb6h4E8MUKYOpljTfQ kid: RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc kty: RSA use: enc created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/resourceservercredentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc hints: allow: - GET - status: INACTIVE id: apk33a45xfjbDfg6D0g5 e: AQAB 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe 
M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo kty: RSA use: enc created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/resourceservercredentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo hints: allow: - GET ListOfSecurityEventsProviderInstances: summary: List of security events providers value: - id: sse1qg25RpusjUP6m0g5 name: Security Events Provider with well-known URL type: okta status: ACTIVE settings: well_known_url: https://example.okta.com/.well-known/ssf-configuration issuer: Issuer jwks_url: https://example.okta.com/jwks/path _links: self: href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 hints: allow: - GET - PUT - DELETE deactivate: href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate hints: allow: - POST - id: sse1qu4fUtsoD12iF0g5 name: Security Events Provider with an issuer and a JWKS URL type: okta status: ACTIVE settings: issuer: Issuer jwks_url: https://example.okta.com/jwks/path _links: self: href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5 hints: allow: - GET - PUT - DELETE deactivate: href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate hints: allow: - POST ListRealmAssignmentsResponse: value: - id: rul2jy7jLUlnO3ng00g4 status: ACTIVE name: Realm Assignment 1 created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' isDefault: false domains: - atko.com - user.com conditions: profileSourceId: 0oa4enoRyjwSCy5hx0g4 expression: value: user.profile.role ==\"Manager\" actions: assignUserToRealm: realmId: 00g1b7rvh0xPLKXFf0g5 priority: 0 _links: self: rel: self href: 
http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO3ng00g4 method: GET - id: rul2jy7jLUlnO5ng00g4 status: ACTIVE name: Catch-all created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' isDefault: true domains: - atko.com - user.com conditions: profileSourceId: 0oa4enoRyjwSCy6hx0g4 expression: value: string actions: assignUserToRealm: realmId: 00g1b7rvh0xPLKXFf2g5 priority: 499 _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/realm-assignments/rul2jy7jLUlnO5ng00g4 method: GET ListRealmAwareUsersResponse: summary: List all users value: - id: 00u118oQYT4TBGuay0g4 status: ACTIVE created: '2022-04-04T15:56:05.000Z' activated: null statusChanged: null lastLogin: '2022-05-04T19:50:52.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' passwordChanged: '2022-04-04T16:00:22.000Z' type: id: oty1162QAr8hJjTaq0g4 profile: firstName: Alice lastName: Smith mobilePhone: null secondEmail: null login: alice.smith@example.com email: alice.smith@example.com realmId: guo1afiNtSnZYILxO0g4 credentials: password: {} provider: type: OKTA name: OKTA _links: self: href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 ListRealmsResponse: value: - id: guox9jQ16k9V8IFEL0g3 created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' isDefault: false profile: name: Car Co realmType: PARTNER domains: - atko.com - user.com _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 method: GET ListRefreshTokensClientsResponse: summary: List all refresh tokens for a client value: - id: '{refreshTokenId}' status: ACTIVE created: '2023-09-21T19:59:56.000Z' lastUpdated: '2023-09-21T20:00:38.000Z' expiresAt: '2023-09-28T20:00:38.000Z' issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} client_id: '{clientId}' userId: '{userId}' scopes: - offline_access - openid _embedded: scopes: - id: '{scopeId}' name: openid displayName: openid description: Signals that a request is an 
OpenID request _links: scope: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} title: openid - id: '{scopeID}' name: offline_access displayName: Keep you signed in to the app description: This keeps you signed in to the app, even when you aren't using it. _links: scope: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} title: Keep you signed in to the app _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} title: My Web App authorizationServer: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} title: Authorization Server name self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} revoke: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} hints: allow: - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} title: My Web App user: href: https://{yourOktaDomain}/api/v1/users/{userId} title: Joe User ListRiskProviderResponse: summary: List risk provider response example value: - id: 00rp12r4skkjkjgsn action: log_only name: Risk-Partner-X clientId: 00ckjsfgjkdkjdkkljjsd created: '2021-01-05 22:18:30' lastUpdated: '2021-01-05 22:18:30' _links: self: href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn hints: allow: - GET - PUT ListServiceAccounts: summary: List service accounts with mixed account types value: - accountType: APP_ACCOUNT description: This is for accessing AWS Prod-5 id: a747a818-a4c4-4446-8a87-704216495a08 name: AWS Prod-5 account ownerGroupIds: - 00g57qp78yZT2XBA40g7 ownerUserIds: - 00u11s48P9zGW8yqm0g5 status: NO_ISSUES statusDetail: ROTATED created: '2023-04-04T15:56:05.000Z' lastUpdated: '2023-05-05T18:15:44.000Z' details: credentials: username: testuser@example.com oktaApplicationId: aln1aqcs055ZRoizW0g8 appInstanceName: AWS Prod-5 
appGlobalName: AWS Account Federation - accountType: OKTA_USER_ACCOUNT description: Shared admin account for managing AD integrations id: d1b65a78-21ed-429b-8ea3-eec96f2748d6 name: AD Integrations Admin ownerGroupIds: - 00g57qp78yZT2XBA40g7 ownerUserIds: - 00u11s48P9zGW8yqm0g5 status: INFO statusDetail: ROTATING created: '2023-04-04T15:56:05.000Z' lastUpdated: '2023-05-05T18:15:44.000Z' details: credentials: username: shr-ad-admin-01@example.com email: shr-ad-admin-01@example.com oktaUserId: 00u11s48P9zGW8yqm0g5 ListSessionsResponseForGetSessions: value: - id: aps1qqonvr2SZv6o70h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: CREATED importType: INCREMENTAL created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T16:15:44.000Z' - id: aps1quck606ngubVq0h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: TRIGGERED importType: INCREMENTAL created: '2022-04-04T16:56:05.000Z' lastUpdated: '2022-05-05T17:15:44.000Z' - id: aps1qzy2acb5jDlUc0h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: IN_PROGRESS importType: INCREMENTAL created: '2022-04-04T17:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' - id: aps1qqne8c1JHkMdF0h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: EXPIRED importType: INCREMENTAL created: '2022-04-04T18:56:05.000Z' lastUpdated: '2022-05-05T19:15:44.000Z' - id: aps1qqonvr2SZv6o70h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: CLOSED importType: INCREMENTAL created: '2022-04-04T19:56:05.000Z' lastUpdated: '2022-05-05T20:15:44.000Z' ListThemesResponse: value: - id: thdul904tTZ6kWVhP0g3 logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png favicon: https://{yourOktaDomain}/favicon.ico backgroundImage: null primaryColorHex: '#1662dd' primaryColorContrastHex: '#000000' secondaryColorHex: '#ebebed' secondaryColorContrastHex: '#000000' signInPageTouchPointVariant: OKTA_DEFAULT endUserDashboardTouchPointVariant: OKTA_DEFAULT errorPageTouchPointVariant: OKTA_DEFAULT emailTemplateTouchPointVariant: OKTA_DEFAULT 
loadingPageTouchPointVariant: OKTA_DEFAULT ListUISchemaResponse: summary: Lists all UI schemas response value: - id: uis4a7liocgcRgcxZ0g7 uiSchema: type: Group label: Sign in buttonLabel: Submit elements: - type: Control scope: '#/properties/firstName' label: First name options: format: text - type: Control scope: '#/properties/lastName' label: Last name options: format: text - type: Control scope: '#/properties/email' label: Email options: format: text - type: Control scope: '#/properties/countryCode' label: Country code options: format: select - type: Control scope: '#/properties/bool2' label: bool2 options: format: checkbox - type: Control scope: '#/properties/date' label: date options: format: text - type: Control scope: '#/properties/enum' label: enum options: format: radio created: '2022-07-25T12:56:31.000Z' lastUpdated: '2022-07-26T11:53:59.000Z' _links: self: href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 hints: allow: - GET - PUT - DELETE - id: uis4abjqkkKXVPGAU0g7 uiSchema: type: Group label: Sign in 2 buttonLabel: Submit elements: - type: Control scope: '#/properties/firstName' label: First name options: format: text - type: Control scope: '#/properties/lastName' label: Last name options: format: text - type: Control scope: '#/properties/email' label: Email options: format: text - type: Control scope: '#/properties/countryCode' label: Country code options: format: select - type: Control scope: '#/properties/bool2' label: bool2 options: format: checkbox - type: Control scope: '#/properties/date' label: date - type: Control scope: '#/properties/enum' label: enum options: format: radio created: '2022-07-25T12:56:31.000Z' lastUpdated: '2022-07-26T11:53:59.000Z' _links: self: href: https://example.com/api/v1/meta/uischemas/uis4abjqkkKXVPGAU0g7 hints: allow: - GET - PUT - DELETE ListUserBlocksAnyDevicesResponse: value: - type: DEVICE_BASED appliesTo: ANY_DEVICES ListUserBlocksUnknownDevicesResponse: value: - type: DEVICE_BASED appliesTo: 
UNKNOWN_DEVICES ListUserClients: value: - client_id: 0oabskvc6442nkvQO0h7 client_name: My App client_uri: null logo_uri: null _links: grants: href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants tokens: href: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens ListUserGroups: value: - id: 0gabcd1234 profile: name: Cloud app users description: Users can access cloud apps - id: 0gefgh5678 profile: name: Internal app users description: Users can access internal apps ListUsersFieldsResponse: summary: List all users with API projections description: Response for query fields=status,profile:(firstName,city) value: - id: 00u1xke1apZnmHgpB1d7 status: ACTIVE profile: firstName: Alice city: Chicago - id: 00u269cmneNMFHCH51d7 status: ACTIVE profile: firstName: Bob city: New York ListUsersResponse: null ListUsersFilterResponse: summary: List all users with a filter description: Filtered response with filter=status+eq%22LOCKED_OUT%22 value: - id: 00u3m5wrdPjJYUFb81d6 status: LOCKED_OUT created: '2020-10-22T15:15:30.000Z' activated: '2020-10-22T15:15:30.000Z' statusChanged: '2020-10-22T16:09:13.000Z' lastLogin: null lastUpdated: '2020-10-22T16:09:13.000Z' passwordChanged: '2020-10-22T15:15:30.000Z' type: id: oty2di92xFgQTiKEJ1d6 profile: firstName: John lastName: Richards mobilePhone: null secondEmail: null login: johnrichards@example.com email: johnrichards@example.com credentials: password: {} emails: - value: johntest@example.com status: VERIFIED type: PRIMARY provider: type: IMPORT name: IMPORT _links: self: href: https://{yourOktaDomain}/api/v1/users/00u3m5wrdPjJYUFb81d6 ListUsersQResponse: summary: Find a user (q) description: Response for query q=john value: - id: 00u3ojhmm3cCa3a221d7 status: ACTIVE created: '2022-05-13T20:05:39.000Z' activated: '2022-05-13T20:05:41.000Z' statusChanged: '2022-05-13T20:05:41.000Z' lastLogin: null lastUpdated: '2022-05-13T20:05:41.000Z' 
passwordChanged: '2022-05-13T20:05:41.000Z' type: id: oty2di92xFgQTiKEJ1d6 profile: firstName: Tony lastName: Johnson mobilePhone: null secondEmail: null login: tony.johnson@example.com email: tony.johnson@example.com credentials: password: {} emails: - value: tony.johnson@example.com status: VERIFIED type: PRIMARY provider: type: OKTA name: OKTA _links: self: href: https://{yourOktaDomain}/api/v1/users/00u3ojhmm3cCa3a221d7 - id: 00u3m5wrdPjJYUFb81d6 status: LOCKED_OUT created: '2020-10-22T15:15:30.000Z' activated: '2020-10-22T15:15:30.000Z' statusChanged: '2020-10-22T16:09:13.000Z' lastLogin: null lastUpdated: '2020-10-22T16:09:13.000Z' passwordChanged: '2020-10-22T15:15:30.000Z' type: id: oty2di92xFgQTiKEJ1d6 profile: firstName: John lastName: Mclean mobilePhone: null secondEmail: null login: johnmclean@example.com email: johnmclean@example.com credentials: password: {} emails: - value: johnmclean@example.com status: VERIFIED type: PRIMARY provider: type: IMPORT name: IMPORT _links: self: href: https://{yourOktaDomain}/api/v1/users/00u3m5wrdPjJYUFb81d6 - id: 00u3ojdzgjrAhuYGg1d7 status: ACTIVE created: '2022-05-13T20:06:20.000Z' activated: '2022-05-13T20:06:22.000Z' statusChanged: '2022-05-13T20:06:22.000Z' lastLogin: null lastUpdated: '2022-05-13T20:06:22.000Z' passwordChanged: '2022-05-13T20:06:21.000Z' type: id: oty2di92xFgQTiKEJ1d6 profile: firstName: Jack lastName: Phillips mobilePhone: null secondEmail: null login: john.j.phillips@example.com email: john.j.phillips@example.com credentials: password: {} emails: - value: john.j.phillips@example.com status: VERIFIED type: PRIMARY provider: type: OKTA name: OKTA _links: self: href: https://{yourOktaDomain}/api/v1/users/00u3ojdzgjrAhuYGg1d7 ListUsersResponse: summary: List all users value: - id: 00u118oQYT4TBTemp0g4 status: ACTIVE created: '2022-04-04T15:56:05.000Z' activated: null statusChanged: null lastLogin: '2022-05-04T19:50:52.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' passwordChanged: 
'2022-04-04T16:00:22.000Z' type: id: oty1162QAr8hJjTaq0g4 profile: firstName: Alice lastName: Smith mobilePhone: null secondEmail: null login: alice.smith@example.com email: alice.smith@example.com credentials: password: {} provider: type: OKTA name: OKTA _links: self: href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 ListUsersSearchResponse: summary: List all users with search description: Response for search=profile.department%20eq%20%22Engineering%22 value: - id: 00u1xke1apZnmHgpB1d7 status: STAGED created: '2021-11-17T16:11:16.000Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2022-05-24T15:39:09.000Z' passwordChanged: null type: id: oty2di92xFgQTiKEJ1d6 profile: firstName: Ben lastName: Richler mobilePhone: null secondEmail: '' department: Engineering login: ben.richler@example.com email: ben.richler@example.com - id: 00u269cmneNMFHCH51d7 status: PROVISIONED created: '2021-12-17T15:16:55.000Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2022-05-24T15:38:04.000Z' passwordChanged: '2021-12-17T15:16:56.000Z' type: id: oty2di92xFgQTiKEJ1d6 profile: firstName: Janice lastName: Benson mobilePhone: null secondEmail: null department: Engineering login: janice.benson@gmail.com email: janice.benson@gmail.com ListYubikeyOptTokensResponse: summary: List YubiKey OTP token response value: - id: ykkwcx13nrDq8g4oy0g3 created: '2020-01-14T21:53:09.000Z' lastVerified: '2020-01-14T21:53:06.000Z' lastUpdated: '2020-01-14T21:53:09.000Z' status: UNASSIGNED profile: serial: '000003632071' _links: self: href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkwcx13nrDq8g4oy0g3 hints: allow: - GET - DELETE - id: ykkxdtCA1fKVxyu6R0g3 created: '2020-06-09T23:42:05.000Z' activated: '2020-06-09T23:47:29.000Z' lastVerified: '2020-06-09T23:47:29.000Z' lastUpdated: '2020-06-09T23:47:29.000Z' status: ACTIVE profile: serial: '000009508427' _links: self: href: 
https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkxdtCA1fKVxyu6R0g3 hints: allow: - GET user: href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3 hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/users/00uu0x8sxTr9HcHOo0g3/factors/ykfxduQAhl89YyPrV0g3 hints: allow: - DELETE ListsAllUserTypes: summary: Lists all user types value: - id: otyfnly5cQjJT9PnR0g4 displayName: New user type name: newUserType description: A new custom user type createdBy: sprz9fj1ycBcsgopy1d6 lastUpdatedBy: sprz9fj1ycBcsgopy1d6 created: '2021-07-05T20:40:38.000Z' lastUpdated: '2021-07-05T20:40:38.000Z' default: false _links: self: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 - id: otyz9fj2jMiRBC1ZT1d6 displayName: User name: user description: Okta user profile template with default permission settings createdBy: sprz9fj1ycBcsgopy1d6 lastUpdatedBy: sprz9fj1ycBcsgopy1d6 created: '2021-07-05T20:40:38.000Z' lastUpdated: '2021-07-05T20:40:38.000Z' default: true _links: self: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 ListsOwnerOneResponse: summary: Lists a response with one owner value: - id: 00g1gae1k0znUcLuU0h8 type: GROUP resolved: true originId: 'null' originType: OKTA_DIRECTORY displayName: Product & Engineering lastUpdated: '2023-03-29 18:18:37.0' ListsOwnersMultipleResponse: summary: Lists a response with multiple owners value: - id: 00u1cmbqjkkmFXeqb0h8 type: USER resolved: true originId: 'null' originType: OKTA_DIRECTORY displayName: Mabel Mora lastUpdated: '2023-03-29T18:30:58.000Z' - id: 00u1cmc52x5B86cnZ0h8 type: USER resolved: true originId: 'null' originType: OKTA_DIRECTORY displayName: Cinda Canning lastUpdated: '2023-03-29T18:30:55.000Z' LogStreamActivateResponse: summary: Activate log stream 
response value: id: 0oa1orqUGCIoCGNxf0g4 type: aws_eventbridge name: Example AWS EventBridge lastUpdated: '2023-03-24T21:22:43.000Z' created: '2023-03-24T21:02:43.000Z' status: ACTIVE settings: accountId: '123456789012' eventSourceName: your-event-source-name region: us-east-2 _links: self: href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 method: GET deactivate: href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate method: POST LogStreamDeactivateResponse: summary: Deactivate log stream response value: id: 0oa7agphh5FT7H521d7 type: splunk_cloud_logstreaming name: Splunk Cloud Example lastUpdated: '2023-03-24T21:23:00.000Z' created: '2023-03-24T21:15:13.000Z' status: INACTIVE settings: edition: aws host: okexample.splunkcloud.com _links: self: href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7 method: GET activate: href: http://{yourOktaDomain}/api/v1/logStreams/0oa7agphh5FT7H521d7/lifecycle/activate method: POST LogStreamGetAllResponse: summary: Lists all log streams value: - id: 0oa1orqUGCIoCGNxf0g4 type: aws_eventbridge name: Example AWS EventBridge lastUpdated: '2023-03-24T21:02:43.000Z' created: '2023-03-24T21:02:43.000Z' status: ACTIVE settings: accountId: '123456789012' eventSourceName: your-event-source-name region: us-east-2 _links: self: href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 method: GET deactivate: href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate method: POST LogStreamPostRequest: summary: Create an AWS EventBridge log stream value: type: aws_eventbridge name: Example AWS EventBridge settings: eventSourceName: your-event-source-name accountId: '123456789012' region: us-east-2 LogStreamPostResponse: summary: AWS EventBridge log stream response value: id: 0oa1orqUGCIoCGNxf0g4 type: aws_eventbridge name: Example AWS EventBridge lastUpdated: '2023-03-24T21:02:43.000Z' created: '2023-03-24T21:02:43.000Z' status: ACTIVE 
settings: accountId: '123456789012' eventSourceName: your-event-source-name region: us-east-2 _links: self: href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 method: GET deactivate: href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate method: POST LogStreamPutRequest: summary: Replace AWS EventBridge name value: type: aws_eventbridge name: Updated AWS EventBridge settings: eventSourceName: your-event-source-name accountId: '123456789012' region: us-east-2 LogStreamPutResponse: summary: Replace AWS EventBridge name response value: id: 0oa1orqUGCIoCGNxf0g4 type: aws_eventbridge name: Updated AWS EventBridge lastUpdated: '2023-03-24T21:12:43.000Z' created: '2023-03-24T21:02:43.000Z' status: ACTIVE settings: accountId: '123456789012' eventSourceName: your-event-source-name region: us-east-2 _links: self: href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4 method: GET deactivate: href: http://{yourOktaDomain}/api/v1/logStreams/0oa1orqUGCIoCGNxf0g4/lifecycle/deactivate method: POST LogStreamSchemaAws: value: $schema: https://json-schema.org/draft/2020-12/schema $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge title: AWS EventBridge type: object properties: settings: description: Configuration properties specific to AWS EventBridge type: object properties: accountId: title: AWS Account ID description: Your Amazon AWS Account ID. type: string writeOnce: true pattern: ^\d{12}$ eventSourceName: title: AWS Event Source Name description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. type: string writeOnce: true pattern: ^[\.\-_A-Za-z0-9]{1,75}$ region: title: AWS Region description: The destination AWS region for your system log events. type: string writeOnce: true oneOf: - title: US East (Ohio) const: us-east-2 - title: US East (N. Virginia) const: us-east-1 - title: US West (N. 
California) const: us-west-1 - title: US West (Oregon) const: us-west-2 - title: Canada (Central) const: ca-central-1 - title: Europe (Frankfurt) const: eu-central-1 - title: Europe (Ireland) const: eu-west-1 - title: Europe (London) const: eu-west-2 - title: Europe (Paris) const: eu-west-3 - title: Europe (Milan) const: eu-south-1 - title: Europe (Stockholm) const: eu-north-1 required: - eventSourceName - accountId - region errorMessage: properties: accountId: Account number must be 12 digits. eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. name: title: Name description: A name for this log stream in Okta type: string writeOnce: false pattern: ^.{1,100}$ required: - name - settings errorMessage: properties: name: Name can't exceed 100 characters. LogStreamSchemaList: value: - $schema: https://json-schema.org/draft/2020-12/schema $id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/aws_eventbridge title: AWS EventBridge type: object properties: settings: description: Configuration properties specific to AWS EventBridge type: object properties: accountId: title: AWS Account ID description: Your Amazon AWS Account ID. type: string writeOnce: true pattern: ^\d{12}$ eventSourceName: title: AWS Event Source Name description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge. type: string writeOnce: true pattern: ^[\.\-_A-Za-z0-9]{1,75}$ region: title: AWS Region description: The destination AWS region for your system log events. type: string writeOnce: true oneOf: - title: US East (Ohio) const: us-east-2 - title: US East (N. Virginia) const: us-east-1 - title: US West (N. 
California) const: us-west-1 - title: US West (Oregon) const: us-west-2 - title: Canada (Central) const: ca-central-1 - title: Europe (Frankfurt) const: eu-central-1 - title: Europe (Ireland) const: eu-west-1 - title: Europe (London) const: eu-west-2 - title: Europe (Paris) const: eu-west-3 - title: Europe (Milan) const: eu-south-1 - title: Europe (Stockholm) const: eu-north-1 required: - eventSourceName - accountId - region errorMessage: properties: accountId: Account number must be 12 digits. eventSourceName: Event source name can use numbers, letters, the symbols ".", "-" or "_". It must use fewer than 76 characters. name: title: Name description: A name for this log stream in Okta type: string writeOnce: false pattern: ^.{1,100}$ required: - name - settings errorMessage: properties: name: Name can't exceed 100 characters. - $schema: https://json-schema.org/draft/2020-12/schema id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming title: Splunk Cloud type: object properties: settings: description: Configuration properties specific to Splunk Cloud type: object properties: host: title: Host description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com' type: string writeOnce: false pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ token: title: HEC Token description: The token from your Splunk Cloud HTTP Event Collector (HEC). type: string writeOnce: false pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' required: - host - token errorMessage: properties: host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' name: title: Name description: A name for this log stream in Okta type: string writeOnce: false pattern: ^.{1,100}$ required: - name - settings errorMessage: properties: name: Name can't exceed 100 characters. 
LogStreamSchemaSplunk: value: $schema: https://json-schema.org/draft/2020-12/schema id: http://{yourOktaDomain}/api/v1/meta/schemas/logStream/splunk_cloud_logstreaming title: Splunk Cloud type: object properties: settings: description: Configuration properties specific to Splunk Cloud type: object properties: host: title: Host description: 'The domain for your Splunk Cloud instance without http or https. For example: acme.splunkcloud.com' type: string writeOnce: false pattern: ^([a-z0-9]+(-[a-z0-9]+)*){1,100}\.splunkcloud(gc|fed)?\.com$ token: title: HEC Token description: The token from your Splunk Cloud HTTP Event Collector (HEC). type: string writeOnce: false pattern: '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}' required: - host - token errorMessage: properties: host: 'Host should be a domain without http or https. For example: acme.splunkcloud.com' name: title: Name description: A name for this log stream in Okta type: string writeOnce: false pattern: ^.{1,100}$ required: - name - settings errorMessage: properties: name: Name can't exceed 100 characters. 
LogTargetChangeDetails: summary: Example of the `changeDetails` property on the target value: from: vpnLocationOptions: DISABLED vpnSettingsZones: include: null exclude: null to: message: You must use a VPN to connect to this application vpnLocationOptions: ZONE vpnSettingsZones: include: - ALL_ZONES exclude: null MembershipPayload: value: memberExternalId: USEREXT123456784C2IFA MicrosoftIdPResponse: summary: Microsoft IdP value: id: 0oajmvdFawBih4gey0g3 type: MICROSOFT name: Microsoft status: ACTIVE created: '2016-03-29T16:47:36.000Z' lastUpdated: '2016-03-29T16:47:36.000Z' protocol: type: OIDC endpoints: authorization: url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize binding: HTTP-REDIRECT token: url: https://login.microsoftonline.com/common/oauth2/v2.0/token binding: HTTP-POST scopes: - openid - email - profile - https://graph.microsoft.com/User.Read credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: |- https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3& client_id={clientId}&response_type={responseType}&response_mode={responseMode}& scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST MultipleIdPCsrsResponse: summary: IdP CSRs value: - id: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 created: '2017-03-28T01:11:10.000Z' csr: 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 kty: RSA _links: self: href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 hints: 
allow: - GET - DELETE publish: href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish hints: allow: - POST - id: '-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg' created: '2017-03-28T01:21:10.000Z' csr: MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4= kty: RSA _links: self: href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg hints: allow: - GET - DELETE publish: href: https://{yourOktaDomain}/api/v1/idps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg/lifecycle/publish hints: allow: - POST MultipleIdPKeyCredentialsResponse: summary: IdP key credentials value: - kid: your-key-id created: '2016-01-03T18:15:47.000Z' lastUpdated: '2016-01-03T18:15:47.000Z' e: '65537' 'n': 
'101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' kty: RSA use: sig x5c: - MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 x5t#S256: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE - kty: EC created: '2020-04-24T20:51:20.000Z' lastUpdated: '2020-04-24T20:51:20.000Z' expiresAt: '2040-03-01T20:22:29.000Z' alg: EC x5c: - 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 x: Vv5Rh5de5ig7Qg-A-4HDGGDloMlkxp6PDE3nwzgAQPD3XXrLE7G364LhePRpYupQs62WgCoYb4CDXN0erf3WJXg 'y': 
ATeVjosChw6gt73EOR6CBc1xK4_l8NzXHlH0YdNeXji8ugk4tIuwxs5dUxcheips8PNNJhTLbhoV2_hbgtnFbpqT crv: P-521 kid: your-kid use: sig x5t#S256: TUx-AIwypm2pZURHNqafk7ZDxqQP_ypzIyUwDDnPOlw MultipleIdPSigningKeyCredentialsResponse: summary: IdP signing key credentials value: - created: '2015-12-10T18:56:23.000Z' expiresAt: '2017-12-10T18:56:22.000Z' x5c: - MIIDqDCCApCgAwIBAgIGAVGNQFX5MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODU1MjJaFw0xNzEyMTAxODU2MjJaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJjrcnI6cXBiXNq9YDgfYrQe2O5qEHG4MXP8Ue0sMeefFkFEHYHnHUeZCq6WTAGqR+1LFgOl+Eq9We5V+qNlGIfkFkQ3iHGBrIALKqLCd0Et76HicDiegz7j9DtN+lo0hG/gfcw5783L5g5xeQ7zVmCQMkFwoUA0uA3bsfUSrmfORHJL+EMNQT8XIXD8NkG4g6u7ylHVRTLgXbe+W/p04m3EP6l41xl+MhIpBaPxDsyUvcKCNwkZN3aZIin1O9Y4YJuDHxrM64/VtLLp0sC05iawAmfsLunF7rdJAkWUpPn+xkviyNQ3UpvwAYuDr+jKLUdh2reRnm1PezxMIXzBVMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEARnFIjyitrCGbleFr3KeAwdOyeHiRmgeKupX5ZopgXtcseJoToUIinX5DVw2fVZPahqs0Q7/a0wcVnTRpw6946qZCwKd/PvZ1feVuVEA5Ui3+XvHuSH5xLp7NvYG1snNEvlbN3+NDUMlWj2NEbihowUBt9+UxTpQO3+N08q3aZk3hOZ+tHt+1Te7KEEL/4CM28GZ9MY7fSrS7MAgp1+ZXtn+kRlMrXnQ49qBda37brwDRqmSY9PwNMbev3r+9ZHwxr9W5wXW4Ev4C4xngA7RkVoyDbItSUho0I0M0u/LHuppclnXrw97xyO5Z883eIBvPVjfRcxsJxXJ8jx70ATDskw== kid: akm5hvbbevE341ovl0h7 kty: RSA use: sig x5t#S256: 5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps - created: '2015-12-10T18:55:35.000Z' expiresAt: '2045-01-23T02:15:23.000Z' x5c: - 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 kid: akm5hvbn1vojA9Fsa0h7 kty: RSA use: sig x5t#S256: 7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ MultipleIdPsResponse: summary: Multiple IdPs value: - id: 
0oa62b57p7c8PaGpU0h7 type: FACEBOOK name: Facebook status: ACTIVE created: '2016-03-24T23:18:27.000Z' lastUpdated: '2016-03-24T23:18:27.000Z' protocol: type: OAUTH2 endpoints: authorization: url: https://www.facebook.com/dialog/oauth binding: HTTP-REDIRECT token: url: https://graph.facebook.com/v2.5/oauth/access_token binding: HTTP-POST scopes: - public_profile - email credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62b57p7c8PaGpU0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST - id: 0oa62bc8wppPw0UGr0h7 type: SAML2 name: Example SAML IdP status: ACTIVE created: '2016-03-24T23:14:54.000Z' lastUpdated: '2016-03-24T23:14:54.000Z' protocol: type: SAML2 endpoints: sso: url: https://idp.example.com binding: HTTP-POST destination: https://idp.example.com acs: binding: HTTP-POST type: INSTANCE algorithms: request: signature: algorithm: SHA-256 scope: REQUEST response: signature: algorithm: SHA-256 scope: ANY settings: nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified credentials: trust: issuer: https://idp.example.com audience: http://www.okta.com/123 kid: your-key-id additionalKids: - additional-key-id policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: 
saml.subjectNameId filter: (\S+@example\.com) matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: metadata: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml type: application/xml hints: allow: - GET acs: href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 type: application/xml hints: allow: - POST users: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate hints: allow: - POST - id: 0oa62bfdiumsUndnZ0h7 type: GOOGLE name: Google status: ACTIVE created: '2016-03-24T23:21:49.000Z' lastUpdated: '2016-03-24T23:21:49.000Z' protocol: type: OIDC endpoints: authorization: url: https://accounts.google.com/o/oauth2/auth binding: HTTP-REDIRECT token: url: https://www.googleapis.com/oauth2/v3/token binding: HTTP-POST scopes: - profile - email - openid credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdiumsUndnZ0h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST - id: 0oa62bfdjnK55Z5x80h7 type: LINKEDIN name: LinkedIn status: ACTIVE created: '2016-03-24T23:23:59.000Z' lastUpdated: '2016-03-24T23:23:59.000Z' protocol: type: OAUTH2 endpoints: authorization: url: https://www.linkedin.com/uas/oauth2/authorization binding: HTTP-REDIRECT token: url: 
https://www.linkedin.com/uas/oauth2/accessToken binding: HTTP-POST scopes: - r_basicprofile - r_emailaddress credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oa62bfdjnK55Z5x80h7&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST - id: 0oajmvdFawBih4gey0g3 type: MICROSOFT name: Microsoft status: ACTIVE created: '2016-03-29T16:47:36.000Z' lastUpdated: '2016-03-29T16:47:36.000Z' protocol: type: OIDC endpoints: authorization: url: https://login.microsoftonline.com/common/oauth2/v2.0/authorize binding: HTTP-REDIRECT token: url: https://login.microsoftonline.com/common/oauth2/v2.0/token binding: HTTP-POST scopes: - openid - email - profile - https://graph.microsoft.com/User.Read credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.userPrincipalName filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oajmvdFawBih4gey0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state} templated: true hints: allow: - GET clientRedirectUri: 
href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST - id: 0oaulob4BFVa4zQvt0g3 type: OIDC name: Example OpenID Connect IdP status: ACTIVE created: '2019-02-07T20:07:47.000Z' lastUpdated: '2019-02-07T20:07:47.000Z' protocol: type: OIDC endpoints: authorization: url: https://idp.example.com/authorize binding: HTTP-REDIRECT token: url: https://idp.example.com/token binding: HTTP-POST userInfo: url: https://idp.example.com/userinfo binding: HTTP-REDIRECT jwks: url: https://idp.example.com/keys binding: HTTP-REDIRECT scopes: - openid issuer: url: https://idp.example.com credentials: client: client_id: your-client-id client_secret: your-client-secret policy: provisioning: action: AUTO profileMaster: false groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.email filter: null matchType: USERNAME matchAttribute: null mapAMRClaims: false maxClockSkew: 0 _links: authorize: href: https://{yourOktaDomain}/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} templated: true hints: allow: - GET clientRedirectUri: href: https://{yourOktaDomain}/oauth2/v1/authorize/callback hints: allow: - POST - id: 0oa6jxasyhwM2ZHJh0g4 type: X509 name: Smart Card IDP Name status: ACTIVE created: '2020-01-07T00:19:27.000Z' lastUpdated: '2020-01-07T00:19:27.000Z' properties: additionalAmr: - sc - hwk - pin - mfa protocol: type: MTLS endpoints: sso: url: https://{yourOktaDomain}.okta.com/login/cert credentials: trust: issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US audience: null kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc revocation: CRL revocationCacheLifetime: 2880 policy: provisioning: action: DISABLED profileMaster: false groups: null subject: userNameTemplate: template: idpuser.subjectAltNameEmail filter: 
null matchType: EMAIL matchAttribute: null mapAMRClaims: false maxClockSkew: 0 _links: deactivate: href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate hints: allow: - POST users: href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users hints: allow: - GET keys: href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc hints: allow: - GET NextAuthorizationServerKey: summary: Next authorization server key value: status: NEXT alg: RS256 e: AQAB 'n': l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK 3 HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37 - XDIDb0XG - R8DOoOHLJPTpsgH - rJe M5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX - 0 TmG5yjSj7ek05txcpxIqYu - 7 FIGT0KKvXge_BOSEUlJpBhLKU28 OtsOnmc3NLIGXB - GeDiUZiBYQdPR - myB4ZoQ kid: Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo kty: RSA use: sig _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/keys/Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo hints: allow: - GET NumberMatchingChallengeRequest: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] value: useNumberMatchingChallenge: true NzErrorApiValidationFailed: summary: API Validation Failed value: errorCode: E0000003 errorSummary: The request body was not well-formed. 
errorLink: E0000003 errorId: samplewNxQUR9iohr4QYlD0eg errorCauses: [] NzErrorResourceNotFound: summary: Resource Not Found value: errorCode: E0000007 errorSummary: 'Not found: Resource not found: itd (NetworkZone)' errorLink: E0000007 errorId: samplejCSVaKFDkCMElmKQ errorCauses: [] OAuth2AuthSettings: summary: OAuth2 auth settings example value: authType: OAUTH2 oAuth2Settings: authorizeEndpoint: https://example.com/oauth/authorize tokenEndpoint: https://example.com/oauth/token clientId: client123 clientSecret: secret456 scopes: - scope1 - scope2 OAuth2RefreshTokenResponseEx: summary: OAuth 2.0 refresh token example value: id: oar579Mcp7OUsNTlo0g3 status: ACTIVE created: '2023-03-09T03:18:06.000Z' lastUpdated: '2023-03-09T03:18:06.000Z' expiresAt: '2023-03-16T03:18:06.000Z' issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 clientId: 0oabskvc6442nkvQO0h7 userId: 00u5t60iloOHN9pBi0h7 scopes: - offline_access - car:drive _embedded: scopes: - id: scppb56cIl4GvGxy70g3 name: offline_access description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication _links: scope: href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 title: offline_access - id: scp142iq2J8IGRUCS0g4 name: car:drive displayName: Drive car description: Allows the user to drive a car _links: scope: href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 title: Drive car _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 title: Native self: href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 revoke: href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 hints: allow: - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 title: Example Client App user: href: 
https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 title: Saml Jackson authorizationServer: href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 title: Example Authorization Server OAuth2RefreshTokenResponseListEx: summary: App refresh token list example value: - id: oar579Mcp7OUsNTlo0g3 status: ACTIVE created: '2023-03-09T03:18:06.000Z' lastUpdated: '2023-03-09T03:18:06.000Z' expiresAt: '2023-03-16T03:18:06.000Z' issuer: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 clientId: 0oabskvc6442nkvQO0h7 userId: 00u5t60iloOHN9pBi0h7 scopes: - offline_access - car:drive _embedded: scopes: - id: scppb56cIl4GvGxy70g3 name: offline_access description: Requests a refresh token by default and is used to obtain more access tokens without re-prompting the user for authentication _links: scope: href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 title: offline_access - id: scp142iq2J8IGRUCS0g4 name: car:drive displayName: Drive car description: Allows the user to drive a car _links: scope: href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scp142iq2J8IGRUCS0g4 title: Drive car _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 title: Native self: href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 revoke: href: https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3 hints: allow: - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/0oabskvc6442nkvQO0h7 title: Example Client App user: href: https://{yourOktaDomain}/api/v1/users/00upcgi9dyWEOeCwM0g3 title: Saml Jackson authorizationServer: href: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 title: Example Authorization Server OAuth2ResourceServerJsonWebKey: summary: JSON Web Key example value: id: apk2f4zrZbs8nUa7p0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B 
kty: RSA alg: RS256 use: enc e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: INACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: delete: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/resourceservercredentials/keys/RQ8DuhdxCczyMvy7GNJb4Ka3lQ99vrSo3oFBUiZjzzc/lifecycle/delete hints: allow: - DELETE OktaIntegrationIdpResponse: summary: Okta Integration IdP value: id: 0oazzok2vl5aeUH0B0g4 type: OKTA_INTEGRATION name: Example Okta Integration IdP status: ACTIVE created: '2025-02-07T20:07:47.000Z' lastUpdated: '2025-02-07T20:07:47.000Z' protocol: type: OIDC endpoints: authorization: url: https://idp.example.com/oauth2/v1/authorize binding: HTTP-REDIRECT token: url: https://idp.example.com/oauth2/v1/token binding: HTTP-POST userInfo: url: https://idp.example.com/oauth2/v1/userinfo binding: HTTP-REDIRECT jwks: url: https://idp.example.com/oauth2/v1/keys binding: HTTP-REDIRECT scopes: - openid - email - profile issuer: url: https://idp.example.com credentials: client: token_endpoint_auth_method: private_key_jwt client_id: your-client-id pkce_required: 'true' policy: provisioning: action: AUTO profileMaster: false groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.email filter: '' matchType: USERNAME matchAttribute: '' trustClaims: true maxClockSkew: 0 _links: authorize: href: https://idp.example.com/oauth2/v1/authorize?idp=0oaulob4BFVa4zQvt0g3&client_id={clientId}&response_type={responseType}&response_mode={responseMode}&scope={scopes}&redirect_uri={redirectUri}&state={state}&nonce={nonce} templated: true hints: allow: - GET clientRedirectUri: href: https://idp.example.com/oauth2/v1/authorize/callback hints: allow: - POST OktaSupportCase: summary: Org Support case value: impersonation: status: ENABLED expiration: '2024-01-24T11:13:14.000Z' selfAssigned: status: 
NOT_REQUIRED OktaSupportCases: summary: Org Support cases value: - impersonation: status: ENABLED expiration: '2024-01-24T11:13:14.000Z' selfAssigned: status: REQUESTED subject: Reset admin password caseNumber: '1000001' - impersonation: status: REQUESTED expiration: null selfAssigned: status: NOT_REQUIRED subject: Review IP restriction configuration caseNumber: '1000002' OpenidConnectEx: summary: OPENID_CONNECT value: name: oidc_client label: Sample Client profile signOnMode: OPENID_CONNECT credentials: oauthClient: token_endpoint_auth_method: client_secret_post profile: label: oauth2 client app 1 settings: oauthClient: client_uri: http://localhost:8080 logo_uri: http://developer.okta.com/assets/images/logo-new.png redirect_uris: - https://example.com/oauth2/callback - myapp://callback response_types: - token - id_token - code grant_types: - authorization_code application_type: native participate_slo: false OpenidConnectPutEx: summary: OPENID_CONNECT value: name: oidc_client label: Sample Client profile updated signOnMode: OPENID_CONNECT OpenidConnectPutResponseEx: summary: OPENID_CONNECT value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false 
hide: iOS: true web: true appLinks: oidc_client_link: true name: oidc_client orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:oidc_client:0oafxqCAJWWGELFTYASJ label: Sample Client profile updated features: [] signOnMode: OPENID_CONNECT credentials: userNameTemplate: template: ${source.email} type: BUILT_IN signing: kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc oauthClient: autoKeyRotation: true client_id: 0oahonkqCRR6TSNlg4 client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 token_endpoint_auth_method: client_secret_post pkce_required: true settings: app: {} oauthClient: client_uri: http://localhost:8080 logo_uri: http://developer.okta.com/assets/images/logo-new.png redirect_uris: - https://example.com/oauth2/callback - myapp://callback response_types: - token - id_token - code grant_types: - authorization_code application_type: native issuer_mode: DYNAMIC idp_initiated_login: mode: DISABLED default_scope: [] wildcard_redirect: DISABLED dpop_bound_access_tokens: false notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED OpenidConnectResponseEx: summary: OPENID_CONNECT value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: 
https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: true web: true appLinks: oidc_client_link: true name: oidc_client orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:oidc_client:0oafxqCAJWWGELFTYASJ label: Sample Client profile features: [] signOnMode: OPENID_CONNECT credentials: userNameTemplate: template: ${source.email} type: BUILT_IN signing: kid: H34mvc6VrfV5yvy5wA8ikMFws6WInx4nvsAs-7EYbVc oauthClient: autoKeyRotation: true client_id: 0oahonkqCRR6TSNlg4 client_secret: wj9bOsLK0BRNJqy7KMMnaE7m8qrW51bPO2n1-PYvkOmhHRYgcuOecQkEwq9MPYa5 token_endpoint_auth_method: client_secret_post pkce_required: true settings: app: {} oauthClient: client_uri: http://localhost:8080 logo_uri: http://developer.okta.com/assets/images/logo-new.png redirect_uris: - https://example.com/oauth2/callback - myapp://callback response_types: - token - id_token - code grant_types: - authorization_code application_type: native issuer_mode: DYNAMIC idp_initiated_login: mode: DISABLED default_scope: [] wildcard_redirect: DISABLED dpop_bound_access_tokens: false notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED profile: label: oauth2 client app 1 OperationCompletedResponse: summary: Operation Completed Response value: id: rdj2ccmltchKESW8u0g5 type: read:directories status: COMPLETED created: '2023-10-01T12:00:00Z' started: '2023-10-01T12:05:00Z' completed: '2023-10-01T12:10:00Z' OperationFailedResponse: summary: Operation Failed Response value: id: rdj2ccmltchKESW8u0g5 type: read:directories status: FAILED created: '2023-10-01T12:00:00Z' started: '2023-10-01T12:05:00Z' completed: '2023-10-01T12:10:00Z' OperationInProgressResponse: summary: Operation In Progress Response value: id: rdj2ccmltchKESW8u0g5 type: read:directories status: IN_PROGRESS created: '2023-10-01T12:00:00Z' 
started: '2023-10-01T12:05:00Z' OperationResponse: value: id: rre4mje4ez6B2a7B60g7 type: realm:assignment status: COMPLETED created: '2023-10-25T21:02:54.000Z' started: '2023-10-25T21:02:54.000Z' completed: '2023-10-25T21:02:54.000Z' realmId: 00g1b7rvh0xPLKXFf0g5 realmName: Realm Name assignmentOperation: configuration: id: 0pr1b7rxZj2ibQzfP0g5 name: Realm Assignment 1 conditions: profileSourceId: 0oa4enoRyjwSCy5hx0g4 expression: value: string actions: assignUserToRealm: realmId: 00g1b7rvh0xPLKXFf0g5 numUserMoved: 50 _links: self: rel: self href: http://your-subdomain.okta.com/api/v1/operations/rre4mje4ez6B2a7B60g7 method: GET OptInStatusResponse: summary: Opt in response value: optInStatus: OPTING_IN _links: optInStatus: href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn OptOutStatusResponse: summary: Opt out response value: optInStatus: OPTING_OUT _links: optInStatus: href: http://your-subdomain.okta.com/api/v1/iam/governance/optIn OrgCAPTCHASettingsConfigured: summary: org-wide Captcha settings are configured value: captchaId: abcd4567 enabledPages: - SSR - SIGN_IN _links: self: href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 hints: allow: - GET - POST - PUT - DELETE OrgCAPTCHASettingsDisable: summary: Disable org-wide Captcha settings value: captchaId: 'null' enabledPages: 'null' OrgCAPTCHASettingsDisabled: summary: Disabled org-wide Captcha settings value: captchaId: 'null' enabledPages: '[]' _links: self: href: https://your-subdomain.okta.com/api/v1/captchas/ hints: allow: - GET - PUT OrgCAPTCHASettingsEmpty: summary: Org-wide Captcha settings aren't configured value: captchaId: null enabledPages: [] _links: self: href: https://your-subdomain.okta.com/api/v1/captchas hints: allow: - GET - POST - PUT - DELETE OrgCAPTCHASettingsUpdate: summary: Update org-wide Captcha settings value: captchaId: abcd4567 enabledPages: - SSR - SIGN_IN OrgCAPTCHASettingsUpdated: summary: Updated org-wide Captcha settings value: captchaId: abcd4567 
enabledPages: - SSR - SIGN_IN _links: self: href: https://your-subdomain.okta.com/api/v1/captchas/abcd4567 hints: allow: - GET - POST - PUT - DELETE OrgSettingResponse: summary: Org setting response value: address1: 100 1st St address2: 6th floor city: San Francisco companyName: okta country: United States endUserSupportHelpURL: support.okta.com phoneNumber: '+18887227871' postalCode: '94105' state: California supportPhoneNumber: '+18887227871' website: www.okta.com id: 00o3qqiw0vSCIwu8I0g7 created: '2024-01-24T14:15:22Z' lastUpdated: '2024-07-21T14:15:22Z' expiresAt: '2024-12-24T14:15:22Z' status: ACTIVE subdomain: okta _links: preferences: href: https://{yourOktaDomain}/v1/org/preferences uploadLogo: href: https://{yourOktaDomain}/api/v1/org/logo hints: allow: - POST oktaCommunication: href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication logo: null oktaSupport: href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport contacts: href: https://vantest.oktapreview.com/api/v1/org/contacts PasswordImportPayloadExample: summary: An example password import inline hook request body value: eventId: 3o9jBzq1SmOGmmsDsqyyeQ eventTime: '2020-01-17T21:23:56.000Z' eventType: com.okta.user.credential.password.import eventTypeVersion: '1.0' contentType: application/json cloudEventVersion: '0.1' source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7 data: context: request: id: XiIl6wn7005Rr@fjYqeC7CCDBxw method: POST url: value: /idp/idx/challenge/answer ipAddress: 66.124.153.138 credential: username: isaac.brock@example.com password: Okta action: credential: UNVERIFIED PasswordImportUnVerifiedResponse: summary: An example password hook response for an unverified user password value: commands: - type: com.okta.action.update value: credential: UNVERIFIED PasswordImportVerifiedResponse: summary: An example password hook response for a verified user password value: commands: - type: com.okta.action.update value: credential: VERIFIED 
PatchAIAgentRequestPartialRemoveAppIdAndDescription: value: appId: null profile: description: null PatchAIAgentRequestPartialUpdateAppId: value: appId: 0oab1234EXAMPLEID5d6 PatchAIAgentRequestPartialUpdateName: value: profile: name: Updated name only PatchAIAgentRequestUpdateValues: value: appId: 0oab1234EXAMPLEID5d6 profile: name: Updated name description: Updated description PerClientRateLimitSettingsEnforceDefault: value: defaultMode: ENFORCE PerClientRateLimitSettingsEnforceDefaultWithOverrides: value: defaultMode: ENFORCE useCaseModeOverrides: OAUTH2_AUTHORIZE: PREVIEW OIE_APP_INTENT: DISABLE PerClientRateLimitSettingsPreviewDefaultWithOverrides: value: defaultMode: PREVIEW useCaseModeOverrides: LOGIN_PAGE: ENFORCE PermissionResponse: value: label: okta.users.manage created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.manage PermissionResponseWithConditions: value: label: okta.users.read conditions: include: okta:ResourceAttribute/User/Profile: - city - state - zipCode created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read PermissionsResponse: value: permissions: - label: okta.users.create created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.create - label: okta.users.read created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' conditions: include: okta:ResourceAttribute/User/Profile: - city - state - zipCode _links: role: href: 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.read - label: okta.groups.read created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.groups.read - label: okta.users.userprofile.manage created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions/okta.users.userprofile.manage PersonaIDVResponse: summary: Persona as IdP value: id: 0oa62bfdjnK55Z5x80h7 name: Persona IDV status: ACTIVE created: '2023-10-01T12:00:00.000Z' lastUpdated: '2023-10-01T12:00:00.000Z' protocol: type: ID_PROOFING endpoints: authorization: url: https://withpersona.com/verify binding: HTTP-REDIRECT credentials: bearer: apiKey: your-api-key policy: provisioning: action: DISABLED profileMaster: false groups: null subject: userNameTemplate: template: source.userName filter: null matchType: USERNAME matchAttribute: null maxClockSkew: 0 properties: inquiryTemplateId: itmpl_HSctx8fNvXoHtrQfz2hxUVH8RBjG type: IDV_PERSONA _links: self: href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdjnK55Z5x80h7 hints: allow: - GET - DELETE activate: href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdjnK55Z5x80h7/lifecycle/activate hints: allow: - POST deactivate: href: https://{yourOktaDomain}/api/v1/idps/0oa62bfdjnK55Z5x80h7/lifecycle/deactivate hints: allow: - POST PreviewEmailCustomizationResponse: value: subject: Welcome to Okta! body:

Hello, John. Click here to activate your account. _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/customizations/oel2kk1zYJBJbeaGo0g4/preview hints: allow: - GET template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET test: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test hints: allow: - POST PreviewEmailTemplateDefaultContentResponse: value: subject: Welcome to Okta! body:

Hello, John. Click here to activate your account. _links: self: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/default-content/preview hints: allow: - GET template: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation hints: allow: - GET defaultContent: href: https://{yourOktaDomain}/api/v1/brands/{brandId}/templates/email/UserActivation/test/default-content hints: allow: - POST PrincipalRateLimitEntityReplaceRequestSSWSToken: summary: Replace a principal rate limit entity request value: principalId: prlh5hd6act3aHDrr1f5 principalType: SSWS_TOKEN defaultPercentage: 50 defaultConcurrencyPercentage: 75 PrincipalRateLimitEntityReplaceResponseSSWSToken: summary: Replace a principal rate limit entity response example value: id: 0oacamvryxiyMqgiY1e5 orgId: org1234 principalId: prlh5hd6act3aHDrr1f5 principalType: SSWS_TOKEN defaultPercentage: 50 defaultConcurrencyPercentage: 75 createdDate: '2022-05-19T20:05:32.720Z' createdBy: 00u7xut94qEWYx5ss1d4 lastUpdate: '2022-05-20T21:13:07.410Z' lastUpdatedBy: 00u7xut94qEWYx5ss1d4 PrincipalRateLimitEntityRequestSSWSToken: summary: Create a principal rate limit entity request example value: principalId: prlh5hd6act3aHDrr1f5 principalType: SSWS_TOKEN defaultPercentage: 50 defaultConcurrencyPercentage: 75 PrincipalRateLimitEntityResponseSSWSToken: summary: Create a principal rate limit entity response example value: id: 0oacamvryxiyMqgiY1e5 orgId: org1234 principalId: prlh5hd6act3aHDrr1f5 principalType: SSWS_TOKEN defaultPercentage: 50 defaultConcurrencyPercentage: 75 createdDate: '2022-05-19T20:05:32.720Z' createdBy: 00u7xut94qEWYx5ss1d4 lastUpdate: '2022-05-20T21:13:07.410Z' lastUpdatedBy: 00u7xut94qEWYx5ss1d4 PrincipalRateLimitsOAuthClientListAllExample: summary: List all OAuth 2.0 client principal rate limits value: - id: prl7yh347wuzN5P1C1e7 orgId: 00o7xut90ucsjAQ7S1e6 principalId: 0oa7yh346zIE1y84p1e7 principalType: OAUTH_CLIENT defaultPercentage: 40 
defaultConcurrencyPercentage: 40 lastUpdate: '2024-11-29T14:56:06.000Z' lastUpdatedBy: 00uid52637YwIXkJq1d4 createdDate: '2023-05-02T20:37:38.000Z' createdBy: 00uid52637YwIXkJq1d4 - id: prlbqdob5bhM6nff61e7 orgId: 00o7xut90ucsjAQ7S1e6 principalId: 0oabqdob4da0JGuMf1e7 principalType: OAUTH_CLIENT defaultPercentage: 50 defaultConcurrencyPercentage: 50 lastUpdate: '2023-12-07T21:58:02.000Z' lastUpdatedBy: 00uid52637YwIXkJq1d4 createdDate: '2023-12-07T21:58:02.000Z' createdBy: 00uid52637YwIXkJq1d4 - id: prlcamvrzvkglWHqR1e7 orgId: 00o7xut90ucsjAQ7S1d7 principalId: 0oacamvryxiyMqgiY1e7 principalType: OAUTH_CLIENT defaultPercentage: 50 defaultConcurrencyPercentage: 50 lastUpdate: '2024-01-12T20:59:18.000Z' lastUpdatedBy: 00uid52637YwIXkJq1d4 createdDate: '2024-01-12T20:59:18.000Z' createdBy: 00uid52637YwIXkJq1d4 PrincipalRateLimitsSSWSListAllExample: summary: List all SSWS API token principal rate limits value: - id: prlh5hd7qct3aHDry1f6 orgId: 00o7xut90ucsjAQ7S1e6 principalId: 00T14q3ns31qMEJUU1d7 principalType: SSWS_TOKEN defaultPercentage: 50 defaultConcurrencyPercentage: 50 lastUpdate: '2024-09-12T17:28:56.000Z' lastUpdatedBy: 00uid52637YwIXkJq1d4 createdDate: '2024-09-12T17:28:56.000Z' createdBy: 00u7xut94qEWYx5ss1d4 - id: prlid6w9ilOWlVbpG1f6 orgId: 00o7xut90ucsjAQ7S1e6 principalId: 00T16ewcxyIrMV6Lb1d7 principalType: SSWS_TOKEN defaultPercentage: 50 defaultConcurrencyPercentage: 50 lastUpdate: '2024-11-13T17:07:14.000Z' lastUpdatedBy: 00uid52637YwIXkJq1d4 createdDate: '2024-11-13T17:07:14.000Z' createdBy: 00uid52637YwIXkJq1d4 PrivilegedResourceClaimAppAccountResponse: value: id: opa100xTfFs4MasRf0g4 resourceType: APP_ACCOUNT containerDetails: appName: google containerId: 0oa103099SBEb3Z2b0g4 displayName: Google App1 globalAppId: 964b82aa-85b4-5645-b790-83312c473480 passwordPushSupported: true provisioningEnabled: true _links: login: href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4 logo: href: 
https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png credentials: userName: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE credentialSyncInfo: secretVersionId: '' syncTime: '' syncState: NOT_SYNCED errorCode: '' errorReason: '' PrivilegedResourceClaimOktaAccountResponse: value: id: opa100xTfFs4MasRf0g4 resourceType: OKTA_USER_ACCOUNT resourceId: 00u100xTfFs4MasRf0g4 credentials: userName: username profile: email: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE credentialSyncInfo: secretVersionId: '' syncTime: '' syncState: NOT_SYNCED errorCode: '' errorReason: '' PrivilegedResourceCreateAppAccountRequest: value: resourceType: APP_ACCOUNT containerDetails: containerId: 0oa103099SBEb3Z2b0g4 credentials: userName: testuser@example.com PrivilegedResourceCreateAppAccountResponse: value: id: opa100xTfFs4MasRf0g4 resourceType: APP_ACCOUNT containerDetails: appName: google containerId: 0oa103099SBEb3Z2b0g4 displayName: Google App1 globalAppId: 964b82aa-85b4-5645-b790-83312c473480 passwordPushSupported: true provisioningEnabled: true _links: login: href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4 logo: href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png credentials: userName: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: INACTIVE credentialSyncInfo: secretVersionId: '' syncTime: '' syncState: NOT_SYNCED errorCode: '' errorReason: '' PrivilegedResourceCreateOktaAccountRequestConvert: value: resourceType: OKTA_USER_ACCOUNT resourceId: 00u100xTfFs4MasRf0g4 PrivilegedResourceCreateOktaAccountRequestNew: value: resourceType: OKTA_USER_ACCOUNT credentials: userName: username profile: email: testuser@example.com 
PrivilegedResourceCreateOktaAccountResponse: value: id: opa100xTfFs4MasRf0g4 resourceType: OKTA_USER_ACCOUNT resourceId: 00u100xTfFs4MasRf0g4 credentials: userName: username profile: email: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: INACTIVE credentialSyncInfo: secretVersionId: '' syncTime: '' syncState: NOT_SYNCED errorCode: '' errorReason: '' PrivilegedResourceFilterCreatePayload: summary: Filters request body value: organizationalUnits: - name: OU=example1,DN=globo,DN=com - name: OU=example2,DN=globo,DN=com appGroups: - name: domainAdminsGroup1 externalId: 18070146415 - name: domainAdminsGroup2 externalId: 7968626130 PrivilegedResourceRotatePasswordAppAccountResponse: value: id: opa100xTfFs4MasRf0g4 resourceType: APP_ACCOUNT containerDetails: appName: google containerId: 0oa103099SBEb3Z2b0g4 displayName: Google App1 globalAppId: 964b82aa-85b4-5645-b790-83312c473480 passwordPushSupported: true provisioningEnabled: true _links: login: href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4 logo: href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png credentials: userName: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE credentialSyncInfo: secretVersionId: 9f8400-e29b-41d4-a716-926655440034 syncTime: '' syncState: SYNCING errorCode: '' errorReason: '' PrivilegedResourceRotatePasswordOktaAccountResponse: value: id: opa100xTfFs4MasRf0g4 resourceType: OKTA_USER_ACCOUNT resourceId: 00u100xTfFs4MasRf0g4 credentials: userName: username profile: email: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE credentialSyncInfo: secretVersionId: 9f8400-e29b-41d4-a716-926655440034 syncTime: '2024-06-11T11:11:01.000Z' syncState: SYNCED errorCode: '' errorReason: '' PrivilegedResourcesAppAccountUpdateRequest: 
value: username: username PrivilegedResourcesFetchResponse: summary: List privileged resources value: - id: opa100xTfFs4MasRf0g4 resourceType: APP_ACCOUNT credentials: userName: john.adams@ct12-100k.local.domain created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE credentialSyncInfo: secretVersionId: 9f8400-e29b-41d4-a716-926655440034 syncTime: '2024-06-10T11:30:01.000Z' syncState: SYNCED errorCode: '' errorReason: '' profile: firstName: John lastName: Adams displayName: John Adams email: john.adams@ct12-100k.local.domain dn: CN=John Adams,OU=Sales,DC=ct12-100k,DC=local objectSid: sid-1234 samAccountName: john-adams - id: opa100xTfFs4MasRf0g5 resourceType: APP_ACCOUNT credentials: userName: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE credentialSyncInfo: secretVersionId: 9f8400-e29b-41d4-a716-926655440034 syncTime: '2024-06-10T11:30:01.000Z' syncState: SYNCED errorCode: '' errorReason: '' profile: firstName: John lastName: Doe displayName: John Doe email: john.doe@ct12-100k.local.domain dn: CN=John Doe,OU=Sales,DC=ct12-100k,DC=local objectSid: sid-5678 samAccountName: john-doe PrivilegedResourcesGetAppAccountResponse: value: id: opa100xTfFs4MasRf0g4 resourceType: APP_ACCOUNT containerDetails: appName: google containerId: 0oa103099SBEb3Z2b0g4 displayName: Google App1 globalAppId: 964b82aa-85b4-5645-b790-83312c473480 passwordPushSupported: true provisioningEnabled: true _links: login: href: https://appinstance-admin.oktapreview.com/home/google/0oa103099SBEb3Z2b0g4 logo: href: https://appinstance-admin.oktapreview.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png credentials: userName: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE credentialSyncInfo: secretVersionId: 9f8400-e29b-41d4-a716-926655440034 syncTime: '2024-06-10T11:30:01.000Z' syncState: SYNC_FAILED errorCode: 
UNKNOWN_ERROR errorReason: Password update failed PrivilegedResourcesGetOktaAccountResponse: value: id: opa100xTfFs4MasRf0g4 resourceType: OKTA_USER_ACCOUNT resourceId: 00u100xTfFs4MasRf0g4 credentials: userName: testuser@example.com profile: email: testuser@example.com created: '2024-06-10T11:11:01.000Z' lastUpdated: '2024-06-10T11:11:01.000Z' status: ACTIVE credentialSyncInfo: secretVersionId: 9f8400-e29b-41d4-a716-926655440034 syncTime: '2024-06-10T11:30:01.000Z' syncState: SYNCED errorCode: '' errorReason: '' PrivilegedResourcesOktaUserAccountUpdateRequest: value: username: username profile: email: testuser@example.com ProfileEnrollmentRequest: summary: An example registration hook profile enrollment (SSR) inline hook request body value: eventId: 04Dmt8BcT_aEgM eventTime: '2022-04-25T17:35:27.000Z' eventType: com.okta.user.pre-registration eventTypeVersion: 1 contentType: application/json cloudEventVersion: 0.1 source: regt4qeBKU29vSoPz0g3 requestType: self.service.registration data: context: request: method: POST ipAddress: 127.0.0.1 id: 123testId456 url: value: /idp/idx/enroll/new userProfile: firstName: Rosario lastName: Jones login: rosario.jones@example.com email: rosario.jones@example.com action: ALLOW ProfileEnrollmentResponse: summary: An example registration hook profile enrollment (SSR) inline hook response value: commands: - type: com.action.update value: registration: ALLOW ProfileEnrollmentResponseDeny: summary: An example profile enrollment (SSR) inline hook deny response value: commands: - type: com.action.update value: registration: DENY error: errorSummary: Incorrect email address. Please contact your admin. errorCauses: - errorSummary: Only example.com emails can register. 
reason: INVALID_EMAIL_DOMAIN locationType: body location: data.userProfile.email domain: end-user ProgressiveProfileRequest: summary: An example progressive profile inline hook request value: eventId: vzYp_zMwQu2htIWRbNJdfw eventTime: '2022-04-25T04:04:41.000Z' eventType: com.okta.user.pre-registration eventTypeVersion: 1 contentType: application/json cloudEventVersion: 0.1 source: regt4qeBKU29vS requestType: progressive.profile data: context: request: method: POST ipAddress: 127.0.0.1 id: 123dummyId456 url: value: /idp/idx/enroll/update user: passwordChanged: '2022-01-01T00:00:00.000Z' _links: groups: href: /api/v1/users/00u48gwcu01WxvNol0g7/groups factors: href: /api/v1/users/00u48gwcu01WxvNol0g7/factors profile: firstName: Rosario lastName: Jones timeZone: America/Los_Angeles login: rosario.jones@example.com locale: en_US id: 00u48gwcu01WxvNo action: ALLOW userProfileUpdate: employeeNumber: 1234 ProgressiveProfileResponse: summary: An example progressive profile inline hook response value: commands: - type: com.okta.user.progressive.profile.update value: request.body.data.userProfileUpdate['employeeNumber'] ProgressiveProfileResponseDeny: summary: An example progressive profile inline hook deny response value: commands: - type: com.action.update value: registration: DENY error: errorSummary: Incorrect employee number. Enter an employee number with 4 digits. errorCauses: - errorSummary: Only employee numbers with 4 digits can register. 
reason: INVALID_EMPLOYEE_NUMBER locationType: body location: data.userProfile.employeeNumber domain: end-user ProvisioningConnectionOAuthOrg2OrgWithRotationRequestEx: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Provisioning connection with OAuth 2.0 for Okta Org2Org app with key rotation value: profile: authScheme: OAUTH clientId: 0oa2h6su6bVFyJzIf1d7 signing: rotationMode: AUTO ProvisioningConnectionOAuthOrg2OrgWithRotationResponseEx: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] summary: Provisioning connection with OAuth 2.0 for Okta Org2Org (okta_org2org) app value: authScheme: OAUTH2 status: ENABLED profile: authScheme: OAUTH2 clientId: 0oa2wmzEtqh49C1Sr0g4 signing: rotationMode: AUTO _links: self: href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default hints: allow: - GET - POST deactivate: href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate hints: allow: - POST ProvisioningConnectionOauthO365RequestEx: summary: Provisioning connection with OAuth 2.0 for Microsoft Office 365 app value: profile: authScheme: OAUTH2 settings: adminUsername: office_admin-username adminPassword: office_admin-password ProvisioningConnectionOauthRequestEx: summary: Provisioning connection with OAuth 2.0 value: profile: authScheme: OAUTH2 ProvisioningConnectionOauthResponseEx: summary: Provisioning connection with OAuth 2.0 for Microsoft Office 365 app value: status: ENABLED profile: authScheme: OAUTH2 _links: self: href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default hints: allow: - GET - POST deactivate: href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate hints: allow: - POST authorize: href: https://login.microsoftonline.com/myofficetenant.onmicrosoft.com/oauth2/authorize?response_type=code&state=>&client_id=&redirect_uri=&scope= hints: allow: - GET guidance: - Specifies the URI to invoke in a browser for 
granting scope consent required to complete the OAuth 2.0 connection. ProvisioningConnectionTokenOrg2OrgRequestEx: summary: Provisioning connection with token for Okta Org2Org app value: profile: authScheme: TOKEN clientId: 0oa2h6su6bVFyJzIf1d7 ProvisioningConnectionTokenRequestEx: summary: Provisioning connection with token for Zscaler 2.0 (zscalerbyz) app value: baseUrl: https://scim.zscalerbeta.net/1234567/890/scim profile: authScheme: TOKEN token: 00NgAPZqUVy8cX9ehNzzahEE5b-On9sImTcInvWp-x ProvisioningConnectionTokenResponseWithProfileOrg2OrgEx: summary: Provisioning connection with token for Okta Org2Org (okta_org2org) app value: authScheme: TOKEN status: ENABLED baseUrl: https://targetorg.okta.com profile: authScheme: TOKEN _links: self: href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default hints: allow: - GET - POST deactivate: href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate hints: allow: - POST ProvisioningConnectionTokenResponseWithProfileZscalerEx: summary: Provisioning connection with token for Zscaler 2.0 (zscalerbyz) app value: authScheme: TOKEN status: ENABLED baseUrl: https://scim.zscalerbeta.net/1234567/890/scim profile: authScheme: TOKEN _links: self: href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default hints: allow: - GET - POST deactivate: href: https://{yourOktaDomain}/api/v1/apps/${appId}/connections/default/lifecycle/deactivate hints: allow: - POST PublicAppleAppSiteWellKnownURIResponse: value: authsrv: apps: - B7F62B65BN.com.okta.mobile - B7F62B65BN.com.okta.mobile.auth-service-extension - B7F62B65BN.com.okta.authenticator.beta - B7F62B65BN.com.okta.authenticator.beta.auth-service-extension - 7WXXBW6Z2Y.com.okta.mobile.internalrelease - 7WXXBW6Z2Y.com.okta.mobile.internalrelease.auth-service-extension key1: value1 key2: value2 key3: key3.1: value3.1 PublicAssetLinksWellKnownURIResponse: value: - key1: value1 PublicWebauthnWellKnownURIResponse: value: origins: - 
https://example1.com PushProviderAPNsRequest: value: name: APNs Example providerType: APNS configuration: keyId: KEY_ID teamId: TEAM_ID tokenSigningKey: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' fileName: fileName.p8 PushProviderAPNsResponse: value: id: ppctekcmngGaqeiBxB0g4 name: APNs Example providerType: APNS lastUpdatedDate: '2022-01-01T00:00:00.000Z' configuration: keyId: KEY_ID teamId: TEAM_ID fileName: fileName.p8 _links: self: href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 hints: allow: - DELETE - GET - PUT PushProviderFCMRequest: value: name: FCM Example providerType: FCM configuration: serviceAccountJson: type: service_account project_id: PROJECT_ID private_key_id: KEY_ID private_key: '-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n' client_email: SERVICE_ACCOUNT_EMAIL client_id: CLIENT_ID auth_uri: https://accounts.google.com/o/oauth2/auth token_uri: https://accounts.google.com/o/oauth2/token auth_provider_x509_cert_url: https://www.googleapis.com/oauth2/v1/certs client_x509_cert_url: https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL fileName: fileName.json PushProviderFCMResponse: value: id: ppctekcmngGaqeiBxB0g4 name: FCM Example providerType: FCM lastUpdatedDate: '2022-01-01T00:00:00.000Z' configuration: projectId: PROJECT_ID fileName: fileName.p8 _links: self: href: https://your-subdomain.okta.com/api/v1/push-providers/ppctekcmngGaqeiBxB0g4 hints: allow: - DELETE - GET - PUT RateLimitAdminNotificationsDisabled: value: notificationsEnabled: false RateLimitAdminNotificationsEnabled: value: notificationsEnabled: true RateLimitWarningThresholdValidExample: value: warningThreshold: 66 RealmResponse: value: id: guox9jQ16k9V8IFEL0g3 created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' isDefault: false profile: name: Car Co domains: - atko.com - user.com _links: self: rel: self href: 
http://your-subdomain.okta.com/api/v1/realms/guox9jQ16k9V8IFEL0g3 method: GET RefreshCurrentSessionResponse: summary: Refresh current session value: amr: - pwd createdAt: '2019-08-24T14:15:22Z' expiresAt: '2019-08-24T14:15:22Z' id: l7FbDVqS8zHSy65uJD85 idp: id: 01a2bcdef3GHIJKLMNOP type: ACTIVE_DIRECTORY lastFactorVerification: '2019-08-24T14:15:22Z' lastPasswordVerification: '2019-08-24T14:15:22Z' login: user@example.com status: ACTIVE userId: 00u0abcdefGHIJKLMNOP _links: self: hints: allow: - GET - DELETE href: https://{yourOktaDomain}/api/v1/sessions/me refresh: hints: allow: - POST href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh user: hints: allow: - GET href: https://{yourOktaDomain}/api/v1/users/me name: User Name RefreshSessionResponse: summary: Refresh an existing session using the session ID value: amr: - pwd createdAt: '2019-08-25T14:17:22Z' expiresAt: '2019-08-25T14:17:22Z' id: l7FbDVqS8zHSy65uJD85 idp: id: 01a2bcdef3GHIJKLMNOP type: ACTIVE_DIRECTORY lastFactorVerification: '2019-08-24T14:15:22Z' lastPasswordVerification: '2019-08-24T14:15:22Z' login: user@example.com status: ACTIVE userId: 00u0abcdefGHIJKLMNOP _links: self: hints: allow: - DELETE href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 RemoveMappingBody: summary: Update an existing profile mapping by removing one or more properties value: properties: nickName: expression: null pushStatus: null RemoveMappingResponse: summary: Update an existing profile mapping by removing one or more properties value: id: prm1k47ghydIQOTBW0g4 source: id: otysbePhQ3yqt4cVv0g3 name: user type: user _links: self: href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 target: id: 0oa1qmn4LZQQEH0wZ0g4 name: okta_org2org type: appuser _links: self: href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 schema: href: 
https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default properties: fullName: expression: user.firstName + user.lastName pushStatus: PUSH _links: self: href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 ReplaceAnEventHookWithFilter: summary: Replace an event hook value: name: Event Hook with Filter description: An event hook using an Okta Expression Language filter events: type: EVENT_TYPE items: - group.user_membership.add filter: type: EXPRESSION_LANGUAGE eventFilterMap: - event: group.user_membership.add condition: expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 channel: type: HTTP version: 1.0.0 config: uri: https://example_external_service/userAdded authScheme: type: HEADER key: Authorization value: my-shared-secret ReplaceAuthServerBody: summary: Replace a custom authorization server value: name: New Authorization Server description: Authorization Server description audiences: - api://default credentials: signing: rotationMode: AUTO use: sig issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: ORG_URL status: ACTIVE ReplaceAuthServerEnableTokenEncryptionBody: summary: Rotate the active encryption key for access token encryption value: name: New Authorization Server description: Authorization server description audiences: - api://default credentials: signing: rotationMode: AUTO use: sig issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: ORG_URL status: ACTIVE accessTokenEncryptedResponseAlgorithm: RSA-OAEP-256 jwks: keys: - kty: RSA id: apk2g3sd6bqV5YZxu0h8 status: ACTIVE kid: encKey1 use: enc e: AQAB 'n': 
iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ - kty: RSA id: apk5f3fg7kkG4TUzv0h8 status: INACTIVE kid: encKey2 use: enc e: AQAB 'n': iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ ReplaceAuthServerEnableTokenEncryptionResponse: summary: Rotate the active encryption key for access token encryption value: id: '{authorizationServerId}' name: Sample Authorization Server description: Sample authorization server description audiences: - https://api.resource.com issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: ORG_URL status: ACTIVE created: '2023-05-17T22:25:57.000Z' lastUpdated: '2023-05-17T22:25:57.000Z' credentials: signing: rotationMode: AUTO lastRotated: '2023-05-17T22:25:57.000Z' nextRotation: '2023-08-15T22:25:57.000Z' kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 accessTokenEncryptedResponseAlgorithm: RSA-OAEP-256 jwks: keys: - kty: RSA id: apk2g3sd6bqV5YZxu0h8 status: ACTIVE kid: encKey1 use: enc e: AQAB 'n': iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ - kty: RSA id: apk5f3fg7kkG4TUzv0h8 status: INACTIVE kid: encKey2 use: enc e: AQAB 'n': 
iHYyA5KXL82veBfNP81D7Q1GMRWIixNTu5jY03Z19DN7qTg1xYPRyPEPuMJ5Xjdhrm3dJdW7p1woRa6CHfw8FS7aosXUZkplxPs0NICP32nCkwpX3U3CltgVWrpMEUrd-JljKm0AgrervZuLkgBEfwY3BXP_SCKjF0JtbQjcK9MOKFNUUUK3_xTrFcyZThlSOtiOmhjDHTfHzeG2Q0NG2Opom1kfKWLDUVy5qrzYJWgcCaPOyEE1xnk4u5syH_8APOi2tKwKBCgS_D-kXzZ_379VhVuEpo2CGBU20t9Ys_m8KLqMCOyJaoQ3R1r6cWHfnYSab31L1my3rLwuippXkQ _links: scopes: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - GET claims: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET policies: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies hints: allow: - GET self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - DELETE - PUT metadata: - name: oauth-authorization-server href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server hints: allow: - GET - name: openid-configuration href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration hints: allow: - GET rotateKey: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate hints: allow: - POST deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate hints: allow: - POST ReplaceAuthServerResponse: summary: Replace a custom authorization server value: id: '{authorizationServerId}' name: Sample Authorization Server description: Sample Authorization Server description audiences: - https://api.resource.com issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: ORG_URL status: ACTIVE created: '2023-05-17T22:25:57.000Z' lastUpdated: '2023-05-17T22:25:57.000Z' credentials: signing: rotationMode: AUTO lastRotated: '2023-05-17T22:25:57.000Z' nextRotation: '2023-08-15T22:25:57.000Z' kid: 
WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 _links: scopes: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - GET claims: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET policies: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies hints: allow: - GET self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - DELETE - PUT metadata: - name: oauth-authorization-server href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server hints: allow: - GET - name: openid-configuration href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration hints: allow: - GET rotateKey: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate hints: allow: - POST deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate hints: allow: - POST ReplaceCustomTokenClaimBody: summary: Replace a custom token claim value: - alwaysIncludeInToken: true claimType: IDENTITY conditions: scopes: - profile group_filter_type: CONTAINS name: Knowledge_Base status: ACTIVE system: false value: Knowledge Base valueType: GROUPS ReplaceCustomTokenClaimResponse: summary: Replace a custom token claim response value: - id: '{claimId}' name: Knowledge_Base status: ACTIVE claimType: IDENTITY valueType: GROUPS value: Knowledge Base conditions: scopes: - profile system: false alwaysIncludeInToken: true apiResourceId: null group_filter_type: CONTAINS _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} hints: allow: - GET - PUT - DELETE ReplaceIdPRequestResponse: summary: Replace an IdP value: id: 0oa62bc8wppPw0UGr0h7 type: SAML2 name: Example SAML IdP status: 
INACTIVE created: null lastUpdated: '2016-03-29T21:23:45.000Z' protocol: type: SAML2 endpoints: sso: url: https://idp.example.com/saml2/sso binding: HTTP-REDIRECT destination: https://idp.example.com/saml2/sso slo: url: https://idp.example.com/slo binding: HTTP-POST acs: binding: HTTP-POST type: INSTANCE algorithms: request: signature: algorithm: SHA-256 scope: REQUEST response: signature: algorithm: SHA-256 scope: ANY settings: nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified participateSlo: true credentials: trust: issuer: https://idp.example.com audience: https://www.okta.com/saml2/service-provider/spCQJRNaaxs7ANqKBO7M kid: your-key-id additionalKids: - additional-key-id policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: idpuser.subjectNameId filter: null matchType: USERNAME mapAMRClaims: false maxClockSkew: 120000 _links: metadata: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml type: application/xml hints: allow: - GET acs: href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 type: application/xml hints: allow: - POST users: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users hints: allow: - GET activate: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/activate hints: allow: - POST ReplaceKeyResponse: summary: Replace a key response example value: id: HKY1p7jWLndGQV9M60g4 keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad name: My updated new key created: '2022-08-31T18:09:58.000Z' lastUpdated: '2022-08-31T18:16:59.000Z' isUsed: 'false' ReplaceNetworkZone: summary: Replace a network zone value: type: IP id: nzovw2rFz2YoqmvwZ0g9 name: UpdatedNetZone status: ACTIVE system: false usage: POLICY gateways: - type: CIDR value: 10.2.3.4/24 - type: CIDR value: 12.2.3.4/24 - type: RANGE value: 13.4.5.6-13.4.5.8 - 
type: CIDR value: 14.2.3.4/24 proxies: - type: CIDR value: 12.2.3.4/24 - type: CIDR value: 13.3.4.5/24 - type: RANGE value: 14.4.5.6-14.4.5.8 - type: RANGE value: 15.5.6.7/24-15.5.6.9 _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate hints: allow: - POST ReplaceNetworkZoneResponse: summary: Replace network zone value: type: IP id: nzovw2rFz2YoqmvwZ0g9 name: UpdatedNetZone status: ACTIVE usage: POLICY created: '2022-05-08T18:25:05.000Z' lastUpdated: '2022-05-10T13:15:22.000Z' system: false gateways: - type: CIDR value: 10.2.3.4/24 - type: CIDR value: 12.2.3.4/24 - type: RANGE value: 13.4.5.6-13.4.5.8 - type: CIDR value: 14.2.3.4/24 proxies: - type: CIDR value: 12.2.3.4/24 - type: CIDR value: 13.3.4.5/24 - type: RANGE value: 14.4.5.6-14.4.5.8 - type: RANGE value: 15.5.6.7/24-15.5.6.9 _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzovw2rFz2YoqmvwZ0g9/lifecycle/deactivate hints: allow: - POST ReplaceResourceSetRequest: value: label: SF-IT-People description: People in the IT department of San Francisco ReplaceRoleRequest: value: label: UserCreator description: Create users ReplaceUserTypePutRequest: summary: Replace user type request value: displayName: Replacement Display Name description: Replacement description name: newUserType ReplaceUserTypePutResponse: summary: Replace user type response value: id: otyfnly5cQjJT9PnR0g4 displayName: Replacement Display Name name: newUserType description: Replacement description createdBy: sprz9fj1ycBcsgopy1d6 lastUpdatedBy: sprz9fj1ycBcsgopy1d6 created: '2021-07-05T20:40:38.000Z' lastUpdated: '2021-07-05T20:40:38.000Z' default: false _links: self: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: 
https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 ResetPwdWithoutSendingEmailResponse: value: summary: Reset password without sending email resetPasswordUrl: https://{yourOktaDomain}/reset_password/XE6wE17zmphl3KqAPFxO ResourceSetBindingAddMembersRequestExample: value: additions: - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - https://{yourOktaDomain}/api/v1/users/00u67DU2qNCjNZYO0g3 ResourceSetBindingCreateRequestExample: value: role: cr0Yq6IJxGIr0ouum0g3 members: - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 ResourceSetBindingMemberResponse: value: id: irb1qe6PGuMc7Oh8N0g4 created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 ResourceSetBindingMembersResponse: value: members: - id: irb1qe6PGuMc7Oh8N0g4 created: '2024-12-19T00:00:00.000Z' lastUpdated: '2024-12-19T00:00:00.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/users/00uuk41Hjga5qGfQ30g3 - id: irb1q92TFAHzySt3x0g4 created: '2024-12-19T00:00:00.000Z' lastUpdated: '2024-12-19T00:00:00.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 _links: self: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members binding: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 ResourceSetBindingResponseExample: value: _links: self: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 bindings: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g ResourceSetBindingResponseWithIdExample: value: id: cr0Yq6IJxGIr0ouum0g3 _links: self: href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3 members: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g ResourceSetBindingsResponse: value: roles: - id: cr0WxyzJxGIr0ouum0g4 _links: self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0WxyzJxGIr0ouum0g4 members: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0WxyzJxGIr0ouum0g4/members _links: self: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g next: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings?after=cr0WxyzJxGIr0ouum0g4 ResourceSetRequest: value: label: SF-IT-People description: People in the IT department of San Francisco resources: - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users - https://{yourOktaDomain}/api/v1/users - https://{yourOktaDomain}/api/v1/realms/00guaxWZ0AOa5NFAj0g3 - https://{yourOktaDomain}/api/v1/realms ResourceSetResourcePatchRequestExample: value: additions: - https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 - https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users ResourceSetResourcePostRequestExample: summary: Resource set with conditions request value: resourceOrnOrUrl: https://{yourOktaDomain}/api/v1/apps conditions: Exclude: okta:ORN: - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack ResourceSetResourcePutRequestExample: value: conditions: Exclude: okta:ORN: - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack ResourceSetResourceResponse: summary: 
Resource set response value: id: ire106sQKoHoXXsAe0g4 orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps conditions: Exclude: okta:ORN: - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:0oa1014FmyZ2H0oRY0g4 - orn:okta:idp:00o5rb5mt2H3d1TJd0h7:apps:slack created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/apps resource: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 ResourceSetResourcesResponse: value: resources: - id: ire106sQKoHoXXsAe0g4 orn: orn:{partition}:directory:{yourOrgId}:groups:00guaxWZ0AOa5NFAj0g3 created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/groups/00guaxWZ0AOa5NFAj0g3 resource: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g1 - id: ire106riDrTYl4qA70g4 orn: orn:{partition}:directory:{yourOrgId}:groups:00gu67DU2qNCjNZYO0g3:contained_resources created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/groups/00gu67DU2qNCjNZYO0g3/users resource: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g2 - id: irezvo4AwE2ngpMw40g3 orn: orn:{partition}:directory:{yourOrgId}:users created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/users users: href: https://{yourOktaDomain}/api/v1/users - id: ire2j4iDnxHhUFaZN0g4 orn: orn:{partition}:directory:{yourOrgId}:groups created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/groups groups: href: https://{yourOktaDomain}/api/v1/groups resource: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources/ire2snv2xSY7a4iSe0g3 _links: next: href: 
https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources?after=irezvn1ZZxLSIBM2J0g3 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g ResourceSetResponse: value: id: iamoJDFKaJxGIr0oamd9g label: SF-IT-People description: People in the IT department of San Francisco created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g resources: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources bindings: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings ResourceSetsResponse: value: resource-sets: - id: iamoJDFKaJxGIr0oamd9g label: SF-IT-1 description: First San Francisco IT Resource Set created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g resources: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/resources bindings: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings - id: iamoJDFKaJxGIr0oamd0q label: SF-IT-2 description: Second San Francisco IT Resource Set created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q resources: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/resources bindings: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd0q/bindings _links: next: href: https://{yourOktaDomain}/api/v1/iam/resource-sets?after=iamoJDFKaJxGIr0oamd0q RetrieveADeactivatedEventHook: summary: Deactivated event hook value: id: who8vt36qfNpCGz9H1e6 status: INACTIVE verificationStatus: VERIFIED name: Event Hook Test description: null created: '2023-07-07T13:41:56.000Z' createdBy: 
00u7xut94qEWYx5ss1e5 lastUpdated: '2023-07-07T13:43:03.000Z' events: type: EVENT_TYPE items: - group.user_membership.add filter: null channel: type: HTTP version: 1.0.0 config: uri: https://example_external_service/userAdded headers: - key: X-Other-Header value: my-header-value method: POST authScheme: type: HEADER key: authorization _links: self: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 verify: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify hints: allow: - POST deactivate: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate hints: allow: - POST RetrieveAllEventHooks: summary: Retrieves all event hooks value: - id: who8tsqyrhCdmetzx135 status: ACTIVE verificationStatus: VERIFIED name: Event Hook Test description: null created: '2023-07-07T17:41:56.000Z' createdBy: 00u7xut94qEWYx5ss1e5 lastUpdated: '2023-07-07T17:43:03.000Z' events: type: EVENT_TYPE items: - user.lifecycle.deactivate - user.lifecycle.activate filter: null channel: type: HTTP version: 1.0.0 config: uri: https://example_external_service/userDeactivate headers: [] method: POST authScheme: type: HEADER key: authorization _links: self: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135 verify: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/verify hints: allow: - POST deactivate: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx135/lifecycle/deactivate hints: allow: - POST - id: who8vt36qfNpCGz9H1e6 status: ACTIVE verificationStatus: VERIFIED name: Event Hook with Filter description: An event hook using an Okta Expression Language filter created: '2023-07-07T13:41:56.000Z' createdBy: 00u7xut94qEWYx5ss1e5 lastUpdated: '2023-07-07T13:43:03.000Z' events: type: EVENT_TYPE items: - group.user_membership.add filter: type: EXPRESSION_LANGUAGE eventFilterMap: - event: group.user_membership.add condition: version: null expression: event.target.?[type eq 
'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 channel: type: HTTP version: 1.0.0 config: uri: https://example_external_service/userAdded headers: [] method: POST authScheme: type: HEADER key: authorization _links: self: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 verify: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify hints: allow: - POST deactivate: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate hints: allow: - POST RetrieveAllZones: summary: Retrieves all network zones value: - type: DYNAMIC_V2 id: nzok0oz2xYHOZtIch0g4 name: testZone106 status: ACTIVE usage: BLOCKLIST created: '2024-05-13T16:33:44.000Z' lastUpdated: '2024-05-13T16:33:44.000Z' system: false locations: include: [] exclude: [] asns: include: [] exclude: [] ipServiceCategories: include: - ALL_ANONYMIZERS exclude: [] _links: self: href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4 hints: allow: - GET - PUT - DELETE deactivate: href: http://{yourOktaDomain}/api/v1/zones/nzok0oz2xYHOZtIch0g4/lifecycle/deactivate hints: allow: - POST - type: DYNAMIC id: nzoy0ox5xADOZtKrh0g6 name: test status: ACTIVE usage: POLICY created: '2022-05-19T15:33:32.000Z' lastUpdated: '2022-05-19T15:33:32.000Z' system: false locations: - country: AF region: AF-BGL proxyType: ANY asns: - '23457' _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate hints: allow: - POST - type: IP id: nzowc1U5Jh5xuAK0o0g3 name: MyIpZone status: ACTIVE usage: POLICY created: '2021-06-24T20:37:32.000Z' lastUpdated: '2021-06-24T20:37:32.000Z' system: false gateways: - type: CIDR value: 1.2.3.4/24 proxies: - type: RANGE value: 3.3.4.5-3.3.4.15 _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 hints: allow: - GET - PUT - DELETE
deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate hints: allow: - POST - type: IP id: nzou3u0stMCmgOzXK1d6 name: BlockedIpZone status: ACTIVE usage: BLOCKLIST created: '2021-06-09T21:32:46.000Z' lastUpdated: '2021-06-09T21:32:46.000Z' system: true gateways: null proxies: null _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate hints: allow: - POST - type: DYNAMIC_V2 id: nzohcnxFrSgsiwyHp0g4 name: DefaultEnhancedDynamicZone status: ACTIVE usage: BLOCKLIST created: '2024-05-06T19:12:29.000Z' lastUpdated: '2024-05-09T21:02:31.000Z' system: true locations: include: [] exclude: [] ipServiceCategories: include: - ALL_ANONYMIZERS exclude: [] asns: include: [] exclude: [] _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0stMCmgOzXK1d6/lifecycle/deactivate hints: allow: - POST - type: IP id: nzou3u0ssJfZjYsWL1d6 name: LegacyIpZone status: ACTIVE usage: POLICY created: '2021-06-09T21:32:46.000Z' lastUpdated: '2021-06-09T21:32:46.000Z' system: true gateways: null proxies: null _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzou3u0ssJfZjYsWL1d6/lifecycle/deactivate hints: allow: - POST RetrieveAllZonesWithFilter: summary: Retrieves network zones with filter value: - type: IP id: nzowc1U5Jh5xuAK0o0g3 name: MyIpZone status: ACTIVE usage: POLICY created: '2021-06-24T20:37:32.000Z' lastUpdated: '2021-06-24T20:37:32.000Z' system: false gateways: - type: CIDR value: 1.2.3.4/24 proxies: - type: RANGE value: 3.3.4.5-3.3.4.15 _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 hints: allow: - GET - PUT - DELETE
deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate hints: allow: - POST RetrieveAnEventHook: summary: Retrieve an event hook value: id: who8vt36qfNpCGz9H1e6 status: ACTIVE verificationStatus: VERIFIED name: Event Hook Test description: null created: '2023-07-07T13:41:56.000Z' createdBy: 00u7xut94qEWYx5ss1e5 lastUpdated: '2023-07-07T13:43:03.000Z' events: type: EVENT_TYPE items: - group.user_membership.add filter: null channel: type: HTTP version: 1.0.0 config: uri: https://example_external_service/userAdded headers: - key: X-Other-Header value: my-header-value method: POST authScheme: type: HEADER key: authorization _links: self: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 verify: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify hints: allow: - POST deactivate: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate hints: allow: - POST RetrieveAnEventHookWithFilter: summary: Retrieve an event hook value: id: who8vt36qfNpCGz9H1e6 status: ACTIVE verificationStatus: VERIFIED name: Event Hook with Filter description: An event hook using an Okta Expression Language filter created: '2023-07-07T13:41:56.000Z' createdBy: 00u7xut94qEWYx5ss1e5 lastUpdated: '2023-07-07T13:43:03.000Z' events: type: EVENT_TYPE items: - group.user_membership.add filter: type: EXPRESSION_LANGUAGE eventFilterMap: - event: group.user_membership.add condition: version: null expression: event.target.?[type eq 'UserGroup'].size()>0 && event.target.?[displayName eq 'Sales'].size()>0 channel: type: HTTP version: 1.0.0 config: uri: https://example_external_service/userAdded method: POST authScheme: type: HEADER key: authorization _links: self: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6 verify: href: https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/verify hints: allow: - POST deactivate: href: 
https://example.com/api/v1/eventHooks/who8tsqyrhCdmetzx1e6/lifecycle/deactivate hints: allow: - POST RetrieveAuthServerResponse: summary: Retrieve a custom authorization server value: id: '{authorizationServerId}' name: Sample Authorization Server description: Sample Authorization Server description audiences: - https://api.resource.com issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} issuerMode: ORG_URL status: ACTIVE created: '2023-05-17T22:25:57.000Z' lastUpdated: '2023-05-17T22:25:57.000Z' credentials: signing: rotationMode: AUTO lastRotated: '2023-05-17T22:25:57.000Z' nextRotation: '2023-08-15T22:25:57.000Z' kid: WYQxoK4XAwGFn5Zw5AzLxFvqEKLP79BbsKmWeuc5TB4 _links: scopes: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes hints: allow: - GET claims: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims hints: allow: - GET policies: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/policies hints: allow: - GET self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} hints: allow: - GET - DELETE - PUT metadata: - name: oauth-authorization-server href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/oauth-authorization-server hints: allow: - GET - name: openid-configuration href: https://{yourOktaDomain}/oauth2/{authorizationServerId}/.well-known/openid-configuration hints: allow: - GET rotateKey: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/credentials/lifecycle/keyRotate hints: allow: - POST deactivate: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/lifecycle/deactivate hints: allow: - POST RetrieveCurrentSessionResponse: summary: Retrieve current session value: amr: - pwd createdAt: '2019-08-24T14:15:22Z' expiresAt: '2019-08-24T14:15:22Z' id: l7FbDVqS8zHSy65uJD85 idp: id: 01a2bcdef3GHIJKLMNOP type: ACTIVE_DIRECTORY 
lastFactorVerification: '2019-08-24T14:15:22Z' lastPasswordVerification: '2019-08-24T14:15:22Z' login: user@example.com status: ACTIVE userId: 00u0abcdefGHIJKLMNOP _links: self: hints: allow: - GET - DELETE href: https://{yourOktaDomain}/api/v1/sessions/me refresh: hints: allow: - POST href: https://{yourOktaDomain}/api/v1/sessions/me/lifecycle/refresh user: hints: allow: - GET href: https://{yourOktaDomain}/api/v1/users/me name: User Name RetrieveCustomTokenClaimResponse: summary: Retrieve a custom token claim response value: - id: '{claimId}' name: Support status: ACTIVE claimType: IDENTITY valueType: GROUPS value: Support conditions: scopes: - profile system: false alwaysIncludeInToken: true apiResourceId: null group_filter_type: CONTAINS _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/claims/{claimId} hints: allow: - GET - PUT - DELETE RetrieveFeaturesResponse: summary: Retrieve a feature by ID value: id: ftrZooGoT8b41iWRiQs7 description: Example feature description name: Example feature name stage: state: CLOSED value: BETA status: DISABLED type: self-service _links: self: hints: allow: - POST href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 dependents: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents dependencies: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies RetrieveGroupPushMappingResponse_Example: value: created: '2025-01-01T00:00:00Z' errorSummary: '' id: gPm00000000000000000 lastPush: '2025-01-01T00:00:00Z' lastUpdated: '2025-01-01T00:00:00Z' sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupId: 00g00000000000000001 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 RetrieveGroupPushMappingResponse_Example_ActiveDirectory: value: 
appConfig: type: ACTIVE_DIRECTORY distinguishedName: dc=example,dc=com groupScope: GLOBAL groupType: SECURITY samAccountName: AdGroup created: '2025-01-01T00:00:00Z' errorSummary: '' id: gPm00000000000000000 lastPush: '2025-01-01T00:00:00Z' lastUpdated: '2025-01-01T00:00:00Z' sourceGroupId: 00g00000000000000000 status: ACTIVE targetGroupId: 00g00000000000000001 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 RetrieveKeyResponse: summary: Retrieve a key by ID response example value: id: HKY1p7jWLndGQV9M60g4 keyId: 7fbc27fd-e3df-4522-86bf-1930110256ad name: My new key created: '2022-08-31T18:09:58.000Z' lastUpdated: '2022-08-31T18:09:58.000Z' isUsed: 'false' RetrieveMappingsResponse: summary: Retrieve a single profile mapping value: id: prm1k47ghydIQOTBW0g4 source: id: otysbePhQ3yqt4cVv0g3 name: user type: user _links: self: href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 target: id: 0oa1qmn4LZQQEH0wZ0g4 name: okta_org2org type: appuser _links: self: href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default properties: firstName: expression: user.firstName pushStatus: PUSH lastName: expression: user.lastName pushStatus: PUSH _links: self: href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 RetrieveNetworkZoneDynamic: summary: Dynamic network zone value: type: DYNAMIC id: nzoy0ox5xADOZtKrh0g6 name: test status: ACTIVE usage: POLICY created: '2022-05-19T15:33:32.000Z' lastUpdated: '2022-05-19T15:33:32.000Z' system: false locations: - country: AF region: AF-BGL proxyType: ANY asns: - '23457' _links: self: href: 
https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzoy0ox5xADOZtKrh0g6/lifecycle/deactivate hints: allow: - POST RetrieveNetworkZoneIP: summary: IP network zone value: type: IP id: nzowc1U5Jh5xuAK0o0g3 name: MyIpZone status: ACTIVE usage: POLICY created: '2021-06-24T20:37:32.000Z' lastUpdated: '2021-06-24T20:37:32.000Z' system: false gateways: - type: CIDR value: 1.2.3.4/24 proxies: - type: RANGE value: 3.3.4.5-3.3.4.15 _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzowc1U5Jh5xuAK0o0g3/lifecycle/deactivate hints: allow: - POST RetrievePublicKeyResponse: summary: Retrieve public key response example value: _embedded: kty: RSA alg: RSA kid: 7fbc27fd-e3df-4522-86bf-1930110256ad use: null e: AQAB 'n': 2naqCnv6r4xNQs7207lRtKQvdtnlVND-8k5iYBIiqoKGY3CqUmRm1jleoOniiQoMkFX8Wj2DmVqr002efF3vOQ7_gjtTatBTVUNbNIQLybun4dkVoUtfP7pRc5SLpcP3eGPRVar734ZrpQXzmCEdpqBt3jrVjwYjNE5DqOjbYXFJtMsy8CWE9LRJ3kyHEoHPzo22dG_vMrXH0_sAQoCk_4TgNCbvyzVmGVYXI_BkUnp0hv2pR4bQVRYzGB9dKJdctOh8zULqc_EJ8tiYsS05YnF7whrWEyARK0rH-e4d4W-OmBTga_zhY4kJ4NsoQ4PyvcatZkxjPO92QHQOFDnf3w` RetrieveRefreshTokenClientResponse: summary: Retrieve a refresh token for a client value: - id: '{refreshTokenId}' status: ACTIVE created: '2023-09-21T19:59:56.000Z' lastUpdated: '2023-09-21T20:00:38.000Z' expiresAt: '2023-09-28T20:00:38.000Z' issuer: https://{yourOktaDomain}/oauth2/{authorizationServerId} client_id: '{clientId}' userId: '{userId}' scopes: - offline_access - openid _embedded: scopes: - id: '{scopeID}' name: offline_access displayName: Keep you signed in to the app description: This keeps you signed in to the app, even when you aren't using it. 
_links: scope: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} title: Keep you signed in to the app - id: '{scopeId}' name: openid displayName: openid description: Signals that a request is an OpenID request _links: scope: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/{scopeId} title: openid _links: app: href: https://{yourOktaDomain}/api/v1/apps/{appId} title: My Web App authorizationServer: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId} title: Authorization Server name self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} revoke: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/clients/{clientId}/tokens/{tokenId} hints: allow: - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/{clientId} title: My Web App user: href: https://{yourOktaDomain}/api/v1/users/{userId} title: Joe User RetrieveSessionResponse: summary: Retrieve session information for a single session ID value: amr: - pwd createdAt: '2019-08-24T14:15:22Z' expiresAt: '2019-08-24T14:15:22Z' id: l7FbDVqS8zHSy65uJD85 idp: id: 01a2bcdef3GHIJKLMNOP type: ACTIVE_DIRECTORY lastFactorVerification: '2019-08-24T14:15:22Z' lastPasswordVerification: '2019-08-24T14:15:22Z' login: user@example.com status: ACTIVE userId: 00u0abcdefGHIJKLMNOP _links: self: hints: allow: - DELETE href: https://{yourOktaDomain}/api/v1/sessions/l7FbDVqS8zHSy65uJD85 RetrieveUISchemaResponse: summary: Retrieves a UI schema response value: id: uis4a7liocgcRgcxZ0g7 uiSchema: type: Group label: Sign in buttonLabel: Submit elements: - type: Control scope: '#/properties/firstName' label: First name options: format: text - type: Control scope: '#/properties/lastName' label: Last name options: format: text - type: Control scope: '#/properties/email' label: Email options: format: text - type: Control 
scope: '#/properties/countryCode' label: Country code options: format: select - type: Control scope: '#/properties/bool2' label: bool2 options: format: checkbox - type: Control scope: '#/properties/date' label: date - type: Control scope: '#/properties/enum' label: enum options: format: radio created: '2022-07-25T12:56:31.000Z' lastUpdated: '2022-07-26T11:53:59.000Z' _links: self: href: https://example.com/api/v1/meta/uischemas/uis4a7liocgcRgcxZ0g7 hints: allow: - GET - PUT - DELETE RevokeOktaSupportAccessStatus: summary: Revoke Okta Support access value: impersonation: status: DISABLED expiration: null caseNumber: '1011001' RevokeOktaSupportAccessStatusRequest: summary: Revoke Okta Support access value: impersonation: status: DISABLED RiskEventsRequestExample: summary: Risk events payload example value: - timestamp: '2021-01-20T00:00:00.001Z' subjects: - ip: 6.7.6.7 riskLevel: MEDIUM - ip: 1.1.1.1 riskLevel: HIGH message: Detected Attack tooling and suspicious activity - timestamp: '2021-01-20T01:00:00.001Z' subjects: - ip: 6.7.6.7 riskLevel: LOW - ip: 2.2.2.2 riskLevel: HIGH RiskProviderPutRequest: summary: Replace risk provider request example value: name: Risk-Partner-Y action: enforce_and_log clientId: 00ckjsfgjkdkjdkkljjsd RiskProviderPutResponse: summary: Replace risk provider response example value: id: 00rp12r4skkjkjgsn action: enforce_and_log name: Risk-Partner-Y clientId: 00ckjsfgjkdkjdkkljjsd created: '2021-01-05 22:18:30' lastUpdated: '2021-01-05 23:18:30' _links: self: href: https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn hints: allow: - GET - PUT RiskProviderRequest: summary: Risk provider payload example value: name: Risk-Partner-X action: log_only clientId: 00ckjsfgjkdkjdkkljjsd RiskProviderResponse: summary: Risk provider response example value: id: 00rp12r4skkjkjgsn action: log_only name: Risk-Partner-X clientId: 00ckjsfgjkdkjdkkljjsd created: '2021-01-05 22:18:30' lastUpdated: '2021-01-05 22:18:30' _links: self: href: 
https://{yourOktaDomain}/api/v1/risk/providers/00rp12r4skkjkjgsn hints: allow: - GET - PUT RoleAssignedUsersResponseExample: value: value: - id: 00u118oQYT4TBGuay0g4 orn: orn:okta:00o5rb5mt2H3d1TJd0h7:users:00u118oQYT4TBGuay0g4 _links: self: href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4 roles: href: http://your-subdomain.okta.com/api/v1/users/00u118oQYT4TBGuay0g4/roles _links: next: href: http://your-subdomain.okta.com/api/v1/iam/assignees/users?after=00u118oQYT4TBGuay0g4&limit=1 RoleRequest: value: label: UserCreator description: Create users permissions: - okta.users.create - okta.users.read - okta.groups.read - okta.users.userprofile.manage RoleResponse: value: id: cr0Yq6IJxGIr0ouum0g3 label: UserCreator description: Create users created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 RoleTargetAppInstanceResponse: value: - orn: orn:okta:idp:00o5yd9J0satsK2Rp0g4:apps:myownapp:0oa5yriAxuR12wfQ30g4 assignmentType: USER expiration: '2025-05-10T20:21:11.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/apps/0oa5yriAxuR12wfQ30g4 RoleTargetAppResponse: value: - orn: orn:okta:idp:00ozjqqlt6mmHQonQ0g3:apps:gooddata assignmentType: GROUP expiration: '2025-05-10T20:21:11.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/apps%3Ffilter%3Dname%2Beq%2B%22gooddata%22 RoleTargetGroupResponse: value: - orn: orn:okta:directory:00o5v1t2W4OSF9r4N0g4:groups:00g5vhi3rEJMOog1S0g4 assignmentType: USER expiration: '2025-05-10T20:21:11.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/groups/00g5vhi3rEJMOog1S0g4 RolesResponse: value: roles: - id: cr0Yq6IJxGIr0ouum0g3 label: UserCreator description: Create users created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: permissions: href: 
https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3/permissions self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 - id: cr0Fw7HKcWIroo88m3r1 label: GroupMembershipManager description: Manage group membership created: '2021-02-06T16:20:57.000Z' lastUpdated: '2021-02-06T16:20:57.000Z' _links: permissions: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1/permissions self: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Fw7HKcWIroo88m3r1 _links: next: href: https://{yourOktaDomain}/api/v1/iam/roles?after=cr0Fw7HKcWIroo88m3r1 SAMLHookResponseExample: summary: An example SAML assertion inline hook response value: commands: - type: com.okta.assertion.patch value: - op: replace path: /claims/array/attributeValues/1/value value: replacementValue - op: replace path: /authentication/authnContext value: authnContextClassRef: replacementValue - op: add path: /claims/extPatientId value: attributes: NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic attributeValues: - attributes: xsi:type: xs:string value: '4321' - op: add path: /authentication/sessionLifetime value: 300 - type: com.okta.assertion.patch value: - op: replace path: /authentication/sessionIndex value: exampleSession SAMLHookResponseWithURIFormat: summary: An example with `replace` and `add` operations with the URI formatted claim encoded value: commands: - type: com.okta.assertion.patch value: - op: replace path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributeValues/0/value value: replacementValue - op: replace path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1foo/attributes value: attributes: NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic - op: add path: /claims/http:~1~1schemas.xmlsoap.org~1ws~12005~105~1identity~1claims~1bar value: attributes: NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:basic attributeValues: - attributes: xsi:type: xs:string value: bearer 
SAMLPayLoadExample: summary: An example SAML assertion inline hook request body value: source: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml eventId: XMFoHCM1S4Wi_SGWzL8T9A eventTime: '2019-03-28T19:15:23.000Z' data: context: request: id: reqqXypjzYJRSu2j1G1imUovA method: GET url: value: https://${yourOktaDomain}/app/saml20app_1/exkth8lMzFm0HZOTU0g3/sso/saml ipAddress: 127.0.0.1 protocol: type: SAML2.0 issuer: id: 0oath92zlO60urQOP0g3 name: SAML 2.0 App uri: http://www.okta.com/exkth8lMzFm0HZOTU0g3 session: id: 102LN9Bnuc4S_ewfc9BYwageA userId: 00uq8tMo3zV0OfJON0g3 login: user@example.com createdAt: '2019-03-28T16:45:55.000Z' expiresAt: '2019-03-28T21:15:23.000Z' status: ACTIVE lastPasswordVerification: '2019-03-28T16:45:55.000Z' amr: - PASSWORD idp: id: 00oq6kcVwvrDY2YsS0g3 type: OKTA mfaActive: false user: id: 00uq8tMo3zV0OfJON0g3 passwordChanged: '2018-09-11T23:19:12.000Z' profile: login: user@example.com firstName: Admin lastName: Last locale: en timeZone: America/Los_Angeles _links: groups: href: https://${yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups factors: href: https://${yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors assertion: subject: nameId: user@example.com nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified confirmation: method: urn:oasis:names:tc:SAML:2.0:cm:bearer data: recipient: http://www.example.com:7070/saml/sso authentication: sessionIndex: id1553800523546.312669168 authnContext: authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport conditions: audienceRestriction: - urn:example:sp claims: extPatientId: attributes: NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified attributeValues: - attributes: xsi:type: xs:integer value: '4321' array: attributes: NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified attributeValues: - attributes: xsi:type: xs:string value: Array 1 - attributes: xsi:type: xs:string value: Array2 - attributes: 
xsi:type: xs:string value: Array3 middle: attributes: NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified attributeValues: - attributes: xsi:type: xs:string value: admin firstAndLast: attributes: NameFormat: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified attributeValues: - attributes: xsi:type: xs:string value: 7d6a50c8-4d7e-4058-9c5b-2cc98cecd294 lifetime: expiration: 300 eventTypeVersion: '1.0' cloudEventVersion: '0.1' eventType: com.okta.saml.tokens.transform contentType: application/json SMSTemplateEditablePropertyValues: value: name: Custom type: SMS_VERIFY_CODE template: '${org.name}: your verification code is ${code}' translations: es: '${org.name}: el código de verificación es ${code}' fr: '${org.name}: votre code de vérification est ${code}' it: '${org.name}: il codice di verifica è ${code}' SMSTemplateListResponse: value: - id: 6NQUJ5yR3bpgEiYmq8IC name: Custom type: SMS_VERIFY_CODE template: '${org.name}: your verification code is ${code}' translations: es: '${org.name}: el código de verificación es ${code}' fr: '${org.name}: votre code de vérification est ${code}' it: '${org.name}: il codice di verifica è ${code}' created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' SMSTemplateResponseValues: value: id: 6NQUJ5yR3bpgEiYmq8IC name: Custom type: SMS_VERIFY_CODE template: '${org.name}: your verification code is ${code}' translations: es: '${org.name}: el código de verificación es ${code}' fr: '${org.name}: votre code de vérification est ${code}' it: '${org.name}: il codice di verifica è ${code}' created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' Saml2.0Ex: summary: SAML_2_0 value: label: Example Custom SAML 2.0 App visibility: autoSubmitToolbar: false hide: iOS: false web: false signOnMode: SAML_2_0 settings: signOn: defaultRelayState: '' ssoAcsUrl: http://testorgone.okta idpIssuer: http://www.okta.com/${org.externalKey} audience: asdqwe123 recipient: http://testorgone.okta 
destination: http://testorgone.okta subjectNameIdTemplate: ${user.userName} subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified responseSigned: true assertionSigned: true signatureAlgorithm: RSA_SHA256 digestAlgorithm: SHA256 honorForceAuthn: true authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport samlAssertionLifetimeSeconds: 3600 slo: enabled: true issuer: https://testorgone.okta.com logoutUrl: https://testorgone.okta.com/logout participateSlo: enabled: true logoutRequestUrl: https://testorgone.okta.com/logout/participate sessionIndexRequired: true bindingType: REDIRECT spCertificate: x5c: - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n" assertionEncryption: enabled: true keyTransportAlgorithm: RSA_15 encryptionAlgorithm: AES256_GCM x5c: - "MIIC6jCCAdKgAwIBAgIGAZKbFN7JMA0GCSqGSIb3DQEBCwUAMDYxNDAyBgNVBAMM\r\n" requestCompressed: false allowMultipleAcsEndpoints: true acsEndpoints: - url: http://testorgone.okta index: 0 - url: http://testorgone.okta/1 index: 1 attributeStatements: - type: EXPRESSION name: Attribute namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified values: - Value Saml2.0PutEx: summary: SAML_2_0 value: label: Example Custom SAML 2.0 App updated visibility: autoSubmitToolbar: false hide: iOS: false web: false signOnMode: SAML_2_0 settings: signOn: defaultRelayState: '' ssoAcsUrl: http://testorgone.okta idpIssuer: http://www.okta.com/${org.externalKey} audience: asdqwe123 recipient: http://testorgone.okta destination: http://testorgone.okta subjectNameIdTemplate: ${user.userName} subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified responseSigned: true assertionSigned: true signatureAlgorithm: RSA_SHA256 digestAlgorithm: SHA256 honorForceAuthn: true authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport samlAssertionLifetimeSeconds: 3600 slo: enabled: true issuer: 
https://testorgone.okta.com logoutUrl: https://testorgone.okta.com/logout participateSlo: enabled: true logoutRequestUrl: https://testorgone.okta.com/logout/participate sessionIndexRequired: true bindingType: REDIRECT spCertificate: x5c: - "MIIFnDCCA4QCCQDBSLbiON2T1zANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMxDjAMBgNV\r\n..." assertionEncryption: enabled: true keyTransportAlgorithm: RSA_15 encryptionAlgorithm: AES256_GCM x5c: - "MIIC6jCCAdKgAwIBAgIGAZKbFN7JMA0GCSqGSIb3DQEBCwUAMDYxNDAyBgNVBAMM\r\n" requestCompressed: false allowMultipleAcsEndpoints: true acsEndpoints: - url: http://testorgone.okta index: 0 - url: http://testorgone.okta/1 index: 1 attributeStatements: - type: EXPRESSION name: Attribute namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified values: - Value Saml2.0PutResponseEx: summary: SAML_2_0 value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: testorgone_examplecustomsaml20app_1_link: true name: testorgone_examplecustomsaml20app_1 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_examplecustomsaml20app_1:0oafxqCAJWWGELFTYASJ label: Example Custom SAML 2.0 App updated features: 
[] signOnMode: SAML_2_0 credentials: userNameTemplate: template: ${source.email} type: BUILT_IN signing: kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q settings: app: {} signOn: defaultRelayState: null ssoAcsUrl: http://testorgone.okta idpIssuer: http://www.okta.com/${org.externalKey} audience: asdqwe123 recipient: http://testorgone.okta destination: http://testorgone.okta subjectNameIdTemplate: ${user.userName} subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified responseSigned: true assertionSigned: true signatureAlgorithm: RSA_SHA256 digestAlgorithm: SHA256 honorForceAuthn: true authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport spIssuer: https://testorgone.okta.com samlAssertionLifetimeSeconds: 3600 slo: enabled: true issuer: https://testorgone.okta.com logoutUrl: https://testorgone.okta.com/logout requestCompressed: false allowMultipleAcsEndpoints: false acsEndpoints: [] samlSignedRequestEnabled: false attributeStatements: - type: EXPRESSION name: Attribute namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified values: - Value inlineHooks: [] notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED Saml2.0ResponseEx: summary: SAML_2_0 value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: 
http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: testorgone_examplecustomsaml20app_1_link: true name: testorgone_examplecustomsaml20app_1 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_examplecustomsaml20app_1:0oafxqCAJWWGELFTYASJ label: Example Custom SAML 2.0 App features: [] signOnMode: SAML_2_0 credentials: userNameTemplate: template: ${source.email} type: BUILT_IN signing: kid: mh_16Cc8sIfHMFDMlHnp194cxKvJ6yXqs_mNn_6ZC0Q settings: app: {} signOn: defaultRelayState: null ssoAcsUrl: http://testorgone.okta idpIssuer: http://www.okta.com/${org.externalKey} audience: asdqwe123 recipient: http://testorgone.okta destination: http://testorgone.okta subjectNameIdTemplate: ${user.userName} subjectNameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified responseSigned: true assertionSigned: true signatureAlgorithm: RSA_SHA256 digestAlgorithm: SHA256 honorForceAuthn: true authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport spIssuer: https://testorgone.okta.com samlAssertionLifetimeSeconds: 3600 slo: enabled: true issuer: https://testorgone.okta.com logoutUrl: https://testorgone.okta.com/logout requestCompressed: false allowMultipleAcsEndpoints: false acsEndpoints: [] samlSignedRequestEnabled: false attributeStatements: - type: EXPRESSION name: Attribute namespace: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified values: - Value inlineHooks: [] notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED SamlIdPResponse: summary: SAML 2.0 IdP value: id: 0oa62bc8wppPw0UGr0h7 
type: SAML2 name: Example SAML IdP status: ACTIVE created: '2016-03-24T23:14:54.000Z' lastUpdated: '2016-03-24T23:14:54.000Z' protocol: type: SAML2 endpoints: sso: url: https://idp.example.com binding: HTTP-POST destination: https://idp.example.com slo: url: https://idp.example.com/slo binding: HTTP-POST acs: binding: HTTP-POST type: INSTANCE algorithms: request: signature: algorithm: SHA-256 scope: REQUEST response: signature: algorithm: SHA-256 scope: ANY settings: nameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified participateSlo: true credentials: trust: issuer: https://idp.example.com audience: http://www.okta.com/123 kid: your-key-id additionalKids: - additional-key-id policy: provisioning: action: AUTO profileMaster: true groups: action: NONE conditions: deprovisioned: action: NONE suspended: action: NONE accountLink: filter: null action: AUTO subject: userNameTemplate: template: saml.subjectNameId filter: (\S+@example\.com) matchType: USERNAME mapAMRClaims: false maxClockSkew: 0 _links: metadata: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/metadata.xml type: application/xml hints: allow: - GET acs: href: https://{yourOktaDomain}/sso/saml2/0oa62bc8wppPw0UGr0h7 type: application/xml hints: allow: - POST users: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/users hints: allow: - GET deactivate: href: https://{yourOktaDomain}/api/v1/idps/0oa62bc8wppPw0UGr0h7/lifecycle/deactivate hints: allow: - POST ScimBearerAuthSettings: summary: SCIM bearer auth settings example value: authType: SCIM_BEARER ScimHeaderAuthSettings: summary: SCIM header auth settings example value: authType: SCIM_HEADER SecurePasswordStoreEx: summary: SECURE_PASSWORD_STORE value: name: template_sps label: Example SWA App signOnMode: SECURE_PASSWORD_STORE settings: app: url: https://example.com/login.html passwordField: '#txtbox-password' usernameField: '#txtbox-username' optionalField1: param1 optionalField1Value: somevalue optionalField2: 
param2 optionalField2Value: yetanothervalue optionalField3: param3 optionalField3Value: finalvalue SecurePasswordStorePutEx: summary: SECURE_PASSWORD_STORE value: name: template_sps label: Example SWA App updated signOnMode: SECURE_PASSWORD_STORE settings: app: url: https://example.com/login.html passwordField: '#txtbox-password' usernameField: '#txtbox-username' optionalField1: param1 optionalField1Value: somevalue_updated optionalField2: param2 optionalField2Value: yetanothervalue optionalField3: param3 optionalField3Value: finalvalue_updated SecurePasswordStorePutResponseEx: summary: SECURE_PASSWORD_STORE value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_sps orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_sps:0oafxqCAJWWGELFTYASJ label: Example SWA App updated features: [] signOnMode: SECURE_PASSWORD_STORE credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: url: https://example.com/login.html passwordField: '#txtbox-password' usernameField: '#txtbox-username' 
optionalField1: param1 optionalField1Value: somevalue_updated optionalField2: param2 optionalField2Value: yetanothervalue optionalField3: param3 optionalField3Value: finalvalue_updated notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED SecurePasswordStoreResponseEx: summary: SECURE_PASSWORD_STORE value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_sps orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_sps:0oafxqCAJWWGELFTYASJ label: Example SWA App features: [] signOnMode: SECURE_PASSWORD_STORE credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.email} type: BUILT_IN revealPassword: false signing: {} settings: app: url: https://example.com/login.html passwordField: '#txtbox-password' usernameField: '#txtbox-username' optionalField1: param1 optionalField1Value: somevalue optionalField2: param2 optionalField2Value: yetanothervalue optionalField3: param3 optionalField3Value: finalvalue notifications: vpn: network: 
connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED SecurityEventTokenJwtHeaderExample: summary: Example JWT header value: kid: kid typ: secevent+jwt alg: RS256 SecurityEventsProviderRequestIssuerAndJwksUrl: summary: Provider with issuer and JWKS value: name: Security Events Provider with an issuer and a JWKS URL type: okta settings: issuer: Issuer jwks_url: https://example.okta.com/jwks/path SecurityEventsProviderRequestWellKnownUrl: summary: Provider with well-known URL value: name: Security Events Provider with well-known URL type: okta settings: well_known_url: https://example.okta.com/.well-known/ssf-configuration SecurityEventsProviderResponseIssuerAndJwksUrl: summary: Provider with issuer and JWKS value: id: sse1qu4fUtsoD12iF0g5 name: Security Events Provider with an issuer and a JWKS URL type: okta status: ACTIVE settings: issuer: Issuer jwks_url: https://example.okta.com/jwks/path _links: self: href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5 hints: allow: - GET - PUT - DELETE deactivate: href: https://example.okta.com/api/v1/security-events-providers/sse1qu4fUtsoD12iF0g5/lifecycle/deactivate hints: allow: - POST SecurityEventsProviderResponseWellKnownUrl: summary: Provider with well-known URL value: id: sse1qg25RpusjUP6m0g5 name: Security Events Provider with well-known URL type: okta status: ACTIVE settings: well_known_url: https://example.okta.com/.well-known/ssf-configuration issuer: Issuer jwks_url: https://example.okta.com/jwks/path _links: self: href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5 hints: allow: - GET - PUT - DELETE deactivate: href: https://example.okta.com/api/v1/security-events-providers/sse1qg25RpusjUP6m0g5/lifecycle/deactivate hints: allow: - POST SendPinRequestExample: summary: Send PIN request value: authenticatorEnrollmentId: fwf5ajzJEWqknX6lk0g4 
fulfillmentProvider: yubico userId: 00us2hPODQncCkxef0g3 Set-User-Classification-Example: value: type: LITE SimulatePolicyBody: summary: Simulate policy request body value: policyType: - OKTA_SIGN_ON - MFA_ENROLL appInstance: 0oa4eroj3nYCIJIW70g7 policyContext: groups: ids: - 00g4eralvekR5RLuS0g7 - 00g4eralvekR5RLuS0g8 risk: level: LOW zones: ids: - nzo4eralxcRnbIHYJ0g7 device: platform: IOS registered: true managed: true SimulatePolicyElExpressionBody: summary: Simulate policy request body with EL context value: appInstance: 0oa4fdudGhhB5FNKR0g4 policyContext: user: id: 00u10wvS3zms2JVaO0g4 status: ACTIVE created: '2024-04-29T18:05:24.000Z' lastUpdated: '2024-04-29T18:05:24.000Z' passwordChanged: '2024-04-29T18:05:24.000Z' lastLogin: '2024-04-29T18:05:24.000Z' profile: city: string costCenter: string countryCode: st department: string displayName: string division: string email: user@example.com employeeNumber: string firstName: string honorificPrefix: string honorificSuffix: string lastName: string locale: string login: string manager: string managerId: string middleName: string mobilePhone: string nickName: string organization: string postalAddress: string preferredLanguage: string primaryPhone: string profileUrl: string secondEmail: user@example.com state: string streetAddress: string timezone: string title: string userType: string zipCode: string SimulatePolicyElExpressionResponse: summary: Simulate policy response body with EL context value: evaluation: - status: null policyType: OKTA_SIGN_ON result: policies: - id: 00p4eromwukk6qUku0g7 name: test policy status: MATCH conditions: [] rules: - id: 0pr4erof85nGcyC7Y0g7 name: test rule status: MATCH conditions: - type: people.groups.include status: MATCH undefined: policies: [] evaluated: policies: [] - status: null policyType: MFA_ENROLL result: policies: - id: 00p4eram2kw1aLcrx0g7 name: Default Policy status: MATCH conditions: [] rules: - id: 0pr4eram2lMQT5FZF0g7 name: null status: MATCH conditions: [] 
undefined: policies: [] evaluated: policies: [] - status: null policyType: ACCESS_POLICY result: policies: - id: rst4eram06ZKZewEe0g7 name: Any two factors status: MATCH conditions: [] rules: - id: rul4eram07VsWgybo0g7 name: Catch-all rule status: MATCH conditions: [] undefined: policies: [] evaluated: policies: [] - status: null policyType: PROFILE_ENROLLMENT result: policies: - id: rst4eram08ZSjPTOl0g7 name: Default Policy status: MATCH conditions: [] rules: - id: rul4eram094PrQ2BX0g7 name: Catch-all rule status: MATCH conditions: [] undefined: policies: [] evaluated: policies: [] SimulatePolicyResponse: summary: Simulate policy response body value: evaluation: - status: null policyType: OKTA_SIGN_ON result: policies: - id: 00p4eromwukk6qUku0g7 name: test policy status: MATCH conditions: [] rules: - id: 0pr4erof85nGcyC7Y0g7 name: test rule status: MATCH conditions: - type: people.groups.include status: MATCH undefined: policies: [] evaluated: policies: [] - status: null policyType: MFA_ENROLL result: policies: - id: 00p4eram2kw1aLcrx0g7 name: Default Policy status: MATCH conditions: [] rules: - id: 0pr4eram2lMQT5FZF0g7 name: null status: MATCH conditions: [] undefined: policies: [] evaluated: policies: [] - status: null policyType: ACCESS_POLICY result: policies: - id: rst4eram06ZKZewEe0g7 name: Any two factors status: MATCH conditions: [] rules: - id: rul4eram07VsWgybo0g7 name: Catch-all rule status: MATCH conditions: [] undefined: policies: [] evaluated: policies: [] - status: null policyType: PROFILE_ENROLLMENT result: policies: - id: rst4eram08ZSjPTOl0g7 name: Default Policy status: MATCH conditions: [] rules: - id: rul4eram094PrQ2BX0g7 name: Catch-all rule status: MATCH conditions: [] undefined: policies: [] evaluated: policies: [] SmartCardIdPResponse: summary: SmartCard IdP value: id: 0oa6jxasyhwM2ZHJh0g4 type: X509 name: Smart Card IDP Name status: ACTIVE created: '2020-01-07T00:19:27.000Z' lastUpdated: '2020-01-07T00:19:27.000Z' properties: 
additionalAmr: - sc - hwk - pin - mfa protocol: type: MTLS endpoints: sso: url: https://{yourOktaDomain}.okta.com/login/cert credentials: trust: issuer: CN=Test Smart Card, OU=Test OU, O=Test O, C=US audience: null kid: 45dec5ff-8cdc-48c0-85fe-a4869f1753dc revocation: CRL revocationCacheLifetime: 2880 policy: provisioning: action: DISABLED profileMaster: false groups: null subject: userNameTemplate: template: idpuser.subjectAltNameEmail filter: null matchType: EMAIL matchAttribute: null mapAMRClaims: false maxClockSkew: 120000 _links: deactivate: href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/lifecycle/deactivate hints: allow: - POST users: href: https://{yourOktaDomain}.okta.com/api/v1/idps/0oa6jxasyhwM2ZHJh0g4/users hints: allow: - GET keys: href: https://{yourOktaDomain}.okta.com/api/v1/idps/credentials/keys/45dec5ff-8cdc-48c0-85fe-a4869f1753dc hints: allow: - GET SocialAuthTokensResponse: summary: Social authentication tokens value: - id: token: JBTWGV22G4ZGKV3N tokenType: urn:ietf:params:oauth:token-type:access_token tokenAuthScheme: Bearer expiresAt: '2014-08-06T16:56:31.000Z' scopes: - openid - foo - id: token: JBTWGV22G4ZJBRXJ tokenType: urn:ietf:params:oauth:token-type:id_token tokenAuthScheme: null StandardAndCustomRolesListResponse: value: - id: IFIFAX2BIRGUSTQ label: Application administrator type: APP_ADMIN status: ACTIVE created: '2019-02-06T16:17:40.000Z' lastUpdated: '2019-02-06T16:17:40.000Z' assignmentType: USER _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 - id: JBCUYUC7IRCVGS27IFCE2SKO label: Help Desk administrator type: HELP_DESK_ADMIN status: ACTIVE created: '2019-02-06T16:17:40.000Z' lastUpdated: '2019-02-06T16:17:40.000Z' assignmentType: USER _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 - id: ra125eqBFpETrMwu80g4 label: Organization administrator type: ORG_ADMIN status: ACTIVE created: '2019-02-06T16:17:40.000Z' lastUpdated: 
'2019-02-06T16:17:40.000Z' assignmentType: USER _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 - id: gra25fapn1prGTBKV0g4 label: API Access Management administrator type: API_ACCESS_MANAGEMENT_ADMIN status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: GROUP _links: assignee: href: https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 - id: irb1q92TFAHzySt3x0g4 role: cr0Yq6IJxGIr0ouum0g3 label: UserCreatorRole type: CUSTOM status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: USER resource-set: iamoJDFKaJxGIr0oamd9g _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00u1gytb3XCr9Dkr18r2 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 permissions: href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions - id: irb5e92YgBazyyQ3x1q5 role: cr0Yq6IJxGIr0ouum0g3 label: UserCreatorRole type: CUSTOM status: ACTIVE created: '2019-02-06T16:20:57.000Z' lastUpdated: '2019-02-06T16:20:57.000Z' assignmentType: GROUP resource-set: iamoakjsdQaJxGIr03int1o _links: assignee: href: https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 resource-set: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoakjsdQaJxGIr03int1o member: href: https://{yourOktaDomain}/api/v1/iam/resource-sets/iamoJDFKaJxGIr0oamd9g/bindings/cr0Yq6IJxGIr0ouum0g3/members/irb1qe6PGuMc7Oh8N0g4 role: href: https://{yourOktaDomain}/api/v1/iam/roles/cr0Yq6IJxGIr0ouum0g3 permissions: href: https://{yourOktaDomain}/api/v1/iam/permission-sets/cr0Yq6IJxGIr0ouum0g3/permissions StandardRoleAssignmentRequest: value: type: HELP_DESK_ADMIN 
StandardRoleResponseClient: value: id: JBCUYUC7IRCVGS27IFCE2SKO label: Help Desk Administrator type: HELP_DESK_ADMIN status: ACTIVE created: '2023-05-01T14:24:54.000Z' lastUpdated: '2023-05-01T14:24:54.000Z' assignmentType: CLIENT _links: assignee: href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles StandardRoleResponseUser: value: id: ra1b8anIk7rx7em7L0g4 label: Super Organization administrator type: SUPER_ADMIN status: ACTIVE created: '2015-09-06T15:28:47.000Z' lastUpdated: '2015-09-06T15:28:47.000Z' assignmentType: USER _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR StandardRolesListResponse: value: - id: IFIFAX2BIRGUSTQ label: Application administrator type: APP_ADMIN status: ACTIVE created: '2019-02-06T16:17:40.000Z' lastUpdated: '2019-02-06T16:17:40.000Z' assignmentType: USER _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 - id: JBCUYUC7IRCVGS27IFCE2SKO label: Help Desk administrator type: HELP_DESK_ADMIN status: ACTIVE created: '2019-02-06T16:17:40.000Z' lastUpdated: '2019-02-06T16:17:40.000Z' assignmentType: USER _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 - id: ra125eqBFpETrMwu80g4 label: Organization administrator type: ORG_ADMIN status: ACTIVE created: '2019-02-06T16:17:40.000Z' lastUpdated: '2019-02-06T16:17:40.000Z' assignmentType: USER _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 - id: gra25fapn1prGTBKV0g4 label: API Access Management administrator type: API_ACCESS_MANAGEMENT_ADMIN status: ACTIVE created": '2019-02-06T16:20:57.000Z' lastUpdated": '2019-02-06T16:20:57.000Z' assignmentType": GROUP _links": assignee": href": https://{yourOktaDomain}/api/v1/groups/00g1ousb3XCr9Dkr20g4 StandardRolesListResponseClient: value: - id: JBCUYUC7IRCVGS27IFCE2SKO label: Help Desk Administrator type: HELP_DESK_ADMIN status: ACTIVE created: '2023-05-01T14:24:54.000Z' lastUpdated: 
'2023-05-01T14:24:54.000Z' assignmentType: CLIENT _links: assignee: href: https://{yourOktaDomain}/oauth2/v1/clients/0jrabyQWm4B9zVJPbotY/roles StandardRolesListResponseGroup: value: - id: IFIFAX2BIRGUSTQ label: Application Administrator type: APP_ADMIN status: ACTIVE created: '2019-02-06T16:17:40.000Z' lastUpdated: '2019-02-06T16:17:40.000Z' assignmentType: GROUP _links: assignee: href: https://{yourOktaDomain}/api/v1/users/00ur32Vg0fvpyHZeQ0g3 SubmissionActions: summary: Submission actions example value: actions: - id: okta:action1 provider: type: WORKFLOWS url: https://example.com/workflows/flow1 externalId: JKL490DQNV SubmissionCapabilities: summary: Submission capabilities example value: capabilities: - capability: SSO supportedProtocols: - SAML - OIDC - capability: PROVISIONING supportedProtocols: - ACTIONS SubmissionEMRequest: summary: Submission SCIM with entitlements request example x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] value: name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 provisioning: features: - CREATE_USER - READ_USER - UPDATE_USER - DEACTIVATE_USER - CREATE_GROUP - READ_GROUP - UPDATE_GROUP - DEACTIVATE_GROUP scim: baseUri: '''https://'' + app.subdomain + ''.example.com/scim/v2''' authMode: header setupInstructionsUri: https://doc.example.com/scim-provisioning scimServerConfig: patch: supported: true changePassword: supported: true entitlementTypes: - name: Role description: Roles endpoint: /Roles attributes: required: true multivalued: false mappings: id: roleId displayName: roleName description: description config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false SubmissionEMResponse: summary: Submission SCIM with entitlements response example x-okta-lifecycle: 
lifecycle: EA isGenerallyAvailable: false SKUs: [] value: id: acme_strawberrycentral_1 name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 provisioning: features: - CREATE_USER - READ_USER - UPDATE_USER - DEACTIVATE_USER - CREATE_GROUP - READ_GROUP - UPDATE_GROUP - DEACTIVATE_GROUP scim: baseUri: '''https://'' + app.subdomain + ''.example.com/scim/v2''' authMode: header setupInstructionsUri: https://doc.example.com/scim-provisioning scimServerConfig: patch: supported: true changePassword: supported: true entitlementTypes: - name: Role description: Roles endpoint: /Roles attributes: required: true multivalued: false mappings: id: roleId displayName: roleName description: description config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false status: To be reviewed by Okta lastUpdated: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR lastPublished: null SubmissionItemResponse: summary: Submission item example value: - id: acme_strawberrycentral_1 name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 sso: saml: acs: - url: https://${org.subdomain}.example.com/saml/login entityId: https://${org.subdomain}.example.com claims: - name: manager values: - ${user.manager} groups: - name: groups doc: https://example.com/strawberry/help/samlSetup provisioning: features: - CREATE_USER - READ_USER - UPDATE_USER - DEACTIVATE_USER - CREATE_GROUP - READ_GROUP - UPDATE_GROUP - DEACTIVATE_GROUP scim: baseUri: '''https://'' + app.subdomain + ''.example.com/scim/v2''' authMode: header setupInstructionsUri: https://doc.example.com/scim-provisioning scimServerConfig: patch: supported: true changePassword: supported: true 
config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false status: Complete lastUpdated: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR lastPublished: '2023-09-01T13:23:45.000Z' SubmissionOidcRequest: summary: Submission OIDC request example value: name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 sso: oidc: redirectUris: - https://{app.subdomain}.example.com/strawberry/oidc/login initiateLoginUri: https://{app.subdomain}.example.com/strawberry/oidc/sp-init postLogoutUris: - https://{app.subdomain}.example.com/strawberry/oidc/logged-out doc: https://example.com/strawberry/help/oidcSetup config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false SubmissionOidcResponse: summary: Submission OIDC response example value: id: acme_strawberrycentral_1 name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 sso: oidc: redirectUris: - https://{app.subdomain}.example.com/strawberry/oidc/login initiateLoginUri: https://{app.subdomain}.example.com/strawberry/oidc/sp-init postLogoutUris: - https://{app.subdomain}.example.com/strawberry/oidc/logged-out doc: https://example.com/strawberry/help/oidcSetup config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false status: New lastUpdated: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR lastPublished: '2023-09-01T13:23:45.000Z' SubmissionSamlRequest: summary: Submission SAML request 
example value: name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 sso: saml: acs: - url: https://${org.subdomain}.example.com/saml/login entityId: https://${org.subdomain}.example.com claims: - name: manager values: - ${user.manager} groups: - name: groups doc: https://example.com/strawberry/help/samlSetup config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false SubmissionSamlResponse: summary: Submission SAML response example value: id: acme_strawberrycentral_1 name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 sso: saml: acs: - url: https://${org.subdomain}.example.com/saml/login entityId: https://${org.subdomain}.example.com claims: - name: manager values: - ${user.manager} groups: - name: groups doc: https://example.com/strawberry/help/samlSetup config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false status: To be reviewed by Okta lastUpdated: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR lastPublished: null SubmissionScimRequest: summary: Submission SCIM request example x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] value: name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 provisioning: features: - CREATE_USER - READ_USER - UPDATE_USER - DEACTIVATE_USER - CREATE_GROUP - READ_GROUP - UPDATE_GROUP - DEACTIVATE_GROUP scim: baseUri: '''https://'' + app.subdomain + ''.example.com/scim/v2''' authMode: header setupInstructionsUri: 
https://doc.example.com/scim-provisioning scimServerConfig: patch: supported: true changePassword: supported: true config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false SubmissionScimResponse: summary: Submission SCIM response example x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] value: id: acme_strawberrycentral_1 name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 provisioning: features: - CREATE_USER - READ_USER - UPDATE_USER - DEACTIVATE_USER - CREATE_GROUP - READ_GROUP - UPDATE_GROUP - DEACTIVATE_GROUP scim: baseUri: '''https://'' + app.subdomain + ''.example.com/scim/v2''' authMode: header setupInstructionsUri: https://doc.example.com/scim-provisioning scimServerConfig: patch: supported: true changePassword: supported: true config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false status: To be reviewed by Okta lastUpdated: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR lastPublished: null SubmissionsResponse: summary: Submission list example value: - id: acme_strawberrycentral_1 name: Strawberry Central description: Your one source for in-season strawberry deals logo: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 sso: saml: acs: - url: https://${org.subdomain}.example.com/saml/login entityId: https://${org.subdomain}.example.com claims: - name: manager values: - ${user.manager} groups: - name: groups doc: https://example.com/strawberry/help/samlSetup provisioning: features: - CREATE_USER - READ_USER - UPDATE_USER - DEACTIVATE_USER - CREATE_GROUP - READ_GROUP - UPDATE_GROUP - DEACTIVATE_GROUP scim: baseUri: 
'''https://'' + app.subdomain + ''.example.com/scim/v2''' authMode: header setupInstructionsUri: https://doc.example.com/scim-provisioning scimServerConfig: patch: supported: true changePassword: supported: true config: - name: subdomain label: Subdomain globalTokenRevocation: endpoint: '''https://'' + app.subdomain + ''.example.org/gtr''' subjectFormat: EMAIL authMethod: SIGNED_JWT partialLogout: false status: Complete lastUpdated: '2023-08-24T14:15:22.000Z' lastUpdatedBy: 00ub0oNGTSWTBKOLGLNR lastPublished: '2023-09-01T13:23:45.000Z' SupportedFactorResults: value: - factorType: question provider: OKTA vendorName: OKTA _links: questions: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/questions hints: allow: - GET enroll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST - factorType: token:software:totp provider: OKTA _links: enroll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST - factorType: token:software:totp provider: GOOGLE _links: enroll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST - factorType: sms provider: OKTA vendorName: OKTA _links: enroll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST _embedded: phones: - id: mblldntFJevYKbyQQ0g3 profile: phoneNumber: '+14081234567' status: ACTIVE - factorType: call provider: OKTA _links: enroll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST - factorType: token provider: RSA _links: enroll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST - factorType: token provider: SYMANTEC _links: enroll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors hints: allow: - POST TelephonyFailureResponse: summary: An example telephony hook response for an external web service returning failure value: error: - 
errorSummary: Failed to deliver SMS OTP to test.user@okta.com - errorCauses: errorSummary: Provider could not deliver OTP reason: The content of the message is not supported location: South Africa TelephonyPayloadExample: summary: An example telephony inline hook request body value: eventId: uS5871kJThSsU8qlA1LTcg eventTime: '2020-01-17T21:23:56.000Z' eventType: com.okta.telephony.provider eventTypeVersion: '1.0' contentType: application/json cloudEventVersion: '0.1' source: https://${yourOktaDomain}/api/v1/inlineHooks/cbl2ad6phv9fsPLcF0g7 data: context: request: id: reqRgSk8IBBRhuo0YdlEDTmUw method: POST url: value: /api/internal/v1/inlineHooks/com.okta.telephony.provider/generatePreview ipAddress: 127.0.0.1 userProfile: firstName: test lastName: user login: test.user@okta.com userId: 00uyxxSknGtK8022w0g3 messageProfile: msgTemplate: (HOOK)Your code is 11111 phoneNumber: 9876543210 otpExpires: '2022-01-28T21:48:34.321Z' deliveryChannel: SMS otpCode: 11111 locale: EN-US TelephonySuccessResponse: summary: An example telephony hook response for an external web service returning success value: commands: - type: com.okta.telephony.action value: - status: SUCCESSFUL provider: VONAGE transactionId: SM49a8ece2822d44e4adaccd7ed268f954 transactionMetadata: Duration=300ms TenantSettings: summary: Tenant settings example value: appInstanceProperties: - name: subdomain label: Subdomain - name: region label: Region TestInfoEMRequest: summary: SCIM submission with entitlements testing information request value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com scimTestConfiguration: specTestResults: https://www.runscope.com/radar/abcdefghijkl/m01nopq2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-3m4n5o678901 crudTestResults: 
https://www.runscope.com/radar/radfebnsefbd/msdfsvx2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-cdgj455hw45u entitlementsTestResults: https://www.runscope.com/radar/fgdffghfghfg/m01nopq2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-r434565g5451 TestInfoEMResponse: summary: SCIM submission with entitlements testing information response value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com scimTestConfiguration: specTestResults: https://www.runscope.com/radar/abcdefghijkl/m01nopq2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-3m4n5o678901 crudTestResults: https://www.runscope.com/radar/radfebnsefbd/msdfsvx2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-cdgj455hw45u entitlementsTestResults: https://www.runscope.com/radar/fgdffghfghfg/m01nopq2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-r434565g5451 TestInfoOidcRequest: summary: OIDC SSO submission testing information request value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com oidcTestConfiguration: jit: false spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init TestInfoOidcResponse: summary: OIDC SSO submission testing information response value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com oidcTestConfiguration: idp: true sp: true jit: false spInitiateUrl: https://test.example.com/strawberry/oidc/sp-init TestInfoSamlRequest: summary: SAML SSO submission testing 
information request value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com samlTestConfiguration: idp: true sp: true jit: false spInitiateUrl: https://test.example.com/strawberry/saml/sp-init spInitiateDescription: Go to the app URL from a browser and enter your username TestInfoSamlResponse: summary: SAML SSO submission testing information response value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com samlTestConfiguration: idp: true sp: true jit: false spInitiateUrl: https://test.example.com/strawberry/saml/sp-init spInitiateDescription: Go to the app URL from a browser and enter your username TestInfoScimRequest: summary: SCIM submission testing information request value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com scimTestConfiguration: specTestResults: https://www.runscope.com/radar/abcdefghijkl/m01nopq2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-3m4n5o678901 crudTestResults: https://www.runscope.com/radar/radfebnsefbd/msdfsvx2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-cdgj455hw45u TestInfoScimResponse: summary: SCIM submission testing information response value: testAccount: url: https://example.com/strawberry/login username: test@example.com password: sUperP@ssw0rd instructions: Go to your app URL from a browser and enter your credentials escalationSupportContact: strawberry.support@example.com scimTestConfiguration: specTestResults: 
https://www.runscope.com/radar/abcdefghijkl/m01nopq2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-3m4n5o678901 crudTestResults: https://www.runscope.com/radar/radfebnsefbd/msdfsvx2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-cdgj455hw45u ThreatInsightResponseExample: summary: ThreatInsight response value: action: none excludeZones: [] created: '2020-08-05T22:18:30.629Z' lastUpdated: '2020-08-05T22:18:30.629Z' _links: self: href: https://{yourOktaDomain}/api/v1/threats/configuration hints: allow: - GET - POST ThreatInsightUpdateRequestExample: summary: ThreatInsight update request value: action: audit excludeZones: - nzo1q7jEOsoCnoKcj0g4 - nzouagptWUz5DlLfM0g3 ThreatInsightUpdateResponseExample: summary: ThreatInsight update response value: action: audit excludeZones: - nzo1q7jEOsoCnoKcj0g4 - nzouagptWUz5DlLfM0g3 created: '2020-08-05T22:18:30.629Z' lastUpdated: '2020-10-13T21:23:10.178Z' _links: self: href: https://{yourOktaDomain}/api/v1/threats/configuration hints: allow: - GET - POST TokenHookErrorExample: summary: Error response value: error: errorSummary: Human-readable summary of the error TokenHookModifyLifetime: summary: Modify token lifetime value: commands: - type: com.okta.identity.patch value: - op: replace path: /token/lifetime/expiration value: 36000 - type: com.okta.access.patch value: - op: replace path: /token/lifetime/expiration value: 36000 TokenHookRemoveClaim: summary: Remove claim value: commands: - type: com.okta.identity.patch value: - op: remove path: /claims/birthdate value: null - type: com.okta.access.patch value: - op: remove path: /claims/external_guid TokenHookRemoveFromArray: summary: Remove from array value: commands: - type: com.okta.identity.patch value: - op: remove path: /claims/preferred_airports/1 TokenHookRemoveFromObject: summary: Remove from JSON object value: commands: - type: com.okta.identity.patch value: - op: remove path: /claims/employee_profile/email TokenHookReplaceExisting: summary: 
Replace an existing claim value: commands: - type: com.okta.identity.patch value: - op: replace path: /claims/extPatientId value: '1234' - op: replace path: /claims/external_guid value: F0384685-F87D-474B-848D-2058AC5655A7 TokenHookReplaceInPath: summary: Replace within JSON object value: commands: - type: com.okta.identity.patch value: - op: replace path: /claims/employee_profile/email value: anna@company.com TokenHookResponse: summary: An example token inline hook response that adds a claim value: commands: - type: com.okta.identity.patch value: - op: add path: /claims/extPatientId value: '1234' - type: com.okta.access.patch value: - op: add path: /claims/external_guid value: F0384685-F87D-474B-848D-2058AC5655A7 TokenHookResponseAppendArray: summary: Append to array value: commands: - type: com.okta.identity.patch value: - op: add path: /claims/preferred_airports/3 value: lax TokenHookResponseWithURIFormat: summary: Add new members to existing JSON objects value: commands: - type: com.okta.identity.patch value: - op: add path: /claims/employee_profile/department_id value: '4947' TokenPayLoadExample: summary: An example token inline hook request body description: An example token inline hook request body value: source: https://{yourOktaDomain}/oauth2/default/v1/authorize eventId: 3OWo4oo-QQ-rBWfRyTmQYw eventTime: '2019-01-15T23:20:47.000Z' eventTypeVersion: '1.0' cloudEventVersion: '0.1' contentType: application/json eventType: com.okta.oauth2.tokens.transform data: context: request: id: reqv66CbCaCStGEFc8AdfS0ng method: GET url: value: https://{yourOktaDomain}/oauth2/default/v1/authorize?scope=openid+profile+email&response_type=token+id_token&redirect_uri=https%3A%2F%2Fhttpbin.org%2Fget&state=state&nonce=asf&client_id=customClientIdNative ipAddress: 127.0.0.1 protocol: type: OAUTH2.0 request: scope: openid profile email state: state redirect_uri: https://httpbin.org/get response_mode: fragment response_type: token id_token client_id: customClientIdNative issuer: 
uri: https://{yourOktaDomain}/oauth2/default client: id: customClientIdNative name: Native client type: PUBLIC session: id: 102Qoe7t5PcRnSxr8j3I8I6pA userId: 00uq8tMo3zV0OfJON0g3 login: administrator1@clouditude.net createdAt: '2019-01-15T23:17:09.000Z' expiresAt: '2019-01-16T01:20:46.000Z' status: ACTIVE lastPasswordVerification: '2019-01-15T23:17:09.000Z' amr: - PASSWORD idp: id: 00oq6kcVwvrDY2YsS0g3 type: OKTA mfaActive: false user: id: 00uq8tMo3zV0OfJON0g3 passwordChanged: '2018-09-11T23:19:12.000Z' profile: login: administrator1@clouditude.net firstName: Add-Min lastName: O'Cloudy Tud locale: en timeZone: America/Los_Angeles _links: groups: href: https://{yourOktaDomain}/00uq8tMo3zV0OfJON0g3/groups factors: href: https://{yourOktaDomain}/api/v1/users/00uq8tMo3zV0OfJON0g3/factors policy: id: 00pq8lGaLlI8APuqY0g3 rule: id: 0prq8mLKuKAmavOvq0g3 identity: claims: sub: 00uq8tMo3zV0OfJON0g3 name: Add-Min O'Cloudy Tud email: administrator1@clouditude.net ver: 1 iss: https://{yourOktaDomain}/oauth2/default aud: customClientIdNative jti: ID.YxF2whJfB3Eu4ktG_7aClqtCgjDq6ab_hgpiV7-ZZn0 amr: - pwd idp: 00oq6kcVwvrDY2YsS0g3 nonce: asf preferred_username: administrator1@clouditude.net auth_time: 1547594229 token: lifetime: expiration: 3600 access: claims: ver: 1 jti: AT.W-rrB-z-kkZQmHW0e6VS3Or...QfEN_YvoWJa46A7HAA iss: https://{yourOktaDomain}/oauth2/default aud: api://default cid: customClientIdNative uid: 00uq8tMo3zV0OfJON0g3 sub: administrator1@clouditude.net firstName: Add-Min preferred_username: administrator1@clouditude.net token: lifetime: expiration: 3600 scopes: openid: id: scpq7bW1cp6dcvrz80g3 action: GRANT profile: id: scpq7cWJ81CIP5Qkr0g3 action: GRANT email: id: scpq7dxsoz6LQlRj00g3 action: GRANT refresh_token: jti: oarob4a0tckCkGcyo1d6 TriggerSessionResponse: value: - id: aps1qqonvr2SZv6o70h8 identitySourceId: 0oa3l6l6WK6h0R0QW0g4 status: TRIGGERED importType: INCREMENTAL created: '2022-04-04T15:56:05.000Z' lastUpdated: '2022-05-05T18:15:44.000Z' 
TrustedOriginBody: summary: Trusted origin request body value: name: New trusted origin origin: http://example.com scopes: - type: CORS - type: REDIRECT TrustedOriginBodyWithIframeEmbedding: summary: Trusted origin request body with iFrame embedding (Okta End-User Dashboard and Okta sign-in page) description: | Creates a new trusted origin for iFrame embedding of an Okta resource within that origin. In this example, the type of Okta resource is both the Okta End-User Dashboard and the Okta sign-in page. value: name: New trusted origin origin: http://example.com scopes: - type: IFRAME_EMBED allowedOktaApps: - OKTA_ENDUSER TrustedOriginBodyWithIframeEmbeddingSignIn: summary: Trusted origin request body with iFrame embedding (Okta sign-in page) description: | Creates a new trusted origin for iFrame embedding of an Okta resource within that origin. In this example, the Okta resource is the Okta sign-in page. value: name: New trusted origin origin: http://example.com scopes: - type: IFRAME_EMBED allowedOktaApps: [] TrustedOriginInactiveResponse: summary: Trusted origin response value: id: tos10hu7rkbtrFt1M0g4 name: New trusted origin origin: http://example.com status: INACTIVE scopes: - type: CORS - type: REDIRECT created: '2018-01-13T01:11:44.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastedUpdated: '2018-01-13T01:11:44.000Z' lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: activate: href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/activate hints: allow: - POST self: href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 hints: allow: - GET - PUT - DELETE TrustedOriginPut: value: id: tosue7JvguwJ7U6kz0g3 name: Updated Example trusted origin origin: http://updated.example.com scopes: - type: CORS - type: REDIRECT status: ACTIVE created: '2017-12-16T05:01:12.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastUpdated: '2017-12-16T05:01:12.000Z' lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: 
https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 hints: allow: - GET - PUT - DELETE deactivate: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate hints: allow: - POST TrustedOriginPutBody: summary: Trusted origin request body value: value: id: tosue7JvguwJ7U6kz0g3 name: Updated Example trusted origin origin: http://updated.example.com scopes: - type: CORS - type: REDIRECT status: ACTIVE created: '2017-12-16T05:01:12.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastUpdated: '2017-12-16T05:01:12.000Z' lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 hints: allow: - GET - PUT - DELETE deactivate: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate hints: allow: - POST TrustedOriginPutBodyWithIframeEmbedding: summary: Trusted origin request body with iFrame embedding value: value: id: tosue7JvguwJ7U6kz0g3 name: Updated trusted origin example origin: http://updated.example.com scopes: - type: IFRAME_EMBED allowedOktaApps: - OKTA_ENDUSER status: ACTIVE created: '2017-12-16T05:01:12.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastUpdated: '2017-12-16T05:01:12.000Z' lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 hints: allow: - GET - PUT - DELETE deactivate: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate hints: allow: - POST TrustedOriginPutResponse: summary: Trusted origin response body value: value: id: tosue7JvguwJ7U6kz0g3 name: Updated Example trusted origin origin: http://updated.example.com scopes: - type: CORS - type: REDIRECT status: ACTIVE created: '2017-12-16T05:01:12.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastUpdated: '2017-12-16T05:01:12.000Z' lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 
hints: allow: - GET - PUT - DELETE deactivate: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate hints: allow: - POST TrustedOriginPutResponseWithIframeEmbedding: summary: Trusted origin response body with iFrame embedding value: value: id: tosue7JvguwJ7U6kz0g3 name: Updated trusted origin example origin: http://updated.example.com scopes: - type: IFRAME_EMBED allowedOktaApps: - OKTA_ENDUSER status: ACTIVE created: '2017-12-16T05:01:12.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastUpdated: '2017-12-16T05:01:12.000Z' lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 hints: allow: - GET - PUT - DELETE deactivate: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate hints: allow: - POST TrustedOriginPutWithIframeEmbedding: value: id: tosue7JvguwJ7U6kz0g3 name: Updated trusted origin example origin: http://updated.example.com scopes: - type: IFRAME_EMBED allowedOktaApps: - OKTA_ENDUSER status: ACTIVE created: '2017-12-16T05:01:12.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastUpdated: '2017-12-16T05:01:12.000Z' lastUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3 hints: allow: - GET - PUT - DELETE deactivate: href: https://${yourOktaDomain}/api/v1/trustedOrigins/tosue7JvguwJ7U6kz0g3/lifecycle/deactivate hints: allow: - POST TrustedOriginResponse: summary: Trusted origin response value: id: tos10hu7rkbtrFt1M0g4 name: New trusted origin origin: http://example.com status: ACTIVE scopes: - type: CORS - type: REDIRECT created: '2018-01-13T01:11:44.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastedUpdated: '2018-01-13T01:11:44.000Z' lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 hints: allow: - GET - PUT - DELETE deactivate: href: 
https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate hints: allow: - POST TrustedOriginResponseWithIframeEmbedding: summary: Trusted origin response with iFrame embedding (End-User Dashboard and Okta sign-in page) value: id: tos10hu7rkbtrFt1M0g4 name: New trusted origin origin: http://example.com status: ACTIVE scopes: - type: IFRAME_EMBED allowedOktaApps: - OKTA_ENDUSER created: '2018-01-13T01:11:44.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastedUpdated: '2018-01-13T01:11:44.000Z' lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate hints: allow: - POST TrustedOriginResponseWithIframeEmbeddingSignIn: summary: Trusted origin response with iFrame embedding (Okta sign-in page) value: id: tos10hu7rkbtrFt1M0g4 name: New trusted origin origin: http://example.com status: ACTIVE scopes: - type: IFRAME_EMBED allowedOktaApps: [] created: '2018-01-13T01:11:44.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastedUpdated: '2018-01-13T01:11:44.000Z' lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate hints: allow: - POST TrustedOriginsResponse: summary: Trusted origins response value: - id: tos10hu7rkbtrFt1M0g4 name: New trusted origin origin: http://example.com status: ACTIVE scopes: - type: CORS - type: REDIRECT created: '2018-01-13T01:11:44.000Z' createdBy: 00ut5t92p6IEOi4bu0g3 lastedUpdated: '2018-01-13T01:11:44.000Z' lastedUpdatedBy: 00ut5t92p6IEOi4bu0g3 _links: self: href: https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4 hints: allow: - GET - PUT - DELETE deactivate: href: 
https://{yourOktaDomain}/api/v1/trustedOrigins/tos10hu7rkbtrFt1M0g4/lifecycle/deactivate hints: allow: - POST UpdateAIAgentRequest: value: appId: 0oab1234EXAMPLEID5d6 profile: name: Demo Agent description: Demo Conversational AI Agent UpdateAppFeatureRequestEx: summary: Update USER_PROVISIONING request value: create: lifecycleCreate: status: ENABLED update: lifecycleDeactivate: status: ENABLED profile: status: ENABLED password: status: ENABLED seed: RANDOM change: CHANGE UpdateAppFeatureResponseEx: summary: Update USER_PROVISIONING response value: name: USER_PROVISIONING status: ENABLED description: User provisioning settings from Okta to a downstream application capabilities: create: lifecycleCreate: status: ENABLED update: lifecycleDeactivate: status: ENABLED profile: status: ENABLED password: status: ENABLED seed: RANDOM change: CHANGE _links: self: href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/USER_PROVISIONING hints: allow: - GET - PUT UpdateAuthorizationServerPolicyRequest: summary: Update an authorization server policy value: id: 00p5m9xrrBffPd9ah0g4 type: OAUTH_AUTHORIZATION_POLICY status: ACTIVE name: Default Policy description: Default policy description priority: 1 system: false conditions: clients: include: - ALL_CLIENTS UpdateAuthorizationServerPolicyRuleRequest: summary: Update authorization server policy rule value: type: RESOURCE_ACCESS name: Default Policy Rule priority: 1 status: ACTIVE conditions: people: groups: include: - EVERYONE grantTypes: include: - implicit - client_credentials - authorization_code - password scopes: include: - '*' actions: token: accessTokenLifetimeMinutes: 60 refreshTokenLifetimeMinutes: 0 refreshTokenWindowMinutes: 10080 inlineHook: id: cal4egvp1mbMldrYN0g7 UpdateBrandRequest: value: customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy agreeToCustomPrivacyPolicy: true removePoweredByOkta: true name: New Name For Brand emailDomainId: OeD114iNkrcN6aR680g4 locale: en defaultApp: appInstanceId:
0oa114iNkrcN6aR680g4 appLinkName: null classicApplicationUri: null UpdateBrandResponse: value: id: bnd114iNkrcN6aR680g4 removePoweredByOkta: true agreeToCustomPrivacyPolicy: true name: New Name For Brand isDefault: true customPrivacyPolicyUrl: https://www.someHost.com/privacy-policy emailDomainId: OeD114iNkrcN6aR680g4 defaultApp: appInstanceId: 0oa114iNkrcN6aR680g4 appLinkName: null classicApplicationUri: null locale: en _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4 hints: allow: - GET - PUT - DELETE themes: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/themes hints: allow: - GET emailDomain: href: https://{yourOktaDomain}/api/v1/email-domains/OeD114iNkrcN6aR680g4 hints: allow: - GET - PUT UpdateDefaultExemptIpZone: summary: Update the DefaultExemptIpZone value: type: IP id: nzodufauoBZYt5fIB0w6 name: DefaultExemptIpZone status: ACTIVE usage: POLICY useAsExemptList: true system: true gateways: - type: RANGE value: 1.1.1.16-1.1.1.16 proxies: null _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzodufauoBZYt5fIB0w6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzodufauoBZYt5fIB0w6/lifecycle/deactivate hints: allow: - POST UpdateDefaultExemptIpZoneResponse: summary: Update the DefaultExemptIpZone response value: type: IP id: nzodufauoBZYt5fIB0w6 name: DefaultExemptIpZone status: ACTIVE usage: POLICY created: '2024-10-08T16:35:21.000Z' lastUpdated: '2024-10-08T16:36:31.000Z' system: true useAsBlackList: false useAsExemptList: true gateways: - type: RANGE value: 1.1.1.16-1.1.1.16 proxies: null _links: self: href: https://{yourOktaDomain}/api/v1/zones/nzodufauoBZYt5fIB0w6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/zones/nzodufauoBZYt5fIB0w6/lifecycle/deactivate hints: allow: - POST UpdateEmailDomainRequest: value: displayName: IT Admin userName: noreply UpdateFeatureLifecycleResponse: summary: Update the feature lifecycle 
status value: description: Example feature description id: ftrZooGoT8b41iWRiQs7 name: Example feature name stage: state: OPEN value: BETA status: DISABLED type: self-service _links: self: hints: allow: - POST href: https://{yourOktaDomain}/api/v1/features/ftrZooGoT8b41iWRiQs7 dependents: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependents dependencies: href: https://{yourOktaDomain}/api/v1/features/ftrlBDFcGwYP2epXCGYn/dependencies UpdateGroupPushMappingRequest_Example: value: status: INACTIVE UpdateGroupPushMappingResponse_Example: value: created: '2025-01-01T00:00:00Z' errorSummary: '' id: gPm00000000000000000 lastPush: '2025-01-01T00:00:00Z' lastUpdated: '2025-01-01T00:00:00Z' sourceGroupId: 00g00000000000000000 status: INACTIVE targetGroupId: 00g00000000000000001 _links: app: href: https://{yourOktaDomain}/api/v1/apps/0oa00000000000000000 sourceGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000000 targetGroup: href: https://{yourOktaDomain}/api/v1/groups/00g00000000000000001 UpdateInboundProvisioningFeatureRequestEx: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Update INBOUND_PROVISIONING request value: capabilities: importSettings: username: userNameFormat: EMAIL schedule: status: ENABLED fullImport: expression: 0 0 * * 0 timezone: America/New_York incrementalImport: expression: 0 */3 * * * timezone: America/New_York importRules: userCreateAndMatch: exactMatchCriteria: EMAIL allowPartialMatch: false autoConfirmPartialMatch: false autoConfirmExactMatch: false autoConfirmNewUsers: false autoActivateNewUsers: false UpdateInboundProvisioningFeatureResponseEx: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Update INBOUND_PROVISIONING response value: name: INBOUND_PROVISIONING status: ENABLED description: In-bound provisioning settings from an application to Okta capabilities: importSettings: username: userNameFormat: EMAIL schedule: status: ENABLED fullImport: expression: 0 0 
* * 0 timezone: America/New_York incrementalImport: expression: 0 */3 * * * timezone: America/New_York importRules: userCreateAndMatch: exactMatchCriteria: EMAIL allowPartialMatch: false autoConfirmPartialMatch: false autoConfirmExactMatch: false autoConfirmNewUsers: false autoActivateNewUsers: false _links: self: href: https://{yourOktaDomain}/api/v1/apps/${appId}/features/INBOUND_PROVISIONING hints: allow: - GET - PUT UpdateMappingBody: summary: Update an existing profile mapping by updating one or more properties value: properties: nickName: expression: user.honorificPrefix + user.displayName pushStatus: DONT_PUSH UpdateMappingResponse: summary: Update an existing profile mapping by updating one or more properties value: id: prm1k47ghydIQOTBW0g4 source: id: otysbePhQ3yqt4cVv0g3 name: user type: user _links: self: href: https://{yourOktaDomain}/api/v1/meta/types/user/otysbePhQ3yqt4cVv0g3 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscsbePhQ3yqt4cVv0g3 target: id: 0oa1qmn4LZQQEH0wZ0g4 name: okta_org2org type: appuser _links: self: href: https://{yourOktaDomain}/api/v1/apps/0oa1qmn4LZQQEH0wZ0g4 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/apps/0oa1qmn4LZQQEH0wZ0g4/default properties: fullName: expression: user.firstName + user.lastName pushStatus: PUSH nickName: expression: user.honorificPrefix + user.displayName pushStatus: DONT_PUSH _links: self: href: https://{yourOktaDomain}/api/v1/mappings/prm1k48weFSOnEUnw0g4 UpdateOAuth2ScopeRequest: summary: Example scope value: description: Order car name: car:order metadataPublish: ALL_CLIENTS UpdateOrgSettingEx: summary: Org setting request value: address1: 100 1st St address2: 6th floor city: San Francisco companyName: okta country: United States endUserSupportHelpURL: support.okta.com phoneNumber: '+18887227871' postalCode: '94105' state: California supportPhoneNumber: '+18887227871' website: www.okta.com UpdateRecQuestionRequest: value: password: value: tlpWENT2m recovery_question:
question: How many roads must a man walk down? answer: forty two UpdateRecQuestionResponse: value: password: {} recovery_question: question: How many roads must a man walk down? provider: type: OKTA name: OKTA UpdateSMSTemplateRequest: value: translations: de: '${org.name}: ihre bestätigungscode ist ${code}.' UpdateSMSTemplateResponse: value: id: 6NQUJ5yR3bpgEiYmq8IC name: Custom type: SMS_VERIFY_CODE template: '${org.name}: your verification code is ${code}' translations: es: '${org.name}: el código de verificación es ${code}' fr: '${org.name}: votre code de vérification est ${code}' it: '${org.name}: il codice di verifica è ${code}' de: '${org.name}: ihre bestätigungscode ist ${code}.' created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' UpdateThemeRequest: value: primaryColorHex: '#1662dd' primaryColorContrastHex: '#000000' secondaryColorHex: '#ebebed' secondaryColorContrastHex: '#000000' signInPageTouchPointVariant: OKTA_DEFAULT endUserDashboardTouchPointVariant: OKTA_DEFAULT errorPageTouchPointVariant: OKTA_DEFAULT emailTemplateTouchPointVariant: OKTA_DEFAULT loadingPageTouchPointVariant: OKTA_DEFAULT UpdateThemeResponse: value: id: thdul904tTZ6kWVhP0g3 logo: https://{yourOktaDomain}/assets/img/logos/okta-logo.47066819ac7db5c13f4c431b2687cef6.png favicon: https://{yourOktaDomain}/favicon.ico backgroundImage: null primaryColorHex: '#1662dd' primaryColorContrastHex: '#000000' secondaryColorHex: '#ebebed' secondaryColorContrastHex: '#000000' signInPageTouchPointVariant: OKTA_DEFAULT endUserDashboardTouchPointVariant: OKTA_DEFAULT errorPageTouchPointVariant: OKTA_DEFAULT emailTemplateTouchPointVariant: OKTA_DEFAULT loadingPageTouchPointVariant: OKTA_DEFAULT UpdateUserTypePostRequest: summary: Update user type request value: displayName: Updated Display Name UpdateUserTypePostResponse: summary: Update user type response value: id: otyfnly5cQjJT9PnR0g4 displayName: Updated Display Name name: newUserType description: A new custom user type 
createdBy: sprz9fj1ycBcsgopy1d6 lastUpdatedBy: sprz9fj1ycBcsgopy1d6 created: '2021-07-05T20:40:38.000Z' lastUpdated: '2021-07-05T20:40:38.000Z' default: false _links: self: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 schema: href: https://{yourOktaDomain}/api/v1/meta/schemas/user/oscz9fj2jMiRBC1ZT1d6 UpdateWellKnownURIRequest: value: representation: key1: value1 key2: value2 key3: key3.1: value3.1 UpdatedEmailDomainResponse: value: id: OeD114iNkrcN6aR680g4 validationStatus: NOT_STARTED displayName: IT Admin userName: noreply domain: example.com validationSubdomain: mail dnsValidationRecords: - recordType: TXT fqdn: _oktaverification.example.com verificationValue: 759080212bda43e3bc825a7d73b4bb64 - recordType: CNAME fqdn: mail.example.com verificationValue: u22224444.wl024.sendgrid.net - recordType: CNAME fqdn: t02._domainkey.example.com verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - recordType: CNAME fqdn: t022._domainkey.example.com verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net UpdatedOAuth2ScopeResponse: summary: Updated scope value: id: scp5yu8kLOnDzo7lh0g4 name: car:order description: Order car system: false default: false displayName: Saml Jackson consent: REQUIRED optional: false metadataPublish: ALL_CLIENTS _links: self: href: https://{yourOktaDomain}/api/v1/authorizationServers/{authorizationServerId}/scopes/scp5yu8kLOnDzo7lh0g4 hints: allow: - GET - PUT - DELETE UploadYubikeyTokenSeedRequest: summary: YubiKey OTP seed value: serialNumber: '7886622' publicId: ccccccijgibu privateId: b74be6169486 aesKey: 1fcc6d8ce39bf1604e0b17f3e0a11067 UploadYubikeyTokenSeedResponse: value: id: ykkut4G6ti62DD8Dy0g3 created: '2020-01-10T23:04:10.000Z' lastVerified: '2020-01-10T23:04:10.000Z' lastUpdated: '2020-01-10T23:04:10.000Z' status: UNASSIGNED profile: serial: '000007886622' _links: self: href: https://{yourOktaDomain}/api/v1/org/factors/yubikey_token/tokens/ykkut4G6ti62DD8Dy0g3 hints: allow: - GET - 
DELETE UserFactorChallengeCallResponse: summary: call challenge value: factorResult: CHALLENGE profile: phoneNumber: '+12532236986' phoneExtension: '1234' _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV/verify hints: allow: - POST factor: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/clff17zuKEUMYQAQGCOV hints: allow: - GET - DELETE UserFactorChallengeEmailResponse: summary: email challenge value: factorResult: CHALLENGE _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3/verify hints: allow: - POST factor: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/emfnf3gSScB8xXoXK0g3 hints: allow: - GET - DELETE UserFactorChallengePushResponse: summary: push challenge value: expiresAt: '2015-04-01T15:57:32.000Z' factorResult: WAITING _links: poll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g hints: allow: - GET cancel: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g hints: allow: - DELETE UserFactorChallengePushResponseWithNumberMatchingChallenge: summary: Push challenge with number matching value: expiresAt: '2015-04-01T15:57:32.000Z' factorResult: WAITING _links: poll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g hints: allow: - GET cancel: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/mst1eiHghhPxf0yhp0g hints: allow: - DELETE _embedded: challenge: correctAnswer: 72 x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] UserFactorChallengeSmsResponse: summary: sms challenge value: factorResult: CHALLENGE profile: phoneNumber: '+12532236986' _links: verify: href: 
https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3/verify hints: allow: - POST factor: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/smsszf1YNUtGWTx4j0g3 hints: allow: - GET - DELETE UserFactorChallengeU2fResponse: summary: u2f challenge value: factorResult: CHALLENGE profile: credentialId: GAiiLsVab2m3-zL1Fi3bVtNrM9G6_MntUITHKjxkV24ktGKjLSCRnz72wCEdHCe18IvC69Aia0sE4UpsO0HpFQ version: U2F_V2 _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4/verify hints: allow: - POST factor: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fuf2rovRxogXJ0nDy0g4 hints: allow: - GET - DELETE _embedded: challenge: nonce: vQFwTt6zKzMV7HFPzjS2 timeoutSeconds: 20 UserFactorChallengeWebauthnResponse: summary: webAuthn challenge value: factorResult: CHALLENGE profile: credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA authenticatorName: MacBook Touch ID _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4/verify hints: allow: - POST factor: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/fwf2rovRxogXJ0nDy0g4 hints: allow: - GET - DELETE _embedded: challenge: challenge: vQFwTt6zKzMV7HFPzjS2 extensions: {} UserFactorVerifyCallSuccessResponse: summary: call verify value: factorResult: SUCCESS UserFactorVerifyEmailSuccessResponse: summary: email verify value: factorResult: SUCCESS UserFactorVerifyPushRejectedResponse: summary: push verification rejected value: factorResult: REJECTED profile: credentialId: jane.doe@example.com _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify hints: allow: - POST factor: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 hints: allow: - GET - DELETE 
UserFactorVerifyPushTransactionApproved: summary: SUCCESS value: factorResult: SUCCESS UserFactorVerifyPushTransactionRejected: summary: REJECTED value: factorResult: REJECTED profile: credentialId: jane.doe@example.com _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify hints: allow: - POST factor: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 hints: allow: - GET - DELETE UserFactorVerifyPushTransactionTimeout: summary: TIMEOUT value: factorResult: TIMEOUT profile: credentialId: jane.doe@example.com _links: verify: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/verify hints: allow: - POST factor: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3 hints: allow: - GET - DELETE UserFactorVerifyPushTransactionWaiting: summary: WAITING value: expiresAt: '2015-04-01T15:57:32.000Z' factorResult: WAITING profile: credentialId: jane.doe@example.com _links: poll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA hints: allow: - GET cancel: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA hints: allow: - DELETE UserFactorVerifyPushTransactionWaitingNMC: summary: WAITING (with number matching challenge) value: expiresAt: '2015-04-01T15:57:32.000Z' factorResult: WAITING profile: credentialId: jane.doe@example.com _links: poll: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA hints: allow: - GET cancel: href: https://{yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors/opfh52xcuft3J4uZc0g3/transactions/v2mst.GldKV5VxTrifyeZmWSQguA hints: allow: - DELETE _embedded: challenge: correctAnswer: 72 x-okta-lifecycle: 
lifecycle: GA isGenerallyAvailable: false SKUs: [] UserFactorVerifySecurityQuestionRequest: summary: security question verify value: answer: mayonnaise UserFactorVerifySuccessSmsResponse: summary: sms verify value: factorResult: SUCCESS UserFactorVerifySuccessSqResponse: summary: security question verify value: factorResult: SUCCESS UserFactorVerifySuccessTokenResponse: summary: token verify value: factorResult: SUCCESS UserFactorVerifySuccessTotpResponse: summary: totp verify value: factorResult: SUCCESS UserFactorVerifySuccessYubikeyResponse: summary: yubikey verify value: factorResult: SUCCESS UserFactorVerifyU2fRequest: summary: u2f verify value: clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc UserFactorVerifyU2fResponse: summary: u2f verify response value: factorResult: SUCCESS profile: credentialId: h1bFwJFU9wnelYkexJuQfoUHZ5lX3CgQMTZk4H3I8kM9Nn6XALiQ-BIab4P5EE0GQrA7VD-kAwgnG950aXkhBw version: U2F_V2 UserFactorVerifyWebauthnRequest: summary: WebAuthn verify challenge value: clientData: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiS2NCLXRqUFU0NDY0ZThuVFBudXIiLCJvcmlnaW4iOiJodHRwczovL2xvY2FsaG9zdDozMDAwIiwiY2lkX3B1YmtleSI6InVudXNlZCJ9 authenticatorData: SBv04caJ+NLZ0bTeotGq9esMhHJ8YC5z4bMXXPbT95UFXbDsOg== signatureData: AQAAACYwRgIhAKPktdpH0T5mlPSm_9uGW5w-VaUy-LhI9tIacexpgItkAiEAncRVZURVPOq7zDwIw-OM5LtSkdAxOkfv0ZDVUx3UFHc UserFactorVerifyWebauthnResponse: summary: WebAuthn verify value: factorResult: SUCCESS profile: credentialId: l3Br0n-7H3g047NqESqJynFtIgf3Ix9OfaRoNwLoloso99Xl2zS_O7EXUkmPeAIzTVtEL4dYjicJWBz7NpqhGA authenticatorName: MacBook Touch ID UserImportChangeAppUserProfileExample: summary: An example user import inline hook response that updates an app user's profile value: commands: - 
type: com.okta.appUser.profile.update value: firstName: Stan UserImportChangeUserProfileExample: summary: Update an Okta user's profile response value: commands: - type: com.okta.user.profile.update value: firstName: Stan UserImportCreateANewUserExample: summary: Create a new Okta user profile response value: commands: - type: com.okta.action.update value: result: CREATE_USER UserImportErrorExample: summary: Return an error object value: error: errorSummary: Error at third-party service. Please contact your admin. UserImportMatchExample: summary: Match an existing Okta user response value: commands: - type: com.okta.action.update value: result: LINK_USER - type: com.okta.user.update value: id: 00garwpuyxHaWOkdV0g3 UserImportPayloadExample: summary: An example user import request body value: source: cal7eyxOsnb20oWbZ0g4 eventId: JUGOUiYZTaKPmH6db0nDag eventTime: '2019-02-27T20:59:04.000Z' eventTypeVersion: '1.0' cloudEventVersion: '0.1' eventType: com.okta.import.transform contentType: application/json data: context: conflicts: - login application: name: test_app id: 0oa7ey7aLRuBvcYUD0g4 label: Test App status: ACTIVE job: id: ij17ez2AWtMZRfCZ60g4 type: import:users matches: [] policy: - EMAIL - FIRST_AND_LAST_NAME action: result: CREATE_USER appUser: profile: firstName: Sally2 lastName: Admin2 mobilePhone: null accountType: PRO secondEmail: null failProvisioning: null failDeprovisioning: null externalId: user221 groups: - everyone@examplee.net - tech@example.net userName: administrator2 email: sally.admin@example.net user: profile: lastName: Admin2 zipCode: null city: null secondEmail: null postAddress: null login: sally.admin@example.net firstName: Sally2 primaryPhone: null mobilePhone: null streetAddress: null countryCode: null typeId: null state: null email: sally.admin@example.net UserPayload: value: externalId: EXT987654321Z9Y7X profile: userName: emily.jones@example.com firstName: Emily lastName: Jones email: emily.jones@example.com secondEmail: 
emily.secondary@example.com mobilePhone: 987-654-3210 homeAddress: '10800 NE 8th St #600, Bellevue, WA 98004' UserProvisioningJsonWebKeysResponse: summary: JSON Web Key list response example value: jwks: keys: - kid: '-rZYtf4RZWc_tVTlmrvLPcDwvO4SwbWeztzB7AjHyLA' kty: RSA alg: RSA use: sig e: AQAB 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU= UserReplacePayload: value: profile: firstName: Emily lastName: Brock email: brockly@email.com UserReplaceResponse: value: profile: firstName: Emily lastName: Brock email: brockly@email.com secondEmail: null mobilePhone: null homeAddress: null UserResponse: value: id: 00u7m9p9ZT8k2S2EX1f7 externalId: EXT987654321Z9Y7X created: '2025-07-24T12:06:05.000Z' lastUpdated: '2025-08-05T16:15:44.000Z' profile: userName: emily.jones@example.com firstName: Emily lastName: Jones email: emily.jones@example.com secondEmail: emily.secondary@example.com mobilePhone: 987-654-3210 homeAddress: '10800 NE 8th St #600, Bellevue, WA 98004' UserRiskNoneResponse: summary: Example user risk with NONE risk level response value: riskLevel: NONE _links: self: href: https://{yourOktaDomain}/api/v1/users/{userId}/risk hints: allow: - GET - PUT user: href: https://{yourOktaDomain}/api/v1/users/{userId} hints: allow: - GET UserRiskRequest: summary: Example upsert the risk for a user request value: riskLevel: HIGH UserRiskResponse: summary: Example user risk response value: riskLevel: HIGH reason: Admin override risk _links: self: href: https://{yourOktaDomain}/api/v1/users/{userId}/risk hints: allow: - GET - PUT user: href: https://{yourOktaDomain}/api/v1/users/{userId} hints: allow: - GET UserSchemaAddRequest: value: definitions: custom: id: '#custom' type: object properties: salesforceUserName: title: Salesforce username description: User's username for Salesforce type: string required: false minLength: 1 maxLength: 20 permissions: - principal: SELF action: READ_WRITE required: [] UserSchemaDefaultResponse: value: id: 
https://{yourOktaDomain}/meta/schemas/user/default $schema: http://json-schema.org/draft-04/schema# name: user title: Default Okta user description: Okta user profile template with default permission settings lastUpdated: '2025-05-20T20:04:26.000Z' created: '2025-05-20T20:04:26.000Z' definitions: base: id: '#base' type: object properties: login: title: Username type: string required: true minLength: 5 maxLength: 100 permissions: - principal: SELF action: READ_WRITE firstName: title: First name type: string required: true minLength: 1 maxLength: 50 permissions: - principal: SELF action: READ_WRITE lastName: title: Last name type: string required: true minLength: 1 maxLength: 50 permissions: - principal: SELF action: READ_WRITE email: title: Primary email type: string required: true format: email permissions: - principal: SELF action: READ_WRITE required: - login - firstName - lastName - email custom: id: '#custom' type: object properties: {} required: [] type: object properties: profile: allOf: - $ref: '#/definitions/base' - $ref: '#/definitions/custom' UserSchemaResponse: value: id: https://{yourOktaDomain}/meta/schemas/user/oscmlha7lcRyMn82P1d7 $schema: http://json-schema.org/draft-04/schema# name: user title: An Okta user lastUpdated: '2015-09-05T10:40:45.000Z' created: '2015-02-02T10:27:36.000Z' definitions: base: id: '#base' type: object properties: login: title: Username type: string required: true minLength: 5 maxLength: 100 permissions: - principal: SELF action: READ_WRITE firstName: title: First name type: string required: true minLength: 1 maxLength: 50 permissions: - principal: SELF action: READ_WRITE lastName: title: Last name type: string required: true minLength: 1 maxLength: 50 permissions: - principal: SELF action: READ_WRITE email: title: Primary email type: string required: true format: email permissions: - principal: SELF action: READ_WRITE required: - login - firstName - lastName - email custom: id: '#custom' type: object properties:
salesforceUserName: title: Salesforce username description: User's username for Salesforce type: string required: false default: salesforce-username minLength: 1 maxLength: 20 permissions: - principal: SELF action: READ_WRITE required: [] type: object properties: profile: allOf: - $ref: '#/definitions/base' - $ref: '#/definitions/custom' UserUpdatePayload: value: profile: firstName: Emily lastName: Brock email: emily.brock@update.com UserUpdateResponse: value: profile: firstName: Emily lastName: Brock email: emily.brock@update.com secondEmail: emily.secondary@example.com mobilePhone: 987-654-3210 homeAddress: '10800 NE 8th St #600, Bellevue, WA 98004' ValidationDetailsResult: summary: Validation details example value: - valid: false validationDetails: - id: okta:action1 provider: type: WORKFLOWS externalId: JKL490DQNV result: INVALID_FLOW_REFERENCE VerifiedEmailDomainResponse: value: id: OeD114iNkrcN6aR680g4 validationStatus: VERIFIED displayName: IT Admin userName: noreply domain: example.com validationSubdomain: mail dnsValidationRecords: - recordType: TXT fqdn: _oktaverification.example.com verificationValue: 759080212bda43e3bc825a7d73b4bb64 - recordType: CNAME fqdn: mail.example.com verificationValue: u22224444.wl024.sendgrid.net - recordType: CNAME fqdn: t02._domainkey.example.com verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net - recordType: CNAME fqdn: t022._domainkey.example.com verificationValue: t02.domainkey.u22224444.wl024.sendgrid.net WSFederationEx: summary: WS_FEDERATION value: name: template_wsfed label: Sample WS-Fed App signOnMode: WS_FEDERATION settings: app: audienceRestriction: urn:example:app groupValueFormat: windowsDomainQualifiedName wReplyURL: https://example.com/ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport siteURL: https://example.com usernameAttribute: username WSFederationPutEx: summary: WS_FEDERATION value: name: 
template_wsfed label: Sample WS-Fed App updated signOnMode: WS_FEDERATION settings: app: audienceRestriction: urn:exampleupdated:app groupValueFormat: windowsDomainQualifiedName wReplyURL: https://example.com/ nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport siteURL: https://example.com usernameAttribute: username WSFederationPutResponseEx: summary: WS_FEDERATION value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_wsfed orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_wsfed:0oafxqCAJWWGELFTYASJ label: Sample WS-Fed App updated features: [] signOnMode: WS_FEDERATION credentials: userNameTemplate: template: ${source.email} type: BUILT_IN signing: kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU settings: app: groupFilter: null siteURL: https://example.com authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport wReplyOverride: false digestAlgorithm: SHA1 usernameAttribute: username signatureAlgorithm: RSA_SHA1 audienceRestriction: 
urn:exampleupdated:app wReplyURL: https://example.com/ groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role attributeStatements: null nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 groupValueFormat: windowsDomainQualifiedName notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED WSFederationResponseEx: summary: WS_FEDERATION value: id: 0oafxqCAJWWGELFTYASJ status: ACTIVE lastUpdated: '2023-01-21T14:11:24.000Z' created: '2023-01-21T14:11:24.000Z' accessibility: selfService: false errorRedirectUrl: null loginRedirectUrl: null _links: uploadLogo: href: http://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/logo hints: allow: - POST appLinks: - name: customswaapp_link href: http://{yourOktaDomain}/home/{appName}/0oafxqCAJWWGELFTYASJ/aln5vjkW5oUmDGLMX0g4 type: text/html groups: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/groups logo: - name: medium href: http://{yourOktaDomain}/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png type: image/png users: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafxqCAJWWGELFTYASJ/lifecycle/deactivate visibility: autoLaunch: false autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true name: template_wsfed orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:template_wsfed:0oafxqCAJWWGELFTYASJ label: Sample WS-Fed App features: [] signOnMode: WS_FEDERATION credentials: userNameTemplate: template: ${source.email} type: BUILT_IN signing: kid: FzJvvXtBHvs_-n70T4C2Rb2d64AyN4fqOme6piHOUKU settings: app: groupFilter: null siteURL: https://example.com authnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport wReplyOverride: false digestAlgorithm: SHA1 usernameAttribute: username 
signatureAlgorithm: RSA_SHA1 audienceRestriction: urn:example:app wReplyURL: https://example.com/ groupName: http://schemas.microsoft.com/ws/2008/06/identity/claims/role attributeStatements: null nameIDFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified realm: urn:okta:app:exkarjfNMKUjTmzTZ0g4 groupValueFormat: windowsDomainQualifiedName notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED WellKnownAppAuthenticatorConfigurationCustomApp: value: - authenticatorId: aut22f6xzargnJZYE3l7 orgId: 00o1vhf34q20MfCFC3l7 type: app key: custom_app name: Custom authenticator createdDate: '2022-10-11T08:56:45.000Z' lastUpdated: '2023-09-07T11:31:35.000Z' settings: userVerification: PREFERRED supportedMethods: - type: push status: ACTIVE settings: algorithms: - RS256 - ES256 keyProtection: ANY appAuthenticatorEnrollEndpoint: https://{yourOktaDomain}/idp/myaccount/app-authenticators WellKnownOrgMetadataResponseClassic: value: id: 00o5rb5mt2H3d1TJd0h7 _links: organization: href: https://{{yourOktaDomain}} pipeline: v1 WellKnownOrgMetadataResponseCustomUrlOie: value: id: 00o47wwoytgsDqEtz0g7 _links: organization: href: https://{yourSubdomain}.okta.com alternate: href: https://{yourCustomDomain} pipeline: idx WellKnownRepresentationSizeLimitExceededError: summary: Size limit exceeded value: errorCode: E0000001 errorSummary: 'Api validation failed: request' errorLink: E0000001 errorId: sampleiCF-8D5rLW6myqiPItW errorCauses: - errorSummary: Content must be less than 100KB. 
WellKnownURIResponse: value: representation: key1: value1 key2: value2 key3: key3.1: value3.1 _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association/customized hints: allow: - GET - PUT WellKnownURIRootResponse: value: _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association hints: allow: - GET customized: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association/customized hints: allow: - GET - PUT WellKnownURIsRootResponse: value: _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris hints: allow: - GET apple-app-site-association: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association hints: allow: - GET - PUT assetlinks.json: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/assetlinks.json hints: allow: - GET - PUT webauthn: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/webauthn hints: allow: - GET - PUT _embedded: apple-app-site-association: customized: representation: authsrv: apps: - B7F62B65BN.com.okta.mobile - B7F62B65BN.com.okta.mobile.auth-service-extension - B7F62B65BN.com.okta.authenticator.beta - B7F62B65BN.com.okta.authenticator.beta.auth-service-extension - 7WXXBW6Z2Y.com.okta.mobile.internalrelease - 7WXXBW6Z2Y.com.okta.mobile.internalrelease.auth-service-extension key1: value1 key2: value2 key3: key3.1: value3.1 _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/apple-app-site-association/customized hints: allow: - GET - PUT assetlinks.json: customized: representation: - key1: value1 key2: value2 key3: key3.1: value3.1 _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/assetlinks.json/customized hints: allow: - GET - 
PUT webauthn: customized: representation: origins: - https://example1.com _links: self: href: https://{yourOktaDomain}/api/v1/brands/bnd114iNkrcN6aR680g4/well-known-uris/webauthn/customized hints: allow: - GET - PUT activate-managed-connection-response-example: summary: Activate a managed connection value: connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION id: mcnbcde12f3g4h5i6j7k orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcnbcde12f3g4h5i6j7k status: ACTIVE resourceIndicator: https://api.salesforce.com app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 name: Salesforce Production logo: https://dev-123456.okta.com/img/logos/salesforce.png _links: self: href: https://dev-123456.okta.com/api/v1/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 web: href: https://dev-123456.okta.com/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcnbcde12f3g4h5i6j7k activateOAuth2ClientSecretResponse: summary: Activate secret response example value: id: ocs2f50kZB0cITmYU0g4 status: ACTIVE client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B secret_hash: 0WOOvBSzV9clc4Nr7Rbaug created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST activeAPIServiceIntegrationInstanceSecretResponse: summary: Activate secret response example value: id: ocs2f50kZB0cITmYU0g4 status: ACTIVE client_secret: '***MQGQ' secret_hash: 0WOOvBSzV9clc4Nr7Rbaug created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST 
add-user-request: summary: Add user to group value: id: 00g1xucgTZFrziXg10g4 parameters: action: ADD attribute: member values: - 00u1bh5efGKMsSiLv0g4 agentJsonWebKey: summary: RSA JSON Web Key example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: ACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/deactivate hints: allow: - POST agentJsonWebKeyListResponse: summary: JSON Web Key list response example value: data: - id: pks2f4zrZbs8nUa7p0g4 kid: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU= status: INACTIVE created: '2023-02-21T20:08:24.000Z' lastUpdated: '2023-02-21T20:08:24.000Z' _links: activate: href: https://{yourOktaDomain}/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate hints: allow: - POST delete: href: https://{yourOktaDomain}/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3/credentials/jwks/pks2f4zrZbs8nUa7p0g4 hints: allow: - DELETE - id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: ACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/deactivate hints: allow: - POST _links: self: href: https://{yourOktaDomain}/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3/credentials/jwks agentJsonWebKeyRequest: summary: RSA JSON Web Key request example value: kid: 
ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: ACTIVE amc-two-chain: summary: App sign-in policy - Allow two authentication method chains value: name: Allow two authentication method chains actions: appSignOn: access: ALLOW verificationMethod: type: AUTH_METHOD_CHAIN chains: - authenticationMethods: - key: okta_password method: password next: - authenticationMethods: - key: phone_number method: sms - authenticationMethods: - key: okta_verify method: signed_nonce userVerification: REQUIRED type: ACCESS_POLICY _links: self: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST bulkDeletePayload: value: entityType: USERS profiles: - externalId: EXT123456784C2IF - externalId: EXT123456784C3IF - externalId: EXT123456784C4IF bulkGroupDeletePayload: value: externalIds: - GROUPEXT123456784C2IF - GROUPEXT123456784C3IF - GROUPEXT123456784C4IF bulkGroupMembershipsDeletePayload: value: memberships: - groupExternalId: GROUPEXT123456784C2IFA memberExternalIds: - USEREXT123456784C2IFA - USEREXT123456784C3IFB - USEREXT123456784C4IFC - groupExternalId: GROUPEXT123456784C2IFB memberExternalIds: - USEREXT123456784C2IFA - USEREXT123456784C3IFB - USEREXT123456784C4IFC bulkGroupMembershipsUpsertPayload: value: memberships: - groupExternalId: GROUPEXT123456784C2IFA memberExternalIds: - USEREXT123456784C2IFA - USEREXT123456784C3IFB - USEREXT123456784C4IFC - groupExternalId: GROUPEXT123456784C2IFB memberExternalIds: - USEREXT123456784C2IFA - USEREXT123456784C3IFB - USEREXT123456784C4IFC bulkGroupUpsertPayload: value: profiles: - externalId: GROUPEXT123456784C2IF profile: displayName: group1 description: group1 description - externalId: GROUPEXT123456784C3IF profile: displayName: group2 description: group2 
description bulkUpsertPayload: value: entityType: USERS profiles: - externalId: EXT123456784C2IF profile: userName: isaac.brock@example.com firstName: Isaac lastName: Brock email: isaac.brock@example.com secondEmail: isaac2.brock@example.com mobilePhone: 123-456-7890 homeAddress: '10800 NE 8th St #600, Bellevue, WA 98004' - externalId: EXT123456784C3IF profile: userName: jane.smith@example.com firstName: Jane lastName: Smith email: jane.smith@example.com secondEmail: jane2.smith@example.com mobilePhone: 555-123-4567 homeAddress: Seattle, WA 98101 cloud-rule: summary: Global session policy - Challenge cloud users value: type: SIGN_ON name: Challenge Cloud Users conditions: people: users: include: [] exclude: [] groups: include: [] exclude: [] network: connection: ZONE include: - 00u7yq5goxNFTiMjW1d7 authContext: authType: ANY actions: signon: access: ALLOW requireFactor: true factorPromptMode: ALWAYS rememberDeviceByDefault: false session: usePersistentCookie: false maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 cloud-rule-response: summary: Global session policy - Challenge cloud users value: id: rule8jjozjGMGbHyC1d6 status: ACTIVE type: SIGN_ON name: Challenge Cloud Users priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: people: users: include: [] exclude: [] groups: include: [] exclude: [] network: connection: ZONE include: - 00u7yq5goxNFTiMjW1d7 authContext: authType: ANY risk: behaviors: [] riskScore: level: ANY identityProvider: provider: ANY actions: signon: access: ALLOW requireFactor: true primaryFactor: PASSWORD_IDP_ANY_FACTOR factorPromptMode: ALWAYS rememberDeviceByDefault: false session: usePersistentCookie: false maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: 
allow: - GET - PUT - DELETE create-access-policy-response: summary: ACCESS_POLICY value: type: ACCESS_POLICY id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: false conditions: null created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: mappings: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings hints: allow: - GET - POST self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT - DELETE rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST deviceSignalCollectionPolicy: href: https://{yourOktaDomain}/api/v1/policies/{deviceSignalCollectionPolicyId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate hints: allow: - POST create-auth-policy-rule-condition: summary: App sign-in policy - Create rule with conditions value: system: false type: ACCESS_POLICY name: Rule with conditions conditions: userType: include: [] exclude: - otyezu4m0xN6w5JEa1d7 network: connection: ZONE exclude: - 00u7yq5goxNFTiMjW1d7 riskScore: level: ANY people: users: exclude: - 00u7yq5goxNFTiMjW1d7 include: [] groups: include: - 00g9i12jictsYdZdi1d7 exclude: [] platform: include: - type: MOBILE os: type: IOS - type: MOBILE os: type: ANDROID - type: DESKTOP os: type: MACOS elCondition: condition: security.risk.level == 'HIGH' actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA reauthenticateIn: PT2H constraints: - knowledge: reauthenticateIn: PT2H types: - password type: ASSURANCE create-auth-policy-rule-condition-response: summary: App sign-in policy - Policy rule with conditions value: id: rule8jjozjGMGbHyC1d6 status: ACTIVE name: Rule with conditions priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: people: users: exclude: - 00u7yq5goxNFTiMjW1d7 groups: include: - 
00g9i12jictsYdZdi1d7 network: connection: ZONE exclude: - nzo9o4rctwQCJNE6y1d7 platform: include: - type: MOBILE os: type: IOS - type: MOBILE os: type: ANDROID - type: DESKTOP os: type: MACOS exclude: [] riskScore: level: ANY userType: include: [] exclude: - otyezu4m0xN6w5JEa1d7 elCondition: condition: security.risk.level == 'HIGH' actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA type: ASSURANCE reauthenticateIn: PT2H constraints: knowledge: required: true types: - password reauthenticateIn: PT2H type: ACCESS_POLICY _links: self: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT - DELETE create-device-signal-collection-rule: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Device signal collection policy - collect context for Okta Verify devices value: name: Device signal collection rule actions: deviceSignalCollection: deviceContextProviders: - key: OKTA_VERIFY userIdentification: ALLOW - key: DEVICE_POSTURE_IDP id: 0oa159mE9aOSpCwmr0g4 type: DEVICE_SIGNAL_COLLECTION create-group-rule-request-example: summary: Create group rule request example value: type: group_rule name: Engineering group rule conditions: people: users: exclude: - 00u22w79JPMEeeuLr0g4 groups: exclude: [] expression: value: user.role=="Engineer" type: urn:okta:expression:1.0 actions: assignUserToGroups: groupIds: - 00gjitX9HqABSoqTB0g3 create-managed-connection-identity-assertion-app-instance-example: summary: Create an identity assertion connection for an app instance value: connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION resourceIndicator: https://api.custom-crm.com app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:custom-crm:00a5t60iloOHN9pBi0h7 issuerUrl: 
https://dev-123456.okta.com/oauth2/aus5t60iloOHN9pBi0h7 scopeCondition: INCLUDE_ONLY scopes: - crm.contacts.read - crm.accounts.write create-managed-connection-identity-assertion-custom-as-example: summary: Create an identity assertion connection for a custom authorization server value: connectionType: IDENTITY_ASSERTION_CUSTOM_AS protocolType: IDENTITY_ASSERTION resourceIndicator: https://api.crm.company.com authorizationServer: orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:authorization_servers:aus5rb5mt2H3d1TJd0h7 scopeCondition: EXCLUDE scopes: - crm.admin.delete - crm.admin.write create-managed-connection-response-example: summary: A managed connection value: connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION id: mcn5e6f7g8h9i0j1k2l3 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn5e6f7g8h9i0j1k2l3 status: INACTIVE app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:custom-crm:00a5t60iloOHN9pBi0h7 name: Custom CRM Application logo: https://dev-123456.okta.com/img/logos/custom-crm.png _links: self: href: https://dev-123456.okta.com/api/v1/admin/app/custom-crm/instance/00a5t60iloOHN9pBi0h7 web: href: https://dev-123456.okta.com/admin/app/custom-crm/instance/00a5t60iloOHN9pBi0h7 type: text/html resourceIndicator: https://api.custom-crm.com authorizationServer: orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:authorization_servers:aus5t60iloOHN9pBi0h7 name: Custom CRM Authorization Server issuerUrl: https://dev-123456.okta.com/oauth2/aus5t60iloOHN9pBi0h7 logo: https://dev-123456.okta.com/img/logos/custom-as.png _links: self: href: https://dev-123456.okta.com/api/v1/admin/app/custom-crm/instance/00a5t60iloOHN9pBi0h7 web: href: https://dev-123456.okta.com/admin/app/custom-crm/instance/00a5t60iloOHN9pBi0h7 type: text/html scopeCondition: INCLUDE_ONLY scopes: - crm.contacts.read - crm.accounts.write _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn5e6f7g8h9i0j1k2l3 
create-managed-connection-service-account-example: summary: Create a service account connection value: connectionType: STS_SERVICE_ACCOUNT protocolType: STS resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:slack:0oa1gjh63g214q0Hq0g4:service_accounts:4923897d-c665-488a-9480-a415b4080861 app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:slack:0oa1gjh63g214q0Hq0g4 serviceAccount: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:slack:0oa1gjh63g214q0Hq0g4:service_accounts:4923897d-c665-488a-9480-a415b4080861 create-managed-connection-vaulted-secret-example: summary: Create a vaulted secret connection value: connectionType: STS_VAULT_SECRET protocolType: STS resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:d2642f68-df50-4ba8-a898-6c0f82f89d8a secret: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:d2642f68-df50-4ba8-a898-6c0f82f89d8a create-okta-sign-on-policy-response: summary: OKTA_SIGN_ON value: type: OKTA_SIGN_ON id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: false conditions: people: groups: include: - groupId created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: mappings: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings hints: allow: - GET - POST self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT - DELETE rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate hints: allow: - POST create-user-in-group-request: description: See [Create user in group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-in-group) value: profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 groupIds: - 00g1emaKYZTWRYYRRTSK - 00garwpuyxHaWOkdV0g4 create-user-in-group-response: value: id: 
00ub0oNGTSWTBKOLGLNR status: STAGED created: '2013-07-02T21:36:25.344Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: null profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: provider: type: OKTA name: OKTA _links: activate: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR create-user-with-authentication-provider-request: description: Set `activate` parameter to `true`. See [Create user with authentication provider](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-authentication-provider). value: profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: provider: type: FEDERATION name: FEDERATION create-user-with-authentication-provider-response: value: id: 00uijntSwJjSHtDY70g3 status: ACTIVE created: '2016-01-19T22:02:08.000Z' activated: '2016-01-19T22:02:08.000Z' statusChanged: '2016-01-19T22:02:08.000Z' lastLogin: null lastUpdated: '2016-01-19T22:02:08.000Z' passwordChanged: null profile: login: isaac.brock@example.com firstName: Isaac lastName: Brock mobilePhone: 555-415-1337 email: isaac.brock@example.com secondEmail: null credentials: provider: type: FEDERATION name: FEDERATION _links: resetPassword: href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/reset_password method: POST changeRecoveryQuestion: href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/credentials/change_recovery_question method: POST deactivate: href: https://{yourOktaDomain}/api/v1/users/00uijntSwJjSHtDY70g3/lifecycle/deactivate method: POST self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR create-user-with-imported-hashed-password-request: 
description: Set `activate` parameter to `true`. See [Create user with imported hashed password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-imported-hashed-password). value: profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: hash: algorithm: BCRYPT workFactor: 10 salt: rwh3vH166HCH/NT9XV5FYu value: qaMqvAPULkbiQzkTCWo5XDcvzpk8Tna create-user-with-imported-hashed-password-response: value: id: 00ub0oNGTSWTBKOLGLNR status: ACTIVE created: '2013-07-02T21:36:25.344Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: '2013-07-02T21:36:25.344Z' profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: {} provider: type: IMPORT name: IMPORT _links: activate: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR create-user-with-non-default-user-type-request: description: See [Create user with non-default user type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-non-default-user-type) value: profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 type: id: otyfnjfba4ye7pgjB0g4 create-user-with-non-default-user-type-response: value: id: 00ub0oNGTSWTBKOLGLNR status: STAGED created: '2013-07-02T21:36:25.344Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: null type: id: otyfnjfba4ye7pgjB0g4 profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: provider: type: OKTA name: OKTA _links: schema: href: 
https://{yourOktaDomain}/api/v1/meta/schemas/user/oscfnjfba4ye7pgjB0g4 activate: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR type: href: https://{yourOktaDomain}/api/v1/meta/types/user/otyfnjfba4ye7pgjB0g4 create-user-with-password-and-recovery-question-request: description: See [Create user with password and recovery question](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-password-and-recovery-question) value: profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: value: tlpWENT2m recovery_question: question: Who is a major player in the cowboy scene? answer: Annie Oakley create-user-with-password-and-recovery-question-response: value: id: 00ub0oNGTSWTBKOLGLNR status: STAGED created: '2013-07-02T21:36:25.344Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: '2013-07-02T21:36:25.344Z' profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: {} recovery_question: question: Who's a major player in the cowboy scene? provider: type: OKTA name: OKTA _links: activate: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR create-user-with-password-import-inline-hook-request: description: Set `activate` parameter to `true`. See [Create user with password import inline hook](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-password-import-inline-hook). 
value: profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: hook: type: default create-user-with-password-import-inline-hook-response: value: id: 00ub0oNGTSWTBKOLGLNR status: ACTIVE created: '2013-07-02T21:36:25.344Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: '2013-07-02T21:36:25.344Z' profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: {} provider: type: IMPORT name: IMPORT _links: self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR create-user-with-password-request: description: Set `activate` parameter to `true`. See [Create user with password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-password). value: profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: value: tlpWENT2m create-user-with-password-response: value: id: 00ub0oNGTSWTBKOLGLNR status: ACTIVE created: '2013-07-02T21:36:25.344Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: '2013-07-02T21:36:25.344Z' profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: password: {} provider: type: OKTA name: OKTA _links: activate: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR create-user-with-recovery-question-request: description: See [Create user with recovery question](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-recovery-question) value: profile: firstName: Isaac 
lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: recovery_question: question: Who is a major player in the cowboy scene? answer: Annie Oakley create-user-with-recovery-question-response: value: id: 00ub0oNGTSWTBKOLGLNR status: STAGED created: '2013-07-02T21:36:25.344Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: null profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: recovery_question: question: Who's a major player in the cowboy scene? provider: type: OKTA name: OKTA _links: activate: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR create-user-without-credentials-request: description: See [Create user without credentials](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-without-credentials) value: profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 create-user-without-credentials-response: value: id: 00ub0oNGTSWTBKOLGLNR status: STAGED created: '2013-07-02T21:36:25.344Z' activated: null statusChanged: null lastLogin: null lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: null profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 credentials: provider: type: OKTA name: OKTA _links: activate: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR/lifecycle/activate self: href: https://{yourOktaDomain}/api/v1/users/00ub0oNGTSWTBKOLGLNR createFederatedClaimRequestBody: summary: Create federated claim example value: name: role expression: appuser.entitlements.role createInterclientTrustMappingRequestBody: summary: Create an 
interclient target and allowed app mapping value: id: ASHJHGasa782333-0oa89ks1irGAcYwXw0g5 createOAuth2ClientSecretCustomRequestBody: summary: Add a user provided client secret value: client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B status: ACTIVE createOAuth2ClientSecretSystemGeneratedRequestBody: summary: Add a system-generated client secret value: {} deactivate-managed-connection-response-example: summary: A deactivated managed connection value: connectionType: STS_VAULT_SECRET protocolType: STS id: mcn0j1k2l3m4n5o6p7q8 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn0j1k2l3m4n5o6p7q8 status: INACTIVE resourceIndicator: https://api.crm.company.com secret: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:d2642f68-df50-4ba8-a898-6c0f82f89d8a name: Database Root Password path: /secrets/database/root-password description: Root password for production database server _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secrets/d2642f68-df50-4ba8-a898-6c0f82f89d8a web: href: https://dev-123456.pam.okta.com/t/default/secrets/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secret/d2642f68-df50-4ba8-a898-6c0f82f89d8a type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn0j1k2l3m4n5o6p7q8 deactivateAgentJsonWebKeyResponse: summary: Deactivate JSON Signing Key example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: INACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: activate: href: https://{yourOktaDomain}/workload-principals/api/v1/ai-agents/wlpx9jQ16k9V8IFEL0g3/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate hints: allow: - POST 
deactivateOAuth2ClientJsonWebKeyResponse: summary: Deactivate JSON Signing Key example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: INACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: activate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate hints: allow: - POST deactivateOAuth2ClientSecretResponse: summary: Deactivate secret response example value: id: ocs2f4zrZbs8nUa7p0g4 status: INACTIVE client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B secret_hash: yk4SVx4sUWVJVbHt6M-UPA created: '2023-02-21T20:08:24.000Z' lastUpdated: '2023-02-21T20:08:24.000Z' _links: activate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate hints: allow: - POST delete: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 hints: allow: - DELETE deny-rule: summary: Global session policy - Deny users value: type: SIGN_ON name: Deny users conditions: network: connection: ANYWHERE authContext: authType: ANY actions: signon: access: DENY requireFactor: false deny-rule-response: summary: Global session policy - Deny users value: id: rule8jjozjGMGbHyC1d6 status: ACTIVE type: SIGN_ON name: Deny priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: people: users: exclude: [] network: connection: ANYWHERE authContext: authType: ANY risk: behaviors: [] riskScore: level: ANY identityProvider: provider: ANY actions: signon: access: DENY requireFactor: false primaryFactor: PASSWORD_IDP rememberDeviceByDefault: false session: usePersistentCookie: false maxSessionIdleMinutes: 120 maxSessionLifetimeMinutes: 0 _links: self: href: 
https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE device-signal-collection-policy-response: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: DEVICE_SIGNAL_COLLECTION value: type: DEVICE_SIGNAL_COLLECTION id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: false conditions: null created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT - DELETE rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate hints: allow: - POST device-signal-collection-rule-response: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Device signal collection policy - collect context for Okta Verify devices value: id: rul7yut96gmsOzKAA1d6 status: ACTIVE name: Device signal collection rule priority: 0 created: '2023-05-01T21:13:15.000Z' lastUpdated: '2023-05-01T21:13:15.000Z' system: false conditions: null actions: deviceSignalCollection: deviceContextProviders: - key: OKTA_VERIFY userIdentification: IGNORE - key: DEVICE_POSTURE_IDP id: 0oa159mE9aOSpCwmr0g4 type: DEVICE_SIGNAL_COLLECTION _links: self: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT editFeatureExample: summary: Enable Okta Personal admin settings value: enableExportApps: true enableEnduserEntryPoints: true federatedClaimResponse: summary: An example federated claim value: id: ofc893fbjaBaqdtoX0g7 name: role expression: appuser.entitlements.role created: '2024-12-25T03:00:00.000Z' lastUpdated: '2024-12-25T03:00:00.000Z' 
get-entity-risk-policy-response: summary: ENTITY_RISK value: type: ENTITY_RISK id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true conditions: null created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST get-managed-connection-identity-assertion-app-instance-response-example: summary: Get an identity assertion managed connection for an app authorization server description: When a managed connection enables a workload principal to obtain an ID-JAG for an app instance's authorization server value: connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION id: mcn1a2b3c4d5e6f7g8h9 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn1a2b3c4d5e6f7g8h9 status: INACTIVE resourceIndicator: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 name: Salesforce Production logo: https://dev-123456.okta.com/img/logos/salesforce.png _links: self: href: https://dev-123456.okta.com/api/v1/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 web: href: https://dev-123456.okta.com/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 type: text/html authorizationServer: issuerUrl: https://dev-123456.okta.com/oauth2/aus1gjh63g214q0Hq0g4 scopeCondition: ALL_SCOPES scopes: - '*' _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn1a2b3c4d5e6f7g8h9 get-managed-connection-identity-assertion-custom-as-response-example: summary: Get an identity assertion managed connection for a custom authorization server description: When a managed connection enables a workload principal to obtain an ID-JAG for a custom authorization server value:
connectionType: IDENTITY_ASSERTION_CUSTOM_AS protocolType: IDENTITY_ASSERTION id: mcn6f7g8h9i0j1k2l3m4 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn6f7g8h9i0j1k2l3m4 status: ACTIVE resourceIndicator: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:crm:0oa1gjh63g214q0Hq0g4 authorizationServer: orn: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:authorization_servers:aus5rb5mt2H3d1TJd0h7 name: Custom Authorization Server for CRM API issuerUrl: https://dev-123456.okta.com/oauth2/aus3m4n5k6l7p8q9r0s1 _links: self: href: https://dev-123456.okta.com/api/v1/authorizationServers/aus5rb5mt2H3d1TJd0h7 web: href: https://dev-123456.okta.com/admin/oauth2/as/aus5rb5mt2H3d1TJd0h7 type: text/html scopeCondition: INCLUDE_ONLY scopes: - crm.read - crm.write _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn6f7g8h9i0j1k2l3m4 get-managed-connection-identity-assertion-excluded-scopes-example: summary: An identity assertion managed connection with excluded scopes value: connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION id: mcn7g8h9i0j1k2l3m4n5 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn7g8h9i0j1k2l3m4n5 status: ACTIVE resourceIndicator: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 name: Salesforce Production logo: https://dev-123456.okta.com/img/logos/salesforce.png _links: self: href: https://dev-123456.okta.com/api/v1/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 web: href: https://dev-123456.okta.com/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 type: text/html authorizationServer: issuerUrl: https://dev-123456.okta.com/oauth2/aus1gjh63g214q0Hq0g4 scopeCondition: EXCLUDE scopes: - salesforce.admin.delete - salesforce.admin.write _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn7g8h9i0j1k2l3m4n5 
get-managed-connection-sts-secret-response-example: summary: Get a vaulted secret managed connection description: When a managed connection enables a workload principal to obtain a vaulted secret credential value: connectionType: STS_VAULT_SECRET protocolType: STS id: mcn2b3c4d5e6f7g8h9i0 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn2b3c4d5e6f7g8h9i0 status: ACTIVE resourceIndicator: https://api.crm.company.com secret: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:d2642f68-df50-4ba8-a898-6c0f82f89d8a name: Database Root Password path: /secrets/database/root-password description: Root password for production database server _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secrets/d2642f68-df50-4ba8-a898-6c0f82f89d8a web: href: https://dev-123456.pam.okta.com/t/default/secrets/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secret/d2642f68-df50-4ba8-a898-6c0f82f89d8a type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn2b3c4d5e6f7g8h9i0 get-managed-connection-sts-service-account-response-example: summary: Get a service account managed connection description: When a managed connection enables a workload principal to obtain a service account credential value: connectionType: STS_SERVICE_ACCOUNT protocolType: STS id: mcn3c4d5e6f7g8h9i0j1 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn3c4d5e6f7g8h9i0j1 status: ACTIVE resourceIndicator: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4 app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4 name: Test Org Custom SAML App logo: https://dev-123456.okta.com/img/logos/custom-saml.png _links: self: href: 
https://dev-123456.okta.com/api/v1/admin/app/testorgone_customsaml20app_1/instance/0oa1gjh63g214q0Hq0g4 web: href: https://dev-123456.okta.com/admin/app/testorgone_customsaml20app_1/instance/0oa1gjh63g214q0Hq0g4 type: text/html serviceAccount: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:testorgone_customsaml20app_1:0oa1gjh63g214q0Hq0g4:service_accounts:4923897d-c665-488a-9480-a415b4080861 name: Test Org SAML Bot _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 web: href: https://dev-123456.pam.okta.com/t/default/saas_app_accounts/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn3c4d5e6f7g8h9i0j1 get-post-auth-session-policy-response: summary: POST_AUTH_SESSION value: type: POST_AUTH_SESSION id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true conditions: null created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST getBlockListExample: summary: List of blocked email domains value: domains: - yahoo.com - google.com group-example: summary: Group example description: Example of a group value: id: 00g1emaKYZTWRYYRRTSK created: '2015-02-06T10:11:28.000Z' lastUpdated: '2015-10-05T19:16:43.000Z' lastMembershipUpdated: '2015-11-28T19:15:32.000Z' objectClass: - okta:user_group type: OKTA_GROUP profile: name: West Coast users description: All users West of The Rockies _links: logo: - name: medium href: 
https://{yourOktaDomain}/img/logos/groups/okta-medium.png type: image/png - name: large href: https://{yourOktaDomain}/img/logos/groups/okta-large.png type: image/png users: href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users apps: href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps group-rule-example: summary: Group rule example description: Example of a group rule value: type: group_rule id: 0pr3f7zMZZHPgUoWO0g4 status: INACTIVE name: Engineering group rule created: '2016-12-01T14:40:04.000Z' lastUpdated: '2016-12-01T14:40:04.000Z' conditions: people: users: exclude: - 00u22w79JPMEeeuLr0g4 groups: exclude: [] expression: value: user.role=="Engineer" type: urn:okta:expression:1.0 actions: assignUserToGroups: groupIds: - 00gjitX9HqABSoqTB0g3 idp-discovery-dynamic-routing-rule: summary: IdP discovery policy - Routing rule with dynamic IdP value: name: Dynamic routing rule priority: 1 status: ACTIVE conditions: network: connection: ANYWHERE actions: idp: providers: [] idpSelectionType: DYNAMIC matchCriteria: - providerExpression: login.identifier.substringAfter('@') propertyName: name system: false type: IDP_DISCOVERY idp-discovery-dynamic-routing-rule-response: summary: IdP discovery policy - Routing rule with dynamic IdP value: id: ruleId _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST name: Dynamic routing rule priority: 1 status: ACTIVE conditions: network: connection: ANYWHERE actions: idp: providers: [] idpSelectionType: DYNAMIC matchCriteria: - providerExpression: login.identifier.substringAfter('@') propertyName: name system: false type: IDP_DISCOVERY idp-discovery-policy-response: summary: IDP_DISCOVERY value: type: IDP_DISCOVERY id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 
system: true created: createdDate lastUpdated: lastUpdated conditions: null _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - POST - GET idp-discovery-specific-routing-rule: summary: IdP discovery policy - Routing rule with specific IdP value: name: Specific routing rule priority: 1 status: ACTIVE conditions: network: connection: ANYWHERE actions: idp: providers: - type: GOOGLE id: 0oa5ks3WmHLRh8Ivr0g4 idpSelectionType: SPECIFIC system: false type: IDP_DISCOVERY idp-discovery-specific-routing-rule-response: summary: IdP discovery policy - Routing rule with specific IdP value: id: ruleId _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST name: Specific routing rule priority: 1 status: ACTIVE conditions: network: connection: ANYWHERE actions: idp: providers: - type: GOOGLE id: 0oa5ks3WmHLRh8Ivr0g4 idpSelectionType: SPECIFIC system: false type: IDP_DISCOVERY inactiveAPIServiceIntegrationInstanceSecretResponse: summary: Deactivate secret response example value: id: ocs2f4zrZbs8nUa7p0g4 status: INACTIVE client_secret: '***DhOW' secret_hash: yk4SVx4sUWVJVbHt6M-UPA created: '2023-02-21T20:08:24.000Z' lastUpdated: '2023-02-21T20:08:24.000Z' _links: activate: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate hints: allow: - POST delete: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 hints: allow: - DELETE list-access-policy-response: summary: ACCESS_POLICY value: - type: ACCESS_POLICY id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 
system: true conditions: null created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST list-all-access-policy-rule-response: summary: ACCESS_POLICY value: - id: ruleId status: ACTIVE name: Catch-all rule priority: 99 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: true conditions: null actions: appSignOn: access: ALLOW verificationMethod: factorMode: 1FA type: ASSURANCE reauthenticateIn: PT12H constraints: [] _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT type: ACCESS_POLICY list-all-device-signal-collection-rule-response: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: DEVICE_SIGNAL_COLLECTION value: - id: ruleId status: ACTIVE name: Device signal collection rule priority: 0 created: '2024-11-20T18:22:15.000Z' lastUpdated: '2025-01-03T23:04:33.000Z' system: false conditions: network: connection: ZONE exclude: - nzo9o4rctwQCJNE6y1d7 platform: include: - type: MOBILE os: type: ANDROID actions: deviceSignalCollection: deviceContextProviders: - key: OKTA_VERIFY userIdentification: IGNORE - key: CHROME_DEVICE_TRUST - key: DEVICE_POSTURE_IDP id: 0oa159mE9aOSpCwmr0g4 _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT type: DEVICE_SIGNAL_COLLECTION list-all-entity-risk-policy-rule-response: summary: ENTITY_RISK value: - id: ruleId status: ACTIVE name: Catch-all rule priority: 99 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: true conditions: null actions: entityRisk: actions: [] _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT type: ENTITY_RISK 
list-all-idp-discovery-policy-rule-response: summary: IDP_DISCOVERY value: - id: 0prgu3bb10hce267M1d7 status: ACTIVE name: Test rule priority: 1 created: '2024-08-27T19:51:15.000Z' lastUpdated: '2024-08-27T19:51:15.000Z' system: true conditions: network: connection: ANYWHERE platform: include: [] exclude: [] userIdentifier: patterns: [] app: include: [] exclude: [] actions: idp: providers: - type: OKTA idpSelectionType: SPECIFIC _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT type: IDP_DISCOVERY list-all-mfa-enroll-policy-rule-response: summary: MFA_ENROLL value: - id: 0prgu3g4mon9ARm9F1d7 status: ACTIVE name: Test Rule priority: 1 created: '2024-08-27T19:51:39.000Z' lastUpdated: '2024-08-27T19:51:39.000Z' system: true conditions: people: users: exclude: [] network: connection: ANYWHERE actions: enroll: self: CHALLENGE _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT type: MFA_ENROLL list-all-password-policy-rule-response: summary: PASSWORD value: - id: 0prgu3baytQGHuVEv1d7 status: ACTIVE name: Test Rule priority: 1 created: '2024-08-27T19:51:11.000Z' lastUpdated: '2024-08-27T19:51:17.000Z' system: true conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - email stepUp: required: false selfServiceUnlock: access: DENY _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT type: PASSWORD list-all-post-auth-session-policy-rule-response: summary: POST_AUTH_SESSION value: - id: ruleId status: ACTIVE name: Post auth rule priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: people: users: exclude: [] actions: postAuthSession: failureActions: [] _links: self: href: 
https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST type: POST_AUTH_SESSION - id: ruleId2 status: ACTIVE name: Catch-all rule priority: 99 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: true conditions: null actions: postAuthSession: failureActions: [] _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId2} hints: allow: - GET - PUT type: POST_AUTH_SESSION list-all-profile-enrollment-policy-rule-response: summary: PROFILE_ENROLLMENT value: - id: rulgu3bb4oWR7qbMi1d7 status: ACTIVE name: Test Rule priority: 99 created: '2024-08-27T19:51:18.000Z' lastUpdated: '2024-08-27T19:51:22.000Z' system: true conditions: null actions: profileEnrollment: access: ALLOW preRegistrationInlineHooks: null profileAttributes: - name: email label: Email required: true - name: firstName label: First name required: true - name: lastName label: Last name required: true targetGroupIds: null unknownUserAction: DENY activationRequirements: emailVerification: true uiSchemaId: uisgu3bb4zTbvwD8S1d7 progressiveProfilingAction: DISABLED _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT type: PROFILE_ENROLLMENT list-all-sign-on-policy-rule-response: summary: OKTA_SIGN_ON value: - id: 0prh1sd28q5sXGW08697 status: ACTIVE name: Test rule priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: people: users: exclude: [] network: connection: ANYWHERE risk: behaviors: [] riskScore: level: ANY identityProvider: provider: ANY actions: signon: requireFactor: false factorPromptMode: ALWAYS factorLifetime: 15 access: ALLOW primaryFactor: PASSWORD_IDP_ANY_FACTOR session: maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 usePersistentCookie: 
false _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - POST type: SIGN_ON list-apps-example: summary: List apps example description: List all apps example value: - id: 0oafwvZDWJKVLDCUWUAC name: template_basic_auth label: Sample Basic Auth App status: ACTIVE lastUpdated: '2013-09-30T00:56:52.000Z' created: '2013-09-30T00:56:52.000Z' accessibility: selfService: false errorRedirectUrl: null visibility: autoSubmitToolbar: false hide: iOS: false web: false appLinks: login: true features: [] signOnMode: BASIC_AUTH credentials: scheme: EDIT_USERNAME_AND_PASSWORD userNameTemplate: template: ${source.login} type: BUILT_IN settings: app: url: https://example.com/login.html authURL: https://example.com/auth.html _links: appLinks: - href: https://{yourOktaDomain}/home/template_basic_auth/0oafwvZDWJKVLDCUWUAC/1438 name: login type: text/html users: href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/users deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/lifecycle/deactivate groups: href: https://{yourOktaDomain}/api/v1/apps/0oafwvZDWJKVLDCUWUAC/groups list-device-signal-collection-policy-response: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: DEVICE_SIGNAL_COLLECTION value: - type: DEVICE_SIGNAL_COLLECTION id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: false conditions: null created: '2025-04-25T17:35:02.000Z' lastUpdated: '2025-04-25T17:35:02.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT - DELETE rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST list-entity-risk-policy-response: summary: ENTITY_RISK value: - type: ENTITY_RISK id: policyId status: ACTIVE name: Policy name 
description: Policy description priority: 1 system: true conditions: null created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST list-group-rules-example: summary: List group rules example description: List all group rules example value: - type: group_rule id: 0pr3f7zMZZHPgUoWO0g4 status: INACTIVE name: Engineering group rule created: '2016-12-01T14:40:04.000Z' lastUpdated: '2016-12-01T14:40:04.000Z' conditions: people: users: exclude: - 00u22w79JPMEeeuLr0g4 groups: exclude: [] expression: value: user.role=="Engineer" type: urn:okta:expression:1.0 actions: assignUserToGroups: groupIds: - 00gjitX9HqABSoqTB0g3 list-groups-examples: summary: List all groups example description: Lists an example of an OKTA_GROUP and an APP_GROUP value: - id: 00g1emaKYZTWRYYRRTSK created: '2015-02-06T10:11:28.000Z' lastUpdated: '2015-10-05T19:16:43.000Z' lastMembershipUpdated: '2015-11-28T19:15:32.000Z' objectClass: - okta:user_group type: OKTA_GROUP profile: name: West Coast users description: All users West of The Rockies _links: logo: - name: medium href: https://{yourOktaDomain}/img/logos/groups/okta-medium.png type: image/png - name: large href: https://{yourOktaDomain}/img/logos/groups/okta-large.png type: image/png users: href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/users apps: href: https://{yourOktaDomain}/api/v1/groups/00g1emaKYZTWRYYRRTSK/apps - id: 00garwpuyxHaWOkdV0g4 created: '2015-08-15T19:15:17.000Z' lastUpdated: '2015-11-18T04:02:19.000Z' lastMembershipUpdated: '2015-08-15T19:15:17.000Z' objectClass: - okta:windows_security_principal type: APP_GROUP profile: name: Engineering users description: All users in the engineering department groupType: Security samAccountName: Engineering users objectSid: 
S-1-5-21-717838489-685202119-709183397-1177 groupScope: Global dn: CN=Engineering users,OU=Engineering,DC=corp,DC=example,DC=com windowsDomainQualifiedName: CORP\Engineering users externalId: OZJdWdONCU6h7WjQKp+LPA== source: id: 0oa2v0el0gP90aqjJ0g7 _links: logo: - name: medium href: https://{yourOktaDomain}/img/logos/groups/active_directory-medium.png type: image/png - name: large href: https://{yourOktaDomain}/img/logos/groups/active_directory-large.png type: image/png source: href: https://{yourOktaDomain}/api/v1/apps/0oa2v0el0gP90aqjJ0g7 users: href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/users apps: href: https://{yourOktaDomain}/api/v1/groups/00garwpuyxHaWOkdV0g4/apps list-managed-connections-example: summary: List all managed connections value: data: - connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION id: mcn1a2b3c4d5e6f7g8h9 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn1a2b3c4d5e6f7g8h9 status: ACTIVE resourceIndicator: https://api.salesforce.com app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 name: Salesforce logo: https://dev-123456.okta.com/img/logos/salesforce.png _links: self: href: https://dev-123456.okta.com/api/v1/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 web: href: https://dev-123456.okta.com/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 type: text/html authorizationServer: issuerUrl: https://dev-123456.okta.com/oauth2/aus1gjh63g214q0Hq0g4 scopeCondition: ALL_SCOPES scopes: - '*' _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn1a2b3c4d5e6f7g8h9 - connectionType: IDENTITY_ASSERTION_CUSTOM_AS protocolType: IDENTITY_ASSERTION id: mcn4d5e6f7g8h9i0j1k2 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn4d5e6f7g8h9i0j1k2 status: ACTIVE resourceIndicator: orn:okta:idp:00o5rb5mt2H3d1TJd0h7:authorization_servers:aus5rb5mt2H3d1TJd0h7 authorizationServer: orn: 
orn:okta:idp:00o5rb5mt2H3d1TJd0h7:authorization_servers:aus5rb5mt2H3d1TJd0h7 name: Custom Auth Server issuerUrl: https://dev-123456.okta.com/oauth2/aus5rb5mt2H3d1TJd0h7 _links: self: href: https://dev-123456.okta.com/api/v1/authorizationServers/aus5rb5mt2H3d1TJd0h7 web: href: https://dev-123456.okta.com/admin/oauth2/as/aus5rb5mt2H3d1TJd0h7 type: text/html scopeCondition: INCLUDE_ONLY scopes: - crm.read - crm.write _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn4d5e6f7g8h9i0j1k2 - connectionType: STS_VAULT_SECRET protocolType: STS id: mcn2b3c4d5e6f7g8h9i0 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn2b3c4d5e6f7g8h9i0 status: ACTIVE resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:d2642f68-df50-4ba8-a898-6c0f82f89d8a secret: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:d2642f68-df50-4ba8-a898-6c0f82f89d8a name: AWS Access Key Secret path: /prod/aws-keys description: Production AWS API credentials _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secrets/d2642f68-df50-4ba8-a898-6c0f82f89d8a web: href: https://dev-123456.pam.okta.com/t/default/secrets/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secret/d2642f68-df50-4ba8-a898-6c0f82f89d8a type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn2b3c4d5e6f7g8h9i0 - connectionType: STS_SERVICE_ACCOUNT protocolType: STS id: mcn3c4d5e6f7g8h9i0j1 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn3c4d5e6f7g8h9i0j1 status: INACTIVE resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:slack:0oa5rb5mt2H3d1TJd0h7:service_accounts:4923897d-c665-488a-9480-a415b4080861 app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:slack:0oa5rb5mt2H3d1TJd0h7 name: Slack Enterprise logo: 
https://dev-123456.okta.com/img/logos/slack.png _links: self: href: https://dev-123456.okta.com/api/v1/admin/app/slack/instance/0oa5rb5mt2H3d1TJd0h7 web: href: https://dev-123456.okta.com/admin/app/slack/instance/0oa5rb5mt2H3d1TJd0h7 type: text/html serviceAccount: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:slack:0oa5rb5mt2H3d1TJd0h7:service_accounts:4923897d-c665-488a-9480-a415b4080861 name: Slack Notification Bot _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 web: href: https://dev-123456.pam.okta.com/t/default/saas_app_accounts/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn3c4d5e6f7g8h9i0j1 _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections list-okta-sign-on-policy-response: summary: OKTA_SIGN_ON value: - type: OKTA_SIGN_ON id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true conditions: people: groups: include: - groupId created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST list-post-auth-session-policy-response: summary: POST_AUTH_SESSION value: - type: POST_AUTH_SESSION id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true conditions: null created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' _links: self: href: 
https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - GET - POST list-potential-connections-app-instance-example: summary: List all IDENTITY_ASSERTION_APP_INSTANCE potential connections value: data: - connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION resourceIndicator: https://api.salesforce.com app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 name: Salesforce Production logo: https://dev-123456.okta.com/img/logos/salesforce.png _links: self: href: https://dev-123456.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4 web: href: https://dev-123456.okta.com/admin/app/salesforce/instance/0oa1gjh63g214q0Hq0g4 type: text/html authorizationServer: issuerUrl: https://dev-123456.okta.com/oauth2/aus1gjh63g214q0Hq0g4 - connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION resourceIndicator: https://slack.com/api app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:slack:0oa2c8xwvBn4h2Ry50g7 name: Slack Enterprise logo: https://dev-123456.okta.com/img/logos/slack.png _links: self: href: https://dev-123456.okta.com/api/v1/apps/0oa2c8xwvBn4h2Ry50g7 web: href: https://dev-123456.okta.com/admin/app/slack/instance/0oa2c8xwvBn4h2Ry50g7 type: text/html authorizationServer: issuerUrl: https://dev-123456.okta.com/oauth2/aus2c8xwvBn4h2Ry50g7 _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/potential-connections?filter=connectionType%20eq%20%22IDENTITY_ASSERTION_APP_INSTANCE%22 list-potential-connections-custom-as-example: summary: List all IDENTITY_ASSERTION_CUSTOM_AS potential connections value: data: - connectionType: IDENTITY_ASSERTION_CUSTOM_AS protocolType: IDENTITY_ASSERTION resourceIndicator: https://api.crm.company.com authorizationServer: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:authorization_servers:aus5rb5mt2H3d1TJd0h7 name: Custom Authorization Server for CRM API 
issuerUrl: https://dev-123456.okta.com/oauth2/aus3m4n5k6l7p8q9r0s1 logo: https://dev-123456.okta.com/img/logos/custom-as.png _links: self: href: https://dev-123456.okta.com/api/v1/authorizationServers/aus5rb5mt2H3d1TJd0h7 web: href: https://dev-123456.okta.com/admin/oauth2/as/aus5rb5mt2H3d1TJd0h7 type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/potential-connections?filter=connectionType%20eq%20%22IDENTITY_ASSERTION_CUSTOM_AS%22 list-potential-connections-service-account-example: summary: List all STS_SERVICE_ACCOUNT potential connections value: data: - connectionType: STS_SERVICE_ACCOUNT protocolType: STS resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:slack:0oa1gjh63g214q0Hq0g4:service_accounts:4923897d-c665-488a-9480-a415b4080861 app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:slack:0oa1gjh63g214q0Hq0g4 name: Slack Enterprise logo: https://dev-123456.okta.com/img/logos/slack.png _links: self: href: https://dev-123456.okta.com/api/v1/apps/0oa1gjh63g214q0Hq0g4 web: href: https://dev-123456.okta.com/admin/app/slack/instance/0oa1gjh63g214q0Hq0g4 type: text/html serviceAccount: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:slack:0oa1gjh63g214q0Hq0g4:service_accounts:4923897d-c665-488a-9480-a415b4080861 name: Slack Notification Bot _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 web: href: https://dev-123456.pam.okta.com/t/default/saas_app_accounts/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 type: text/html - connectionType: STS_SERVICE_ACCOUNT protocolType: STS resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:jira:0oa5rb5mt2H3d1TJd0h7:service_accounts:4923897d-c665-488a-9480-a415b4080861 app: orn: 
orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:jira:0oa5rb5mt2H3d1TJd0h7 name: Jira Cloud logo: https://dev-123456.okta.com/img/logos/jira.png _links: self: href: https://dev-123456.okta.com/api/v1/apps/0oa5rb5mt2H3d1TJd0h7 web: href: https://dev-123456.okta.com/admin/app/jira/instance/0oa5rb5mt2H3d1TJd0h7 type: text/html serviceAccount: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:jira:0oa5rb5mt2H3d1TJd0h7:service_accounts:4923897d-c665-488a-9480-a415b4080861 name: Jira Automation Bot _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 web: href: https://dev-123456.pam.okta.com/t/default/saas_app_accounts/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 type: text/html - connectionType: STS_SERVICE_ACCOUNT protocolType: STS resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:github:0oa2c8xwvBn4h2Ry50g7:service_accounts:4923897d-c665-488a-9480-a415b4080861 app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:github:0oa2c8xwvBn4h2Ry50g7 name: GitHub Enterprise logo: https://dev-123456.okta.com/img/logos/github.png _links: self: href: https://dev-123456.okta.com/api/v1/apps/0oa2c8xwvBn4h2Ry50g7 web: href: https://dev-123456.okta.com/admin/app/github/instance/0oa2c8xwvBn4h2Ry50g7 type: text/html serviceAccount: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:apps:github:0oa2c8xwvBn4h2Ry50g7:service_accounts:4923897d-c665-488a-9480-a415b4080861 name: GitHub Actions Bot _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 web: href: 
https://dev-123456.pam.okta.com/t/default/saas_app_accounts/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/saas_app_accounts/4923897d-c665-488a-9480-a415b4080861 type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/potential-connections?filter=connectionType%20eq%20%22STS_SERVICE_ACCOUNT%22 list-potential-connections-vaulted-secret-example: summary: List all STS_VAULT_SECRET potential connections value: data: - connectionType: STS_VAULT_SECRET protocolType: STS resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:d2642f68-df50-4ba8-a898-6c0f82f89d8a secret: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:d2642f68-df50-4ba8-a898-6c0f82f89d8a name: AWS Production API Key path: /secrets/aws/prod-api-key _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secrets/d2642f68-df50-4ba8-a898-6c0f82f89d8a web: href: https://dev-123456.pam.okta.com/t/default/secrets/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secret/d2642f68-df50-4ba8-a898-6c0f82f89d8a type: text/html - connectionType: STS_VAULT_SECRET protocolType: STS resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:f3759h79-eg61-5cb9-b9a9-7d1g93g8ae9b secret: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:f3759h79-eg61-5cb9-b9a9-7d1g93g8ae9b name: Azure Service Principal Secret path: /secrets/azure/service-principal _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secrets/f3759h79-eg61-5cb9-b9a9-7d1g93g8ae9b web: href: https://dev-123456.pam.okta.com/t/default/secrets/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secret/f3759h79-eg61-5cb9-b9a9-7d1g93g8ae9b type: text/html - 
connectionType: STS_VAULT_SECRET protocolType: STS resourceIndicator: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:a4860i8a-fh72-6dca-caba-8e2ha4h9bf0c secret: orn: orn:okta:pam:00o1n8sbwArJ7OQRw406:secrets:a4860i8a-fh72-6dca-caba-8e2ha4h9bf0c name: Database Connection String path: /secrets/database/prod-connection _links: self: href: https://dev-123456.pam.okta.com/v1/teams/default/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secrets/a4860i8a-fh72-6dca-caba-8e2ha4h9bf0c web: href: https://dev-123456.pam.okta.com/t/default/secrets/resource_groups/1c2a1d99-9a20-4d83-b602-34c278ec5249/projects/20662d8c-2ece-4a89-97d8-c7b437fb5b23/secret/a4860i8a-fh72-6dca-caba-8e2ha4h9bf0c type: text/html _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/potential-connections?filter=connectionType%20eq%20%22STS_VAULT_SECRET%22 list-user-example: value: - id: 00u1f96ECLNVOKVMUSEA status: ACTIVE created: '2013-12-12T16:14:22.000Z' activated: '2013-12-12T16:14:22.000Z' statusChanged: '2013-12-12T22:14:22.000Z' lastLogin: '2013-12-12T22:14:22.000Z' lastUpdated: '2015-11-15T19:23:32.000Z' passwordChanged: '2013-12-12T22:14:22.000Z' profile: firstName: Easy lastName: E email: easy-e@example.com login: easy-e@example.com mobilePhone: null credentials: password: {} provider: type: OKTA name: OKTA _links: self: href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA listAIAgentOperationsResponse: summary: List of AI agent operations value: data: - id: op-1a2b3c4d type: ai-agent:Register status: COMPLETED created: '2025-09-11T18:52:48.000Z' started: '2025-09-11T18:52:48.000Z' completed: '2025-09-11T18:52:49.000Z' resource: id: aiAgent_abc123def456 type: AI_AGENT status: ACTIVE _links: self: href: https://subdomain.okta.com/workload-principal/api/v1/ai-agents/aiAgent_abc123def456 - id: op-0f1e2d3c type: ai-agent:Replace status: IN_PROGRESS created: '2025-09-10T15:00:00.000Z' started: '2025-09-10T15:00:01.000Z' 
- id: op-2b3c4d5e type: ai-agent:Delete status: FAILED created: '2025-09-10T14:30:00.000Z' started: '2025-09-10T14:30:01.000Z' completed: '2025-09-10T14:30:05.000Z' errorDetails: code: E0000001 message: custom error message. _links: self: href: https://subdomain.okta.com/workload-principal/api/v1/operations next: href: https://subdomain.okta.com/workload-principal/api/v1/operations?after=op-2b3c4d5e listFederatedClaimResponse: summary: List federated claim response example value: - id: ofc893fbjaBaqdtoX0g7 name: role expression: appuser.entitlements.role created: '2024-12-25T03:00:00.000Z' lastUpdated: '2024-12-25T03:00:00.000Z' - id: ofc893fbjaTxynmo5v93 name: readOnly expression: appuser.entitlements.readOnly created: '2024-12-25T05:00:00.000Z' lastUpdated: '2024-12-25T05:00:00.000Z' listStreamConfigurationExample: summary: List of SSF stream configurations example value: - aud: https://example.com delivery: method: urn:ietf:rfc:8935 endpoint_url: https://example.com events_delivered: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change events_requested: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change events_supported: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change format: iss_sub iss: https://{yourOktaDomain} min_verification_interval: 0 stream_id: esc1k235GIIztAuGK0g5 mfa-enroll-policy-response: summary: MFA_ENROLL value: type: MFA_ENROLL id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true created: createdDate lastUpdated: lastUpdated conditions: people: groups: include: - groupId settings: type: AUTHENTICATORS authenticators: - key: okta_email enroll: self: NOT_ALLOWED - key: okta_verify enroll: self: OPTIONAL - key: okta_password 
enroll: self: REQUIRED _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - POST - GET mappings: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings hints: allow: - GET - POST deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate hints: allow: - POST mfa-enroll-policy-with-grace-period-response: summary: MFA_ENROLL value: type: MFA_ENROLL id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true created: createdDate lastUpdated: lastUpdated conditions: people: groups: include: - groupId settings: type: AUTHENTICATORS authenticators: - key: okta_email enroll: self: NOT_ALLOWED - key: okta_verify enroll: self: OPTIONAL - key: okta_password enroll: self: REQUIRED - key: phone_number enroll: self: REQUIRED gracePeriod: type: BY_DATE_TIME expiry: '2025-01-01T18:30:45.000Z' _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - POST - GET mappings: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings hints: allow: - GET - POST deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/lifecycle/deactivate hints: allow: - POST newAPIServiceIntegrationInstanceSecretResponse: summary: New secret response example value: id: ocs2f50kZB0cITmYU0g4 status: ACTIVE client_secret: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B secret_hash: FpCwXwSjTRQNtEI11I00-g created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST oAuth2ClientSecretResponse: summary: Client secret response example value: id: 
ocs2f50kZB0cITmYU0g4 status: ACTIVE client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B secret_hash: FpCwXwSjTRQNtEI11I00-g created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST oAuthClientJsonActiveEncryptionKey: summary: JSON active encryption key example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA use: enc e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: ACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' oAuthClientJsonActiveEncryptionKeyRequest: summary: Add an active JSON encryption key request example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA use: enc e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: ACTIVE oAuthClientJsonInactiveEncryptionKey: summary: JSON inactive encryption key example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA use: enc e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: INACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: activate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/activate hints: allow: - POST delete: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4 hints: allow: - DELETE oAuthClientJsonInactiveEncryptionKeyRequest: summary: Add an inactive JSON encryption key request example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA use: enc e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: INACTIVE oAuthClientJsonWebKey: summary: JSON Web Key example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: 
RSA alg: RS256 use: sig e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: ACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST oAuthClientJsonWebKeyListResponse: summary: JSON Web Key list response example value: jwks: keys: - id: pks2f4zrZbs8nUa7p0g4 kid: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU= status: INACTIVE created: '2023-02-21T20:08:24.000Z' lastUpdated: '2023-02-21T20:08:24.000Z' _links: activate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4/lifecycle/activate hints: allow: - POST delete: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f4zrZbs8nUa7p0g4 hints: allow: - DELETE - id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: ACTIVE created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/jwks/pks2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST oAuthClientJsonWebKeyRequest: summary: JSON Web Key request example value: id: pks2f50kZB0cITmYU0g4 kid: ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B kty: RSA alg: RS256 use: sig e: AQAB 'n': AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn= status: ACTIVE oAuthClientSecretListResponse: summary: Secrets list response example value: - id: ocs2f4zrZbs8nUa7p0g4 status: INACTIVE client_secret: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B secret_hash: yk4SVx4sUWVJVbHt6M-UPA created: '2023-02-21T20:08:24.000Z' lastUpdated: '2023-02-21T20:08:24.000Z' _links: activate: href: 
https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4/lifecycle/activate hints: allow: - POST delete: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f4zrZbs8nUa7p0g4 hints: allow: - DELETE - id: ocs2f50kZB0cITmYU0g4 status: ACTIVE client_secret: HAGDTYU9XbLnS......3xasFDDwecdZuFs5B secret_hash: 0WOOvBSzV9clc4Nr7Rbaug created: '2023-04-06T21:32:33.000Z' lastUpdated: '2023-04-06T21:32:33.000Z' _links: deactivate: href: https://{yourOktaDomain}/api/v1/apps/0oa1nkheCuDn82XVI0g4/credentials/secrets/ocs2f50kZB0cITmYU0g4/lifecycle/deactivate hints: allow: - POST oamp-id-proofing-policy-rule: summary: Okta account management policy with ID proofing enabled value: id: ruleId name: Account Management Policy Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: appSignOn: access: ALLOW verificationMethod: id: entity_id type: ID_PROOFING oamp-id-proofing-policy-rule-response: summary: Account Management Policy - Account management policy rule with ID proofing enabled value: id: ruleId _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST name: Account Management Policy Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: appSignOn: access: ALLOW verificationMethod: id: entity_id type: ID_PROOFING orgCommunicationOptInResponse: summary: Opt in to communication emails value: optOutEmailUsers: false _links: optOut: href: https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optOut hints: allow: - POST orgCommunicationOptOutResponse: summary: Opt out of communication emails value: optOutEmailUsers: true _links: optIn: href: 
https://{yourOktaDomain}/api/v1/org/privacy/oktaCommunication/optIn hints: allow: - POST orgContactTypeResponse: summary: Org contact types value: - contactType: BILLING _links: billing: href: https://{yourOktaDomain}/api/v1/org/contacts/billing - contactType: TECHNICAL _links: technical: href: https://{yourOktaDomain}/api/v1/org/contacts/technical orgContactUserResponse: summary: Contact user value: userId: 00ux3u0ujW1r5AfZC1d7 _links: user: href: https://{yourOktaDomain}/api/v1/users/00ux3u0ujW1r5AfZC1d7 orgHideFooterPrefResponse: summary: Hide footer response value: showEndUserFooter: false _links: showEndUserFooter: href: https://{yourOktaDomain}/api/v1/org/preferences/showEndUserFooter hints: allow: - POST orgShowFooterPrefResponse: summary: Show footer response value: showEndUserFooter: true _links: hideEndUserFooter: href: https://{yourOktaDomain}/api/v1/org/preferences/hideEndUserFooter hints: allow: - POST orgSupportSettingsWithCaseNumberResponse: summary: Org support settings with impersonation grant for cases value: support: ENABLED expiration: '2024-01-24T11:13:14.000Z' caseNumber: '20000144' _links: case: href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/case/{caseNumber} hints: allow: - PATCH cases: href: https://{yourOktaDomain}/api/v1/org/privacy/oktaSupport/cases hints: allow: - GET password-policy-response: summary: PASSWORD value: type: PASSWORD id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true created: createdDate lastUpdated: lastUpdated conditions: people: groups: include: - groupId authProvider: provider: provider settings: password: complexity: minLength: 8 minLowerCase: 1 minUpperCase: 1 minNumber: null minSymbol: 0 excludeUsername: true dictionary: common: exclude: false excludeAttributes: [] age: maxAgeDays: 0 expireWarnDays: 0 minAgeMinutes: 0 historyCount: 4 lockout: maxAttempts: 0 autoUnlockMinutes: 0 userLockoutNotificationChannels: [] showLockoutFailures: false 
recovery: factors: recovery_question: status: ACTIVE properties: complexity: complexity: 4 okta_email: status: ACTIVE properties: recoveryToken: tokenLifetimeMinutes: 10080 okta_sms: status: INACTIVE okta_call: status: INACTIVE delegation: options: skipUnlock: false _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - POST - GET password-policy-with-breached-protection-response: summary: PASSWORD_WITH_BREACHED_PROTECTION value: type: PASSWORD id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true created: createdDate lastUpdated: lastUpdated conditions: people: groups: include: - groupId authProvider: provider: provider settings: password: complexity: minLength: 8 minLowerCase: 1 minUpperCase: 1 minNumber: null minSymbol: 0 excludeUsername: true dictionary: common: exclude: false excludeAttributes: [] age: maxAgeDays: 0 expireWarnDays: 0 minAgeMinutes: 0 historyCount: 4 lockout: maxAttempts: 0 autoUnlockMinutes: 0 userLockoutNotificationChannels: [] showLockoutFailures: false breachedProtection: expireAfterDays: 1 logoutEnabled: true deletegatedWorkflowId: workflowId recovery: factors: recovery_question: status: ACTIVE properties: complexity: complexity: 4 okta_email: status: ACTIVE properties: recoveryToken: tokenLifetimeMinutes: 10080 okta_sms: status: INACTIVE okta_call: status: INACTIVE delegation: options: skipUnlock: false _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - POST - GET patch-managed-connection-identity-assertion-example: summary: Patch an identity assertion managed connection description: Update scopeCondition and scopes for an Identity Assertion connection. 
Only valid for IDENTITY_ASSERTION_APP_INSTANCE and IDENTITY_ASSERTION_CUSTOM_AS types. value: scopeCondition: INCLUDE_ONLY scopes: - crm.contacts.read - crm.accounts.write - crm.reports.read patch-managed-connection-identity-assertion-excluded-example: summary: Update an identity assertion managed connection with excluded scopes description: Update scopeCondition and scopes for an Identity Assertion connection. Only valid for IDENTITY_ASSERTION_APP_INSTANCE and IDENTITY_ASSERTION_CUSTOM_AS types. value: scopeCondition: EXCLUDE scopes: - crm.admin.delete - crm.admin.write patch-managed-connection-reset-resource-indicator-example: summary: Reset resource indicator to default description: Set resourceIndicator to null to reset it to the default value based on the connection type (app instance ORN, authorization server ORN, secret ORN, or service account ORN). value: resourceIndicator: null patch-managed-connection-resource-indicator-example: summary: Update the resource indicator description: Update only the resourceIndicator. Valid for all connection types except IDENTITY_ASSERTION_CUSTOM_AS (which uses the authorization server ORN). 
value: resourceIndicator: https://api.custom-domain.company.com patch-managed-connection-response-example: summary: Get a managed connection value: connectionType: IDENTITY_ASSERTION_APP_INSTANCE protocolType: IDENTITY_ASSERTION id: mcn1a2b3c4d5e6f7g8h9 orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:connections:mcn1a2b3c4d5e6f7g8h9 status: ACTIVE resourceIndicator: https://api.crm.company.com app: orn: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:crm:0oa1gjh63g214q0Hq0g4 name: CRM Application logo: https://dev-123456.okta.com/img/logos/crm.png _links: self: href: https://dev-123456.okta.com/api/v1/admin/app/crm/instance/0oa1gjh63g214q0Hq0g4 web: href: https://dev-123456.okta.com/admin/app/crm/instance/0oa1gjh63g214q0Hq0g4 type: text/html authorizationServer: issuerUrl: https://dev-123456.okta.com/oauth2/aus1gjh63g214q0Hq0g4 scopeCondition: INCLUDE_ONLY scopes: - crm.contacts.read - crm.accounts.write - crm.reports.read _links: self: href: https://dev-123456.okta.com/workload-principals/api/v1/ai-agents/wlpkhjm0jnDp8RrUu0g4/connections/mcn1a2b3c4d5e6f7g8h9 policy-mapping-list-response: summary: List all mappings for a policy value: - id: policyId _links: application: href: https://{yourOktaDomain}/api/v1/apps/{appId} hints: allow: - GET - PUT - DELETE self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} hints: allow: - GET - PUT - DELETE policy: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT - DELETE policy-mapping-response: summary: Policy mapping for a policy value: id: policyId _links: application: href: https://{yourOktaDomain}/api/v1/apps/{appId} hints: allow: - GET - PUT - DELETE self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/mappings/{mappingId} hints: allow: - GET - PUT - DELETE policy: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT - DELETE postAPIServiceIntegrationRequest: summary: POST request example value: type: my_app_cie grantedScopes: - 
okta.logs.read - okta.groups.read - okta.users.read postAPIServiceIntegrationResponse: summary: Post response example value: id: 0oa72lrepvp4WqEET1d9 type: my_app_cie name: My App Cloud Identity Engine createdAt: '2023-02-21T20:08:24.000Z' createdBy: 00uu3u0ujW1P6AfZC2d5 clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide grantedScopes: - okta.logs.read - okta.groups.read - okta.users.read _links: self: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 hints: allow: - GET - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 hints: allow: - GET logo: name: small href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo postAPIServiceWithPropertiesIntegrationRequest: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: POST request example with app properties value: type: my_app_cie grantedScopes: - okta.logs.read - okta.groups.read - okta.users.read properties: baseUrl: https://example.com orgId: '42' postAPIServiceWithPropertiesIntegrationResponse: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true summary: Post response example with app properties value: id: 0oa72lrepvp4WqEET1d9 type: my_app_cie name: My App Cloud Identity Engine createdAt: '2023-02-21T20:08:24.000Z' createdBy: 00uu3u0ujW1P6AfZC2d5 clientSecret: CkF69kXtag0q0P4pXU8OnP5IAzgGlwx6eqGy7Fmg configGuideUrl: https://{docDomain}/my-app-cie/configuration-guide grantedScopes: - okta.logs.read - okta.groups.read - okta.users.read properties: baseUrl: https://example.com orgId: '42' _links: self: href: https://{yourOktaDomain}/integrations/api/v1/api-services/0oa72lrepvp4WqEET1d9 hints: allow: - GET - DELETE client: href: https://{yourOktaDomain}/oauth2/v1/clients/0oa72lrepvp4WqEET1d9 hints: allow: - GET logo: name: small href: https://{logoDomain}/{logoPath}/my_app_cie_small_logo profile-enrollment-policy-response: summary: PROFILE_ENROLLMENT 
value: type: PROFILE_ENROLLMENT id: policyId status: ACTIVE name: Policy name description: Policy description priority: 1 system: true created: createdDate lastUpdated: lastUpdated conditions: null _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId} hints: allow: - GET - PUT rules: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules hints: allow: - POST - GET radius-rule: summary: Global session policy - Challenge VPN users with Radius value: type: SIGN_ON status: ACTIVE name: Challenge VPN users conditions: network: connection: ANYWHERE authContext: authType: RADIUS people: users: exclude: [] risk: behaviors: [] riskScore: level: ANY identityProvider: provider: ANY actions: signon: access: ALLOW requireFactor: true primaryFactor: PASSWORD_IDP_ANY_FACTOR factorPromptMode: ALWAYS rememberDeviceByDefault: false session: usePersistentCookie: false maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 radius-rule-response: summary: Global session policy - Challenge VPN users with Radius value: id: rule8jjozjGMGbHyC1d6 status: ACTIVE type: SIGN_ON name: Challenge VPN users priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: network: connection: ANYWHERE authContext: authType: RADIUS actions: signon: access: ALLOW requireFactor: true factorPromptMode: ALWAYS rememberDeviceByDefault: false session: usePersistentCookie: false maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE replace-user-request: value: credentials: password: value: tlpWENT2m recovery_question: question: Who's a major player in the cowboy scene? 
answer: Annie Oakley provider: type: OKTA name: OKTA profile: firstName: Isaac lastName: Brock email: isaac.brock@example.com login: isaac.brock@example.com mobilePhone: 555-415-1337 replaceFederatedClaimRequestBody: summary: Replace federated claim example value: name: readOnly expression: appuser.entitlements.readOnly replaceFederatedClaimResponse: summary: An updated federated claim value: id: ofc893fbjaTxynmo5v93 name: readOnly expression: appuser.entitlements.readOnly created: '2024-12-25T04:00:00.000Z' lastUpdated: '2024-12-25T05:00:00.000Z' settingsResponseBaseEx: value: notifications: vpn: network: connection: DISABLED message: null helpUrl: null manualProvisioning: false implicitAssignment: false notes: admin: null enduser: null emOptInStatus: DISABLED sign-on-policy-rule: summary: Sign-on policy - Rule with factor mode always value: type: SIGN_ON name: Test Sign On conditions: network: connection: ANYWHERE riskScore: level: ANY identityProvider: provider: ANY authContext: authType: ANY actions: signon: requireFactor: false factorPromptMode: ALWAYS factorLifetime: 15 access: ALLOW session: maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 usePersistentCookie: false primaryFactor: PASSWORD_IDP_ANY_FACTOR sign-on-policy-rule-response: summary: Sign-on policy - Rule with factor mode always value: type: SIGN_ON name: Test Sign On id: 0prh1sd28q5sXGW08697 priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false status: ACTIVE conditions: network: connection: ANYWHERE riskScore: level: ANY identityProvider: provider: ANY authContext: authType: ANY people: users: exclude: [] actions: signon: requireFactor: false factorPromptMode: ALWAYS factorLifetime: 15 access: ALLOW session: maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 usePersistentCookie: false primaryFactor: PASSWORD_IDP_ANY_FACTOR _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - 
DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE skip-factor-challenge-on-prem-rule: summary: Global session policy - Skip factor challenge for on-prem sign-in use value: type: SIGN_ON status: ACTIVE name: Skip Factor Challenge when On-Prem conditions: network: connection: ZONE include: - 00u7yq5goxNFTiMjW1d7 authContext: authType: ANY actions: signon: access: ALLOW requireFactor: false rememberDeviceByDefault: false session: usePersistentCookie: false maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 skip-factor-challenge-on-prem-rule-response: summary: Global session policy - Skip factor challenge for on-prem sign-in use value: id: rule8jjozjGMGbHyC1d6 status: ACTIVE name: Skip Factor Challenge when On-Prem priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: network: connection: ZONE include: - 00u7yq5goxNFTiMjW1d7 authContext: authType: ANY people: users: exclude: [] risk: behaviors: [] riskScore: level: ANY identityProvider: provider: ANY actions: signon: access: ALLOW requireFactor: false primaryFactor: PASSWORD_IDP_ANY_FACTOR rememberDeviceByDefault: false session: usePersistentCookie: false maxSessionIdleMinutes: 720 maxSessionLifetimeMinutes: 0 type: SIGN_ON _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE sspr-enabled-OAMP: summary: Password policy - Self-service password change, reset, or unlock requirements defined by Okta account management policy value: name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: accessControl: AUTH_POLICY primary: methods: - sms - email stepUp: 
required: false selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-OAMP-response: summary: Password policy - Self-service password change, reset, or unlock requirements defined by Okta account management policy value: id: ruleId _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: accessControl: AUTH_POLICY primary: methods: - sms - email stepUp: required: false selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-OAMP-update: summary: Password policy - Self-service password change, reset, or unlock requirements defined by Okta account management policy value: id: ruleId name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: accessControl: AUTH_POLICY primary: methods: - sms - email stepUp: required: false selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-no-step-up: summary: Password policy - Self-service password change, reset, or unlock with no step up value: name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - sms - email stepUp: required: false selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-no-step-up-response: summary: Password policy - Self-service password change, reset, or unlock with no step up value: id: ruleId _links: self: href: 
https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - sms - email stepUp: required: false selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-no-step-up-update: summary: Password policy - Self-service password change, reset, or unlock with no step up value: id: ruleId name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - sms - email stepUp: required: false selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sq-step-up: summary: Password policy - Self-service password change, reset, or unlock with security question as step up value: name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms stepUp: required: true methods: - security_question selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sq-step-up-response: summary: Password policy - Self-service password change, reset, or unlock with security question as step up value: id: ruleId _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] 
network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms stepUp: required: true methods: - security_question selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sq-step-up-update: summary: Password policy - Self-service password change, reset, or unlock with security question as step up value: id: ruleId name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms stepUp: required: true methods: - security_question selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sso-step-up: summary: Password policy - Self-service password change, reset, or unlock with any SSO authenticator as step up value: name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms stepUp: required: true selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sso-step-up-response: summary: Password policy - SSPR with any SSO authenticator as step up value: id: ruleId _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms stepUp: required: true selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sso-step-up-update: summary: Password policy - 
Self-service password change, reset, or unlock with any SSO authenticator as step up value: id: ruleId name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms stepUp: required: true selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sso-step-up-with-constraints: summary: Password policy - Enable self-service password change, reset, or unlock with OTP enabled and Google Authenticator constraint value: id: ruleId name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms - otp methodConstraints: - method: otp allowedAuthenticators: - key: google_otp stepUp: required: true selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sso-step-up-with-constraints-response: summary: Password policy - Enable self-service password change, reset, or unlock with OTP enabled and Google Authenticator constraint value: id: ruleId _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms - otp methodConstraints: - method: otp allowedAuthenticators: - key: google_otp stepUp: required: true selfServiceUnlock: access: ALLOW system: false type: PASSWORD sspr-enabled-sso-step-up-with-constraints-update: summary: Password policy - Enable self-service password change, reset, or 
unlock with OTP enabled and Google Authenticator constraint value: id: ruleId name: SSPR Rule priority: 1 status: ACTIVE conditions: people: users: exclude: [] network: connection: ANYWHERE actions: passwordChange: access: ALLOW selfServicePasswordReset: access: ALLOW requirement: primary: methods: - push - sms - otp methodConstraints: - method: otp allowedAuthenticators: - key: google_otp stepUp: required: true selfServiceUnlock: access: ALLOW system: false type: PASSWORD streamConfigurationExample: summary: SSF stream configuration example value: aud: https://example.com delivery: method: urn:ietf:rfc:8935 endpoint_url: https://example.com events_delivered: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change events_requested: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change events_supported: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change format: iss_sub iss: https://{yourOktaDomain} min_verification_interval: 0 stream_id: esc1k235GIIztAuGK0g5 streamStatusDisabledExample: summary: SSF Stream disabled status example value: stream_id: esc1k235GIIztAuGK0g5 status: disabled streamStatusEnabledExample: summary: SSF Stream enabled status example value: stream_id: esc1k235GIIztAuGK0g5 status: enabled twofa-enabled-disallow-password-allow-phishing: summary: App sign-in policy - 2FA with granular authentication value: name: Passwordless 2FA actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA type: ASSURANCE reauthenticateIn: PT0S constraints: knowledge: excludedAuthenticationMethods: key: okta_password possession: deviceBound: REQUIRED phishingREsistant: REQUIRED type: ACCESS_POLICY twofa-enabled-disallow-password-allow-phishing-response: summary: App sign-in policy - 2FA with 
granular authentication value: id: rul7yut96gmsOzKAA1d6 status: ACTIVE name: Passwordless 2FA priority: 0 created: '2023-05-01T21:13:15.000Z' lastUpdated: '2023-05-01T21:13:15.000Z' system: false conditions: null actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA type: ASSURANCE reauthenticateIn: PT0S constraints: knowledge: excludedAuthenticationMethods: key: okta_password required: false possession: deviceBound: REQUIRED phishingREsistant: REQUIRED required: true type: ACCESS_POLICY _links: self: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT twofa-enabled-post-auth-kmsi-disabled: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine summary: App sign-in policy - 2FA with granular authentication with Keep Me Signed In (KMSI) disabled value: name: 2FA with Post Auth KMSI prompt disabled actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA type: ASSURANCE reauthenticateIn: PT2H constraints: knowledge: excludedAuthenticationMethods: key: okta_password keepMeSignedIn: postAuth: NOT_ALLOWED type: ACCESS_POLICY twofa-enabled-post-auth-kmsi-disabled-response: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine summary: App sign-in policy - 2FA with granular authentication with Keep Me Signed In (KMSI) disabled value: id: rul7yut96gmsOzKAA1d6 status: ACTIVE name: 2FA with Post Auth KMSI prompt disabled priority: 0 created: '2023-05-01T21:13:15.000Z' lastUpdated: '2023-05-01T21:13:15.000Z' system: false conditions: null actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA type: ASSURANCE reauthenticateIn: PT0S constraints: knowledge: excludedAuthenticationMethods: key: okta_password required: true keepMeSignedIn: postAuth: NOT_ALLOWED type: ACCESS_POLICY _links: self: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 
hints: allow: - GET - PUT deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST twofa-enabled-post-auth-kmsi-enabled: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine summary: App sign-in policy - 2FA with granular authentication with Keep Me Signed In (KMSI) enabled value: name: 2FA with Post Auth KMSI prompt enabled actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA type: ASSURANCE reauthenticateIn: PT2H constraints: knowledge: excludedAuthenticationMethods: key: okta_password keepMeSignedIn: postAuth: ALLOWED postAuthPromptFrequency: P30D twofa-enabled-post-auth-kmsi-enabled-response: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine summary: App sign-in policy - 2FA with granular authentication with Keep Me Signed In (KMSI) enabled value: id: rul7yut96gmsOzKAA1d6 status: ACTIVE name: 2FA with Post Auth KMSI prompt enabled priority: 0 created: '2023-05-01T21:13:15.000Z' lastUpdated: '2023-05-01T21:13:15.000Z' system: false conditions: null actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA type: ASSURANCE reauthenticateIn: PT0S constraints: knowledge: excludedAuthenticationMethods: key: okta_password required: true keepMeSignedIn: postAuth: ALLOWED postAuthPromptFrequency: PT720H type: ACCESS_POLICY _links: self: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT deactivate: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId}/lifecycle/deactivate hints: allow: - POST update-auth-policy-rule-condition: summary: App sign-in policy - Rule with conditions value: type: ACCESS_POLICY name: Rule with conditions - exclude a group description: Updated policy rule conditions: userType: include: [] exclude: - otyezu4m0xN6w5JEa1d7 network: connection: ZONE exclude: - 
nzo9o4rctwQCJNE6y1d7 riskScore: level: ANY people: users: exclude: - 00u7yq5goxNFTiMjW1d7 include: [] groups: include: [] exclude: - 00g8vta8qzkxPEfKC1d7 platform: include: - type: MOBILE os: type: IOS - type: MOBILE os: type: ANDROID - type: DESKTOP os: type: MACOS elCondition: condition: security.risk.level == 'HIGH' update-auth-policy-rule-condition-response: summary: App sign-in policy - Rule with conditions value: id: rulezuo73ySrHndLb1d7 status: ACTIVE name: Rule with conditions - exclude a group priority: 0 created: '2024-04-25T17:35:02.000Z' lastUpdated: '2024-04-25T17:35:02.000Z' system: false conditions: people: users: exclude: [] groups: exclude: - 00u7yq5goxNFTiMjW1d7 network: connection: ZONE exclude: - nzo9o4rctwQCJNE6y1d7 platform: include: - type: MOBILE os: type: IOS - type: MOBILE os: type: ANDROID - type: DESKTOP os: type: MACOS exclude: [] riskScore: level: ANY userType: include: [] exclude: - otyezu4m0xN6w5JEa1d7 elCondition: condition: security.risk.level == 'HIGH' actions: appSignOn: access: ALLOW verificationMethod: factorMode: 2FA type: ASSURANCE reauthenticateIn: PT2H constraints: knowledge: required: true types: - password reauthenticateIn: PT2H type: ACCESS_POLICY _links: self: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT - DELETE deactivate: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT - DELETE update-device-signal-collection-rule: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] summary: Device signal collection policy - disallow Okta Verify from identifying users value: name: Device signal collection rule actions: deviceSignalCollection: deviceContextProviders: - key: OKTA_VERIFY userIdentification: IGNORE - key: DEVICE_POSTURE_IDP id: 0oa159mE9aOSpCwmr0g4 type: DEVICE_SIGNAL_COLLECTION update-device-signal-collection-rule-response: x-okta-lifecycle: lifecycle: EA 
isGenerallyAvailable: false SKUs: [] summary: Device signal collection policy - collect context for Okta Verify devices value: id: rul7yut96gmsOzKAA1d6 status: ACTIVE name: Device signal collection rule priority: 0 created: '2023-05-01T21:13:15.000Z' lastUpdated: '2023-05-01T21:13:15.000Z' system: false conditions: null actions: deviceSignalCollection: deviceContextProviders: - key: OKTA_VERIFY userIdentification: IGNORE - key: DEVICE_POSTURE_IDP id: 0oa159mE9aOSpCwmr0g4 type: DEVICE_SIGNAL_COLLECTION _links: self: href: https://{yourOktaDomain}/api/v1/policies/rst7xus97faIAgmti1d7/rules/rul7yut96gmsOzKAA1d6 hints: allow: - GET - PUT update-identifiers-in-user-profile-policy: summary: User profile policy - Configure multiple identifiers value: type: PROFILE_ENROLLMENT, id: rulgu3bb4oWR7qbMi1d7, status: ACTIVE, name: Test Rule, priority: 99, system: true, conditions: null, actions: profileEnrollment: access: ALLOW preRegistrationInlineHooks: null profileAttributes: - name: email label: Email required: true - name: firstName label: First name required: true - name: lastName label: Last name required: true targetGroupIds: null unknownUserAction: DENY activationRequirements: emailVerification: true uiSchemaId: uisgu3bb4zTbvwD8S1d7 progressiveProfilingAction: DISABLED allowedIdentifiers: - login - customAttribute update-identifiers-in-user-profile-policy-response: summary: User profile policy - Configure multiple identifiers value: type: PROFILE_ENROLLMENT, id: rulgu3bb4oWR7qbMi1d7, status: ACTIVE, name: Test Rule, priority: 99, system: true, conditions: null, _links: self: href: https://{yourOktaDomain}/api/v1/policies/{policyId}/rules/{ruleId} hints: allow: - GET - PUT actions: profileEnrollment: access: ALLOW preRegistrationInlineHooks: null profileAttributes: - name: email label: Email required: true - name: firstName label: First name required: true - name: lastName label: Last name required: true targetGroupIds: null unknownUserAction: DENY activationRequirements: 
emailVerification: true uiSchemaId: uisgu3bb4zTbvwD8S1d7 progressiveProfilingAction: DISABLED allowedIdentifiers: - login - customAttribute update-user-profile-request: value: profile: firstName: Isaac email: isaac.brock@update.example.com mobilePhone: 555-415-1337 update-user-set-password-request: value: credentials: password: value: uTVM,TPw55 update-user-set-recovery-question-and-answer: value: credentials: recovery_question: question: How many roads must a man walk down? answer: forty two user-example: summary: User example value: id: 00ub0oNGTSWTBKOLGLNR status: ACTIVE created: '2013-06-24T16:39:18.000Z' activated: '2013-06-24T16:39:19.000Z' statusChanged: '2013-06-24T16:39:19.000Z' lastLogin: '2013-06-24T17:39:19.000Z' lastUpdated: '2013-07-02T21:36:25.344Z' passwordChanged: '2013-07-02T21:36:25.344Z' profile: login: isaac.brock@example.com firstName: Isaac lastName: Brock nickName: issac displayName: Isaac Brock email: isaac.brock@example.com secondEmail: isaac@example.org profileUrl: http://www.example.com/profile preferredLanguage: en-US userType: Employee organization: Okta title: Director division: R&D department: Engineering costCenter: '10' employeeNumber: '187' mobilePhone: +1-555-415-1337 primaryPhone: +1-555-514-1337 streetAddress: 301 Brannan St. city: San Francisco state: CA zipCode: '94107' countryCode: US credentials: password: {} recovery_question: question: What's my childhood elementary school? 
provider: type: OKTA name: OKTA _links: self: href: https://{yourOktaDomain}/api/v1/users/00u1f96ECLNVOKVMUSEA userNameTemplateResponseBaseEx: value: userNameTemplate: template: ${source.email} type: BUILT_IN wellKnownSSFMetadataExample: summary: Well-Known SSF metadata example value: configuration_endpoint: https://{yourOktaDomain}/api/v1/ssf/stream delivery_methods_supported: - https://schemas.openid.net/secevent/risc/delivery-method/push - urn:ietf:rfc:8935 issuer: https://{yourOktaDomain} jwks_uri: https://{yourOktaDomain}/oauth2/v1/keys verification_endpoint: https://{yourOktaDomain}/api/v1/ssf/stream/verification spec_version: 1_0-ID3 authorization_schemes: - spec_urn: urn:ietf:rfc:6749 default_subjects: ALL parameters: CustomAsPathJsonWebKeyId: name: keyId in: path schema: type: string required: true description: Unique `id` of the Custom Authorization Server JSON Web Key example: apk2f4zrZbs8nUa7p0g4 OktaResponse: name: Content-Type in: header description: |- Specifies the media type of the resource. Optional `okta-response` value can be included for performance optimization. Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. Enum values for `okta-response`: * `omitCredentials`: Omits the credentials subobject from the response. * `omitCredentialsLinks`: Omits the following HAL links from the response: Update password, Change recovery question, Start forgot password flow, Reset password, Reset factors, Unlock. * `omitTransitioningToStatus`: Omits the `transitioningToStatus` field from the response. required: false schema: type: string examples: Omit credentials subobject and credentials links: value: application/json; okta-response=omitCredentials,omitCredentialsLinks summary: Omits the credentials subobject and credentials links from the response. Doesn't apply performance optimization. 
Omit credentials, credentials links, and `transitioningToStatus` field: value: application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus" summary: Omits the credentials, credentials links, and `transitioningToStatus` field from the response. Applies performance optimization. UISchemaId: name: id description: The unique ID of the UI Schema in: path required: true schema: type: string example: uis4a7liocgcRgcxZ0g7 aiAgentOperationId: name: operationId description: ID of the AI agent operation in: path required: true schema: type: string example: op-1a2b3c4d appIdToDelete: name: allowedAppId in: path schema: type: string required: true description: App ID of the allowed app instance to delete mapping from the target app. example: 0oa1elyw9EAkUNUrW0g5 appInstanceId: name: appInstanceId in: path description: ID of the Active Directory app instance in Okta schema: type: string required: true assignmentId: name: assignmentId description: ID of the realm assignment in: path required: true schema: type: string example: rul2jy7jLUlnO3ng00g4 assignmentType: name: assignmentType description: Specifies the assignment type of the user in: query required: false schema: type: string enum: - USER - GROUP example: GROUP authenticatorEnrollmentId: name: authenticatorEnrollmentId in: path required: true description: ID for a WebAuthn preregistration factor in Okta schema: type: string capabilityType: name: capabilityType description: Capability type in: path required: true schema: $ref: '#/components/schemas/CapabilityType' example: SSO caseNumber: name: caseNumber in: path required: true schema: type: string description: Okta Support case number example: '00000144' claimId: name: claimId in: path schema: type: string required: true description: The unique `id` of the federated claim example: ofc2f4zrZbs8nUa7p0g4 connectionId: name: connectionId description: Connection ID in: path required: true schema: type: string example: 0oafxqCAJWWGELFTYASJ 
containerId: name: containerId in: path description: ID of an existing container, such as an app instance required: true schema: type: string domain: name: domain in: path description: The Okta domain name of your org or one of your custom domains required: true schema: type: string filterSingleConnectionType: name: filter in: query required: true description: | A required [filter](/#filter) expression to return a specific type of potential connections. The expression supports the `eq` [operator](/#operators) and the following `connectionType` values: * `IDENTITY_ASSERTION_APP_INSTANCE` * `IDENTITY_ASSERTION_CUSTOM_AS` * `STS_VAULT_SECRET` * `STS_SERVICE_ACCOUNT` You can combine multiple expressions using the `and` operator to narrow results. For example, filter by connection type and app instance ORN for `STS_SERVICE_ACCOUNT` connections. **Note:** Query parameter percent encoding is required. See [Special characters](/#special-characters). schema: type: string format: scim-filter examples: FilterByAppInstanceConnectionType: summary: Filter by IDENTITY_ASSERTION_APP_INSTANCE connection type value: connectionType%20eq%20%22IDENTITY_ASSERTION_APP_INSTANCE%22 description: 'Query param: ?filter=connectionType eq "IDENTITY_ASSERTION_APP_INSTANCE"' FilterByCustomASConnectionType: summary: Filter by IDENTITY_ASSERTION_CUSTOM_AS connection type value: connectionType%20eq%20%22IDENTITY_ASSERTION_CUSTOM_AS%22 description: 'Query param: ?filter=connectionType eq "IDENTITY_ASSERTION_CUSTOM_AS"' FilterByVaultSecretConnectionType: summary: Filter by STS_VAULT_SECRET connection type value: connectionType%20eq%20%22STS_VAULT_SECRET%22 description: 'Query param: ?filter=connectionType eq "STS_VAULT_SECRET"' FilterByServiceAccountConnectionType: summary: Filter by STS_SERVICE_ACCOUNT connection type value: connectionType%20eq%20%22STS_SERVICE_ACCOUNT%22 description: 'Query param: ?filter=connectionType eq "STS_SERVICE_ACCOUNT"' FilterByServiceAccountAndAppInstance: summary: Filter 
by STS_SERVICE_ACCOUNT and specific app instance value: connectionType%20eq%20%22STS_SERVICE_ACCOUNT%22%20and%20appInstanceOrn%20eq%20%22orn%3Aokta%3Aidp%3A00o1n8sbwArJ7OQRw406%3Aapps%3Aslack%3A0oa1gjh63g214q0Hq0g4%22 description: 'Query param: ?filter=connectionType eq "STS_SERVICE_ACCOUNT" and appInstanceOrn eq "orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:slack:0oa1gjh63g214q0Hq0g4"' x-scim-filter: connectionType: operators: - eq schema: type: string enum: - IDENTITY_ASSERTION_APP_INSTANCE - IDENTITY_ASSERTION_CUSTOM_AS - STS_VAULT_SECRET - STS_SERVICE_ACCOUNT appInstanceOrn: operators: - eq schema: type: string description: Filter by app instance ORN. This is applicable for `STS_SERVICE_ACCOUNT` and `IDENTITY_ASSERTION_APP_INSTANCE` connection types. inlineHookType: name: type description: One of the supported inline hook types in: query schema: type: string enum: - com.okta.import.transform - com.okta.oauth2.tokens.transform - com.okta.saml.tokens.transform - com.okta.user.credential.password.import - com.okta.user.pre-registration - com.okta.telephony.provider limitParameter: name: limit in: query schema: type: string description: Defines the number of policy rules returned. See [Pagination](https://developer.okta.com/docs/api/#pagination). 
managedConnectionId: name: connectionId in: path required: true description: ID of the connection schema: type: string example: mcn1a2b3c4d5e6f7g8h9 managedConnectionsAgentId: name: agentId in: path required: true description: ID of the agent schema: type: string example: wlpkhjm0jnDp8RrUu0g4 matchFuzzy: name: match in: query required: false description: A case-insensitive substring for fuzzy-match that's prefix-friendly schema: type: string minLength: 3 maxLength: 50 example: agent matchQueryFilter: name: match description: Searches for app service accounts where the account name (`name`), username (`username`), app instance label (`containerInstanceName`), or OIN app key name (`containerGlobalName`) contains the given value in: query required: false schema: type: string minLength: 3 maxLength: 255 example: salesforce operationId: name: operationId in: path description: ID of the asynchronous operation in Okta schema: type: string required: true pathAAGUID: name: aaguid description: Unique ID of a custom AAGUID in: path required: true schema: type: string example: cb69481e-8ff7-4039-93ec-0a272911111 pathAIAgentId: name: agentId description: ID of the AI agent in: path required: true schema: type: string example: wlpcFogtKCrK9aYq3fgV pathAIAgentJsonWebKeyId: name: keyId in: path schema: type: string required: true description: Unique `id` of the AI agent JSON Web Key example: pks2f4zrZbs8nUa7p0g4 pathActionId: name: actionId description: Action ID in: path required: true schema: type: string example: action_1234567890 pathActionsProviderType: name: actionsProviderType description: Actions provider type in: path required: true schema: type: string enum: - workflows example: workflows pathApiServiceId: name: apiServiceId in: path schema: type: string required: true description: '`id` of the API Service Integration instance' example: 000lr2rLjZ6NsGn1P0g3 pathApiTokenId: name: apiTokenId in: path schema: type: string example: 00Tabcdefg1234567890 required: true 
description: id of the API Token pathAppId: name: appId description: Application ID in: path required: true schema: type: string example: 0oafxqCAJWWGELFTYASJ pathAppName: name: appName description: Name of the app definition (the OIN catalog app key name) in: path required: true schema: type: string example: google pathAppUserId: name: userId description: ID of an existing Okta user in: path required: true schema: type: string example: 00u13okQOVWZJGDOAUVR pathAssociatedServerId: name: associatedServerId description: '`id` of the associated Authorization Server' in: path required: true schema: type: string example: aus6xt9jKPmCyn6kg0g4 pathAuthServerId: name: authServerId description: '`id` of the Authorization Server' in: path required: true schema: type: string example: GeGRTEr7f3yu2n7grw22 pathAuthenticatorId: name: authenticatorId description: '`id` of the authenticator' in: path required: true schema: type: string example: aut1nd8PQhGcQtSxB0g4 pathBehaviorId: name: behaviorId in: path schema: type: string example: abcd1234 required: true description: ID of the Behavior Detection Rule pathBrandId: name: brandId in: path required: true schema: type: string description: The ID of the brand pathBundleId: name: bundleId in: path schema: type: string example: enbllojq9J9J105DL1d6 required: true description: The `id` of a bundle pathCapability: name: capability description: Capability in: path required: true schema: type: string enum: - sso - universal_logout - provisioning - entitlements - shared example: provisioning pathCaptchaId: name: captchaId in: path schema: type: string required: true description: The unique key used to identify your CAPTCHA instance pathClaimId: name: claimId description: '`id` of Claim' in: path required: true schema: type: string example: hNJ3Uk76xLagWkGx5W3N pathClientId: name: clientId description: '`client_id` of the app' in: path required: true schema: type: string example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD pathClientSecretId: name: 
secretId in: path schema: type: string required: true description: Unique `id` of the OAuth 2.0 Client Secret example: ocs2f4zrZbs8nUa7p0g4 pathContactType: name: contactType in: path required: true schema: type: string description: Type of contact enum: - BILLING - TECHNICAL example: BILLING pathCredentialKeyId: name: keyId description: '`id` of the certificate key' in: path required: true schema: type: string example: P7jXpG-LG2ObNgY9C0Mn2uf4InCQTmRZMDCZoVNxdrk pathCsrId: name: csrId description: '`id` of the CSR' in: path required: true schema: type: string example: fd7x1h7uTcZFx22rU1f7 pathCustomizationId: name: customizationId in: path required: true schema: type: string description: The ID of the email customization pathDeviceAssuranceId: in: path name: deviceAssuranceId required: true description: ID of the device assurance policy schema: type: string pathDeviceId: name: deviceId in: path schema: type: string example: guo4a5u7JHHhjXrMK0g4 required: true description: '`id` of the device' pathDeviceIntegrationId: in: path name: deviceIntegrationId required: true description: The ID of the device integration schema: type: string pathDomainId: name: domainId description: '`id` of the Domain' in: path required: true schema: type: string example: OmWNeywfTzElSLOBMZsL pathEmailDomainId: name: emailDomainId in: path required: true schema: type: string description: The ID of the email domain.
pathEmailServerId: name: emailServerId in: path required: true schema: type: string description: ID of your SMTP Server configuration pathEnrollmentId: name: enrollmentId description: Unique identifier of an enrollment in: path required: true schema: type: string example: sms8lqwuzSpWT4kVs0g4 pathEntitlementId: name: entitlementId in: path schema: type: string example: ent4rg7fltWSgrlDT8g6 required: true description: The `id` of a bundle entitlement pathEventHookId: name: eventHookId description: '`id` of the Event Hook' in: path required: true schema: type: string example: who8vt36qfNpCGz9H1e6 pathExternalUserId: name: externalId in: path required: true description: The external ID of the user example: 00u7m9p9ZT8k2S2EX1f7 schema: type: string pathFactorId: name: factorId description: ID of an existing user factor in: path required: true schema: type: string example: zAgrsaBe0wVGRugDYtdv pathFeatureId: name: featureId description: '`id` of the feature' in: path required: true schema: type: string example: R5HjqNn1pEqWGy48E9jg pathFeatureName: name: featureName description: Name of the Feature in: path required: true schema: $ref: '#/components/schemas/ApplicationFeatureType' pathFirstPartyAppName: name: appName description: | The key name for the Okta app.
Supported apps: * Okta Admin Console (`admin-console`) in: path required: true schema: type: string example: admin-console pathGrantId: name: grantId description: Grant ID in: path required: true schema: type: string example: iJoqkwx50mrgX4T9LcaH pathGroupId: name: groupId description: The `id` of the group in: path required: true schema: type: string example: 00g1emaKYZTWRYYRRTSK pathGroupPushMappingId: name: mappingId description: Group push mapping ID in: path required: true schema: type: string example: gPm00000000000000000 pathGroupRuleId: name: groupRuleId description: The `id` of the group rule in: path required: true schema: type: string example: 0pr3f7zMZZHPgUoWO0g4 pathHookKeyId: name: id description: ID of the Hook Key in: path required: true schema: type: string example: XreKU5laGwBkjOTehusG pathId: name: id description: An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user in: path required: true schema: type: string pathIdentitySourceExternalId: name: externalId in: path required: true description: The external ID of the identity source group example: GROUPEXT123456784C2IF schema: type: string pathIdentitySourceGroupOrExternalId: name: groupOrExternalId in: path required: true description: The Okta group ID or external ID of the identity source group example: 00gsl4xM9ys8TdnbZ0g4 or GROUPEXT123456784C2IF schema: type: string pathIdentitySourceId: name: identitySourceId in: path required: true description: The ID of the identity source for which the session is created example: 0oa3l6l6WK6h0R0QW0g4 schema: type: string pathIdentitySourceMemberExternalId: name: memberExternalId in: path required: true description: The external ID of the identity source user example: USEREXT123456784C2IFA schema: type: string pathIdentitySourceSessionId: name: sessionId in: path required: true description: The ID of the identity source session example: aps1qqonvr2SZv6o70h8 schema: type: string pathIdentitySourceUserId: name: 
appUserId in: path required: true description: The ID of the user in the identity source example: 00u7m9p9ZT8k2S2EX1f7 schema: type: string pathIdpCsrId: name: idpCsrId description: '`id` of the IdP CSR' in: path required: true schema: type: string example: 1uEhyE65oV3H6KM9gYcN pathIdpId: name: idpId description: '`id` of IdP' in: path required: true schema: type: string example: 0oa62bfdjnK55Z5x80h7 pathInlineHookId: name: inlineHookId description: '`id` of the inline hook' in: path required: true schema: type: string example: Y7Rzrd4g4xj6WdKzrBHH pathJsonWebKeyId: name: keyId in: path schema: type: string required: true description: Unique `id` of the OAuth 2.0 Client JSON Web Key example: pks2f4zrZbs8nUa7p0g4 pathKeyId: name: keyId description: ID of the Key Credential for the application in: path required: true schema: type: string example: sjP9eiETijYz110VkhHN pathKid: name: kid description: Unique `id` of the IdP key credential in: path required: true schema: type: string example: KmMo85SSsU7TZzOShcGb pathLifecycle: name: lifecycle description: Whether to `ENABLE` or `DISABLE` the feature in: path required: true schema: $ref: '#/components/schemas/FeatureLifecycle' pathLinkedObjectName: name: linkedObjectName description: Primary or Associated name in: path required: true schema: type: string pathLogStreamId: name: logStreamId in: path schema: type: string example: 0oa1orzg0CHSgPcjZ0g4 required: true description: Unique identifier for the log stream pathLogStreamType: name: logStreamType in: path required: true schema: $ref: '#/components/schemas/LogStreamType' pathMappingId: name: mappingId description: '`id` of the Mapping' in: path required: true schema: type: string example: cB6u7X8mptebWkffatKA pathMemberId: name: memberId in: path schema: type: string example: irb1qe6PGuMc7Oh8N0g4 required: true description: '`id` of the member' pathMethodType: name: methodType description: Type of authenticator method in: path required: true schema: $ref: 
'#/components/schemas/AuthenticatorMethodType' pathNotificationType: name: notificationType in: path required: true schema: $ref: '#/components/schemas/NotificationType' pathOAuthProvisioningAppName: name: appName in: path required: true schema: $ref: '#/components/schemas/OAuthProvisioningEnabledApp' pathOperation: name: operation in: path required: true schema: type: string pathOwnerId: description: The `id` of the group owner name: ownerId in: path required: true schema: type: string example: 00u1emaK22TWRYd3TtG pathPermissionType: name: permissionType in: path schema: type: string example: okta.users.manage required: true description: An Okta [permission](/openapi/okta-management/guides/permissions) pathPolicyId: name: policyId description: '`id` of the Policy' in: path required: true schema: type: string example: 00plrilJ7jZ66Gn0X0g3 pathPolicyMappingId: name: mappingId description: '`id` of the policy resource Mapping' in: path required: true schema: type: string example: maplr2rLjZ6NsGn1P0g3 pathPoolId: name: poolId in: path description: ID of the agent pool to which the settings apply schema: type: string required: true pathPostureCheckId: in: path name: postureCheckId required: true description: ID of the device posture check schema: type: string pathPrimaryRelationshipName: name: primaryRelationshipName description: Name of the `primary` relationship being assigned in: path required: true schema: type: string example: manager pathPrimaryUserId: name: primaryUserId description: User ID to be assigned to the `primary` relationship for the `associated` user in: path required: true schema: type: string pathPrincipalRateLimitId: name: principalRateLimitId in: path schema: type: string example: 0oacamvryxiyMqgiY1d7 required: true description: ID of the principal rate limit pathPublicKeyId: name: keyId description: '`id` of the Public Key' in: path required: true schema: type: string example: FcH2P9Eg7wr0o8N2FuV0 pathPushProviderId: in: path name: 
pushProviderId required: true description: ID of the push provider schema: type: string pathQueryRoleExpand: name: expand description: 'An optional parameter used to return targets configured for the standard role assignment in the `embedded` property. Supported values: `targets/groups` or `targets/catalog/apps`' in: query required: false schema: type: string examples: groupTarget: value: targets/groups summary: Return group targets appTarget: value: targets/catalog/apps summary: Return app targets pathRealmId: name: realmId description: ID of the realm in: path required: true schema: type: string example: vvrcFogtKCrK9aYq3fgV pathRelationshipName: name: relationshipName description: Name of the `primary` or `associated` relationship being queried in: path required: true schema: type: string examples: manager: value: manager summary: Example of a `primary` name subordinate: value: subordinate summary: Example of an `associated` name pathResourceId: name: resourceId in: path schema: type: string example: ire106sQKoHoXXsAe0g4 required: true description: '`id` of the resource' pathResourceSetIdOrLabel: name: resourceSetIdOrLabel in: path schema: type: string example: iamoJDFKaJxGIr0oamd9g required: true description: '`id` or `label` of the resource set' pathRiskProviderId: name: riskProviderId in: path schema: type: string example: 00rp12r4skkjkjgsn required: true description: '`id` of the risk provider object' pathRoleAssignmentId: name: roleAssignmentId description: The `id` of the role assignment in: path required: true schema: type: string example: JBCUYUC7IRCVGS27IFCE2SKO pathRoleId: name: roleId description: '`id` of the role' in: path required: true schema: type: string example: 3Vg1Pjp3qzw4qcCK5EdO pathRoleIdOrEncodedRoleId: name: roleIdOrEncodedRoleId description: The `id` of the role or Base32 encoded `id` of the role name in: path required: true schema: type: string example: JBCUYUC7IRCVGS27IFCE2SKO pathRoleIdOrLabel: name: roleIdOrLabel in: path schema: 
type: string example: cr0Yq6IJxGIr0ouum0g3 required: true description: '`id` or `label` of the role' pathRoleRef: name: roleRef in: path description: A reference to an existing role. Standard roles require a `roleType`, while Custom Roles require a `roleId`. See [Standard roles](/openapi/okta-management/guides/roles/#standard-roles). required: true schema: oneOf: - title: roleType type: string $ref: '#/components/schemas/RoleType' - title: roleId type: string pathRuleId: name: ruleId description: '`id` of the policy rule' in: path required: true schema: type: string example: ruld3hJ7jZh4fn0st0g3 pathSchemaId: name: schemaId description: Schema ID. You can also use `default` to refer to the default user type schema. in: path required: true schema: type: string pathScopeId: name: scopeId description: '`id` of Scope' in: path required: true schema: type: string example: 0TMRpCWXRKFjP7HiPFNM pathSecretId: name: secretId in: path schema: type: string required: true description: '`id` of the API Service Integration instance Secret' example: ocs2f4zrZbs8nUa7p0g4 pathSection: name: section in: path required: true schema: type: string pathSecurityEventProviderId: name: securityEventProviderId in: path schema: type: string example: sse1qg25RpusjUP6m0g5 required: true description: '`id` of the Security Events Provider instance' pathSessionId: name: sessionId description: '`id` of the Session' in: path required: true schema: type: string example: l7FbDVqS8zHSy65uJD85 pathSubmissionId: name: submissionId description: OIN Integration ID in: path required: true schema: type: string example: acme_submissionapp_1 pathTargetGroupId: name: targetGroupId in: path required: true schema: type: string example: 00g1e9dfjHeLAsdX983d pathTemplateId: name: templateId description: '`id` of the Template' in: path required: true schema: type: string example: 6NQUJ5yR3bpgEiYmq8IC pathTemplateName: name: templateName in: path required: true schema: type: string description: The name of the email 
template pathThemeId: name: themeId in: path required: true schema: type: string description: The ID of the theme pathTokenId: name: tokenId description: '`id` of Token' in: path required: true schema: type: string example: sHHSth53yJAyNSTQKDJZ pathTransactionId: name: transactionId description: ID of an existing factor verification transaction in: path required: true schema: type: string example: gPAQcN3NDjSGOCAeG2Jv pathTrustedOriginId: name: trustedOriginId description: '`id` of the trusted origin' in: path required: true schema: type: string example: 7j2PkU1nyNIDe26ZNufR pathTypeId: name: typeId in: path required: true schema: type: string description: The unique key for the user type pathUpdateId: name: updateId in: path description: ID of the update schema: type: string required: true pathUserId: name: userId description: ID of an existing Okta user in: path required: true schema: type: string example: 00ub0oNGTSWTBKOLGLNR pathUserIdOrLogin: name: userIdOrLogin description: |- If for the `self` link, this is the ID of the user for whom you want to get the primary user ID. If for the `associated` relation, this is the user ID or login value of the user assigned the associated relationship. This can be `me` to represent the current session user. 
in: path required: true schema: type: string examples: manager: value: 00u5zex6ztMbOZhF50h7 summary: Example ID of `primary` subordinate: value: 00u5zex6ztMbOZhF50h7 summary: Example ID of `associated` pathWebAuthnMethodType: name: webAuthnMethodType description: Type of authenticator method in: path required: true schema: $ref: '#/components/schemas/AuthenticatorMethodTypeWebAuthn' pathWellKnownUriPath: name: path in: path required: true schema: type: string enum: - apple-app-site-association - assetlinks.json - webauthn description: The path of the well-known URI pathZoneId: name: zoneId in: path schema: type: string required: true description: '`id` of the Network Zone' example: nzowc1U5Jh5xuAK0o0g3 privQueryAfter: description: The cursor used for pagination. It represents the last privileged resource ID returned in the previous fetch operation. name: after in: query schema: type: string example: oprbuthToCeLWOBwh0g4 privQueryLastUpdated: description: Last updated timestamp query parameter name: lastUpdated in: query schema: type: string example: '2024-11-03T00:00:00.000Z' privQueryLimit: description: Specifies the batch size of the results to be returned name: limit in: query schema: type: integer format: int32 default: 200 maximum: 1000 privQueryStatus: description: The status of the privileged resource to filter on name: status in: query schema: type: string example: ACTIVE privilegedResourceId: name: id in: path description: ID of an existing privileged resource required: true schema: type: string queryAfter: name: after in: query schema: type: string description: The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the `Link` response header. See [Pagination](https://developer.okta.com/docs/api/#pagination) and [Link header](https://developer.okta.com/docs/api/#link-header). queryAppAfter: name: after in: query description: Specifies the pagination cursor for the next page of results. 
Treat this as an opaque value obtained through the next link relationship. See [Pagination](/#pagination). schema: type: string example: 16275000448691 queryAppGrantsExpand: name: expand in: query description: 'An optional parameter to return scope details in the `_embedded` property. Valid value: `scope`' schema: type: string example: scope queryAppLimit: name: limit in: query schema: type: integer format: int32 minimum: 1 maximum: 500 default: 50 description: | Specifies the number of objects to return per page. If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](/#pagination). queryAppUserExpand: name: expand in: query description: |- An optional query parameter to return the corresponding [User](/openapi/okta-management/management/tag/User/) object in the `_embedded` property. Valid value: `user` schema: type: string example: user queryAppUserQ: name: q in: query schema: type: string example: sam description: | Specifies a filter for the list of application users returned based on their profile attributes. The value of `q` is matched against the beginning of the following profile attributes: `userName`, `firstName`, `lastName`, and `email`. This filter only supports the `startsWith` operation that matches the `q` string against the beginning of the attribute values. > **Note:** For OIDC apps, user profiles don't contain the `firstName` or `lastName` attributes. Therefore, the query only matches against the `userName` or `email` attributes. queryAppsExpand: name: expand in: query description: |- An optional parameter used for link expansion to embed more resources in the response. Only supports `expand=user/{userId}` and must be used with the `user.id eq "{userId}"` filter query for the same user. Returns the assigned [application user](/openapi/okta-management/management/tag/ApplicationUsers/) in the `_embedded` property. 
schema: type: string example: user/0oa1gjh63g214q0Hq0g4 queryDiscloseIdentifiers: name: discloseIdentifiers description: Indicates whether or not the identifier of an authenticator enrollment is disclosed or anonymized. If it's included in the operation query, then the identifier of the authenticator enrollment (the actual phone number, for example) is included in the response. in: query schema: type: array items: type: string enum: - phone queryExpand: name: expand in: query schema: type: string description: 'Valid value: `scope`. If specified, scope details are included in the `_embedded` attribute.' queryExpandBrand: name: expand in: query style: form explode: false required: false schema: type: array items: type: string enum: - themes - domains - emailDomain description: Specifies additional metadata to be included in the response queryExpandEmailDomain: name: expand in: query style: form explode: false required: false schema: type: array items: type: string enum: - brands description: Specifies additional metadata to be included in the response queryExpandEmailTemplate: name: expand in: query style: form explode: false required: false schema: type: array items: type: string enum: - settings - customizationCount description: Specifies additional metadata to be included in the response queryExpandPageRoot: name: expand in: query style: form explode: false required: false schema: type: array items: type: string enum: - default - customized - customizedUrl - preview - previewUrl description: Specifies additional metadata to be included in the response queryExpandWellKnownUri: name: expand in: query style: form explode: false required: false schema: type: array items: type: string enum: - customized description: Specifies additional metadata to include in the response queryExpandWellKnownUris: name: expand in: query style: form explode: false required: false schema: type: array items: type: string enum: - all - apple-app-site-association - assetlinks.json - 
webauthn description: Specifies additional metadata to include in the response queryFilter: name: q in: query description: Searches the records for matching value schema: type: string queryGroupAssignmentLimit: name: limit in: query description: |- Specifies the number of objects to return per page. If there are multiple pages of results, the Link header contains a `next` link that you need to use as an opaque value (follow it, don't parse it). See [Pagination](/#pagination). examples: min: value: 20 summary: Minimum limit value hundred: value: 100 summary: Sample limit value max: value: 200 summary: Maximum limit value schema: type: integer format: int32 default: 20 minimum: 20 maximum: 200 queryGroupAssignmentWithGroupExpand: name: expand in: query description: |- An optional query parameter to return the corresponding assigned [group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) or the group assignment metadata details in the `_embedded` property. schema: type: string example: group examples: group: value: group summary: Embedded assigned group metadata: value: metadata summary: Embedded group assignment metadata queryGroupAssignmentWithMetadataExpand: name: expand in: query description: |- An optional query parameter to return the corresponding assigned [group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) or the group assignment metadata details in the `_embedded` property. schema: type: string example: metadata examples: group: value: group summary: Embedded assigned group metadata: value: metadata summary: Embedded group assignment metadata queryLanguage: name: language schema: $ref: '#/components/schemas/Language' in: query description: The language to use for the email. Defaults to the current user's language if unspecified. 
queryLimit: name: limit in: query schema: type: integer minimum: 1 maximum: 200 default: 20 description: A limit on the number of objects to return queryLimitPerPoolType: name: limitPerPoolType in: query schema: type: integer default: 5 required: false description: Maximum number of agent pools returned queryPoolType: name: poolType in: query schema: $ref: '#/components/schemas/AgentType' required: false description: Agent type to search for queryScheduled: name: scheduled in: query description: Return only scheduled or ad-hoc updates. If this parameter isn't provided, Okta returns the entire list of updates. schema: type: boolean required: false querySortOrder: name: sortOrder in: query description: 'Specifies sort order: `asc` or `desc` (for search queries only). This parameter is ignored if `sortBy` isn''t present.' schema: type: string default: asc queryUserExpand: name: expand in: query description: 'An optional parameter to include metadata in the `_embedded` attribute. Valid values: `blocks` or `classification`.' required: false schema: type: string example: blocks serviceAccountId: name: id in: path description: ID of an existing service account required: true schema: type: string simulateParameter: name: expand description: Use `expand=EVALUATED` to include a list of evaluated but not matched policies and policy rules. Use `expand=RULE` to include details about why a rule condition wasn't matched. 
in: query schema: type: string example: EVALUATED yubikeyTokenId: name: tokenId description: ID of a YubiKey token in: path required: true schema: type: string example: ykkxdtCA1fKVxyu6R0g3 requestBodies: PhoneAuthenticatorEnrollmentRequestBody: content: application/json: schema: $ref: '#/components/schemas/AuthenticatorEnrollmentCreateRequest' examples: PhoneSmsEx: $ref: '#/components/examples/AuthenticatorEnrollmentCreateRequestPhone' required: true TacAuthenticatorEnrollmentRequestBody: content: application/json: schema: $ref: '#/components/schemas/AuthenticatorEnrollmentCreateRequestTac' examples: TacEx: $ref: '#/components/examples/AuthenticatorEnrollmentCreateRequestTac' required: true AuthenticatorRequestBody: content: application/json: schema: $ref: '#/components/schemas/AuthenticatorBase' examples: Duo: $ref: '#/components/examples/AuthenticatorRequestDuo' TAC: $ref: '#/components/examples/AuthenticatorRequestTac' required: true responses: ErrorAppUserForbidden403: description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: AppUserProvEx: $ref: '#/components/examples/ErrorAppUserForbiddenAction' AccessDenied: $ref: '#/components/examples/ErrorAccessDenied' ErrorAppUserUpdateBadRequest400: description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: AppUserUpdateCredEx: $ref: '#/components/examples/ErrorAppUserUpdateBadRequest' APIValidationFailed: $ref: '#/components/examples/ErrorApiValidationFailed' AuthenticatorEnrollmentResponse: description: Success content: application/json: schema: $ref: '#/components/schemas/AuthenticatorEnrollment' examples: PhoneSmsEx: $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneSms' PhoneCallEx: $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneVoice' PhoneDisclosedEx: $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneDisclosed' PhoneAuthenticatorCreateEnrollmentResponse: description: Success 
content: application/json: schema: $ref: '#/components/schemas/AuthenticatorEnrollment' examples: PhoneSmsEx: $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneSms' PhoneCallEx: $ref: '#/components/examples/AuthenticatorEnrollmentResponsePhoneVoice' TacAuthenticatorCreateEnrollmentResponse: description: Success content: application/json: schema: $ref: '#/components/schemas/TacAuthenticatorEnrollment' examples: TacEx: $ref: '#/components/examples/AuthenticatorEnrollmentResponseTac' AuthenticatorResponse: description: OK content: application/json: schema: $ref: '#/components/schemas/AuthenticatorBase' examples: Duo: $ref: '#/components/examples/AuthenticatorResponseDuo' Email: $ref: '#/components/examples/AuthenticatorResponseEmail' Password: $ref: '#/components/examples/AuthenticatorResponsePassword' Phone: $ref: '#/components/examples/AuthenticatorResponsePhone' WebAuthn: $ref: '#/components/examples/AuthenticatorResponseWebAuthn' SecurityQuestion: $ref: '#/components/examples/AuthenticatorResponseSecurityQuestion' TAC: $ref: '#/components/examples/AuthenticatorResponseTac' AuthenticatorResponseInactiveWebAuthn: description: OK content: application/json: schema: $ref: '#/components/schemas/AuthenticatorBase' examples: WebAuthn: $ref: '#/components/examples/AuthenticatorResponseInactiveWebAuthn' ErrorApiValidationFailed400: description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: APIValidationFailed: $ref: '#/components/examples/ErrorApiValidationFailed' ErrorMissingRequiredParameter400: description: Bad Request content: application/json: schema: $ref: '#/components/schemas/Error' examples: MissingRequiredParameter: $ref: '#/components/examples/ErrorMissingRequiredParameter' ErrorInvalidToken401: description: Unauthorized content: application/json: schema: $ref: '#/components/schemas/Error' examples: InvalidTokenProvided: $ref: '#/components/examples/ErrorInvalidTokenProvided' ErrorAccessDenied403: 
description: Forbidden content: application/json: schema: $ref: '#/components/schemas/Error' examples: AccessDenied: $ref: '#/components/examples/ErrorAccessDenied' ErrorResourceNotFound404: description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' examples: ResourceNotFound: $ref: '#/components/examples/ErrorResourceNotFound' ErrorApiValidationConflict409: description: Conflict content: application/json: schema: $ref: '#/components/schemas/Error' examples: AccessDenied: $ref: '#/components/examples/ErrorApiValidationConflict' ErrorTooManyRequests429: description: Too Many Requests content: application/json: schema: $ref: '#/components/schemas/Error' examples: TooManyRequests: $ref: '#/components/examples/ErrorTooManyRequests' ErrorInternalServer500: description: Internal Server Error content: application/json: schema: $ref: '#/components/schemas/Error' examples: InternalServerError: $ref: '#/components/examples/ErrorInternalServer' Error502NoConnectedAgents: description: There are no connected agents. 
content: application/json: schema: $ref: '#/components/schemas/Error' examples: AgentTimeOut: $ref: '#/components/examples/ErrorNoConnectedAgents' Error504AgentTimeOut: description: Timed out waiting for agent content: application/json: schema: $ref: '#/components/schemas/Error' examples: AgentTimeOut: $ref: '#/components/examples/ErrorAgentTimeOut' FailoverResponse: description: OK content: application/json: schema: properties: results: type: array description: Results of the failover operation items: properties: domain: type: string description: Domain for your org example: yourOktaDomain.okta.com message: type: string description: Domain failover message example: Failover was successful FailbackResponse: description: OK content: application/json: schema: properties: results: type: array description: Results of the failback operation items: properties: domain: type: string description: Domain for your org example: yourOktaDomain.okta.com message: type: string description: Domain failback message example: Failback was successful DRStatusResponse: description: OK content: application/json: schema: properties: status: type: array description: List of domains and their disaster recovery status items: $ref: '#/components/schemas/DRStatusItem' example: status: - domain: yourOktaDomain.okta.com isFailedOver: true headers: Link: description: A link to the next page of responses schema: type: string GetFactorResponse: description: Success content: application/json: schema: $ref: '#/components/schemas/UserFactor' examples: SMS: $ref: '#/components/examples/FactorResponseSms' Email: $ref: '#/components/examples/FactorEmail' Error-FF-NotEnabled-Response-401: description: Unauthorized content: application/json: examples: Unauthorized: value: errorCode: E0000015 errorSummary: You do not have permission to access the feature you are requesting errorLink: E0000015 errorId: oaeStOuPPxDRUm3PJhf-tL7bQ errorCauses: [] NzErrorApiValidationFailed400: description: Bad Request content: 
application/json: schema: $ref: '#/components/schemas/Error' examples: APIValidationFailed: $ref: '#/components/examples/NzErrorApiValidationFailed' NzErrorResourceNotFound404: description: Not Found content: application/json: schema: $ref: '#/components/schemas/Error' examples: ResourceNotFound: $ref: '#/components/examples/NzErrorResourceNotFound' schemas: AAGUIDAuthenticatorCharacteristics: description: Contains additional properties about custom AAGUID. type: object properties: fipsCompliant: description: Indicates whether the authenticator meets Federal Information Processing Standards (FIPS) compliance requirements type: boolean hardwareProtected: description: Indicates whether the authenticator stores the private key on a hardware component type: boolean platformAttached: description: Indicates whether the custom AAGUID is built into the authenticator (`true`) or if it's a separate, external authenticator type: boolean AAGUIDGroupObject: type: object properties: aaguids: description: A list of YubiKey hardware FIDO2 AAGUIDs. The available [AAGUIDs](https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs) are provided by the FIDO Alliance Metadata Service. type: array items: type: string description: AAGUID name: type: string description: A name to identify the group of YubiKey hardware FIDO2 AAGUIDs AIAgent: type: object properties: appId: type: string description: The ID of the connected app for the AI agent readOnly: false created: type: string format: date-time description: Timestamp when the AI agent was created readOnly: true id: type: string description: Unique ID for the AI agent readOnly: true lastUpdated: type: string format: date-time description: Timestamp when the AI agent was updated readOnly: true profile: $ref: '#/components/schemas/AIAgentProfile' status: type: string description: When an AI agent is created, it's in the STAGED status. 
After credentials and owners are associated with the agent, it can be set to the ACTIVE status. enum: - ACTIVE - INACTIVE - STAGED _links: $ref: '#/components/schemas/LinksSelf' AIAgentOperationListResponse: type: object properties: data: type: array items: $ref: '#/components/schemas/AIAgentOperationResponse' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksNext' AIAgentOperationResponse: type: object properties: completed: type: string description: Timestamp of when the AI agent operation completed format: date-time created: type: string description: Timestamp of when the AI agent operation was created format: date-time errorDetails: $ref: '#/components/schemas/ErrorDetails' id: type: string description: ID of the AI agent operation resource: $ref: '#/components/schemas/AIAgentResource' started: type: string description: Timestamp of when the AI agent operation started format: date-time status: type: string description: The status of the AI agent operation enum: - COMPLETED - SCHEDULED - IN_PROGRESS - FAILED type: type: string description: The AI agent operation type enum: - ai-agent:Register - ai-agent:Replace - ai-agent:Delete - ai-agent:Activate - ai-agent:Deactivate - ai-agent:Patch required: - id - type - status - created AIAgentProfile: description: AI agent profile type: object properties: description: type: string description: Description of the AI agent name: type: string description: Unique name of the AI agent required: - name AIAgentResource: description: The AI agent resource associated with the operation. These properties are available after the operation completes successfully. 
type: object properties: id: type: string description: The ID of the AI agent resource status: type: string description: The status of the AI agent resource type: type: string description: The type of resource _links: $ref: '#/components/schemas/LinksSelf' required: - id - type - status - _links APIServiceIntegrationInstance: type: object properties: configGuideUrl: type: string description: The URL to the API service integration configuration guide example: https://{docDomain}/my-app-cie/configuration-guide readOnly: true createdAt: type: string description: Timestamp when the API Service Integration instance was created example: '2023-02-21T20:08:24.000Z' readOnly: true createdBy: type: string description: The user ID of the API Service Integration instance creator example: 00uu3u0ujW1P6AfZC2d5 readOnly: true grantedScopes: type: array description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management). items: type: string example: - okta.logs.read id: type: string description: The ID of the API Service Integration instance readOnly: true example: 0oa72lrepvp4WqEET1d9 name: type: string description: The name of the API service integration that corresponds with the `type` property. This is the full name of the API service integration listed in the Okta Integration Network (OIN) catalog. readOnly: true example: My App Cloud Identity Engine properties: $ref: '#/components/schemas/AppProperties' type: type: string description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`. example: my_app_cie _links: $ref: '#/components/schemas/APIServiceIntegrationLinks' readOnly: true APIServiceIntegrationInstanceSecret: type: object properties: client_secret: type: string description: The OAuth 2.0 client secret string. 
The client secret string is returned in the response of a Secret creation request. In other responses (such as list, activate, or deactivate requests), the client secret is returned as an undisclosed hashed value. example: DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B readOnly: true created: type: string description: Timestamp when the API Service Integration instance Secret was created example: '2023-02-21T20:08:24.000Z' readOnly: true id: type: string description: The ID of the API Service Integration instance Secret example: ocs2f4zrZbs8nUa7p0g4 readOnly: true lastUpdated: type: string description: Timestamp when the API Service Integration instance Secret was updated example: '2023-02-21T20:08:24.000Z' readOnly: true secret_hash: type: string description: OAuth 2.0 client secret string hash example: yk4SVx4sUWVJVbHt6M-UPA readOnly: true status: type: string enum: - ACTIVE - INACTIVE description: Status of the API Service Integration instance Secret example: ACTIVE _links: $ref: '#/components/schemas/APIServiceIntegrationSecretLinks' readOnly: true required: - id - status - client_secret - created - lastUpdated - secret_hash - _links APIServiceIntegrationLinks: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
properties: client: $ref: '#/components/schemas/HrefObjectClientLink' logo: $ref: '#/components/schemas/HrefObjectLogoLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' readOnly: true APIServiceIntegrationSecretLinks: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. properties: activate: $ref: '#/components/schemas/HrefObjectActivateLink' deactivate: $ref: '#/components/schemas/HrefObjectDeactivateLink' delete: $ref: '#/components/schemas/HrefObjectDeleteLink' readOnly: true APNSConfiguration: properties: fileName: type: string description: (Optional) File name for Admin Console display keyId: type: string description: 10-character Key ID obtained from the Apple developer account teamId: type: string description: 10-character Team ID used to develop the iOS app tokenSigningKey: type: string description: APNs private authentication token signing key writeOnly: true APNSPushProvider: allOf: - $ref: '#/components/schemas/PushProvider' - type: object properties: configuration: $ref: '#/components/schemas/APNSConfiguration' AccessPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: type: string description: Policy conditions aren't supported. Conditions are applied at the rule level for this policy type. default: null nullable: true AccessPolicyConstraint: description: |- Consists of a `POSSESSION` constraint, a `KNOWLEDGE` constraint, or both. You can't configure an `INHERENCE` constraint, but an inherence factor can satisfy the second part of a 2FA assurance if no other constraints are specified. 
Constraints are logically evaluated such that only one `constraint` object needs to be satisfied, but within a `constraint` object, each `constraint` property must be satisfied. type: object properties: authenticationMethods: description: This property specifies the precise authenticator and method for authentication. type: array items: $ref: '#/components/schemas/AuthenticationMethodObject' excludedAuthenticationMethods: description: This property specifies the precise authenticator and method to exclude from authentication. items: $ref: '#/components/schemas/AuthenticationMethodObject' methods: description: The authenticator methods that are permitted items: type: string enum: - PASSWORD - SECURITY_QUESTION - SMS - VOICE - EMAIL - PUSH - SIGNED_NONCE - OTP - TOTP - WEBAUTHN - DUO - IDP - CERT type: array reauthenticateIn: description: The duration after which the user must re-authenticate regardless of user activity. This re-authentication interval overrides the Verification Method object's `reauthenticateIn` interval. The supported values use ISO 8601 period format for recurring time intervals (for example, `PT1H`). type: string required: description: This property indicates whether the knowledge or possession factor is required by the assurance. It's optional in the request, but is always returned in the response. By default, this field is `true`. If the knowledge or possession constraint has values for `excludedAuthenticationMethods` the `required` value is false. type: boolean types: description: The authenticator types that are permitted items: type: string enum: - SECURITY_KEY - PHONE - EMAIL - PASSWORD - SECURITY_QUESTION - APP - FEDERATED type: array AccessPolicyConstraints: description: Specifies constraints for the authenticator. Constraints are logically evaluated such that only one constraint object needs to be satisfied. But, within a constraint object, each constraint property must be satisfied. 
type: object properties: knowledge: $ref: '#/components/schemas/KnowledgeConstraint' possession: $ref: '#/components/schemas/PossessionConstraint' AccessPolicyLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the app access policy resource AccessPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: $ref: '#/components/schemas/AccessPolicyRuleActions' conditions: $ref: '#/components/schemas/AccessPolicyRuleConditions' AccessPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' - type: object - description: Specifies actions to be taken, or operations that may be allowed, if the rule conditions are satisfied. properties: appSignOn: $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOn' AccessPolicyRuleApplicationSignOn: description: Specifies the results when a user attempts to sign in type: object properties: access: $ref: '#/components/schemas/AccessPolicyRuleApplicationSignOnAccess' keepMeSignedIn: $ref: '#/components/schemas/KeepMeSignedIn' verificationMethod: $ref: '#/components/schemas/VerificationMethod' AccessPolicyRuleApplicationSignOnAccess: type: string enum: - ALLOW - DENY AccessPolicyRuleConditions: allOf: - type: object - description: Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions, as well as conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule. 
properties: device: $ref: '#/components/schemas/DeviceAccessPolicyRuleCondition' elCondition: $ref: '#/components/schemas/AccessPolicyRuleCustomCondition' network: $ref: '#/components/schemas/PolicyNetworkCondition' people: $ref: '#/components/schemas/PolicyPeopleCondition' platform: $ref: '#/components/schemas/PlatformPolicyRuleCondition' riskScore: $ref: '#/components/schemas/RiskScorePolicyRuleCondition' userType: $ref: '#/components/schemas/UserTypeCondition' AccessPolicyRuleCustomCondition: description: Specifies [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language-in-identity-engine/) expressions properties: condition: type: string description: expression to match required: - condition AccessTokenKeyEncryptionAlgorithm: description: The algorithm for encrypting access tokens issued by this authorization server. If this is requested, the response is signed, and then encrypted. The result is a nested JWT. The default, if omitted, is that no encryption is performed. x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true type: string enum: - RSA-OAEP-256 - RSA-OAEP-384 - RSA-OAEP-512 AcsEndpoint: description: An array of ACS endpoints. You can configure a maximum of 100 endpoints. 
type: object properties: index: type: integer description: Index of the URL in the array of ACS endpoints example: 0 url: type: string description: URL of the ACS maxLength: 1024 example: https://www.example.com/sso/saml required: - url - index ActionProvider: type: object properties: externalId: type: string description: The unique identifier of the action flow in the provider system type: $ref: '#/components/schemas/ActionProviderPayloadType' url: type: string format: uri description: The URL to the action flow required: - type - url - externalId discriminator: propertyName: type mapping: WORKFLOWS: '#/components/schemas/WorkflowActionProvider' ActionProviderPayloadType: description: Type of action provider type: string enum: - WORKFLOWS ActionProviderType: type: string enum: - workflows Actions: description: Action to apply to a user type: object properties: assignUserToRealm: $ref: '#/components/schemas/AssignUserToRealm' ActiveDirectoryGroupScope: description: The scope of the group in Active Directory type: string enum: - DOMAIN_LOCAL - GLOBAL - UNIVERSAL ActiveDirectoryGroupType: description: The type of the group in Active Directory type: string enum: - DISTRIBUTION - SECURITY AdminConsoleSettings: title: Okta Admin Console Settings description: Settings specific to the Okta Admin Console type: object properties: sessionIdleTimeoutMinutes: description: The maximum idle time before the Okta Admin Console session expires. Must be no more than 12 hours. type: integer minimum: 5 maximum: 720 default: 15 sessionMaxLifetimeMinutes: description: The absolute maximum session lifetime of the Okta Admin Console. Must be no more than 7 days. 
type: integer minimum: 5 maximum: 10080 default: 720 Agent: description: Agent details type: object properties: id: type: string readOnly: true description: Unique identifier for the agent that's generated during installation example: ajd3fxzltQKQ2VeLu5s6 isHidden: type: boolean description: Determines if an agent is hidden from the Admin Console isLatestGAedVersion: type: boolean description: Determines if the agent is on the latest generally available version lastConnection: type: integer format: int64 description: Unix timestamp in milliseconds when the agent last connected to Okta name: type: string description: Agent name example: WIN-region1A-dc operationalStatus: $ref: '#/components/schemas/OperationalStatus' poolId: type: string description: Pool ID example: 0oa3eu7ekG8tjbD9J5s6 type: $ref: '#/components/schemas/AgentType' updateMessage: type: string description: Status message of the agent example: Queued for update. updateStatus: $ref: '#/components/schemas/AgentUpdateInstanceStatus' version: type: string description: Agent version number example: 3.19.0 _links: $ref: '#/components/schemas/LinksSelf' AgentAction: description: Details about the Active Directory group membership update type: object properties: id: type: string description: ID of the Active Directory group to update parameters: $ref: '#/components/schemas/Parameters' AgentJsonSigningKeyCommon: title: Signing Key type: object properties: alg: type: string description: Algorithm that's used in the JSON Web Key example: RS256 nullable: false use: type: string description: |- Acceptable use of the JSON Web Key You can only use signing keys for AI agents, so the value of `use` is always `sig`. 
example: sig nullable: false enum: - sig AgentJsonSigningKeyRequest: title: Signing Key oneOf: - $ref: '#/components/schemas/AgentJsonWebKeyRsaRequest' - $ref: '#/components/schemas/AgentJsonWebKeyECRequest' discriminator: propertyName: kty mapping: RSA: '#/components/schemas/AgentJsonWebKeyRsaRequest' EC: '#/components/schemas/AgentJsonWebKeyECRequest' AgentJsonSigningKeyResponse: title: Signing Key oneOf: - $ref: '#/components/schemas/AgentJsonWebKeyRsaResponse' - $ref: '#/components/schemas/AgentJsonWebKeyECResponse' discriminator: propertyName: kty mapping: RSA: '#/components/schemas/AgentJsonWebKeyRsaResponse' EC: '#/components/schemas/AgentJsonWebKeyECResponse' AgentJsonWebKeyECRequest: title: EC Signing Key description: An EC signing key allOf: - $ref: '#/components/schemas/AgentJsonWebKeyRequestBase' - $ref: '#/components/schemas/AgentJsonSigningKeyCommon' type: object properties: crv: type: string description: The cryptographic curve that's used for the key pair example: P-256 nullable: false enum: - P-256 - P-384 - P-521 kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: EC nullable: false enum: - EC x: type: string description: The public x coordinate for the elliptic curve point 'y': type: string description: The public y coordinate for the elliptic curve point required: - kty AgentJsonWebKeyECResponse: title: EC Signing Key description: An EC signing key allOf: - $ref: '#/components/schemas/AgentJsonWebKeyRequestBase' - $ref: '#/components/schemas/AgentJsonSigningKeyCommon' - $ref: '#/components/schemas/AgentJsonWebKeyResponseBase' type: object properties: crv: type: string description: The cryptographic curve that's used for the key pair example: P-256 nullable: false enum: - P-256 - P-384 - P-521 kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: EC nullable: false enum: - EC x: type: string description: The public x coordinate for the elliptic curve 
point 'y': type: string description: The public y coordinate for the elliptic curve point required: - kty AgentJsonWebKeyRequestBase: type: object properties: kid: type: string description: Unique identifier of the JSON Web Key in the AI agent's JSON Web Key Set (JWKS) example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 nullable: false status: type: string enum: - ACTIVE - INACTIVE description: Status of the AI agent JSON Web Key example: ACTIVE nullable: false default: ACTIVE AgentJsonWebKeyResponseBase: type: object properties: created: type: string description: Timestamp of when the AI agent JSON Web Key was created example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false id: type: string description: The unique ID of the AI agent JSON Web Key example: pks2f4zrZbs8nUa7p0g4 readOnly: true nullable: false lastUpdated: type: string description: Timestamp of when the AI agent JSON Web Key was last updated example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false _links: $ref: '#/components/schemas/AgentSecretLinks' readOnly: true nullable: false AgentJsonWebKeyRsaRequest: title: RSA Signing Key description: An RSA signing key allOf: - $ref: '#/components/schemas/AgentJsonWebKeyRequestBase' - $ref: '#/components/schemas/AgentJsonSigningKeyCommon' type: object properties: e: type: string description: |- The public exponent of the RSA key, represented as a Base64URL-encoded string. This value is used in combination with the modulus (`n`) to verify signatures and encrypt data. example: AQAB nullable: false kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false enum: - RSA 'n': type: string description: |- The modulus of the RSA public key, represented as a Base64URL-encoded string. This is the primary component of the RSA key and, with the exponent (`e`), is used for cryptographic signature verification and encryption. 
example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: false required: - kty AgentJsonWebKeyRsaResponse: title: RSA Signing Key description: An RSA signing key allOf: - $ref: '#/components/schemas/AgentJsonWebKeyRequestBase' - $ref: '#/components/schemas/AgentJsonSigningKeyCommon' - $ref: '#/components/schemas/AgentJsonWebKeyResponseBase' type: object properties: e: type: string description: |- The public exponent of the RSA key, represented as a Base64URL-encoded string. This value is used in combination with the modulus (`n`) to verify signatures and encrypt data. example: AQAB nullable: false kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false enum: - RSA 'n': type: string description: |- The modulus of the RSA public key, represented as a Base64URL-encoded string. This is the primary component of the RSA key and, with the exponent (`e`), is used for cryptographic signature verification and encryption. example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: false required: - kty AgentPool: description: An agent pool is a collection of agents that serve a common purpose. An agent pool has a unique ID within an org, and contains a collection of agents disjoint to every other agent pool, meaning that no two agent pools share an agent. 
type: object properties: agents: type: array items: $ref: '#/components/schemas/Agent' disruptedAgents: description: Number of agents in the pool that are in a disrupted state type: integer id: type: string readOnly: true description: Agent pool ID inactiveAgents: description: Number of agents in the pool that are in an inactive state type: integer name: type: string description: Agent pool name operationalStatus: $ref: '#/components/schemas/OperationalStatus' type: $ref: '#/components/schemas/AgentType' _links: $ref: '#/components/schemas/LinksSelf' AgentPoolUpdate: description: Various information about agent auto-update configuration type: object properties: agents: type: array items: $ref: '#/components/schemas/Agent' agentType: $ref: '#/components/schemas/AgentType' enabled: type: boolean description: Indicates if auto-update is enabled for the agent pool id: type: string readOnly: true description: ID of the agent pool update name: type: string description: Name of the agent pool update example: region1A.dc notifyAdmin: type: boolean description: Indicates if the admin is notified about the update reason: description: Reason for the update type: string example: Update failed. 
schedule: $ref: '#/components/schemas/AutoUpdateSchedule' sortOrder: description: Specifies the sort order type: integer status: $ref: '#/components/schemas/AgentUpdateJobStatus' targetVersion: type: string description: The agent version to update to example: 3.20.0 _links: $ref: '#/components/schemas/LinksSelf' AgentPoolUpdateSetting: description: Setting for auto-update type: object properties: agentType: $ref: '#/components/schemas/AgentType' continueOnError: type: boolean description: Continues the update even if some agents fail to update latestVersion: type: string description: Latest version of the agent example: 3.20.0 minimalSupportedVersion: type: string description: Minimal version of the agent example: 3.19.0 poolId: type: string readOnly: true description: ID of the agent pool that the settings apply to example: 0oa3eu7ekG8tjbD9J5s6 poolName: type: string description: Pool name example: iwa.dc releaseChannel: $ref: '#/components/schemas/ReleaseChannel' AgentSecretLinks: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an AI agent using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
type: object properties: activate: $ref: '#/components/schemas/HrefObjectActivateLink' deactivate: $ref: '#/components/schemas/HrefObjectDeactivateLink' delete: $ref: '#/components/schemas/HrefObjectDeleteLink' readOnly: true AgentType: description: Agent types that are being monitored type: string enum: - AD - IWA - LDAP - MFA - OPP - RUM - Radius AgentUpdateInstanceStatus: description: Status for one agent regarding the status to auto-update that agent type: string enum: - Cancelled - Failed - InProgress - PendingCompletion - Scheduled - Success AgentUpdateJobStatus: description: Overall state for the auto-update job from the admin perspective type: string enum: - Cancelled - Failed - InProgress - Paused - Scheduled - Success AllCustomAAGUIDResponseObject: items: $ref: '#/components/schemas/CustomAAGUIDResponseObject' type: array AllowedForEnum: description: The allowed types of uses for the authenticator type: string enum: - any - none - recovery - sso AndroidDeviceTrust: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] description: Android Device Trust integration provider type: object properties: deviceIntegrityLevel: $ref: '#/components/schemas/DeviceIntegrity' networkProxyDisabled: description: Indicates whether a device has a network proxy disabled type: boolean playProtectVerdict: $ref: '#/components/schemas/PlayProtectVerdict' requireMajorVersionUpdate: description: | Indicates whether the device needs to be on the latest major version available to the device **Note:** This option requires an `osVersion.dynamicVersionRequirement` value to be supplied with the `osVersion.dynamicVersionRequirement.type` as either `MINIMUM` or `EXACT`. 
type: boolean screenLockComplexity: $ref: '#/components/schemas/ScreenLockComplexity' usbDebuggingDisabled: description: Indicates whether Android Debug Bridge (adb) over USB is disabled type: boolean wifiSecured: description: Indicates whether a device is on a password-protected Wi-Fi network type: boolean ApiToken: title: API Token description: An API token for an Okta User. This token is NOT scoped any further and can be used for any API the user has permissions to call. type: object properties: clientName: type: string readOnly: true created: type: string format: date-time readOnly: true expiresAt: type: string format: date-time readOnly: true id: type: string readOnly: true lastUpdated: type: string format: date-time readOnly: true name: type: string network: type: object description: The Network Condition of the API Token properties: connection: type: string description: The connection type of the Network Condition include: type: array description: List of included IP network zones items: type: string exclude: type: array description: List of excluded IP network zones items: type: string tokenWindow: $ref: '#/components/schemas/TimeDuration' userId: type: string _link: $ref: '#/components/schemas/LinksSelf' required: - name ApiTokenUpdate: title: API Token Update description: An API Token Update Object for an Okta user. This token is NOT scoped any further and can be used for any API that the user has permissions to call. 
type: object properties: clientName: type: string description: The client name associated with the API Token readOnly: true created: type: string description: The creation date of the API Token format: date-time readOnly: true name: type: string description: The name associated with the API Token network: type: object description: The Network Condition of the API Token properties: connection: type: string description: The connection type of the Network Condition include: type: array description: List of included IP network zones items: type: string exclude: type: array description: List of excluded IP network zones items: type: string userId: type: string description: The userId of the user who created the API Token AppAccountContainerDetails: description: Container details for resource type APP_ACCOUNT type: object properties: appName: type: string description: The application name readOnly: true example: google containerId: type: string description: The app ID associated with the privileged resource example: 0oa103099SBEb3Z2b0g4 displayName: type: string description: Human-readable name of the container that owns the privileged resource readOnly: true example: Google App1 globalAppId: type: string description: The application global ID readOnly: true example: 964b82aa-85b4-5645-b790-83312c473480 passwordPushSupported: type: boolean description: Indicates if the application supports password push readOnly: true example: true provisioningEnabled: type: boolean description: Indicates if provisioning is enabled for this application readOnly: true example: true status: $ref: '#/components/schemas/AppInstanceContainerStatus' _links: $ref: '#/components/schemas/AppAccountContainerLink' required: - containerId AppAccountContainerLink: type: object properties: login: $ref: '#/components/schemas/HrefObjectAppLink' logo: $ref: '#/components/schemas/HrefObjectLogoLink' readOnly: true AppAndInstanceConditionEvaluatorAppOrInstance: type: object properties: id: type: string 
description: ID of the app readOnly: false name: type: string description: Name of the app type type: $ref: '#/components/schemas/AppAndInstanceType' AppAndInstancePolicyRuleCondition: description: Specifies apps to include or exclude. If `include` is empty, then the condition is met for all apps. type: object properties: exclude: type: array description: The list of apps or app instances to exclude items: $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' include: type: array description: The list of apps or app instances to match on items: $ref: '#/components/schemas/AppAndInstanceConditionEvaluatorAppOrInstance' AppAndInstanceType: description: Type of app type: string enum: - APP - APP_TYPE AppConfig: description: Additional app configuration for group push mappings. Currently only required for Active Directory. type: object properties: type: type: string $ref: '#/components/schemas/AppConfigType' discriminator: propertyName: type mapping: ACTIVE_DIRECTORY: '#/components/schemas/AppConfigActiveDirectory' AppConfigActiveDirectory: allOf: - $ref: '#/components/schemas/AppConfig' type: object properties: distinguishedName: description: The distinguished name of the group in Active Directory type: string groupScope: $ref: '#/components/schemas/ActiveDirectoryGroupScope' groupType: $ref: '#/components/schemas/ActiveDirectoryGroupType' samAccountName: description: The SAM account name of the group in Active Directory type: string required: - distinguishedName - groupScope - groupType - samAccountName AppConfigType: description: The type of the app configuration type: string enum: - ACTIVE_DIRECTORY AppConnectionUserProvisionJWKList: properties: keys: type: array items: $ref: '#/components/schemas/JsonWebKey' required: - keys AppConnectionUserProvisionJWKResponse: properties: jwks: $ref: '#/components/schemas/AppConnectionUserProvisionJWKList' required: - jwks AppCsrPkcs10: description: Base64URL-encoded CSR in DER format format: base64 type: 
string AppCustomHrefObject: type: object properties: hints: type: object description: Describes allowed HTTP verbs for the `href` properties: allow: type: array items: type: string href: type: string description: Link URI title: type: string description: Link name type: type: string description: The media type of the link. If omitted, it is implicitly `application/json`. required: - href readOnly: true AppGroup: type: object properties: externalId: type: string description: The external ID of the app group whose members might be privileged app users maxLength: 255 example: 18070146415 name: type: string description: The name of the app group whose members might be privileged app users maxLength: 255 example: domainAdminsGroup required: - name - externalId AppInstanceAuthorizationServer: description: Authorization server for app instance connections type: object properties: issuerUrl: type: string description: Issuer URL for the authorization server required: - issuerUrl AppInstanceContainerStatus: description: Current status of the application instance type: string enum: - ACTIVE - DELETED - INACTIVE readOnly: true AppInstanceOrn: description: The [ORN](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn) of the app instance type: string AppInstancePolicyRuleCondition: type: object properties: exclude: type: array items: type: string include: type: array items: type: string AppInstanceProperty: type: object properties: label: type: string name: type: string required: - name - label AppProperties: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true description: App instance properties additionalProperties: type: object properties: name: type: string description: Name of the property example: baseUrl value: type: string description: Value of the property example: https://example.com type: object AppResourceHrefObject: type: object properties: href: type: string description: Link URI example: 
https://{yourOktaDomain}/api/v1/apps/0oabskvc6442nkvQO0h7 title: type: string description: Link name example: My App AppServiceAccount: type: object properties: containerGlobalName: description: The key name of the app in the Okta Integration Network (OIN) readOnly: true type: string example: salesforce containerInstanceName: description: The app instance label readOnly: true type: string example: salesforce Prod 5 containerOrn: description: |- The [ORN](/openapi/okta-management/guides/roles/#okta-resource-name-orn) of the relevant resource. Use the specific app ORN format (`orn:{partition}:idp:{yourOrgId}:apps:{appType}:{appId}`) to identify an Okta app instance in your org. type: string example: orn:okta:idp:00o1n8sbwArJ7OQRw406:apps:salesforce:0oa1gjh63g214q0Hq0g4 created: type: string format: date-time description: Timestamp when the app service account was created readOnly: true description: description: The description of the app service account format: regex maxLength: 255 minLength: 0 type: string example: This is for accessing salesforce Prod-5 id: description: The UUID of the app service account format: regex pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ readOnly: true type: string example: a747a818-a4c4-4446-8a87-704216495a08 lastUpdated: type: string format: date-time description: Timestamp when the app service account was last updated readOnly: true name: description: The user-defined name for the app service account format: regex maxLength: 50 minLength: 1 pattern: ^[\w\-_. ]+$
type: string example: salesforce Prod-5 account ownerGroupIds: description: A list of IDs of the Okta groups who own the app service account type: array items: type: string minItems: 0 maxItems: 10 example: - 00g57qp78yZT2XBA40g7 ownerUserIds: description: A list of IDs of the Okta users who own the app service account type: array items: type: string minItems: 0 maxItems: 10 example: - 00u11s48P9zGW8yqm0g5 password: type: string writeOnly: true description: The app service account password. Required for apps that don't have provisioning enabled or don't support password synchronization. format: password status: $ref: '#/components/schemas/ServiceAccountStatus' statusDetail: $ref: '#/components/schemas/ServiceAccountStatusDetail' username: type: string description: The username that serves as the direct link to your managed app account. Ensure that this value precisely matches the identifier of the target app account. minLength: 1 maxLength: 100 example: testuser-salesforce-5@example.com required: - name - containerOrn - username AppServiceAccountCredentials: description: Credentials for a SaaS app account type: object properties: password: type: string writeOnly: true description: The password associated with the service account format: password username: type: string description: The username associated with the service account minLength: 1 maxLength: 100 example: testuser@example.com required: - username AppServiceAccountForUpdate: type: object properties: description: description: The description of the app service account format: regex maxLength: 255 minLength: 0 type: string example: This is for accessing salesforce Prod-5 name: description: The user-defined name for the app service account format: regex maxLength: 50 minLength: 1 pattern: ^[\w\-_. ]+$
type: string example: salesforce Prod-5 account ownerGroupIds: description: A list of IDs of the Okta groups who own the app service account type: array items: type: string minItems: 0 maxItems: 10 example: - 00g57qp78yZT2XBA40g7 ownerUserIds: description: A list of IDs of the Okta users who own the app service account type: array items: type: string minItems: 0 maxItems: 10 example: - 00u11s48P9zGW8yqm0g5 AppUser: title: Application User description: The application user object defines a user's app-specific profile and credentials for an app type: object properties: created: allOf: - $ref: '#/components/schemas/createdProperty' - example: '2014-06-24T15:27:59.000Z' credentials: $ref: '#/components/schemas/AppUserCredentials' externalId: type: string description: |- The ID of the user in the target app that's linked to the Okta application user object. This value is the native app-specific identifier or primary key for the user in the target app. The `externalId` is set during import when the user is confirmed (reconciled) or during provisioning when the user is created in the target app. This value isn't populated for SSO app assignments (for example, SAML or SWA) because it isn't synchronized with a target app. readOnly: true example: 70c14cc17d3745e8a9f98d599a68329c id: type: string description: Unique identifier for the Okta user example: 00u11z6WHMYCGPCHCRFK lastSync: type: string description: Timestamp of the last synchronization operation. This value is only updated for apps with the `IMPORT_PROFILE_UPDATES` or `PUSH_PROFILE_UPDATES` feature.
format: date-time readOnly: true example: '2014-06-24T15:27:59.000Z' lastUpdated: allOf: - $ref: '#/components/schemas/lastUpdatedProperty' - example: '2014-06-24T15:28:14.000Z' passwordChanged: type: string description: Timestamp when the application user password was last changed format: date-time readOnly: true nullable: true example: '2014-06-24T15:27:59.000Z' profile: $ref: '#/components/schemas/AppUserProfile' scope: type: string description: Indicates if the assignment is direct (`USER`) or by group membership (`GROUP`). enum: - USER - GROUP example: USER status: $ref: '#/components/schemas/AppUserStatus' statusChanged: type: string description: Timestamp when the application user status was last changed format: date-time readOnly: true example: '2014-06-24T15:28:14.000Z' syncState: $ref: '#/components/schemas/AppUserSyncState' _embedded: type: object description: Embedded resources related to the application user using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/LinksAppAndUser' AppUserAssignRequest: allOf: - $ref: '#/components/schemas/AppUser' - required: - id AppUserCredentials: description: | Specifies a user's credentials for the app. This parameter can be omitted for apps with [sign-on mode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/signOnMode&t=response) (`signOnMode`) or [authentication schemes](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=0/credentials/scheme&t=response) (`credentials.scheme`) that don't require credentials. 
type: object properties: password: $ref: '#/components/schemas/AppUserPasswordCredential' userName: type: string description: |- The user's username in the app > **Note:** The [userNameTemplate](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/userNameTemplate&t=request) in the application object defines the default username generated when a user is assigned to that app. > If you attempt to assign a username or password to an app with an incompatible [authentication scheme](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication!path=0/credentials/scheme&t=request), the following error is returned: > "Credentials should not be set on this resource based on the scheme." minLength: 1 maxLength: 100 example: testuser@example.com AppUserCredentialsRequestPayload: title: Credentials description: Updates the assigned user credentials type: object properties: credentials: $ref: '#/components/schemas/AppUserCredentials' AppUserPasswordCredential: description: The user's password. This is a write-only property. An empty `password` object is returned to indicate that a password value exists. type: object properties: value: description: Password value type: string format: password writeOnly: true AppUserProfile: description: | Specifies the default and custom profile properties for a user. Properties that are visible in the Admin Console for an app assignment can also be assigned through the API. Some properties are reference properties that are imported from the target app and can't be configured. See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response). additionalProperties: true type: object AppUserProfileRequestPayload: title: Profile description: |- Updates the assigned user profile > **Note:** The Okta API currently doesn't support entity tags for conditional updates. 
As long as you're the only user updating the user profile, Okta recommends you fetch the most recent profile with [Retrieve an Application User](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/getApplicationUser), apply your profile update, and then `POST` back the updated profile. type: object properties: profile: $ref: '#/components/schemas/AppUserProfile' AppUserStatus: description: Status of an application user example: ACTIVE type: string enum: - ACTIVE - APPROVED - DEPROVISIONED - IMPLICIT - IMPORTED - INACTIVE - MATCHED - PENDING - PROVISIONED - REVOKED - STAGED - SUSPENDED - UNASSIGNED x-enumDescriptions: ACTIVE: The application user is provisioned and is enabled to use the app. This status also occurs if the app has the `IMPORT_PROFILE_UPDATES` feature enabled and user import is confirmed, or if the app doesn't have provisioning enabled. INACTIVE: The application user is provisioned, but isn't enabled to use the app. Application users in this status can be reactivated with a password reset or permanently deleted. IMPORTED: The application user is created based on imported data. MATCHED: The imported user is matched with an existing Application User. UNASSIGNED: The application user was imported, but the user-matching operation was skipped. SUSPENDED: The application user is provisioned, but isn't enabled to use the app. Application users in this status can be reactivated without a password reset. PENDING: The application user is provisioned, but in a pending state and can't use the app. The status moves to `ACTIVE` when the application user is activated. APPROVED: The application user was created but not provisioned. This status can occur when manual provisioning acknowledgment is required. REVOKED: The application user is disabled and waiting for deprovisioning acknowledgment. The application user can be deleted after deprovisioning acknowledgment.
IMPLICIT: The application user is now migrated to use implicit app assignment. STAGED: The application user doesn't have `externalId` set and the background provisioning operation is queued. This applies to apps with the `PUSH_NEW_USERS` feature enabled. PROVISIONED: The background provisioning operation completed and the application user was assigned an `externalId` successfully. DEPROVISIONED: The user was removed by the provisioning operation and the `externalId` property is unassigned. readOnly: true AppUserSyncState: description: |- The synchronization state for the application user. The application user's `syncState` depends on whether the `PROFILE_MASTERING` feature is enabled for the app. > **Note:** User provisioning currently must be configured through the Admin Console. example: SYNCHRONIZED type: string enum: - DISABLED - ERROR - OUT_OF_SYNC - SYNCHRONIZED - SYNCING x-enumDescriptions: DISABLED: The provisioning feature is disabled for the app (`PROFILE_MASTERING` feature is disabled). OUT_OF_SYNC: The Application User has changes that haven't been pushed to the target app. SYNCING: A background provisioning operation is running to update the user's profile in the target app. SYNCHRONIZED: All changes to the application user profile have successfully been synchronized with the target app. ERROR: A background provisioning operation failed to update the user's profile in the target app. You must resolve the provisioning task in the Admin Console before you retry the operation. readOnly: true AppUserUpdateRequest: oneOf: - $ref: '#/components/schemas/AppUserCredentialsRequestPayload' - $ref: '#/components/schemas/AppUserProfileRequestPayload' AppleClientSigning: description: |- Information used to generate the secret JSON Web Token for the token requests to Apple IdP > **Note:** The `privateKey` property is required for a CREATE request. For an UPDATE request, it can be null and keeps the existing value if it's null. 
The `privateKey` property isn't returned for LIST and GET requests or UPDATE requests if it's null. type: object properties: kid: type: string description: The key ID that you obtained from Apple when you created the private key for the client maxLength: 1024 example: test key id privateKey: type: string description: The PKCS \#8 encoded private key that you created for the client and downloaded from Apple maxLength: 1024 example: MIGTAgEAMBM........Cb9PnybCnzDv+3cWSGWqpAIsQQZ teamId: type: string description: The Team ID associated with your Apple developer account maxLength: 1024 example: test team id Application: type: object properties: accessibility: $ref: '#/components/schemas/ApplicationAccessibility' created: type: string format: date-time readOnly: true description: Timestamp when the application object was created expressConfiguration: $ref: '#/components/schemas/ApplicationExpressConfiguration' features: type: array description: | Enabled app features > **Note:** See [Application Features](/openapi/okta-management/management/tag/ApplicationFeatures/) for app provisioning features. 
readOnly: true items: type: string enum: - GROUP_PUSH - IMPORT_NEW_USERS - IMPORT_PROFILE_UPDATES - IMPORT_USER_SCHEMA - PROFILE_MASTERING - PUSH_NEW_USERS - PUSH_PASSWORD_UPDATES - PUSH_PROFILE_UPDATES - PUSH_USER_DEACTIVATION - REACTIVATE_USERS - OUTBOUND_DEL_AUTH - DESKTOP_SSO - FEDERATED_PROFILE - SUPPRESS_ACTIVATION_EMAIL - PUSH_PENDING_USERS - MFA - UPDATE_EXISTING_USERNAME - EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH - EXCHANGE_ACTIVE_SYNC - IMPORT_SYNC - IMPORT_SYNC_CONTACTS - DEVICE_COMPLIANCE - VPN_CONFIG - IMPORT_SCHEMA_ENUM_VALUES - SCIM_PROVISIONING - DEVICE_FILTER_IN_SIGN_ON_RULES - PROFILE_TEMPLATE_UPGRADE - DEFAULT_PUSH_STATUS_TO_PUSH - REAL_TIME_SYNC - SSO - AUTHN_CONTEXT - JIT_PROVISIONING - GROUP_SYNC - OPP_SCIM_INCREMENTAL_IMPORTS - IN_MEMORY_APP_USER - LOG_STREAMING - OAUTH_INTEGRATION - IDP - PUSH_NEW_USERS_WITHOUT_PASSWORD - SKYHOOK_SERVICE - ENTITLEMENT_MANAGEMENT - PUSH_NEW_USERS_WITH_HASHED_PASSWORD x-enumDescriptions: GROUP_PUSH: Creates or links a group in the app when a mapping is defined for a group in Okta. Okta is the source for group memberships and all group members in Okta who are also assigned to the app are synced as group members to the app. IMPORT_NEW_USERS: Creates or links a user in Okta to a user from the app IMPORT_PROFILE_UPDATES: Updates a linked user's app profile during manual or scheduled imports IMPORT_USER_SCHEMA: Discovers the profile schema for a user from the app automatically PROFILE_MASTERING: Designates the app as the identity lifecycle and profile attribute authority for linked users. The user's profile in Okta is read-only. 
PUSH_NEW_USERS: Creates or links a user account in the app when assigning the app to a user in Okta PUSH_PASSWORD_UPDATES: Updates the user's app password when their password changes in Okta PUSH_PROFILE_UPDATES: Updates a user's profile in the app when the user's profile changes in Okta (the profile source) PUSH_USER_DEACTIVATION: Deactivates a user's account in the app when unassigned from the app in Okta or deactivated REACTIVATE_USERS: Reactivates an existing inactive user when provisioning a user to the app OUTBOUND_DEL_AUTH: Okta user authentication requests are delegated to a third-party app DESKTOP_SSO: Okta user authentication requests are handled by desktop SSO negotiation (if possible) FEDERATED_PROFILE: App user profiles are synchronized at sign-in and profile-view instances instead of during bulk imports SUPPRESS_ACTIVATION_EMAIL: Activation emails aren't sent to users sourced by AD and orgs with DelAuth enabled PUSH_PENDING_USERS: Users are in PENDING state in Okta and are created but not active in the sourced app user MFA: App can verify credentials as a second factor UPDATE_EXISTING_USERNAME: App can update the user name for existing users EXCLUDE_USERNAME_UPDATE_ON_PROFILE_PUSH: Exclude username update during profile push EXCHANGE_ACTIVE_SYNC: App supports synchronizing credentials with OMM enrolled devices IMPORT_SYNC: Synchronize import events IMPORT_SYNC_CONTACTS: Synchronize contacts DEVICE_COMPLIANCE: Apps support device compliance rules VPN_CONFIG: App supports pushing VPN configuration to OMM enrolled devices IMPORT_SCHEMA_ENUM_VALUES: App supports downloading schema enum values. You can download custom objects and integrate them with UD without being tied to the type metadata system.
SCIM_PROVISIONING: App supports generic SCIM client provisioning and can leverage SCIM standard for provisioning and push custom attributes to a third-party app DEVICE_FILTER_IN_SIGN_ON_RULES: App supports filtering by client type in app sign-on rules PROFILE_TEMPLATE_UPGRADE: App supports profile template upgrades. This is primarily to help roll out the profile template upgrade feature for individual apps DEFAULT_PUSH_STATUS_TO_PUSH: App defaults Push status to `PUSH`. This feature is for apps, such as SharePoint, that want to receive App User profile updates even though they didn't implement traditional PUSH_PROFILE_UPDATES in the client API. REAL_TIME_SYNC: Apps support real-time synchronization SSO: Apps support establishing a subject based on claims from an IdP AUTHN_CONTEXT: Apps support establishing an authentication context based on claims from an IdP JIT_PROVISIONING: Apps support provisioning a user based on claims from an IdP GROUP_SYNC: Apps support syncing group information based on claims from an IdP OPP_SCIM_INCREMENTAL_IMPORTS: Apps support incremental imports. Used for SCIM app instances IN_MEMORY_APP_USER: Apps support in-memory app users. This feature is used as an alternative to Implicit App Assignment for a non-persisted app user. LOG_STREAMING: Apps support log streaming OAUTH_INTEGRATION: App is an OAuth 2.0 integration IDP: Apps support IdP functionalities PUSH_NEW_USERS_WITHOUT_PASSWORD: Don't send generated password for new users SKYHOOK_SERVICE: Use the Skyhook microservice for LCM operations ENTITLEMENT_MANAGEMENT: Marker to showcase which OIN apps are entitlement enabled PUSH_NEW_USERS_WITH_HASHED_PASSWORD: Send hashed password for new users. This feature is only used for CIS to CIC migration. 
id: type: string readOnly: true description: Unique ID for the app instance label: $ref: '#/components/schemas/ApplicationLabel' lastUpdated: type: string format: date-time readOnly: true description: Timestamp when the application object was last updated licensing: $ref: '#/components/schemas/ApplicationLicensing' orn: type: string readOnly: true description: The Okta resource name (ORN) for the current app instance profile: type: object description: |- Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps). For example, add an app manager contact email address or define an allowlist of groups that you can then reference using the Okta Expression Language `getFilteredGroups` function. > **Notes:** > * `profile` isn't encrypted, so don't store sensitive data in it. > * `profile` doesn't limit the level of nesting in the JSON schema you created, but there is a practical size limit. Okta recommends a JSON schema size of 1 MB or less for best performance. additionalProperties: true signOnMode: $ref: '#/components/schemas/ApplicationSignOnMode' status: $ref: '#/components/schemas/ApplicationLifecycleStatus' universalLogout: $ref: '#/components/schemas/ApplicationUniversalLogout' visibility: $ref: '#/components/schemas/ApplicationVisibility' _embedded: type: object description: Embedded resources related to the app using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=user/{userId}` query parameter is specified, then the assigned [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) is embedded. 
properties: user: type: object description: The specified [Application User](/openapi/okta-management/management/tag/ApplicationUsers/) assigned to the app additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/ApplicationLinks' required: - signOnMode - label discriminator: propertyName: signOnMode mapping: AUTO_LOGIN: '#/components/schemas/AutoLoginApplication' BASIC_AUTH: '#/components/schemas/BasicAuthApplication' BOOKMARK: '#/components/schemas/BookmarkApplication' BROWSER_PLUGIN: '#/components/schemas/BrowserPluginApplication' OPENID_CONNECT: '#/components/schemas/OpenIdConnectApplication' SAML_1_1: '#/components/schemas/Saml11Application' SAML_2_0: '#/components/schemas/SamlApplication' SECURE_PASSWORD_STORE: '#/components/schemas/SecurePasswordStoreApplication' WS_FEDERATION: '#/components/schemas/WsFederationApplication' ApplicationAccessibility: description: Specifies access settings for the app type: object properties: errorRedirectUrl: type: string description: Custom error page URL for the app loginRedirectUrl: type: string description: |- Custom login page URL for the app > **Note:** The `loginRedirectUrl` property is deprecated in Identity Engine. This property is used with the custom app login feature. Orgs that actively use this feature can continue to do so. See [Okta-hosted sign-in (redirect authentication)](https://developer.okta.com/docs/guides/redirect-authentication/) or [configure IdP routing rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-cfg-routing-rules) to redirect users to the appropriate sign-in app for orgs that don't use the custom app login feature. 
selfService: type: boolean description: Represents whether the app can be self-assignable by users ApplicationCapability: description: Capabilities supported by the app type: string enum: - PROVISIONING - SSO - UNIVERSAL_LOGOUT ApplicationCredentials: description: Credentials for the specified `signOnMode` type: object properties: signing: $ref: '#/components/schemas/ApplicationCredentialsSigning' userNameTemplate: $ref: '#/components/schemas/ApplicationCredentialsUsernameTemplate' ApplicationCredentialsOAuthClient: type: object properties: autoKeyRotation: type: boolean description: Requested key rotation mode default: true client_id: type: string maxLength: 100 minLength: 6 description: |- Unique identifier for the OAuth 2.0 client app > **Notes:** > * If you don't specify the `client_id`, this immutable property is populated with the [Application instance ID](/openapi/okta-management/management/tag/Application/#tag/Application/operation/getApplication!c=200&path=4/id&t=response). > * The `client_id` must consist of alphanumeric characters or the following special characters: `$-_.+!*'(),`. > * You can't use the reserved word `ALL_CLIENTS`. client_secret: type: string maxLength: 100 minLength: 14 description: |- OAuth 2.0 client secret string (used for confidential clients) > **Notes:** If a `client_secret` isn't provided on creation, and the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client app. > The `client_secret` is only shown when an OAuth 2.0 client app is created or updated (and only if the `token_endpoint_auth_method` requires a client secret). pkce_required: type: boolean description: Requires Proof Key for Code Exchange (PKCE) for additional verification. If `token_endpoint_auth_method` is `none`, then `pkce_required` must be `true`. The default is `true` for browser and native app types. 
default: true token_endpoint_auth_method: $ref: '#/components/schemas/OAuthEndpointAuthenticationMethod' ApplicationCredentialsScheme: description: | Apps with `BASIC_AUTH`, `BROWSER_PLUGIN`, or `SECURE_PASSWORD_STORE` sign-on modes have credentials vaulted by Okta and can be configured with the following schemes. type: string enum: - ADMIN_SETS_CREDENTIALS - EDIT_PASSWORD_ONLY - EDIT_USERNAME_AND_PASSWORD - EXTERNAL_PASSWORD_SYNC - SHARED_USERNAME_AND_PASSWORD x-enumDescriptions: ADMIN_SETS_CREDENTIALS: Admin sets username and password EDIT_PASSWORD_ONLY: Admin sets username, user sets password EDIT_USERNAME_AND_PASSWORD: User sets username and password EXTERNAL_PASSWORD_SYNC: Admin sets username, password is the same as user's Okta password SHARED_USERNAME_AND_PASSWORD: Users share a single username and password set by the admin ApplicationCredentialsSigning: description: | App signing key properties > **Note:** Only apps with SAML_2_0, SAML_1_1, WS_FEDERATION, or OPENID_CONNECT `signOnMode` support the key rotation feature. type: object properties: kid: type: string description: |- Key identifier used for signing assertions > **Note:** Currently, only the X.509 JWK format is supported for apps with SAML_2_0 `signOnMode`. 
lastRotated: type: string description: Timestamp when the signing key was last rotated format: date-time readOnly: true nextRotation: type: string description: The scheduled time for the next signing key rotation format: date-time readOnly: true rotationMode: type: string description: The mode of key rotation use: $ref: '#/components/schemas/ApplicationCredentialsSigningUse' ApplicationCredentialsSigningUse: description: Specifies the intended use of the key type: string enum: - sig ApplicationCredentialsUsernameTemplate: description: The template used to generate the username when the app is assigned through a group or directly to a user type: object properties: pushStatus: type: string description: Determines if the username is pushed to the app on updates for CUSTOM `type` enum: - PUSH - DONT_PUSH - NOT_CONFIGURED template: type: string description: |- Mapping expression used to generate usernames. The following are supported mapping expressions that are used with the `BUILT_IN` template type: | Name | Template Expression | | ------------------------------- | ---------------------------------------------- | | AD Employee ID | `${source.employeeID}` | | AD SAM Account Name | `${source.samAccountName}` | | AD SAM Account Name (lowercase) | `${fn:toLowerCase(source.samAccountName)}` | | AD User Principal Name | `${source.userName}` | | AD User Principal Name prefix | `${fn:substringBefore(source.userName, "@")}` | | Email | `${source.email}` | | Email (lowercase) | `${fn:toLowerCase(source.email)}` | | Email prefix | `${fn:substringBefore(source.email, "@")}` | | LDAP UID + custom suffix | `${source.userName}${instance.userSuffix}` | | Okta username | `${source.login}` | | Okta username prefix | `${fn:substringBefore(source.login, "@")}` | default: ${source.login} type: type: string description: Type of mapping expression. Empty string is allowed. 
enum: - NONE - BUILT_IN - CUSTOM default: BUILT_IN userSuffix: type: string description: An optional suffix appended to usernames for `BUILT_IN` mapping expressions ApplicationExpressConfiguration: description: |-

Indicates which Express Configuration capabilities the app supports and has enabled type: object properties: enabledCapabilities: type: array description: Capabilities currently enabled for the app items: $ref: '#/components/schemas/ApplicationCapability' example: - SSO supportedCapabilities: type: array description: Capabilities supported by the app items: $ref: '#/components/schemas/ApplicationCapability' example: - SSO - PROVISIONING - UNIVERSAL_LOGOUT readOnly: true ApplicationFeature: description: | The Feature object is used to configure app feature settings. type: object properties: description: type: string description: Description of the feature example: Settings for provisioning users from Okta to a downstream app readOnly: true name: $ref: '#/components/schemas/ApplicationFeatureType' readOnly: true status: allOf: - $ref: '#/components/schemas/EnabledStatus' - default: DISABLED - example: ENABLED - readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - readOnly: true discriminator: propertyName: name mapping: USER_PROVISIONING: '#/components/schemas/UserProvisioningApplicationFeature' INBOUND_PROVISIONING: '#/components/schemas/InboundProvisioningApplicationFeature' ApplicationFeatureType: description: | Key name of the feature | Feature name | Description | | --------- | ------------- | | USER_PROVISIONING | User profiles are pushed from Okta to the third-party app. Represents the **To App** provisioning feature setting in the Admin Console. | | INBOUND_PROVISIONING | User profiles are imported from the third-party app into Okta. This feature represents the **To Okta** provisioning feature setting in the Admin Console. 
| Select the feature: example: USER_PROVISIONING type: string enum: - USER_PROVISIONING - INBOUND_PROVISIONING ApplicationGroupAssignment: title: Application Group Assignment description: The Application Group object that defines a group of users' app-specific profile and credentials for an app type: object properties: id: type: string description: ID of the [group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) readOnly: true example: 00g4hb1HChfUriNgW0g4 lastUpdated: allOf: - $ref: '#/components/schemas/lastUpdatedProperty' - example: '2014-06-24T15:28:14.000Z' priority: type: integer description: |- Priority assigned to the group. If an app has more than one group assigned to the same user, then the group with the higher priority has its profile applied to the [application user](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/). If a priority value isn't specified, then the next highest priority is assigned by default. See [Assign attribute group priority](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-app-group-priority) and the [sample priority use case](https://help.okta.com/okta_help.htm?type=oie&id=ext-usgp-combine-values-use). example: 99 profile: $ref: '#/components/schemas/GroupAssignmentProfile' _embedded: type: object description: |- Embedded resource related to the Application Group using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. If the `expand=group` query parameter is specified, then the [group](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/) object is embedded. If the `expand=metadata` query parameter is specified, then the group assignment metadata is embedded. 
additionalProperties: type: object properties: {} readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: app: $ref: '#/components/schemas/HrefObjectAppLink' group: $ref: '#/components/schemas/HrefObjectGroupLink' ApplicationLabel: description: User-defined display name for app type: string ApplicationLayout: type: object properties: elements: type: array items: type: object additionalProperties: {} label: type: string options: type: object additionalProperties: {} rule: type: object properties: effect: type: string condition: $ref: '#/components/schemas/ApplicationLayoutRuleCondition' scope: type: string type: type: string ApplicationLayoutRuleCondition: type: object properties: schema: type: object additionalProperties: {} scope: type: string ApplicationLayouts: type: object properties: _links: type: object properties: general: $ref: '#/components/schemas/ApplicationLayoutsLinksItem' signOn: $ref: '#/components/schemas/ApplicationLayoutsLinksItem' provisioning: $ref: '#/components/schemas/ApplicationLayoutsLinksItem' readOnly: true ApplicationLayoutsLinksItem: items: $ref: '#/components/schemas/HrefObject' type: array ApplicationLicensing: description: Licenses for the app type: object properties: seatCount: type: integer description: Number of licenses purchased for the app ApplicationLifecycleStatus: description: App instance status type: string enum: - ACTIVE - DELETED - INACTIVE readOnly: true ApplicationLinks: description: Discoverable resources related to the app properties: accessPolicy: $ref: '#/components/schemas/AccessPolicyLink' activate: $ref: '#/components/schemas/HrefObjectActivateLink' appLinks: type: array description: List of app link resources items: $ref: '#/components/schemas/HrefObject' deactivate: $ref: '#/components/schemas/HrefObjectDeactivateLink' groups: $ref: '#/components/schemas/GroupsLink' help: $ref: '#/components/schemas/HelpLink' logo: type: array description: List of app logo resources 
items: $ref: '#/components/schemas/HrefObject' metadata: $ref: '#/components/schemas/MetadataLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' users: $ref: '#/components/schemas/UsersLink' readOnly: true ApplicationSettings: description: App settings type: object properties: emOptInStatus: type: string description: The entitlement management opt-in status for the app readOnly: true enum: - DISABLED - DISABLING - ENABLED - ENABLING - NONE x-enumDescriptions: DISABLED: Entitlement management for the app is disabled. DISABLING: Entitlement management for the app was enabled and is now being disabled. ENABLED: Entitlement management for the app is enabled. ENABLING: Entitlement management for the app was disabled and is now being enabled. identityStoreId: type: string description: Identifies an additional identity store app, if your app supports it. The `identityStoreId` value must be a valid identity store app ID. This identity store app must be created in the same org as your app. implicitAssignment: type: boolean description: Controls whether Okta automatically assigns users to the app based on the user's role or group membership. inlineHookId: type: string description: Identifier of an inline hook. Inline hooks are outbound calls from Okta to your own custom code, triggered at specific points in Okta process flows. They allow you to integrate custom functionality into those flows. See [Inline hooks](/openapi/okta-management/management/tag/InlineHook/). 
notes: $ref: '#/components/schemas/ApplicationSettingsNotes' notifications: $ref: '#/components/schemas/ApplicationSettingsNotifications' ApplicationSettingsNotes: description: App notes visible to either the admin or end user type: object properties: admin: type: string description: An app message that's visible to admins enduser: type: string description: A message that's visible in the End-User Dashboard ApplicationSettingsNotifications: description: Specifies notifications settings for the app type: object properties: vpn: $ref: '#/components/schemas/ApplicationSettingsNotificationsVpn' ApplicationSettingsNotificationsVpn: description: Sends customizable messages with conditions to end users when a VPN connection is required type: object properties: helpUrl: type: string description: An optional URL to a help page to assist your end users in signing in to your company VPN message: type: string description: A VPN requirement message that's displayed to users network: $ref: '#/components/schemas/ApplicationSettingsNotificationsVpnNetwork' required: - network ApplicationSettingsNotificationsVpnNetwork: description: Defines network zones for VPN notification type: object properties: connection: type: string description: Specifies the VPN connection details required to access the app enum: - DISABLED - ANYWHERE - ON_NETWORK - OFF_NETWORK - ZONE x-enumDescriptions: DISABLED: The default state. Retain this setting for apps that don't require a VPN connection. ANYWHERE: Displays VPN connection information regardless of the browser's client IP. The notification appears before the end user can access the app. ON_NETWORK: Displays VPN connection information only when a browser's client IP matches the configured Public Gateway IPs. The notification appears before the end user can access the app. OFF_NETWORK: Displays VPN connection information only when the browser's client IP doesn't match the configured Public Gateway IPs. 
The notification appears before the end user can access the app. exclude: type: array description: Defines the IP addresses or network ranges that are excluded from the VPN requirement items: type: string include: type: array description: Defines the IP addresses or network ranges that are required to use the VPN items: type: string ApplicationSignOnMode: description: | Authentication mode for the app | signOnMode | Description | | ---------- | ----------- | | AUTO_LOGIN | Secure Web Authentication (SWA) | | BASIC_AUTH | HTTP Basic Authentication with Okta Browser Plugin | | BOOKMARK | Just a bookmark (no-authentication) | | BROWSER_PLUGIN | Secure Web Authentication (SWA) with Okta Browser Plugin | | OPENID_CONNECT | Federated Authentication with OpenID Connect (OIDC) | | SAML_1_1 | Federated Authentication with SAML 1.1 WebSSO (not supported for custom apps) | | SAML_2_0 | Federated Authentication with SAML 2.0 WebSSO | | SECURE_PASSWORD_STORE | Secure Web Authentication (SWA) with POST (plugin not required) | | WS_FEDERATION | Federated Authentication with WS-Federation Passive Requestor Profile | Select the `signOnMode` for your custom app: type: string enum: - AUTO_LOGIN - BASIC_AUTH - BOOKMARK - BROWSER_PLUGIN - OPENID_CONNECT - SAML_1_1 - SAML_2_0 - SECURE_PASSWORD_STORE - WS_FEDERATION ApplicationType: description: 'The type of client application. Default value: `web`.' type: string enum: - browser - native - service - web ApplicationUniversalLogout: description: |-
Universal Logout properties for the app. These properties are only returned and can't be updated. x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] example: ACTIVE type: object properties: identityStack: type: string description: Indicates whether the app uses a shared identity stack that may cause the user to sign out of other apps by the same company enum: - SHARED - NOT_SHARED example: SHARED protocol: type: string description: The protocol used for Universal Logout enum: - PROPRIETARY - GLOBAL_TOKEN_REVOCATION x-enumDescriptions: PROPRIETARY: Universal Logout is implemented with a proprietary method. GLOBAL_TOKEN_REVOCATION: Universal Logout is implemented with the [Global Token Revocation](https://datatracker.ietf.org/doc/draft-parecki-oauth-global-token-revocation/) protocol. See the [Global Token Revocation API](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/GlobalTokenRevocation/). example: PROPRIETARY status: type: string description: Universal Logout status for the app instance enum: - ENABLED - DISABLED - UNSUPPORTED example: ENABLED x-enumDescriptions: ENABLED: Universal Logout is enabled. Users are signed out of the app instance when the Okta system or an admin initiates logout. DISABLED: Universal Logout is disabled UNSUPPORTED: The app doesn't support Universal Logout supportType: type: string description: Indicates whether the app supports full or partial Universal Logout (UL). enum: - FULL - PARTIAL x-enumDescriptions: FULL: Full UL support (users are signed out of an app when the Okta system or an admin initiates logout) PARTIAL: This app's sign-out behavior can be different from other supported UL apps. example: FULL readOnly: true ApplicationVisibility: description: Specifies visibility settings for the app type: object properties: appLinks: type: object description: Links or icons that appear on the End-User Dashboard if they're set to `true`. 
additionalProperties: type: boolean autoLaunch: type: boolean description: Automatically signs in to the app when user signs into Okta autoSubmitToolbar: type: boolean description: Automatically sign in when user lands on the sign-in page hide: $ref: '#/components/schemas/ApplicationVisibilityHide' ApplicationVisibilityHide: description: Hides the app for specific end-user apps type: object properties: iOS: type: boolean description: Okta Mobile for iOS or Android (pre-dates Android) default: false example: false web: type: boolean description: Okta End-User Dashboard on a web browser default: false example: true AssignGroupOwnerRequestBody: type: object properties: id: description: The `id` of the group owner type: string type: $ref: '#/components/schemas/GroupOwnerType' AssignRoleRequest: type: object properties: type: $ref: '#/components/schemas/RoleType' AssignUserToRealm: description: Action that assigns a user to a realm type: object properties: realmId: description: ID of the realm type: string AssignedAppLink: type: object properties: appAssignmentId: type: string readOnly: true appInstanceId: type: string readOnly: true appName: type: string readOnly: true credentialsSetup: type: boolean readOnly: true hidden: type: boolean readOnly: true id: type: string readOnly: true label: type: string readOnly: true linkUrl: type: string readOnly: true logoUrl: type: string readOnly: true sortOrder: type: integer readOnly: true AssociatedServerMediated: type: object properties: trusted: type: array description: A list of the authorization server IDs items: type: string AssuranceMethod: allOf: - $ref: '#/components/schemas/VerificationMethod' - type: object properties: constraints: description: Specifies constraints for the authenticator. Constraints are logically evaluated such that only one constraint object needs to be satisfied. But, within a constraint object, each constraint property must be satisfied. 
items: $ref: '#/components/schemas/AccessPolicyConstraints' type: array factorMode: $ref: '#/components/schemas/AssuranceMethodFactorMode' inactivityPeriod: type: string description: The inactivity duration after which the user must re-authenticate. Use the ISO 8601 period format (for example, PT2H). reauthenticateIn: type: string description: The duration after which the user must re-authenticate, regardless of user activity. Keep in mind that the re-authentication intervals for constraints take precedence over this value. Use the ISO 8601 period format for recurring time intervals (for example, PT2H, PT0S, PT43800H, and so on). AssuranceMethodFactorMode: type: string enum: - 1FA - 2FA AttackProtectionAuthenticatorSettings: type: object properties: verifyKnowledgeSecondWhen2faRequired: type: boolean description: If true, requires users to verify a possession factor before verifying a knowledge factor when the assurance requires two-factor authentication (2FA). default: false AttestationRootCertificatesRequest: description: Contains the certificate and information about it items: type: object properties: x5c: description: X.509 certificate chain type: string type: array AttestationRootCertificatesResponse: items: type: object properties: x5c: description: X.509 certificate chain type: string x5t#S256: description: SHA-256 hash (thumbprint) of the X.509 certificate type: string iss: description: Issuer of certificate type: string exp: description: Expiry date of certificate type: string type: array AuthServerLinks: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: claims: allOf: - description: Link to the authorization server claims - $ref: '#/components/schemas/HrefObject' deactivate: allOf: - $ref: '#/components/schemas/HrefObjectDeactivateLink' metadata: description: Link to the authorization server metadata type: array items: $ref: '#/components/schemas/HrefObject' policies: allOf: - description: Link to the authorization server policies 
- $ref: '#/components/schemas/HrefObject' rotateKey: allOf: - description: Link to the authorization server key rotation - $ref: '#/components/schemas/HrefObject' scopes: allOf: - description: Link to the authorization server scopes - $ref: '#/components/schemas/HrefObject' AuthSettings: type: object properties: authType: $ref: '#/components/schemas/AuthType' customSettings: $ref: '#/components/schemas/CustomAuthSettings' oAuth2Settings: $ref: '#/components/schemas/OAuth2Settings' required: - authType AuthType: type: string enum: - BASIC - CUSTOM - OAUTH2 - SCIM_BEARER - SCIM_HEADER AuthenticationMethod: type: object properties: hardwareProtection: type: string description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. enum: - OPTIONAL - REQUIRED default: OPTIONAL id: type: string description: An ID that identifies the authenticator key: type: string description: A label that identifies the authenticator method: type: string description: Specifies the method used for the authenticator phishingResistant: type: string description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints enum: - OPTIONAL - REQUIRED default: OPTIONAL userVerification: type: string description: Indicates if a user is required to be verified with a verification method. enum: - OPTIONAL - REQUIRED default: OPTIONAL userVerificationMethods: description: Indicates which methods can be used for user verification. `userVerificationMethods` can only be used when `userVerification` is `REQUIRED`. `BIOMETRICS` is currently the only supported method. 
type: array items: type: string enum: - BIOMETRICS - PIN required: - key - method AuthenticationMethodChain: type: object properties: authenticationMethods: items: $ref: '#/components/schemas/AuthenticationMethod' type: array next: type: array description: The next steps of the authentication method chain. This is an array of `AuthenticationMethodChain`. Only supports one item in the array. items: type: object reauthenticateIn: type: string description: |- Specifies how often the user is prompted for authentication using duration format for the time period. For example, `PT2H30M` for two and a half hours. This parameter can't be set at the same time as the `reauthenticateIn` property on the `verificationMethod`. AuthenticationMethodChainMethod: allOf: - $ref: '#/components/schemas/VerificationMethod' - type: object properties: chains: items: $ref: '#/components/schemas/AuthenticationMethodChain' type: array description: Authentication method chains. Only supports 5 items in the array. Each chain can support a maximum of 3 steps. reauthenticateIn: description: |- Specifies how often the user is prompted for authentication using duration format for the time period. For example, `PT2H30M` for two and a half hours. Don't set this parameter if you're setting the `reauthenticateIn` parameter in `chains`. type: string AuthenticationMethodObject: type: object properties: id: type: string description: Authenticator ID x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine key: type: string description: A label that identifies the authenticator method: type: string description: Specifies the method used for the authenticator required: - key AuthenticationProvider: description: Specifies the authentication provider that validates the user's password credential. The user's current provider is managed by the **Delegated Authentication** settings for your org. The provider object is **read-only**. 
type: object properties: name: type: string description: The name of the authentication provider readOnly: true example: OKTA type: $ref: '#/components/schemas/AuthenticationProviderType' readOnly: true AuthenticationProviderType: description: The type of authentication provider type: string enum: - ACTIVE_DIRECTORY - FEDERATION - IMPORT - LDAP - OKTA - SOCIAL x-enumDescriptions: ACTIVE_DIRECTORY: Specifies the Microsoft Active Directory instance name as the `name` property FEDERATION: Specifies a federated identity provider (such as a SAML IdP) that validates the user's password credentials. Doesn't support a `password` or `recovery question` credential. The user must authenticate through a trusted identity provider. IMPORT: Specifies a hashed password that was imported from an external source LDAP: Specifies the LDAP directory instance name as the `name` property OKTA: Specifies the Okta identity provider SOCIAL: Specifies an OIDC or third-party social identity provider. Doesn't support a `password` or `recovery question` credential. The user must authenticate through a trusted identity provider. readOnly: true AuthenticationProviderTypeWritable: description: The type of authentication provider type: string enum: - ACTIVE_DIRECTORY - FEDERATION - IMPORT - LDAP - OKTA - SOCIAL x-enumDescriptions: ACTIVE_DIRECTORY: Specifies a Microsoft Active Directory instance name as the `name` property FEDERATION: Specifies a federated identity provider (such as a SAML IdP) that validates the user's password credentials. Doesn't support a `password` or `recovery question` credential. The user must authenticate through a trusted identity provider. IMPORT: Specifies a hashed password that was imported from an external source LDAP: Specifies the LDAP directory instance name as the `name` property OKTA: Specifies the Okta identity provider SOCIAL: Specifies an OIDC or third-party social identity provider. Doesn't support a `password` or `recovery question` credential. 
The user must authenticate through a trusted identity provider. AuthenticationProviderWritable: description: Specifies the authentication provider that validates the user password credential. The user's current provider is managed by the **Delegated Authentication** settings in your org. See [Create user with authentication provider](/openapi/okta-management/management/tag/User/#create-user-with-authentication-provider). type: object properties: name: type: string description: The name of the authentication provider example: OKTA type: $ref: '#/components/schemas/AuthenticationProviderTypeWritable' AuthenticatorBase: type: object properties: created: description: Timestamp when the authenticator was created format: date-time readOnly: true type: string id: description: A unique identifier for the authenticator readOnly: true type: string key: $ref: '#/components/schemas/AuthenticatorKeyEnum' lastUpdated: description: Timestamp when the authenticator was last modified format: date-time readOnly: true type: string name: description: Display name of the authenticator type: string status: description: Status of the authenticator $ref: '#/components/schemas/LifecycleStatus' type: $ref: '#/components/schemas/AuthenticatorType' _links: description: Link relations for this object $ref: '#/components/schemas/AuthenticatorLinks' discriminator: propertyName: key mapping: custom_app: '#/components/schemas/AuthenticatorKeyCustomApp' duo: '#/components/schemas/AuthenticatorKeyDuo' okta_email: '#/components/schemas/AuthenticatorKeyEmail' google_otp: '#/components/schemas/AuthenticatorKeyGoogleOtp' external_idp: '#/components/schemas/AuthenticatorKeyExternalIdp' okta_password: '#/components/schemas/AuthenticatorKeyPassword' okta_verify: '#/components/schemas/AuthenticatorKeyOktaVerify' onprem_mfa: '#/components/schemas/AuthenticatorKeyOnprem' phone_number: '#/components/schemas/AuthenticatorKeyPhone' security_key: '#/components/schemas/AuthenticatorKeySecurityKey' 
security_question: '#/components/schemas/AuthenticatorKeySecurityQuestion' symantec_vip: '#/components/schemas/AuthenticatorKeySymantecVip' smart_card_idp: '#/components/schemas/AuthenticatorKeySmartCard' webauthn: '#/components/schemas/AuthenticatorKeyWebauthn' yubikey_token: '#/components/schemas/AuthenticatorKeyYubikey' tac: '#/components/schemas/AuthenticatorKeyTac' AuthenticatorEnrollment: type: object properties: created: type: string description: Timestamp when the authenticator enrollment was created format: date-time id: description: The unique identifier of the authenticator enrollment type: string key: description: A human-readable string that identifies the authenticator type: string lastUpdated: type: string description: Timestamp when the authenticator enrollment was last updated format: date-time name: description: The authenticator display name type: string profile: $ref: '#/components/schemas/AuthenticatorProfile' status: type: string description: Status of the enrollment type: $ref: '#/components/schemas/AuthenticatorType' _links: $ref: '#/components/schemas/AuthenticatorEnrollmentLinks' AuthenticatorEnrollmentCreateRequest: type: object properties: authenticatorId: type: string description: Unique identifier of the `phone` authenticator profile: $ref: '#/components/schemas/AuthenticatorProfile' required: - authenticatorId - profile AuthenticatorEnrollmentCreateRequestTac: type: object properties: authenticatorId: type: string description: Unique identifier of the TAC authenticator profile: $ref: '#/components/schemas/AuthenticatorProfileTacRequest' required: - authenticatorId AuthenticatorEnrollmentLinks: allOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksUserAuthenticators' - $ref: '#/components/schemas/LinksAuthenticator' readOnly: true AuthenticatorEnrollmentPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: $ref: 
'#/components/schemas/AuthenticatorEnrollmentPolicyConditions' settings: $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettings' AuthenticatorEnrollmentPolicyAuthenticatorSettings: type: object properties: constraints: description: Constraints for the authenticator nullable: true minimum: 0 type: object properties: aaguidGroups: type: array description: |- The list of FIDO2 WebAuthn authenticator groups allowed for enrollment. The authenticators in the group are based on FIDO Alliance Metadata Service that's identified by name or the Authenticator Attestation Global Unique Identifier ([AAGUID](https://support.yubico.com/hc/en-us/articles/360016648959-YubiKey-Hardware-FIDO2-AAGUIDs)) number. These groups are defined in the [WebAuthn authenticator method settings](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Authenticator/#tag/Authenticator/operation/listAuthenticatorMethods). items: type: string uniqueItems: true x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] enroll: type: object description: Enrollment requirements for the authenticator properties: self: $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorStatus' gracePeriod: $ref: '#/components/schemas/EnrollmentPolicyAuthenticatorGracePeriod' key: $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorType' AuthenticatorEnrollmentPolicyAuthenticatorStatus: description: Requirements for the user-initiated enrollment default: NOT_ALLOWED type: string enum: - NOT_ALLOWED - OPTIONAL - REQUIRED AuthenticatorEnrollmentPolicyAuthenticatorType: description: A label that identifies the authenticator type: string enum: - custom_app - custom_otp - duo - external_idp - google_otp - okta_email - okta_password - okta_verify - onprem_mfa - phone_number - rsa_token - security_question - symantec_vip - webauthn - yubikey_token AuthenticatorEnrollmentPolicyConditions: allOf: - type: object - description: Specifies the conditions that 
must be met during policy evaluation to apply the policy - properties: people: type: object description: Identifies users and groups that are used together properties: groups: type: object description: Specifies a set of groups whose users are to be included or excluded properties: include: type: array description: Groups to be included items: type: string AuthenticatorEnrollmentPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActions' conditions: $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleConditions' AuthenticatorEnrollmentPolicyRuleActionEnroll: description: Specifies whether the user is to be enrolled the first time they `LOGIN`, the next time they are in the `CHALLENGE` process, or `NEVER` type: object properties: self: type: string enum: - CHALLENGE - LOGIN - NEVER AuthenticatorEnrollmentPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' - type: object - description: Specifies actions to be taken, or operations that may be allowed, if the rule conditions are satisfied properties: enroll: $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyRuleActionEnroll' AuthenticatorEnrollmentPolicyRuleConditions: description: Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions and conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule. 
type: object properties: network: $ref: '#/components/schemas/PolicyNetworkCondition' people: type: object description: Identifies users and groups that are used together properties: users: type: object description: Specifies a set of users to be included or excluded properties: exclude: type: array description: Users to be excluded items: type: string AuthenticatorEnrollmentPolicySettings: description: |- Specifies the policy level settings > **Note:** In Identity Engine, the Multifactor (MFA) Enrollment policy name has changed to authenticator enrollment policy. The policy type of `MFA_ENROLL` remains unchanged. However, the `settings` data is updated for authenticators. Policy `settings` are included only for those authenticators that are enabled. type: object properties: authenticators: description: | List of authenticator policy settings For orgs with the Authenticator enrollment policy feature enabled, the new default authenticator enrollment policy created by Okta contains the `authenticators` property in the policy settings. Existing default authenticator enrollment policies from a migrated Classic Engine org remain unchanged. The policies still use the `factors` property in their settings. The `authenticators` parameter allows you to configure all available authenticators, including authentication and recovery. The `factors` parameter only allows you to configure multifactor authentication. items: $ref: '#/components/schemas/AuthenticatorEnrollmentPolicyAuthenticatorSettings' type: array type: $ref: '#/components/schemas/AuthenticatorEnrollmentPolicySettingsType' AuthenticatorEnrollmentPolicySettingsType: description: | Type of policy configuration object The `type` property in the policy `settings` is only applicable to the authenticator enrollment policy available in Identity Engine. 
default: FACTORS type: string enum: - AUTHENTICATORS - FACTORS AuthenticatorIdentity: description: Represents a particular authenticator serving as a constraint on a method type: object properties: key: type: string AuthenticatorKeyCustomApp: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' - type: object properties: agreeToTerms: type: boolean description: A value of `true` indicates that the administrator accepts the [terms](https://www.okta.com/privacy-policy/) for creating a new authenticator. Okta requires that you accept the terms when creating a new `custom_app` authenticator. Other authenticators don't require this field. provider: type: object properties: type: type: string description: Provider type enum: - PUSH configuration: type: object description: The configuration of the provider properties: apns: type: object properties: id: type: string description: ID of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) appBundleId: type: string description: AppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) debugAppBundleId: type: string description: DebugAppBundleId of the APNs (Apple Push Notification Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) fcm: type: object properties: id: type: string description: ID of the FCM (Firebase Cloud Messaging Service) [configurations](https://developer.okta.com/docs/reference/api/push-providers/) settings: type: object properties: userVerification: $ref: '#/components/schemas/CustomAppUserVerificationEnum' appInstanceId: type: string description: The application instance ID. For custom_app, you need to create an OIDC native app using the [Apps API](https://developer.okta.com/docs/reference/api/apps/) with `Authorization Code` and `Refresh Token` grant types. 
You can leave both `Sign-in redirect URIs` and `Sign-out redirect URIs` as the default values. AuthenticatorKeyDuo: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' - type: object properties: provider: type: object properties: type: type: string description: Provider type enum: - DUO configuration: type: object properties: host: type: string description: The Duo Security API hostname integrationKey: type: string description: The Duo Security integration key secretKey: type: string description: The Duo Security secret key userNameTemplate: type: object properties: template: type: string description: The Duo Security user template name AuthenticatorKeyEmail: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' - type: object properties: settings: type: object properties: allowedFor: $ref: '#/components/schemas/AllowedForEnum' tokenLifetimeInMinutes: description: Specifies the lifetime of an email token. Default value is 5 minutes. type: number default: 5 AuthenticatorKeyEnum: description: A human-readable string that identifies the authenticator type: string enum: - custom_app - duo - external_idp - google_otp - okta_email - okta_password - okta_verify - onprem_mfa - phone_number - security_key - security_question - smart_card_idp - symantec_vip - webauthn - yubikey_token - tac AuthenticatorKeyExternalIdp: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorKeyGoogleOtp: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorKeyOktaVerify: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' - type: object properties: settings: type: object properties: channelBinding: $ref: '#/components/schemas/ChannelBinding' compliance: $ref: '#/components/schemas/Compliance' userVerification: $ref: '#/components/schemas/UserVerificationEnum' appInstanceId: type: string description: The application instance ID AuthenticatorKeyOnprem: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorKeyPassword: allOf: - 
$ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorKeyPhone: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' - type: object properties: settings: type: object properties: allowedFor: $ref: '#/components/schemas/AllowedForEnum' AuthenticatorKeySecurityKey: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorKeySecurityQuestion: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' - type: object properties: settings: type: object properties: allowedFor: $ref: '#/components/schemas/AllowedForEnum' AuthenticatorKeySmartCard: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorKeySymantecVip: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorKeyTac: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] allOf: - $ref: '#/components/schemas/AuthenticatorSimple' - type: object properties: provider: type: object description: Settings for the TAC authenticator x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] properties: type: type: string description: Provider type enum: - tac configuration: type: object description: Define the configuration settings of the TAC required: - minTtl - maxTtl - defaultTtl - length - complexity properties: minTtl: type: number description: Minimum time-to-live (TTL) of the TAC in minutes. The `minTtl` indicates the minimum amount of time that a TAC is valid. The `minTtl` must be less than the `maxTtl`. minimum: 10 maximum: 14400 maxTtl: type: number description: Maximum TTL of the TAC in minutes. The `maxTtl` indicates the maximum amount of time that a TAC is valid. The `maxTtl` must be greater than the `minTtl`. minimum: 10 maximum: 14400 defaultTtl: type: number description: The default TTL in minutes when you create a TAC. The `defaultTtl` indicates the actual amount of time that a TAC is valid before it expires. The `defaultTtl` must be greater than the `minTtl` and less than the `maxTtl`. 
minimum: 10 maximum: 14400 default: 120 length: type: number description: Defines the number of characters in a TAC. For example, a `length` of `16` means that the TAC is 16 characters. minimum: 8 maximum: 64 complexity: type: object description: Define the complexity of the TAC properties: numbers: type: boolean description: Use numbers in the TAC. `numbers` is always `true` for the TAC authenticator. letters: type: boolean description: Use letters in the TAC specialCharacters: type: boolean description: Use special characters in the TAC multiUseAllowed: type: boolean description: Indicates whether a TAC can be used multiple times. If set to `true`, the TAC can be used multiple times until it expires. AuthenticatorKeyWebauthn: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorKeyYubikey: allOf: - $ref: '#/components/schemas/AuthenticatorSimple' AuthenticatorLinks: allOf: - $ref: '#/components/schemas/LinksSelfAndLifecycle' - type: object properties: methods: description: Link to authenticator methods allOf: - $ref: '#/components/schemas/HrefObject' AuthenticatorMethodAlgorithm: type: string enum: - ES256 - RS256 AuthenticatorMethodBase: type: object properties: status: description: The status of the authenticator method $ref: '#/components/schemas/LifecycleStatus' type: $ref: '#/components/schemas/AuthenticatorMethodType' _links: $ref: '#/components/schemas/LinksSelfAndLifecycle' discriminator: propertyName: type mapping: sms: '#/components/schemas/AuthenticatorMethodSimple' voice: '#/components/schemas/AuthenticatorMethodSimple' email: '#/components/schemas/AuthenticatorMethodSimple' push: '#/components/schemas/AuthenticatorMethodPush' signed_nonce: '#/components/schemas/AuthenticatorMethodSignedNonce' totp: '#/components/schemas/AuthenticatorMethodTotp' otp: '#/components/schemas/AuthenticatorMethodOtp' password: '#/components/schemas/AuthenticatorMethodSimple' webauthn: '#/components/schemas/AuthenticatorMethodWebAuthn' security_question: 
'#/components/schemas/AuthenticatorMethodSimple' idp: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' duo: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' cert: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' tac: '#/components/schemas/AuthenticatorMethodTac' AuthenticatorMethodConstraint: description: 'Limits the authenticators that can be used for a given method. Currently, only the `otp` method supports constraints, and Google authenticator (key : ''google_otp'') is the only allowed authenticator.' type: object properties: allowedAuthenticators: type: array items: $ref: '#/components/schemas/AuthenticatorIdentity' method: enum: - otp AuthenticatorMethodOtp: allOf: - $ref: '#/components/schemas/AuthenticatorMethodWithVerifiableProperties' - type: object properties: acceptableAdjacentIntervals: type: integer description: The number of acceptable adjacent intervals, also known as the clock drift interval. This setting allows you to build in tolerance for any time difference between the token and the server. For example, with a `timeIntervalInSeconds` of 60 seconds and an `acceptableAdjacentIntervals` value of 5, Okta accepts passcodes within 300 seconds (60 * 5) before or after the end user enters their code. 
minimum: 0 maximum: 10 algorithm: $ref: '#/components/schemas/OtpTotpAlgorithm' encoding: $ref: '#/components/schemas/OtpTotpEncoding' factorProfileId: type: string description: The `id` value of the factor profile example: aut1nd8PQhGcQtSxB0g4 passCodeLength: $ref: '#/components/schemas/OtpTotpPassCodeLength' protocol: $ref: '#/components/schemas/OtpProtocol' timeIntervalInSeconds: $ref: '#/components/schemas/OtpTotpTimeIntervalInSeconds' AuthenticatorMethodProperty: type: string enum: - DEVICE_BOUND - HARDWARE_PROTECTED - PHISHING_RESISTANT - USER_PRESENCE - USER_VERIFYING AuthenticatorMethodPush: allOf: - $ref: '#/components/schemas/AuthenticatorMethodBase' - type: object properties: settings: type: object properties: algorithms: type: array items: $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' keyProtection: $ref: '#/components/schemas/PushMethodKeyProtection' transactionTypes: type: array items: $ref: '#/components/schemas/AuthenticatorMethodTransactionType' AuthenticatorMethodSignedNonce: allOf: - $ref: '#/components/schemas/AuthenticatorMethodBase' - type: object properties: settings: type: object properties: algorithms: type: array items: $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' keyProtection: $ref: '#/components/schemas/PushMethodKeyProtection' showSignInWithOV: $ref: '#/components/schemas/ShowSignInWithOV' AuthenticatorMethodSimple: allOf: - $ref: '#/components/schemas/AuthenticatorMethodBase' AuthenticatorMethodTac: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] type: object properties: status: description: The status of the authenticator method $ref: '#/components/schemas/LifecycleStatus' type: $ref: '#/components/schemas/AuthenticatorMethodType' _links: $ref: '#/components/schemas/LinksSelfAndLifecycle' AuthenticatorMethodTotp: allOf: - $ref: '#/components/schemas/AuthenticatorMethodBase' - type: object properties: settings: type: object properties: timeIntervalInSeconds: $ref: 
'#/components/schemas/OtpTotpTimeIntervalInSeconds' encoding: $ref: '#/components/schemas/OtpTotpEncoding' algorithm: $ref: '#/components/schemas/OtpTotpAlgorithm' passCodeLength: $ref: '#/components/schemas/OtpTotpPassCodeLength' AuthenticatorMethodTransactionType: type: string enum: - CIBA - LOGIN AuthenticatorMethodType: description: The type of authenticator method type: string enum: - cert - duo - email - idp - otp - password - push - security_question - signed_nonce - sms - totp - voice - webauthn - tac AuthenticatorMethodTypeWebAuthn: description: The type of authenticator method type: string enum: - webauthn AuthenticatorMethodWebAuthn: allOf: - $ref: '#/components/schemas/AuthenticatorMethodBase' - type: object properties: settings: description: The settings for the WebAuthn authenticator method type: object properties: aaguidGroups: description: The FIDO2 Authenticator Attestation Global Unique Identifiers (AAGUID) groups available to the WebAuthn authenticator type: array items: $ref: '#/components/schemas/AAGUIDGroupObject' userVerification: $ref: '#/components/schemas/UserVerificationEnum' attachment: $ref: '#/components/schemas/WebAuthnAttachmentEnum' rpId: $ref: '#/components/schemas/WebAuthnRpId' enableAutofillUI: type: boolean description: Enables the passkeys autofill UI to display available WebAuthn discoverable credentials ("resident key") from the Sign-In Widget username field default: false x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] AuthenticatorMethodWithVerifiableProperties: allOf: - $ref: '#/components/schemas/AuthenticatorMethodBase' - type: object properties: verifiableProperties: type: array items: $ref: '#/components/schemas/AuthenticatorMethodProperty' AuthenticatorProfile: description: Defines the authenticator specific parameters type: object properties: phoneNumber: type: string description: The phone number for a `call` or `sms` authenticator enrollment. 
required: - phoneNumber AuthenticatorProfileTacRequest: description: Defines the authenticator specific parameters type: object properties: multiUse: type: boolean description: Determines whether the enrollment can be used more than once. To enable multi-use, the org-level authenticator’s configuration must allow multi-use. writeOnly: true ttl: type: string description: |- Time-to-live (TTL) in minutes. Specifies how long the TAC enrollment is valid after it's created and activated. The configured value must be between 10 minutes (`10`) and 10 days (`14400`), inclusive. The actual allowed range depends on the org-level authenticator configuration. writeOnly: true AuthenticatorProfileTacResponsePost: description: Defines the authenticator specific parameters type: object properties: expiresAt: type: string description: The time when the TAC enrollment expires in the UTC timezone format: date-time multiUse: type: boolean description: Determines whether an enrollment can be used more than once tac: type: string description: |- A temporary access code used for authentication. It can be used one or more times and is valid for a defined period specified by the `ttl` property. The `tac` is returned in the response when the enrollment is created. It is not returned when the enrollment is retrieved. Issuing a new TAC invalidates any existing TAC for this user. AuthenticatorSimple: allOf: - $ref: '#/components/schemas/AuthenticatorBase' AuthenticatorType: description: The type of authenticator type: string enum: - app - email - federated - password - phone - security_key - security_question - tac AuthorizationServer: type: object properties: accessTokenEncryptedResponseAlgorithm: $ref: '#/components/schemas/AccessTokenKeyEncryptionAlgorithm' audiences: type: array description: The recipients that the tokens are intended for. This becomes the `aud` claim in an access token. Okta currently supports only one audience. 
items: type: string created: type: string format: date-time readOnly: true credentials: $ref: '#/components/schemas/AuthorizationServerCredentials' description: type: string description: The description of the custom authorization server id: type: string description: The ID of the custom authorization server readOnly: true issuer: type: string description: The complete URL for the custom authorization server. This becomes the `iss` claim in an access token. issuerMode: type: string description: |- Indicates which value is specified in the issuer of the tokens that a custom authorization server returns: the Okta org domain URL or a custom domain URL. `issuerMode` is visible if you have a custom URL domain configured or the Dynamic Issuer Mode feature enabled. If you have a custom URL domain configured, you can set a custom domain URL in a custom authorization server, and this property is returned in the appropriate responses. When set to `ORG_URL`, then in responses, `issuer` is the Okta org domain URL: `https://${yourOktaDomain}`. When set to `CUSTOM_URL`, then in responses, `issuer` is the custom domain URL configured in the administration user interface. When set to `DYNAMIC`, then in responses, `issuer` is the custom domain URL if the OAuth 2.0 request was sent to the custom domain, or is the Okta org's domain URL if the OAuth 2.0 request was sent to the original Okta org domain. After you configure a custom URL domain, all new custom authorization servers use `CUSTOM_URL` by default. If the Dynamic Issuer Mode feature is enabled, then all new custom authorization servers use `DYNAMIC` by default. All existing custom authorization servers continue to use the original value until they're changed using the Admin Console or the API. This way, existing integrations with the client and resource server continue to work after the feature is enabled. 
jwks: $ref: '#/components/schemas/ResourceServerJsonWebKeys' jwks_uri: description: URL string that references a JSON Web Key Set for encrypting JWTs minted by the custom authorization server type: string x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true lastUpdated: type: string format: date-time readOnly: true name: type: string description: The name of the custom authorization server status: $ref: '#/components/schemas/LifecycleStatus' _links: $ref: '#/components/schemas/AuthServerLinks' AuthorizationServerCredentials: type: object properties: signing: $ref: '#/components/schemas/AuthorizationServerCredentialsSigningConfig' AuthorizationServerCredentialsRotationMode: description: The Key rotation mode for the authorization server type: string enum: - AUTO - MANUAL AuthorizationServerCredentialsSigningConfig: type: object properties: kid: type: string description: The ID of the JSON Web Key used for signing tokens issued by the authorization server readOnly: true lastRotated: type: string description: The timestamp when the authorization server started using the `kid` for signing tokens format: date-time readOnly: true nextRotation: type: string description: The timestamp when the authorization server changes the Key for signing tokens. This is only returned when `rotationMode` is set to `AUTO`. format: date-time readOnly: true rotationMode: $ref: '#/components/schemas/AuthorizationServerCredentialsRotationMode' use: $ref: '#/components/schemas/AuthorizationServerCredentialsUse' AuthorizationServerCredentialsUse: description: How the key is used type: string enum: - sig AuthorizationServerJsonWebKey: type: object properties: alg: description: 'The algorithm used with the Key. 
Valid value: `RS256`' type: string e: description: RSA key value (public exponent) for Key binding type: string readOnly: true kid: description: Unique identifier for the key type: string readOnly: true kty: description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`' type: string readOnly: true 'n': description: RSA modulus value that is used by both the public and private keys and provides a link between them type: string status: description: |- An `ACTIVE` Key is used to sign tokens issued by the authorization server. Supported values: `ACTIVE`, `NEXT`, or `EXPIRED`
A `NEXT` Key is the next Key that the authorization server uses to sign tokens when Keys are rotated. The `NEXT` Key might not be listed if it hasn't been generated. An `EXPIRED` Key is the previous Key that the authorization server used to sign tokens. The `EXPIRED` Key might not be listed if no Key has expired or the expired Key was deleted. type: string use: description: 'Acceptable use of the key. Valid value: `sig`' type: string readOnly: true _links: $ref: '#/components/schemas/LinksSelf' AuthorizationServerOrn: description: The [ORN](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn) of the authorization server type: string AuthorizationServerPolicy: allOf: - type: object properties: id: type: string description: ID of the Policy type: type: string description: Indicates that the Policy is an authorization server Policy enum: - OAUTH_AUTHORIZATION_POLICY name: type: string description: Name of the Policy maxLength: 100 minLength: 1 conditions: $ref: '#/components/schemas/AuthorizationServerPolicyConditions' description: type: string description: Description of the Policy maxLength: 255 minLength: 1 priority: type: integer description: Specifies the order in which this Policy is evaluated in relation to the other Policies in a custom authorization server status: type: string description: Specifies whether requests have access to this Policy enum: - ACTIVE - INACTIVE system: type: boolean description: Specifies whether Okta created this Policy created: type: string format: date-time readOnly: true description: Timestamp when the Policy was created lastUpdated: type: string format: date-time readOnly: true description: Timestamp when the Policy was last updated _links: allOf: - $ref: '#/components/schemas/LinksSelfAndLifecycle' - type: object properties: rules: allOf: - description: Link to the authorization server policy's rules - $ref: '#/components/schemas/HrefObject' AuthorizationServerPolicyConditions: type: 
object properties: clients: $ref: '#/components/schemas/ClientPolicyCondition' AuthorizationServerPolicyPeopleCondition: description: Identifies Users and Groups that are used together type: object properties: groups: $ref: '#/components/schemas/AuthorizationServerPolicyRuleGroupCondition' users: $ref: '#/components/schemas/AuthorizationServerPolicyRuleUserCondition' AuthorizationServerPolicyRule: type: object properties: actions: $ref: '#/components/schemas/AuthorizationServerPolicyRuleActions' conditions: $ref: '#/components/schemas/AuthorizationServerPolicyRuleConditions' created: type: string format: date-time readOnly: true description: Timestamp when the rule was created id: type: string description: Identifier of the rule readOnly: true lastUpdated: type: string format: date-time readOnly: true description: Timestamp when the rule was last modified name: type: string description: Name of the rule priority: type: integer description: Priority of the rule status: type: string description: Status of the rule enum: - ACTIVE - INACTIVE system: type: boolean description: Set to `true` for system rules. You can't delete system rules. 
type: type: string description: Rule type enum: - RESOURCE_ACCESS _links: allOf: - $ref: '#/components/schemas/LinksSelfAndLifecycle' AuthorizationServerPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' - type: object properties: token: $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleAction' AuthorizationServerPolicyRuleConditions: type: object properties: grantTypes: $ref: '#/components/schemas/GrantTypePolicyRuleCondition' people: $ref: '#/components/schemas/AuthorizationServerPolicyPeopleCondition' scopes: $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' AuthorizationServerPolicyRuleGroupCondition: description: Specifies a set of Groups whose Users are to be included type: object properties: include: type: array description: Groups to be included items: type: string AuthorizationServerPolicyRuleRequest: allOf: - $ref: '#/components/schemas/AuthorizationServerPolicyRule' - type: object required: - name - conditions - type AuthorizationServerPolicyRuleUserCondition: description: Specifies a set of Users to be included type: object properties: include: description: Users to be included type: array items: type: string AuthorizationServerResourceHrefObject: type: object properties: href: type: string description: Link URI example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7 title: type: string description: Link name example: Example Authorization Server AutoAssignAdminAppSetting: description: The org setting that automatically assigns the Okta Admin Console when an admin role is assigned type: object properties: autoAssignAdminAppSetting: type: boolean description: Automatically assigns the Okta Admin Console to the user when an admin role is assigned AutoLoginApplication: allOf: - $ref: '#/components/schemas/Application' - type: object properties: credentials: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string description: A unique key is generated for 
the custom SWA app instance when you use AUTO_LOGIN `signOnMode`. readOnly: true settings: $ref: '#/components/schemas/AutoLoginApplicationSettings' AutoLoginApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: signOn: $ref: '#/components/schemas/AutoLoginApplicationSettingsSignOn' AutoLoginApplicationSettingsSignOn: type: object properties: loginUrl: type: string description: Primary URL of the sign-in page for this app redirectUrl: type: string description: Secondary URL of the sign-in page for this app required: - loginUrl AutoUpdateSchedule: description: The schedule of auto-update configured by the admin type: object properties: cron: type: string description: The schedule of the update in cron format. The cron settings are limited to only the day of the month or the nth-day-of-the-week configurations. For example, `0 8 ? * 6#3` indicates every third Saturday at 8:00 AM. example: 0 8 ? * 6#3 delay: description: Delay in days type: integer duration: description: Duration in minutes type: integer example: 120 lastUpdated: description: Timestamp when the update finished (only for a successful or failed update, not for a cancelled update). Null is returned if the job hasn't finished once yet. 
type: string format: date-time timezone: type: string description: Timezone of where the scheduled job takes place example: America/New_York AvailableAction: type: object properties: id: type: string description: Action identifier example: okta:action1 provider: $ref: '#/components/schemas/WorkflowAvailableActionProvider' required: - id - provider AvailableActionProvider: type: object properties: actionName: type: string description: The name of the action flow externalId: type: string description: The unique identifier of the action flow in the provider system type: $ref: '#/components/schemas/ActionProviderPayloadType' url: type: string format: uri description: The URL to the action flow required: - actionName - url - externalId - type discriminator: propertyName: type mapping: WORKFLOWS: '#/components/schemas/WorkflowAvailableActionProvider' AvailableActions: type: object properties: actions: type: array items: $ref: '#/components/schemas/AvailableAction' AwsAccountId: description: Your AWS account ID minLength: 12 maxLength: 12 example: 123456789012 type: string AwsEventSourceName: description: An alphanumeric name (no spaces) to identify this event source in AWS EventBridge minLength: 1 maxLength: 75 example: your-event-source-name type: string pattern: ^[a-zA-Z0-9.\-_]+$ AwsRegion: description: The destination AWS region where your event source is located type: string enum: - ap-northeast-1 - ap-northeast-2 - ap-northeast-3 - ap-south-1 - ap-southeast-1 - ap-southeast-2 - ca-central-1 - eu-central-1 - eu-north-1 - eu-west-1 - eu-west-2 - eu-west-3 - sa-east-1 - us-east-1 - us-east-2 - us-west-1 - us-west-2 BaseContext: description: This object contains a number of sub-objects, each of which provides some type of contextual information. 
type: object properties: request: $ref: '#/components/schemas/InlineHookRequestObject' session: description: Details of the user session type: object properties: id: description: The unique identifier for the user's session type: string example: 102LN9Bnuc4S_ewfc9BYwageA userId: description: The unique identifier for the user type: string example: 00uq8tMo3zV0OfJON0g3 login: description: The username used to identify the user. This is often the user's email address. type: string example: user@example.com createdAt: description: Timestamp of when the session was created type: string format: date-time example: '2019-03-28T16:45:55.000Z' expiresAt: description: Timestamp of when the session expires type: string format: date-time example: '2019-03-28T21:15:23.000Z' status: description: Represents the current status of the user's session type: string example: ACTIVE lastPasswordVerification: description: Timestamp of when the user was last authenticated type: string format: date-time example: '2019-03-28T16:45:55.000Z' amr: description: The authentication method reference type: array items: type: string example: - PASSWORD idp: $ref: '#/components/schemas/SessionIdentityProvider' mfaActive: description: Describes whether multifactor authentication was enabled type: boolean example: false user: description: Identifies the Okta user that the token was generated to authenticate and provides details of their Okta user profile type: object properties: id: description: The unique identifier for the user type: string example: 00uq8tMo3zV0OfJON0g3 passwordChanged: description: The timestamp when the user's password was last updated type: string format: date-time example: '2018-09-11T23:19:12.000Z' profile: type: object properties: login: description: The username used to identify the user. This is often the user's email address. 
type: string example: user@example.com firstName: description: The first name of the user type: string example: John lastName: description: The last name of the user type: string example: Smith locale: description: |- The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. A locale value is a concatenation of the [ISO 639-1](https://en.wikipedia.org/wiki/List_of_ISO_639_language_codes) two-letter language code, an underscore, and the [ISO 3166-1](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) two-letter country code. For example, `en_US` specifies the language English and country US. This value is `en_US` by default. type: string example: en_US timeZone: description: The user's timezone type: string example: America/Los_Angeles _links: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled. 
type: object properties: groups: description: URL to retrieve the individual user's group memberships allOf: - $ref: '#/components/schemas/HrefObject' factors: description: URL to retrieve individual user's factor enrollments allOf: - $ref: '#/components/schemas/HrefObject' BaseEmailDomain: type: object properties: displayName: type: string userName: type: string required: - displayName - userName BaseEmailServer: type: object properties: alias: type: string description: Human-readable name for your SMTP server example: CustomServer1 enabled: type: boolean description: If `true`, routes all email traffic through your SMTP server host: type: string description: Hostname or IP address of your SMTP server example: 192.168.160.1 port: type: integer description: Port number of your SMTP server example: 587 username: type: string description: Username used to access your SMTP server example: aUser BaseToken: type: object properties: claims: description: Claims included in the token. Consists of name-value pairs for each included claim. For descriptions of the claims that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#claims). 
type: object token: description: The token type: object properties: lifetime: description: Lifetime of the token type: object properties: expiration: description: Time in seconds until the token expires type: integer BasicApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: app: $ref: '#/components/schemas/BasicApplicationSettingsApplication' BasicApplicationSettingsApplication: type: object properties: authURL: type: string description: The URL of the authenticating site for this app url: type: string description: The URL of the sign-in page for this app required: - authURL - url BasicAuthApplication: x-okta-defined-as: name: template_basic_auth allOf: - $ref: '#/components/schemas/Application' - type: object properties: credentials: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string description: '`template_basic_auth` is the key name for a Basic Authentication scheme app instance' enum: - template_basic_auth settings: $ref: '#/components/schemas/BasicApplicationSettings' required: - name - settings BeforeScheduledActionPolicyRuleCondition: type: object properties: duration: $ref: '#/components/schemas/Duration' lifecycleAction: $ref: '#/components/schemas/ScheduledUserLifecycleAction' BehaviorRule: title: Behavior Detection Rule type: object properties: created: type: string description: Timestamp when the Behavior Detection Rule was created readOnly: true id: type: string description: ID of the Behavior Detection Rule readOnly: true lastUpdated: type: string description: Timestamp when the Behavior Detection Rule was last modified readOnly: true name: type: string description: Name of the Behavior Detection Rule maxLength: 128 status: $ref: '#/components/schemas/LifecycleStatus' type: $ref: '#/components/schemas/BehaviorRuleType' _link: $ref: '#/components/schemas/LinksSelf' required: - name - type discriminator: propertyName: type mapping: ANOMALOUS_LOCATION: 
'#/components/schemas/BehaviorRuleAnomalousLocation' ANOMALOUS_IP: '#/components/schemas/BehaviorRuleAnomalousIP' ANOMALOUS_DEVICE: '#/components/schemas/BehaviorRuleAnomalousDevice' VELOCITY: '#/components/schemas/BehaviorRuleVelocity' ANOMALOUS_ASN: '#/components/schemas/BehaviorRuleASN' BehaviorRuleASN: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] allOf: - $ref: '#/components/schemas/BehaviorRule' - type: object properties: settings: $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousASN' BehaviorRuleAnomalousDevice: allOf: - $ref: '#/components/schemas/BehaviorRule' - type: object properties: settings: $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousDevice' BehaviorRuleAnomalousIP: allOf: - $ref: '#/components/schemas/BehaviorRule' - type: object properties: settings: $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousIP' BehaviorRuleAnomalousLocation: allOf: - $ref: '#/components/schemas/BehaviorRule' - type: object properties: settings: $ref: '#/components/schemas/BehaviorRuleSettingsAnomalousLocation' BehaviorRuleSettings: title: Behavior Detection Rule Settings type: object BehaviorRuleSettingsAnomalousASN: allOf: - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' BehaviorRuleSettingsAnomalousDevice: allOf: - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' BehaviorRuleSettingsAnomalousIP: allOf: - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' - type: object properties: maxEventsUsedForEvaluation: type: integer minimum: 0 maximum: 100 default: 50 BehaviorRuleSettingsAnomalousLocation: allOf: - $ref: '#/components/schemas/BehaviorRuleSettingsHistoryBased' - type: object properties: granularity: $ref: '#/components/schemas/LocationGranularity' radiusKilometers: type: integer description: Required when `granularity` is `LAT_LONG`. Radius from the provided coordinates in kilometers. 
required: - granularity BehaviorRuleSettingsHistoryBased: allOf: - $ref: '#/components/schemas/BehaviorRuleSettings' - title: Behavior Detection Rule Settings based on Event History type: object properties: maxEventsUsedForEvaluation: type: integer minimum: 1 maximum: 100 default: 20 minEventsNeededForEvaluation: type: integer minimum: 0 maximum: 10 default: 0 BehaviorRuleSettingsVelocity: allOf: - $ref: '#/components/schemas/BehaviorRuleSettings' - title: Behavior Detection Rule Settings based on device velocity in kilometers per hour. type: object properties: velocityKph: type: integer minimum: 1 default: 805 required: - velocityKph BehaviorRuleType: type: string enum: - ANOMALOUS_DEVICE - ANOMALOUS_IP - ANOMALOUS_LOCATION - VELOCITY - ANOMALOUS_ASN BehaviorRuleVelocity: allOf: - $ref: '#/components/schemas/BehaviorRule' - type: object properties: settings: $ref: '#/components/schemas/BehaviorRuleSettingsVelocity' BindingMethod: description: The method used to bind the out-of-band channel with the primary channel. type: string enum: - none - prompt - transfer BookmarkApplication: x-okta-defined-as: name: bookmark allOf: - $ref: '#/components/schemas/Application' - type: object properties: credentials: $ref: '#/components/schemas/ApplicationCredentials' name: type: string description: '`bookmark` is the key name for a Bookmark app' enum: - bookmark settings: $ref: '#/components/schemas/BookmarkApplicationSettings' required: - name - settings BookmarkApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: app: $ref: '#/components/schemas/BookmarkApplicationSettingsApplication' BookmarkApplicationSettingsApplication: type: object properties: requestIntegration: type: boolean description: Would you like Okta to add an integration for this app? 
default: false url: type: string description: The URL of the launch page for this app required: - url BouncesRemoveListError: type: object properties: emailAddress: type: string description: An email address with a validation error reason: type: string description: Validation error reason BouncesRemoveListObj: type: object properties: emailAddresses: type: array description: A list of email addresses to remove from the email-service bounce list items: type: string description: Email address BouncesRemoveListResult: type: object properties: errors: type: array description: A list of emails that weren't added to the email-bounced remove list and the error reason items: $ref: '#/components/schemas/BouncesRemoveListError' Brand: type: object properties: agreeToCustomPrivacyPolicy: type: boolean description: Consent for updating the custom privacy URL. Not required when resetting the URL. customPrivacyPolicyUrl: type: string description: Custom privacy policy URL default: null defaultApp: $ref: '#/components/schemas/DefaultApp' emailDomainId: type: string description: The ID of the email domain id: readOnly: true type: string description: The Brand ID isDefault: readOnly: true type: boolean description: If `true`, the Brand is used for the Okta subdomain locale: $ref: '#/components/schemas/Language' name: type: string description: The name of the Brand removePoweredByOkta: type: boolean default: false description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard BrandDomains: description: Defines a list of domains with a subset of the properties for each domain type: object properties: domains: description: Each element of the array defines an individual domain type: array items: $ref: '#/components/schemas/DomainResponse' BrandRequest: type: object properties: agreeToCustomPrivacyPolicy: type: boolean description: Consent for updating the custom privacy URL. 
Not required when resetting the URL. customPrivacyPolicyUrl: type: string description: Custom privacy policy URL defaultApp: $ref: '#/components/schemas/DefaultApp' emailDomainId: type: string description: The ID of the email domain locale: $ref: '#/components/schemas/Language' name: type: string description: |- The name of the brand > **Note:** You can't use the reserved `DRAPP_DOMAIN_BRAND` name. removePoweredByOkta: type: boolean default: false description: Removes "Powered by Okta" from the sign-in page in redirect authentication deployments, and "© [current year] Okta, Inc." from the Okta End-User Dashboard required: - name BrandWithEmbedded: allOf: - $ref: '#/components/schemas/Brand' type: object properties: _embedded: type: object properties: themes: type: array items: $ref: '#/components/schemas/ThemeResponse' domains: items: $ref: '#/components/schemas/DomainResponse' type: array emailDomain: $ref: '#/components/schemas/EmailDomainResponse' readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: themes: $ref: '#/components/schemas/HrefObject' BrowserPluginApplication: allOf: - $ref: '#/components/schemas/Application' - type: object properties: credentials: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string description: The key name for the app definition enum: - template_swa - template_swa3field x-enumDescriptions: template_swa: The key name for a SWA app instance that requires a browser plugin template_swa3field: The key name for a SWA app instance that requires a browser plugin and supports three CSS selectors settings: $ref: '#/components/schemas/SwaApplicationSettings' required: - name - settings BulkDeleteRequestBody: type: object properties: entityType: description: The type of data to bulk delete in a session. Currently, only `USERS` is supported. 
type: string enum: - USERS profiles: type: array description: Array of profiles to be deleted items: $ref: '#/components/schemas/IdentitySourceUserProfileForDelete' BulkGroupDeleteRequestBody: type: object properties: externalIds: type: array description: Array of external IDs of groups that need to be deleted in Okta minItems: 1 maxItems: 200 items: type: string maxLength: 255 BulkGroupMembershipsDeleteRequestBody: type: object properties: memberships: $ref: '#/components/schemas/IdentitySourceGroupMembershipsDeleteProfile' BulkGroupMembershipsUpsertRequestBody: type: object properties: memberships: $ref: '#/components/schemas/IdentitySourceGroupMembershipsUpsertProfile' BulkGroupUpsertRequestBody: type: object properties: profiles: type: array description: Array of group profiles that need to be inserted or updated in Okta minItems: 1 maxItems: 200 items: type: object properties: externalId: type: string description: The external ID of the group that needs to be created or updated in Okta maxLength: 255 profile: $ref: '#/components/schemas/IdentitySourceGroupProfileForUpsert' BulkUpsertRequestBody: type: object properties: entityType: description: The type of data to upsert into the session. Currently, only `USERS` is supported. 
type: string enum: - USERS profiles: type: array description: Array of user profiles to be uploaded items: type: object properties: externalId: type: string description: The external ID of the entity that needs to be created or updated in Okta maxLength: 512 profile: $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert' BundleEntitlement: description: An entitlement in a governance bundle type: object properties: description: type: string description: The description of the role id: type: string description: Entitlement ID name: type: string description: The name of the role role: type: string description: The role key _links: type: object description: Link relations available properties: values: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the entitlement values resource BundleEntitlementsResponse: description: Entitlement list for a governance bundle type: object properties: entitlements: type: array description: List of bundle entitlements items: $ref: '#/components/schemas/BundleEntitlement' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - readOnly: true - properties: next: $ref: '#/components/schemas/HrefObjectNextLink' bundle: $ref: '#/components/schemas/BundleLink' BundleLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the bundle resource ByDateTimeAuthenticatorGracePeriodExpiry: allOf: - $ref: '#/components/schemas/EnrollmentPolicyAuthenticatorGracePeriod' - type: object properties: expiry: type: string description: | The expiry date for a `BY_DATE_TIME` grace period type. Valid format: `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'` For example, `2025-01-01T18:30:45.000Z` ByDateTimeExpiry: type: object description: An ISO 8601 formatted date and time for BY_DATE_TIME grace period type. properties: value: type: string format: date-time description: The expiry date and time in ISO 8601 format. 
example: '2025-01-01T18:30:45.000Z' ByDurationExpiry: type: object description: |- A time duration specified as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). Must be between 1 and 180 days inclusive. properties: value: type: string description: A time duration in ISO 8601 duration format. pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$ CAPTCHAInstance: title: CAPTCHAInstance description: '' type: object properties: id: description: The unique key for the CAPTCHA instance type: string readOnly: true name: description: The name of the CAPTCHA instance type: string secretKey: description: The secret key issued from the CAPTCHA provider to perform server-side validation for a CAPTCHA token type: string writeOnly: true siteKey: description: The site key issued from the CAPTCHA provider to render a CAPTCHA on a page type: string type: $ref: '#/components/schemas/CAPTCHAType' _links: $ref: '#/components/schemas/LinksSelf' CAPTCHAType: description: The type of CAPTCHA provider type: string enum: - HCAPTCHA - RECAPTCHA_V2 CSRLinks: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of a CSR object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. properties: publish: $ref: '#/components/schemas/HrefCsrPublishLink' self: $ref: '#/components/schemas/HrefCsrSelfLink' readOnly: true CaepCredentialChangeEvent: description: The credential was created, changed, revoked or deleted type: object properties: change_type: type: string description: The type of action done towards the credential enum: - create - revoke - update - delete credential_type: type: string description: The credential type of the changed credential. 
It will be one of the supported enum values or any other credential type supported mutually by the Transmitter and the Receiver. enum: - password - pin - x509 - fido2-platform - fido2-roaming - fido-u2f - verifiable-credential - phone-voice - phone-sms - app - SECURITY_QUESTION - SOFT_TOKEN - OKTA_SOFT_TOKEN - VIP_FACTOR - EMAIL_FACTOR - SECUREID_FACTOR - DUO_SECURITY - OKTA_VERIFY_PUSH - YUBIKEY_OTP_FACTOR - FIDO_WEBAUTHN - CUSTOM_APP_PUSH - CLAIMS_AS_FACTOR - HOTP_FACTOR - SIGNED_NONCE - ALL_FACTORS - TOTP event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 fido2_aaguid: type: string description: FIDO2 Authenticator Attestation GUID example: accced6a-63f5-490a-9eea-e59bc1896cfc friendly_name: type: string description: Credential friendly name example: John's FIDO authenticator initiating_entity: type: string description: The entity that initiated the event enum: - admin - user - policy - system reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user subject: $ref: '#/components/schemas/SsfTransmitterSecurityEventSubject' required: - credential_type - change_type CaepDeviceComplianceChangeEvent: description: The subject's device compliance was revoked type: object properties: current_status: type: string description: Current device compliance status enum: - compliant - not-compliant example: not-compliant event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 initiating_entity: type: string description: The entity that initiated the event enum: - admin - user - policy - system previous_status: type: string description: Previous device compliance status enum: - compliant - not-compliant 
reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required. reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - subject - current_status - previous_status CaepEvent: type: object properties: event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user subject: $ref: '#/components/schemas/SsfTransmitterSecurityEventSubject' CaepSecurityEvent: type: object properties: event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 initiating_entity: type: string description: The entity that initiated the event enum: - admin - user - policy - system reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required. reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - subject CaepSessionRevokedEvent: description: The session of the subject was revoked type: object properties: current_ip: type: string description: Current IP of the session example: 123.4.5.6 current_user_agent: type: string description: Current User Agent of the session example: CurrentUserAgent event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 initiating_entity: type: string description: The entity that initiated the event enum: - admin - user - policy - system last_known_ip: type: string description: Last known IP of the session example: 123.4.5.6 last_known_user_agent: type: string description: Last known User Agent of the session example: LastUserAgent reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing.
Either `reason_admin` or `reason_user` is required. reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.
Either `reason_admin` or `reason_user` is required. subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - subject CapabilitiesCreateObject: description: | Determines whether Okta assigns a new app account to each user managed by Okta. Okta doesn't create a new account if it detects that the username specified in Okta already exists in the app. The user's Okta username is assigned by default. type: object properties: lifecycleCreate: $ref: '#/components/schemas/LifecycleCreateSettingObject' CapabilitiesImportRulesObject: description: Defines user import rules type: object properties: userCreateAndMatch: $ref: '#/components/schemas/CapabilitiesImportRulesUserCreateAndMatchObject' CapabilitiesImportRulesUserCreateAndMatchObject: description: Rules for matching and creating users type: object properties: allowPartialMatch: type: boolean description: Allows user import upon partial matching. Partial matching occurs when the first and last names of an imported user match those of an existing Okta user, even if the username or email attributes don't match. autoActivateNewUsers: type: boolean description: If set to `true`, imported new users are automatically activated. autoConfirmExactMatch: type: boolean description: If set to `true`, exact-matched users are automatically confirmed on activation. If set to `false`, exact-matched users need to be confirmed manually. autoConfirmNewUsers: type: boolean description: If set to `true`, imported new users are automatically confirmed on activation. This doesn't apply to imported users that already exist in Okta. autoConfirmPartialMatch: type: boolean description: If set to `true`, partially matched users are automatically confirmed on activation. If set to `false`, partially matched users need to be confirmed manually. 
exactMatchCriteria: type: string description: Determines the attribute to match users enum: - EMAIL - USERNAME CapabilitiesImportSettingsObject: description: Defines import settings type: object properties: schedule: $ref: '#/components/schemas/ImportScheduleObject' username: $ref: '#/components/schemas/ImportUsernameObject' CapabilitiesInboundProvisioningObject: title: INBOUND_PROVISIONING description: Defines the configuration for the INBOUND_PROVISIONING feature x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true type: object properties: importRules: $ref: '#/components/schemas/CapabilitiesImportRulesObject' importSettings: $ref: '#/components/schemas/CapabilitiesImportSettingsObject' required: - importSettings - importRules CapabilitiesObject: title: USER_PROVISIONING description: Defines the configurations for the USER_PROVISIONING feature type: object properties: create: $ref: '#/components/schemas/CapabilitiesCreateObject' update: $ref: '#/components/schemas/CapabilitiesUpdateObject' CapabilitiesUpdateObject: description: Determines whether updates to a user's profile are pushed to the app type: object properties: lifecycleDeactivate: $ref: '#/components/schemas/LifecycleDeactivateSettingObject' password: $ref: '#/components/schemas/PasswordSettingObject' profile: $ref: '#/components/schemas/ProfileSettingObject' Capability: type: string enum: - ENTITLEMENTS - PROVISIONING - SSO - UNIVERSAL_LOGOUT CapabilityType: description: Capability type type: string enum: - PROVISIONING - SSO x-enumDescriptions: SSO: Express setup enabled for SSO PROVISIONING: Express setup enabled for provisioning CatalogApplication: description: An app in the OIN catalog type: object properties: category: type: string description: Category for the app in the OIN catalog example: SOCIAL readOnly: true description: type: string description: Description of the app in the OIN catalog readOnly: true displayName: type: string description: OIN catalog app display name readOnly: true 
features: type: array readOnly: true description: Features supported by the app. See app [features](/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications!c=200&path=0/features&t=response). items: type: string id: type: string readOnly: true description: ID of the app instance. Okta returns this property only for apps not in the OIN catalog. lastUpdated: type: string description: Timestamp when the object was last updated format: date-time readOnly: true example: '2024-09-19T23:37:37.000Z' name: type: string description: App key name. For OIN catalog apps, this is a unique key for the app definition. signOnModes: type: array description: Authentication mode for the app. See app [signOnMode](/openapi/okta-management/management/tag/Application/#tag/Application/operation/listApplications!c=200&path=0/signOnMode&t=response). items: type: string status: $ref: '#/components/schemas/CatalogApplicationStatus' verificationStatus: type: string description: OIN verification status of the catalog app example: OKTA_VERIFIED website: type: string description: Website of the OIN catalog app _links: type: object description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true properties: logo: type: array description: List of app logo resources items: $ref: '#/components/schemas/HrefObjectLogoLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' CatalogApplicationStatus: description: App status type: string enum: - ACTIVE - INACTIVE ChallengeType: type: string enum: - http://auth0.com/oauth/grant-type/mfa-oob - http://auth0.com/oauth/grant-type/mfa-otp ChangeEnum: description: Determines whether a change in a user's password also updates the user's password in the app default: KEEP_EXISTING example: CHANGE type: string enum: - CHANGE - KEEP_EXISTING 
ChangePasswordRequest: type: object properties: newPassword: $ref: '#/components/schemas/PasswordCredential' oldPassword: $ref: '#/components/schemas/PasswordCredential' revokeSessions: type: boolean description: When set to `true`, revokes all user sessions, except for the current session default: false Channel: description: The out-of-band channel for use with authentication. Required for all `/oob-authenticate` requests and any `/challenge` request with an out-of-band authenticator. type: string enum: - push - sms - voice ChannelBinding: type: object properties: required: $ref: '#/components/schemas/RequiredEnum' style: type: string enum: - NUMBER_CHALLENGE ChildOrg: type: object properties: admin: $ref: '#/components/schemas/OrgCreationAdmin' created: description: Timestamp when the org was created type: string format: date-time readOnly: true example: '2022-08-25T00:05:00.000Z' edition: description: Edition for the org. `SKU` is the only supported value. type: string enum: - SKU example: SKU id: type: string description: Org ID readOnly: true example: 00o1n8sbwArJ7OQRw406 lastUpdated: description: Timestamp when the org was last updated type: string format: date-time readOnly: true example: '2022-08-25T00:05:00.000Z' name: description: |- Unique name of the org. This name appears in the HTML `<title>` tag of the new org sign-in page. Only less than 4-width UTF-8 encoded characters are allowed. type: string format: utf-8 minimum: 1 maximum: 100 example: My Child Org 1 settings: description: Settings associated with the created org readOnly: true type: object additionalProperties: true status: description: Status of the org. `ACTIVE` is returned after the org is created. type: string readOnly: true enum: - ACTIVE subdomain: description: Subdomain of the org. Must be unique and include no spaces. type: string minimum: 1 maximum: 57 example: my-child-org-1 token: description: |- API token associated with the child org super admin account. 
Use this API token to provision resources (such as policies, apps, and groups) on the newly created child org. This token is revoked if the super admin account is deactivated. > **Note:** If this API token expires, sign in to the Admin Console as the super admin user and create a new API token. See [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/). type: string readOnly: true tokenType: description: Type of returned `token`. See [Okta API tokens](https://developer.okta.com/docs/guides/create-an-api-token/main/#okta-api-tokens). type: string readOnly: true example: SSWS enum: - SSWS website: description: Default website for the org type: string example: https://www.okta.com _links: description: Specifies available link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true type: object additionalProperties: true required: - admin - edition - name - subdomain ChromeBrowserVersion: description: Current version of the Chrome Browser type: object properties: minimum: type: string Claim: type: string ClassificationType: description: The type of user classification type: string enum: - LITE - STANDARD x-enumDescriptions: LITE: Lite STANDARD: Standard Client: type: object properties: application_type: $ref: '#/components/schemas/ApplicationType' client_id: type: string description: Unique key for the client application. The `client_id` is immutable. When you create a client Application, you can't specify the `client_id` because Okta uses the application ID for the `client_id`. 
readOnly: true client_id_issued_at: type: integer readOnly: true description: Time at which the `client_id` was issued (measured in unix seconds) client_name: type: string description: Human-readable string name of the client application client_secret: type: string readOnly: true description: OAuth 2.0 client secret string (used for confidential clients). The `client_secret` is shown only on the response of the creation or update of a client Application (and only if the `token_endpoint_auth_method` is one that requires a client secret). You can't specify the `client_secret`. If the `token_endpoint_auth_method` requires one, Okta generates a random `client_secret` for the client Application. nullable: true client_secret_expires_at: type: integer readOnly: true description: Time at which the `client_secret` expires or 0 if it doesn't expire (measured in unix seconds) minimum: 0 nullable: true frontchannel_logout_session_required: type: boolean description: Include user session details frontchannel_logout_uri: type: string description: URL where Okta sends the logout request nullable: true grant_types: type: array description: 'Array of OAuth 2.0 grant type strings. 
Default value: `[authorization_code]`' items: $ref: '#/components/schemas/GrantType' initiate_login_uri: type: string description: URL that a third party can use to initiate a login by the client jwks_uri: type: string description: URL string that references a [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta logo_uri: type: string description: URL string that references a logo for the client consent dialog (not the sign-in dialog) nullable: true policy_uri: type: string description: URL string of a web page providing the client's policy document nullable: true post_logout_redirect_uris: type: array description: Array of redirection URI strings for use for relying party initiated logouts items: type: string redirect_uris: type: array description: 'Array of redirection URI strings for use in redirect-based flows. All redirect URIs must be absolute URIs and must not include a fragment component. At least one redirect URI and response type is required for all client types, with the following exceptions: If the client uses the Resource Owner Password flow (if `grant_type` contains the value password) or the Client Credentials flow (if `grant_type` contains the value `client_credentials`), then no redirect URI or response type is necessary. In these cases, you can pass either null or an empty array for these attributes.' items: type: string request_object_signing_alg: type: array description: The type of [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) algorithm that must be used for signing request objects items: $ref: '#/components/schemas/SigningAlgorithm' response_types: type: array description: 'Array of OAuth 2.0 response type strings. 
Default value: `[code]`' items: $ref: '#/components/schemas/ResponseType' token_endpoint_auth_method: $ref: '#/components/schemas/EndpointAuthMethod' tos_uri: type: string description: URL string of a web page providing the client's terms of service document nullable: true ClientPolicyCondition: description: Specifies which clients are included in the Policy type: object properties: include: type: array description: Which clients are included in the Policy items: type: string ClientPrivilegesSetting: description: The org setting that assigns the super admin role by default to a public client app type: object properties: clientPrivilegesSetting: type: boolean description: If true, assigns the super admin role by default to new public client apps example: true CodeChallengeMethod: type: string enum: - S256 Compliance: type: object properties: fips: $ref: '#/components/schemas/FipsEnum' Conditions: description: Conditions of applying realm assignment type: object properties: expression: $ref: '#/components/schemas/Expression' profileSourceId: description: ID of the profile source type: string ConnectionScopes: description: Array of scopes. Required for all `scopeCondition` values. For `ALL_SCOPES`, this array is required with a single value of `*`. For `INCLUDE_ONLY`, only these scopes are allowed. For `EXCLUDE`, all scopes except these are allowed. 
minItems: 1 items: type: string type: array ConnectionType: description: Type of connection authentication method type: string enum: - IDENTITY_ASSERTION_APP_INSTANCE - IDENTITY_ASSERTION_CUSTOM_AS - STS_SERVICE_ACCOUNT - STS_VAULT_SECRET x-enumDescriptions: IDENTITY_ASSERTION_APP_INSTANCE: Identity assertion connection for app instances IDENTITY_ASSERTION_CUSTOM_AS: Identity assertion connection for custom authorization servers STS_VAULT_SECRET: Security Token Service connection for vaulted secrets STS_SERVICE_ACCOUNT: Security Token Service connection for service accounts ConnectionsSigningRotationMode: description: The signing key rotation setting for the provisioning connection type: string enum: - AUTO - MANUAL x-enumDescriptions: AUTO: Okta manages key rotation for the provisioning connection. Use the [Retrieve a JWKS for the default provisioning connection](/openapi/okta-management/management/tag/ApplicationConnections/#tag/ApplicationConnections/operation/getUserProvisioningConnectionJWKS) endpoint for the latest key credentials. MANUAL: You need to rotate the keys for your provisioning connection manually based on your own schedule. See [Key rotation](https://developer.okta.com/docs/concepts/key-rotation/). ContentSecurityPolicySetting: type: object properties: mode: type: string enum: - enforced - report_only reportUri: type: string srcList: type: array items: type: string ContextPolicyRuleCondition: allOf: - $ref: '#/components/schemas/DevicePolicyRuleCondition' - type: object properties: expression: type: string CreateAIAgentRequest: type: object properties: appId: type: string description: The ID of the connected app for the AI agent readOnly: false profile: $ref: '#/components/schemas/AIAgentProfile' CreateBrandRequest: title: CreateBrandRequest type: object properties: name: type: string description: |- The name of the brand > **Note:** You can't use the reserved `DRAPP_DOMAIN_BRAND` name. 
required: - name CreateGroupPushMappingRequest: type: object properties: appConfig: type: object $ref: '#/components/schemas/AppConfig' sourceGroupId: description: The ID of the source group for the group push mapping type: string status: type: string $ref: '#/components/schemas/GroupPushMappingStatusUpsert' targetGroupId: description: The ID of the existing target group for the group push mapping. This is used to link to an existing group. Required if `targetGroupName` is not provided. type: string targetGroupName: description: The name of the target group for the group push mapping. This is used when creating a new downstream group. If the group already exists, it links to the existing group. Required if `targetGroupId` is not provided. type: string required: - sourceGroupId CreateGroupRuleRequest: type: object properties: actions: $ref: '#/components/schemas/GroupRuleAction' conditions: $ref: '#/components/schemas/GroupRuleConditions' name: type: string description: Name of the group rule minLength: 1 maxLength: 50 type: type: string enum: - group_rule CreateIamRoleRequest: type: object properties: description: type: string description: Description of the role label: type: string description: Unique label for the role permissions: type: array description: Array of permissions that the role grants. See [Permissions](/openapi/okta-management/guides/permissions). 
required: - label - description - permissions CreateOrUpdatePolicy: type: object properties: created: description: Timestamp when the policy was created type: string format: date-time readOnly: true default: Assigned description: description: Description of the policy type: string default: null id: description: Identifier of the policy type: string readOnly: true default: Assigned lastUpdated: description: Timestamp when the policy was last modified type: string format: date-time readOnly: true default: Assigned name: description: Name of the policy type: string priority: description: Specifies the order in which this policy is evaluated in relation to the other policies type: integer default: Last / Lowest Priority, for example `1` status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Whether or not the policy is active. Use the `activate` query parameter to set the status of a policy. system: description: Specifies whether Okta created the policy type: boolean default: false type: $ref: '#/components/schemas/PolicyType' _embedded: type: object additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/PolicyLinks' required: - name - type discriminator: propertyName: type mapping: ACCESS_POLICY: '#/components/schemas/AccessPolicy' MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy' OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' PASSWORD: '#/components/schemas/PasswordPolicy' PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' DEVICE_SIGNAL_COLLECTION: '#/components/schemas/DeviceSignalCollectionPolicy' CreateRealmAssignmentRequest: type: object properties: actions: $ref: '#/components/schemas/Actions' conditions: $ref: '#/components/schemas/Conditions' name: type: string description: Name of the realm priority: type: integer description: |- The priority of the realm assignment. The lower the number, the higher the priority. 
This helps resolve conflicts between realm assignments. > **Note:** When you create realm assignments in bulk, realm assignment priorities must be unique. CreateRealmRequest: type: object properties: profile: $ref: '#/components/schemas/RealmProfile' CreateResourceSetRequest: type: object properties: description: type: string description: Description of the resource set label: type: string description: Unique name for the resource set resources: type: array description: The endpoint (URL) that references all resource objects included in the resource set. Resources are identified by either an Okta Resource Name (ORN) or by a REST URL format. See [Okta Resource Name](/openapi/okta-management/guides/roles/#okta-resource-name-orn). maximum: 1000 items: type: string required: - description - label - resources CreateSessionRequest: type: object properties: sessionToken: type: string description: The session token obtained during authentication CreateUISchema: description: The request body properties for the new UI Schema type: object properties: uiSchema: $ref: '#/components/schemas/UISchemaObject' CreateUpdateIamRolePermissionRequest: type: object properties: conditions: $ref: '#/components/schemas/PermissionConditions' CreateUserRequest: type: object properties: credentials: $ref: '#/components/schemas/UserCredentialsWritable' groupIds: type: array description: The list of group IDs of groups that the user is added to at the time of creation items: type: string profile: $ref: '#/components/schemas/UserProfile' realmId: type: string description: The ID of the realm in which the user is residing. See [Realms](/openapi/okta-management/management/tag/Realm/). example: guo1bfiNtSnZYILxO0g4 type: type: object description: |- The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). 
The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can only be assigned a different user type by an administrator through a full replacement (`PUT`) operation. properties: id: type: string description: The ID of the user type required: - profile Created: format: date-time description: Timestamp when the object was created example: '2016-01-03T18:15:47.000Z' type: string readOnly: true CredentialSyncInfo: type: object properties: errorCode: type: string description: The error code for the type of error readOnly: true errorReason: type: string description: A short description of the error readOnly: true secretVersionId: type: string description: The version ID of the password secret from the OPA vault. minLength: 1 maxLength: 36 example: 9f8400-e29b-41d4-a716-926655440034 syncState: $ref: '#/components/schemas/CredentialSyncState' syncTime: type: string description: Timestamp when the credential was changed format: date-time readOnly: true example: '2024-06-10T11:30:01.000Z' CredentialSyncState: description: Current credential sync status of the privileged resource type: string enum: - NOT_SYNCED - SYNCED - SYNCING - SYNC_FAILED x-enumDescriptions: NOT_SYNCED: Credentials are not yet synced SYNCING: Credentials are currently being synced SYNCED: Credentials are successfully synced SYNC_FAILED: Credential sync failed readOnly: true Csr: type: object properties: created: $ref: '#/components/schemas/createdProperty' csr: type: string readOnly: true id: type: string readOnly: true example: h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 kty: type: string readOnly: true example: RSA _links: $ref: '#/components/schemas/CSRLinks' readOnly: true nullable: false CsrMetadata: type: object properties: subject: $ref: '#/components/schemas/CsrMetadataSubject' subjectAltNames: $ref: 
'#/components/schemas/CsrMetadataSubjectAltNames' CsrMetadataSubject: type: object properties: commonName: type: string description: Common name of the subject example: SP Issuer countryName: type: string description: Country name or code example: US localityName: type: string description: Locality (city) name example: San Francisco organizationalUnitName: type: string description: Name of the smaller organization, for example, the department or the division example: Dev organizationName: type: string description: Large organization name example: Okta, Inc. stateOrProvinceName: type: string description: State or province name example: California CsrMetadataSubjectAltNames: type: object properties: dnsNames: type: array description: DNS names of the subject items: type: string example: dev.okta.com CsrPublishHrefHints: description: Describes allowed HTTP verbs for the `href` type: object properties: allow: type: array items: type: string enum: - POST CsrSelfHrefHints: description: Describes allowed HTTP verbs for the `href` type: object properties: allow: type: array items: type: string enum: - GET - DELETE CustomAAGUIDCreateRequestObject: type: object properties: aaguid: description: An Authenticator Attestation Global Unique Identifier (AAGUID) is a 128-bit identifier indicating the model. 
type: string attestationRootCertificates: $ref: '#/components/schemas/AttestationRootCertificatesRequest' authenticatorCharacteristics: $ref: '#/components/schemas/AAGUIDAuthenticatorCharacteristics' CustomAAGUIDResponseObject: type: object properties: aaguid: description: A unique 128-bit identifier that's assigned to a specific model of security key or authenticator type: string attestationRootCertificates: $ref: '#/components/schemas/AttestationRootCertificatesResponse' authenticatorCharacteristics: $ref: '#/components/schemas/AAGUIDAuthenticatorCharacteristics' name: description: The product name associated with the AAGUID type: string _links: $ref: '#/components/schemas/LinksSelf' CustomAAGUIDUpdateRequestObject: type: object properties: attestationRootCertificates: $ref: '#/components/schemas/AttestationRootCertificatesRequest' authenticatorCharacteristics: $ref: '#/components/schemas/AAGUIDAuthenticatorCharacteristics' name: description: The product name associated with this AAGUID. 
type: string CustomAppUserVerificationEnum: description: User verification setting type: string enum: - PREFERRED - REQUIRED CustomAuthSettings: description: Set of AIPs used for authType `CUSTOM` type: object properties: appInstanceProperties: type: array items: $ref: '#/components/schemas/AppInstanceProperty' CustomAuthorizationServer: description: Custom authorization server for the managed connection type: object properties: issuerUrl: type: string description: Issuer URL for the authorization server logo: type: string description: Image URL for the authorization server name: type: string description: Display name of the authorization server orn: $ref: '#/components/schemas/AuthorizationServerOrn' _links: type: object required: - self properties: self: $ref: '#/components/schemas/HrefObject' description: Link to the authorization server via the Okta API web: $ref: '#/components/schemas/HrefObject' description: Link to the authorization server in the Okta UI (HTML) required: - orn - name - issuerUrl - _links CustomRole: title: Custom role assignment type: object properties: assignmentType: $ref: '#/components/schemas/RoleAssignmentType' created: type: string description: Timestamp when the object was created format: date-time readOnly: true id: type: string description: Binding object ID readOnly: true label: type: string description: Label for the role assignment readOnly: true lastUpdated: type: string description: Timestamp when the object was last updated format: date-time readOnly: true resource-set: type: string description: Resource set ID readOnly: true role: type: string description: Role ID readOnly: true status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Status of the role assignment type: $ref: '#/components/schemas/RoleType' _links: $ref: '#/components/schemas/LinksCustomRoleResponse' required: - type CustomRoleAssignmentSchema: title: Custom Role type: object properties: resource-set: type: string description: Resource set 
ID role: type: string description: Custom role ID type: type: string description: 'Specify a [standard admin role](/openapi/okta-management/guides/roles/#standard-roles), an [IAM-based standard role](/openapi/okta-management/guides/roles/#iam-based-standard-roles), or `CUSTOM` for a custom role type:' enum: - CUSTOM required: - type - role - resource-set CustomizablePage: type: object properties: pageContent: type: string description: The HTML for the page DNSRecordAuthenticators: description: DNS TXT record that must be registered for an RP ID domain that requires verification. This is used to verify the domain ownership for the WebAuthn RP ID configuration. After the domain ownership is verified, the `DNSRecord` isn't returned in the response. type: object properties: fqdn: description: The DNS record name type: string example: _oktaverification.mycustomdomain.com recordType: $ref: '#/components/schemas/DNSRecordTypeAuthenticators' verificationValue: description: The DNS record verification value type: string example: - 79496f234c814638b1cc44f51a782781 DNSRecordDomains: description: DNS TXT and CNAME records to be registered for the Domain type: object properties: expiration: description: DNS TXT record expiration type: string fqdn: description: DNS record name type: string example: _oktaverification.login.example.com recordType: $ref: '#/components/schemas/DNSRecordTypeDomains' values: description: DNS record value type: array items: type: string example: - 79496f234c814638b1cc44f51a782781 DNSRecordTypeAuthenticators: example: TXT type: string enum: - TXT DNSRecordTypeDomains: example: TXT type: string enum: - CNAME - TXT DRStatusItem: description: Status whether a domain has been failed over or not type: object properties: domain: type: string description: Domain for your org isFailedOver: type: boolean description: Indicates if the domain has been failed over nullable: false DTCChromeOS: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] 
description: Google Chrome Device Trust Connector provider type: object properties: allowScreenLock: description: Indicates whether the AllowScreenLock enterprise policy is enabled type: boolean browserVersion: $ref: '#/components/schemas/ChromeBrowserVersion' builtInDnsClientEnabled: description: Indicates if a software stack is used to communicate with the DNS server type: boolean chromeRemoteDesktopAppBlocked: description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy type: boolean deviceEnrollmentDomain: description: Enrollment domain of the customer that is currently managing the device type: string diskEncrypted: description: Indicates whether the main disk is encrypted type: boolean keyTrustLevel: $ref: '#/components/schemas/KeyTrustLevelOSMode' managedDevice: description: Indicates whether the device is enrolled in ChromeOS device management type: boolean osFirewall: description: Indicates whether a firewall is enabled at the OS-level on the device type: boolean osVersion: $ref: '#/components/schemas/OSVersionFourComponents' passwordProtectionWarningTrigger: $ref: '#/components/schemas/PasswordProtectionWarningTrigger' realtimeUrlCheckMode: description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled type: boolean safeBrowsingProtectionLevel: $ref: '#/components/schemas/SafeBrowsingProtectionLevel' screenLockSecured: description: Indicates whether the device is password-protected type: boolean siteIsolationEnabled: description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled type: boolean DTCMacOS: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] description: Google Chrome Device Trust Connector provider type: object properties: browserVersion: $ref: '#/components/schemas/ChromeBrowserVersion' builtInDnsClientEnabled: description: Indicates if a software stack is used to communicate with the DNS server type: boolean 
chromeRemoteDesktopAppBlocked: description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy type: boolean deviceEnrollmentDomain: description: Enrollment domain of the customer that is currently managing the device type: string diskEncrypted: description: Indicates whether the main disk is encrypted type: boolean keyTrustLevel: $ref: '#/components/schemas/KeyTrustLevelBrowserKey' osFirewall: description: Indicates whether a firewall is enabled at the OS-level on the device type: boolean osVersion: $ref: '#/components/schemas/OSVersionThreeComponents' passwordProtectionWarningTrigger: $ref: '#/components/schemas/PasswordProtectionWarningTrigger' realtimeUrlCheckMode: description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled type: boolean safeBrowsingProtectionLevel: $ref: '#/components/schemas/SafeBrowsingProtectionLevel' screenLockSecured: description: Indicates whether the device is password-protected type: boolean siteIsolationEnabled: description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled type: boolean DTCWindows: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] description: Google Chrome Device Trust Connector provider type: object properties: antivirusEnabled: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>Indicates whether antivirus software is enabled type: boolean browserVersion: $ref: '#/components/schemas/ChromeBrowserVersion' builtInDnsClientEnabled: description: Indicates if a software stack is used to communicate with the DNS server type: boolean chromeRemoteDesktopAppBlocked: description: Indicates whether access to the Chrome Remote Desktop application is blocked through a policy type: boolean crowdStrikeAgentId: description: Agent ID of an installed CrowdStrike agent type: string 
crowdStrikeCustomerId: description: Customer ID of an installed CrowdStrike agent type: string deviceEnrollmentDomain: description: Enrollment domain of the customer that is currently managing the device type: string diskEncrypted: description: Indicates whether the main disk is encrypted type: boolean keyTrustLevel: $ref: '#/components/schemas/KeyTrustLevelBrowserKey' osFirewall: description: Indicates whether a firewall is enabled at the OS-level on the device type: boolean osVersion: $ref: '#/components/schemas/OSVersionFourComponents' passwordProtectionWarningTrigger: $ref: '#/components/schemas/PasswordProtectionWarningTrigger' realtimeUrlCheckMode: description: Indicates whether enterprise-grade (custom) unsafe URL scanning is enabled type: boolean safeBrowsingProtectionLevel: $ref: '#/components/schemas/SafeBrowsingProtectionLevel' screenLockSecured: description: Indicates whether the device is password-protected type: boolean secureBootEnabled: description: Indicates whether the device's startup software has its Secure Boot feature enabled type: boolean siteIsolationEnabled: description: Indicates whether the Site Isolation (also known as **Site Per Process**) setting is enabled type: boolean thirdPartyBlockingEnabled: deprecated: true description: Indicates whether Chrome is blocking third-party software injection type: boolean windowsMachineDomain: description: Windows domain that the current machine has joined type: string windowsUserDomain: description: Windows domain for the current OS user type: string DateTime: description: An [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601#Combined_date_and_time_representations) formatted date and time. 
format: date-time example: '2024-12-01T00:00:00Z' type: string DefaultApp: type: object properties: appInstanceId: type: string description: ID for the App instance appLinkName: type: string description: Name for the app instance classicApplicationUri: type: string description: Application URI for classic Orgs DesktopMFAEnforceNumberMatchingChallengeOrgSetting: type: object properties: desktopMFAEnforceNumberMatchingChallengeEnabled: type: boolean description: Indicates whether or not the Desktop MFA Enforce Number Matching Challenge push notifications feature is enabled default: false DesktopMFARecoveryPinOrgSetting: type: object properties: desktopMFARecoveryPinEnabled: type: boolean description: Indicates whether or not the Desktop MFA Recovery PIN feature is enabled default: false DetailedHookKeyInstance: title: DetailedHookKeyInstance description: A key object with public key details type: object properties: created: type: string format: date-time description: Timestamp when the key was created readOnly: true nullable: true id: type: string description: The unique Okta ID of this key record readOnly: true nullable: false isUsed: type: string format: boolean description: Whether this key is currently in use by other applications nullable: false readOnly: true keyId: type: string description: The alias of the public key nullable: false readOnly: true lastUpdated: type: string format: date-time description: Timestamp when the key was updated readOnly: true nullable: true name: type: string description: Display name of the key readOnly: false nullable: false minLength: 1 maxLength: 255 _embedded: $ref: '#/components/schemas/_embedded' DetectedRiskEvents: type: string enum: - ADMIN_REPORTED_USER_RISK - BRUTE_FORCE_ATTACK - ENTITY_CRITICAL_ACTION_FROM_HIGH_THREAT_IP - OKTA_THREAT_INTELLIGENCE - SECURITY_EVENTS_PROVIDER_REPORTED_RISK - SESSION_INFLUENCED_USER_RISK - SUSPICIOUS_APP_ACCESS - USER_REPORTED_SUSPICIOUS_ACTIVITY Device: type: object properties: created: 
type: string format: date-time description: Timestamp when the device was created readOnly: true id: type: string description: Unique key for the device readOnly: true lastUpdated: type: string format: date-time description: Timestamp when the device record was last updated. Updates occur when Okta collects and saves device signals during authentication, and when the lifecycle state of the device changes. readOnly: true profile: $ref: '#/components/schemas/DeviceProfile' resourceAlternateId: type: string readOnly: true resourceDisplayName: $ref: '#/components/schemas/DeviceDisplayName' resourceId: type: string description: Alternate key for the `id` readOnly: true resourceType: type: string default: UDDevice readOnly: true status: $ref: '#/components/schemas/DeviceStatus' _links: $ref: '#/components/schemas/LinksSelfAndFullUsersLifecycle' DeviceAccessPolicyRuleCondition: description: <x-lifecycle class="oie"></x-lifecycle> Specifies the device condition to match on type: object properties: assurance: $ref: '#/components/schemas/DevicePolicyRuleConditionAssurance' managed: type: boolean description: Indicates if the device is managed. A device is considered managed if it's part of a device management system. registered: type: boolean description: | Indicates if the device is registered. A device is registered if the User enrolls with Okta Verify that's installed on the device. When the `managed` property is passed, you must also include the `registered` property and set it to `true`. 
DeviceAssurance: title: DeviceAssurance type: object properties: createdBy: type: string readOnly: true createdDate: type: string readOnly: true devicePostureChecks: $ref: '#/components/schemas/DevicePostureChecks' displayRemediationMode: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>Represents the remediation mode of this device assurance policy when users are denied access due to device noncompliance type: string enum: - HIDE - SHOW example: SHOW x-enumDescriptions: HIDE: Hide remediation instructions in the Sign-In Widget SHOW: Display remediation instructions in the Sign-In Widget gracePeriod: $ref: '#/components/schemas/GracePeriod' id: type: string readOnly: true lastUpdate: type: string readOnly: true lastUpdatedBy: type: string readOnly: true name: type: string description: Display name of the device assurance policy platform: $ref: '#/components/schemas/Platform' _links: $ref: '#/components/schemas/LinksSelf' discriminator: propertyName: platform mapping: WINDOWS: '#/components/schemas/DeviceAssuranceWindowsPlatform' MACOS: '#/components/schemas/DeviceAssuranceMacOSPlatform' CHROMEOS: '#/components/schemas/DeviceAssuranceChromeOSPlatform' IOS: '#/components/schemas/DeviceAssuranceIOSPlatform' ANDROID: '#/components/schemas/DeviceAssuranceAndroidPlatform' DeviceAssuranceAndroidPlatform: allOf: - $ref: '#/components/schemas/DeviceAssurance' - type: object properties: diskEncryptionType: type: object properties: include: type: array items: $ref: '#/components/schemas/DiskEncryptionTypeAndroid' jailbreak: type: boolean osVersion: $ref: '#/components/schemas/OSVersion' screenLockType: type: object properties: include: type: array items: $ref: '#/components/schemas/ScreenLockType' secureHardwarePresent: type: boolean thirdPartySignalProviders: type: object description: Settings for third-party signal providers (based on the `ANDROID` platform) 
properties: androidDeviceTrust: $ref: '#/components/schemas/AndroidDeviceTrust' devicePostureIdP: $ref: '#/components/schemas/DevicePostureIdP' DeviceAssuranceChromeOSPlatform: allOf: - $ref: '#/components/schemas/DeviceAssurance' - type: object properties: thirdPartySignalProviders: type: object description: Settings for third-party signal providers (based on the `CHROMEOS` platform) properties: dtc: $ref: '#/components/schemas/DTCChromeOS' devicePostureIdP: $ref: '#/components/schemas/DevicePostureIdP' DeviceAssuranceIOSPlatform: allOf: - $ref: '#/components/schemas/DeviceAssurance' - type: object properties: jailbreak: type: boolean osVersion: $ref: '#/components/schemas/OSVersion' screenLockType: type: object properties: include: type: array items: $ref: '#/components/schemas/ScreenLockType' thirdPartySignalProviders: type: object description: Settings for third-party signal providers (based on the `IOS` platform) properties: devicePostureIdP: $ref: '#/components/schemas/DevicePostureIdP' DeviceAssuranceMacOSPlatform: allOf: - $ref: '#/components/schemas/DeviceAssurance' - type: object properties: diskEncryptionType: type: object properties: include: type: array items: $ref: '#/components/schemas/DiskEncryptionTypeDesktop' osVersion: $ref: '#/components/schemas/OSVersion' screenLockType: type: object properties: include: type: array items: $ref: '#/components/schemas/ScreenLockType' secureHardwarePresent: type: boolean thirdPartySignalProviders: type: object description: Settings for third-party signal providers (based on the `MACOS` platform) properties: dtc: $ref: '#/components/schemas/DTCMacOS' devicePostureIdP: $ref: '#/components/schemas/DevicePostureIdP' DeviceAssuranceWindowsPlatform: allOf: - $ref: '#/components/schemas/DeviceAssurance' - type: object properties: diskEncryptionType: type: object properties: include: type: array items: $ref: '#/components/schemas/DiskEncryptionTypeDesktop' osVersion: $ref: '#/components/schemas/OSVersionFourComponents' 
osVersionConstraints: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] type: array description: | <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>Specifies the Windows version requirements for the assurance policy. Each requirement must correspond to a different major version (Windows 11 or Windows 10). If a requirement isn't specified for a major version, then devices on that major version satisfy the condition. There are two types of OS requirements: * **Static**: A specific Windows version requirement that doesn't change until you update the policy. A static OS Windows requirement is specified with `majorVersionConstraint` and `minimum`. * **Dynamic**: A Windows version requirement that is relative to the latest major release and security patch. A dynamic OS Windows requirement is specified with `majorVersionConstraint` and `dynamicVersionRequirement`. > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. The `osVersionConstraints` property is only supported for the Windows platform. You can't specify both `osVersion.minimum` and `osVersionConstraints` properties at the same time. 
items: $ref: '#/components/schemas/OSVersionConstraint' minItems: 1 maxItems: 2 screenLockType: type: object properties: include: type: array items: $ref: '#/components/schemas/ScreenLockType' secureHardwarePresent: type: boolean thirdPartySignalProviders: type: object description: Settings for third-party signal providers (based on the `WINDOWS` platform) properties: dtc: $ref: '#/components/schemas/DTCWindows' devicePostureIdP: $ref: '#/components/schemas/DevicePostureIdP' DeviceContextProvider: type: object properties: id: type: string description: Unique identifier for the device context provider key: type: string description: Identifies the type of device context provider enum: - OKTA_VERIFY - CHROME_DEVICE_TRUST - DEVICE_POSTURE_IDP userIdentification: type: string description: Whether or not the device context provider is used to identify the user. `IGNORE` prevents the device context provider from being used to authenticate the user. Identification of the device and device context collection happens regardless of this setting. 
enum: - ALLOW - IGNORE required: - key DeviceDisplayName: description: Display name of the device type: object properties: sensitive: type: boolean description: Indicates whether the associated value is Personally Identifiable Information (PII) and requires masking default: false value: type: string description: Display name of the device DeviceIntegrations: title: DeviceIntegrations type: object properties: displayName: type: string description: The display name of the device integration id: type: string readOnly: true description: The ID of the device integration metadata: $ref: '#/components/schemas/DeviceIntegrationsMetadata' name: $ref: '#/components/schemas/DeviceIntegrationsName' platform: $ref: '#/components/schemas/DeviceIntegrationsPlatform' status: $ref: '#/components/schemas/DeviceIntegrationsStatus' _links: $ref: '#/components/schemas/LinksSelfAndLifecycle' DeviceIntegrationsMetadata: description: The metadata of the device integration oneOf: - type: object properties: type: type: string enum: - CHROME serviceAccountName: type: string serviceAccountEmail: type: string required: - type - serviceAccountName - serviceAccountEmail - type: object properties: type: type: string enum: - WORKSPACE_ONE provider: type: string enrollmentUrl: type: string idpId: type: string required: - type - provider - enrollmentUrl - idpId - type: object properties: type: type: string enum: - DEVICE_IDP idpId: type: string required: - type - idpId type: object DeviceIntegrationsName: description: The namespace of the device integration type: string enum: - com.android.zero.trust - com.crowdstrike.zta - com.google.dtc - com.okta.device.osquery - com.okta.deviceidp - com.okta.windowssecuritycenter - com.okta.workspaceone DeviceIntegrationsPlatform: type: string enum: - ANDROID - CHROMEOS - IOS - MACOS - WINDOWS DeviceIntegrationsStatus: description: The status of the device integration type: string enum: - ACTIVE - DEACTIVATED DeviceIntegrity: description: Indicates how well a
device can enforce app integrity type: string enum: - MEETS_BASIC_INTEGRITY - MEETS_DEVICE_INTEGRITY - MEETS_STRONG_INTEGRITY x-enumDescriptions: MEETS_BASIC_INTEGRITY: The app is running on a device that passes basic system integrity checks. The device may not meet Android compatibility requirements and may not be approved to run Google Play services. MEETS_DEVICE_INTEGRITY: The app is running on an Android-powered device with Google Play services. The device passes system integrity checks and meets Android compatibility requirements. MEETS_STRONG_INTEGRITY: The app is running on an Android-powered device with Google Play services. It has a strong guarantee of system integrity such as a hardware-backed proof of boot integrity. The device passes system integrity checks and meets Android compatibility requirements. DeviceList: allOf: - $ref: '#/components/schemas/Device' - properties: _embedded: type: object description: List of associated users for the device if the `expand=user` query parameter is specified in the request. Use `expand=userSummary` to get only a summary of each associated user for the device. 
properties: users: description: Users for the device type: array items: $ref: '#/components/schemas/DeviceUser' readOnly: true DevicePlatform: description: OS platform of the device type: string enum: - ANDROID - IOS - MACOS - WINDOWS DevicePolicyMDMFramework: type: string enum: - AFW - NATIVE - SAFE DevicePolicyPlatformType: type: string enum: - ANDROID - IOS - OSX - WINDOWS DevicePolicyRuleCondition: type: object properties: migrated: type: boolean platform: $ref: '#/components/schemas/DevicePolicyRuleConditionPlatform' rooted: type: boolean trustLevel: $ref: '#/components/schemas/DevicePolicyTrustLevel' DevicePolicyRuleConditionAssurance: description: Specifies [device assurance policies](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/DeviceAssurance/) in the policy rule type: object properties: include: type: array description: Specifies the device assurance policy ID items: type: string DevicePolicyRuleConditionPlatform: type: object properties: supportedMDMFrameworks: type: array items: $ref: '#/components/schemas/DevicePolicyMDMFramework' types: type: array items: $ref: '#/components/schemas/DevicePolicyPlatformType' DevicePolicyTrustLevel: type: string enum: - ANY - TRUSTED DevicePostureCheck: title: DevicePostureCheck type: object properties: createdBy: type: string readOnly: true description: User who created the device posture check example: 00u217pyf72CdUrBt1c5 createdDate: type: string readOnly: true description: Time the device posture check was created example: '2019-10-02T18:03:07.000Z' description: type: string description: Description of the device posture check example: Query macOS devices to check if firewall is enabled id: type: string readOnly: true description: The ID of the device posture check example: dch3m8o4rWhwReDeM1c5 lastUpdate: type: string readOnly: true description: Time the device posture check was updated example: '2019-10-02T18:03:07.000Z' lastUpdatedBy: type: string readOnly: true description: User 
who updated the device posture check example: 00u217pyf72CdUrBt1c5 mappingType: $ref: '#/components/schemas/DevicePostureChecksMappingType' name: type: string description: Display name of the device posture check example: Device posture check macOS platform: $ref: '#/components/schemas/DevicePostureChecksPlatform' query: type: string description: OSQuery for the device posture check example: SELECT CASE WHEN global_state = 0 THEN 0 ELSE 1 END AS firewall_enabled FROM alf; remediationSettings: $ref: '#/components/schemas/DevicePostureChecksRemediationSettings' type: $ref: '#/components/schemas/DevicePostureChecksType' variableName: type: string description: Unique name of the device posture check example: macOSFirewall _links: $ref: '#/components/schemas/LinksSelf' DevicePostureChecks: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>Represents the Device Posture Checks configuration for the device assurance policy type: object properties: include: type: array description: An array of key value pairs including Device Posture Check `variableNames` example: - variableName: macOSFirewall value: '1' - variableName: windowsFirewall value: '1' DevicePostureChecksMappingType: description: Represents how the device posture check is rendered in device assurance policies type: string enum: - CHECKBOX - TEXTBOX DevicePostureChecksPlatform: type: string enum: - MACOS - WINDOWS DevicePostureChecksRemediationSettings: description: Represents the remediation instructions shown to the end user when the device posture check fails type: object properties: link: type: object properties: defaultUrl: type: string description: Default URL for the link. This property is only relevant if type is set to `BUILTIN`. If type is set to `CUSTOM`, this field is ignored. 
example: https://help.okta.com/eu/en-us/content/topics/end-user/ov-device-health-macos.htm customUrl: type: string description: Custom URL for the link example: example.myremediationurl.com/docs message: type: object properties: defaultI18nKey: type: string description: Default i18n key for the message. This property is only relevant if type is set to `BUILTIN`. If type is set to `CUSTOM`, this field is ignored. example: macos.firewall.enabled.remediation.message customText: type: string description: Custom text for the message example: It is our company policy that all devices must have a firewall enabled. DevicePostureChecksType: type: string enum: - BUILTIN - CUSTOM DevicePostureIdP: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>Device Posture IdP provider type: object properties: compliant: description: Indicates whether the device is compliant according to the custom IDP type: boolean managed: description: Indicates whether the device is managed according to the custom IDP type: boolean DeviceProfile: type: object properties: diskEncryptionType: $ref: '#/components/schemas/DiskEncryptionTypeDef' displayName: type: string description: Display name of the device minLength: 1 maxLength: 255 imei: type: string description: International Mobile Equipment Identity (IMEI) of the device minLength: 14 maxLength: 17 integrityJailbreak: type: boolean description: Indicates if the device is jailbroken or rooted. 
Only applicable to `IOS` and `ANDROID` platforms managed: type: boolean description: Indicates if the device is managed by mobile device management (MDM) software manufacturer: type: string description: Name of the manufacturer of the device maxLength: 127 meid: type: string description: Mobile equipment identifier of the device maxLength: 14 model: type: string description: Model of the device maxLength: 127 osVersion: type: string description: Version of the device OS maxLength: 127 platform: $ref: '#/components/schemas/DevicePlatform' registered: type: boolean description: Indicates if the device is registered at Okta secureHardwarePresent: type: boolean description: Indicates if the device contains secure hardware functionality serialNumber: type: string description: Serial number of the device maxLength: 127 sid: type: string description: Windows Security identifier of the device maxLength: 256 tpmPublicKeyHash: type: string description: Windows Trusted Platform Module hash value udid: type: string description: macOS Unique device identifier of the device maxLength: 47 required: - displayName - platform - registered DeviceSignalCollectionPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: type: string description: Policy conditions aren't supported. Conditions are applied at the rule level for this policy type.
default: null nullable: true DeviceSignalCollectionPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: $ref: '#/components/schemas/DeviceSignalCollectionPolicyRuleActions' conditions: $ref: '#/components/schemas/DeviceSignalCollectionPolicyRuleConditions' DeviceSignalCollectionPolicyRuleActions: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>Specifies actions to be taken, or operations that may be allowed, if the rule conditions are satisfied type: object properties: deviceSignalCollection: $ref: '#/components/schemas/DeviceSignalCollectionPolicyRuleDeviceSignalCollection' DeviceSignalCollectionPolicyRuleConditions: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions, as well as conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule. type: object properties: network: $ref: '#/components/schemas/PolicyNetworkCondition' platform: $ref: '#/components/schemas/PlatformPolicyRuleCondition' DeviceSignalCollectionPolicyRuleDeviceSignalCollection: description: Specifies how device context is collected when a user attempts to sign in type: object properties: deviceContextProviders: type: array description: Contains the device context provider configuration items: $ref: '#/components/schemas/DeviceContextProvider' DeviceStatus: description: The state object of the device type: string enum: - ACTIVE - DEACTIVATED - SUSPENDED - UNSUSPENDED x-enumDescriptions: ACTIVE: Use activated devices to create and delete device user links DEACTIVATED: Deactivation causes a device to lose all device user links. 
Set the device status to `DEACTIVATED` before deleting it. SUSPENDED: Use suspended devices to create and delete device user links. You can only unsuspend or deactivate suspended devices. UNSUSPENDED: Returns a suspended device to `ACTIVE`. DeviceUser: type: object properties: created: type: string description: Timestamp when device was created managementStatus: type: string description: The management status of the device enum: - MANAGED - NOT_MANAGED x-enumDescriptions: MANAGED: The device has management software installed NOT_MANAGED: The device doesn't have management software installed screenLockType: type: string description: Screen lock type of the device enum: - NONE - PASSCODE - BIOMETRIC user: $ref: '#/components/schemas/User' DigestAlgorithm: description: Algorithm used to generate the key. Only required for the PBKDF2 algorithm. type: string enum: - SHA256_HMAC - SHA512_HMAC DiskEncryptionTypeAndroid: type: string enum: - FULL - USER DiskEncryptionTypeDef: description: |- Type of encryption used on the device > **Note:** The following values map to Disk Encryption ON: `FULL`, `USER`, `ALL_INTERNAL_VOLUMES`. All other values map to Disk Encryption OFF. type: string enum: - ALL_INTERNAL_VOLUMES - FULL - NONE - SYSTEM_VOLUME - USER x-enumDescriptions: NONE: No encryption has been set. FULL: Disk is fully encrypted. Only applicable to `IOS` and `ANDROID` platforms. USER: Encryption key is tied to the user or profile. Only applicable to `ANDROID` platform. ALL_INTERNAL_VOLUMES: All internal disks are encrypted. Only applicable to `WINDOWS` and `MACOS` platforms. SYSTEM_VOLUME: Only the system volume is encrypted. Only applicable to `WINDOWS` and `MACOS` platforms. 
DiskEncryptionTypeDesktop: type: string enum: - ALL_INTERNAL_VOLUMES DomainCertificate: description: Defines the properties of the certificate type: object properties: certificate: description: Certificate content type: string certificateChain: description: Certificate chain type: string privateKey: description: Certificate private key type: string type: $ref: '#/components/schemas/DomainCertificateType' required: - certificate - certificateChain - privateKey - type DomainCertificateMetadata: description: Certificate metadata for the domain type: object properties: expiration: description: 
Certificate expiration type: string example: '2021-05-11T05:13:05.000Z' fingerprint: description: Certificate fingerprint type: string example: 73:68:82:7B:83:2E:48:29:A5:5E:E8:40:41:80:B3:AA:03:C4:42:43:05:73:45:BC:AA:47:00:23:A3:70:E5:C4 subject: description: Certificate subject type: string example: CN=login.example.com DomainCertificateSourceType: description: Certificate source type that indicates whether the certificate is provided by the user or Okta. type: string enum: - MANUAL - OKTA_MANAGED DomainCertificateType: description: Certificate type type: string enum: - PEM DomainLinks: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: brand: allOf: - $ref: '#/components/schemas/HrefObject' - description: The associated brand certificate: allOf: - $ref: '#/components/schemas/HrefObject' - description: The certificate link references the domain certificate verify: allOf: - $ref: '#/components/schemas/HrefObject' - description: The verify link verifies the domain and transitions the domain status to `VERIFIED` DomainListResponse: description: Defines a list of domains with a subset of the properties for each domain type: object properties: domains: description: Each element of the array defines an individual domain type: array items: $ref: '#/components/schemas/DomainResponse' DomainRequest: type: object properties: certificateSourceType: $ref: '#/components/schemas/DomainCertificateSourceType' domain: description: |- Custom domain name > **Note:** You can't use the reserved `drapp.{yourOrgSubDomain}.okta.com` domain. type: string example: login.example.com required: - certificateSourceType - domain DomainResponse: description: The properties that define an individual domain. 
type: object properties: brandId: description: The ID number of the brand type: string example: bndul904tTZ6kWVhP0g3 certificateSourceType: $ref: '#/components/schemas/DomainCertificateSourceType' dnsRecords: type: array items: $ref: '#/components/schemas/DNSRecordDomains' domain: description: Custom domain name type: string example: login.example.com id: description: Unique ID of the domain type: string example: OcDz6iRyjkaCTXkdo0g3 publicCertificate: $ref: '#/components/schemas/DomainCertificateMetadata' validationStatus: $ref: '#/components/schemas/DomainValidationStatus' _links: $ref: '#/components/schemas/DomainLinks' DomainValidationStatus: description: Status of the domain example: VERIFIED type: string enum: - COMPLETED - IN_PROGRESS - NOT_STARTED - VERIFIED Duration: type: object properties: number: type: integer unit: type: string DynamicNetworkZone: allOf: - $ref: '#/components/schemas/NetworkZone' - title: Dynamic Network Zone - type: object properties: asns: allOf: - $ref: '#/components/schemas/NetworkZoneAsns' - description: An array of ASNs for a Network Zone proxyType: type: string description: The proxy type used for a Dynamic Network Zone enum: - 'null' - Any - Tor - NotTorAnonymizer x-enumDescriptions: 'null': (Or `""`) No proxy used Any: Use any proxy type for the Dynamic Zone. Tor: Use Tor Anonymizer proxy for the Dynamic Zone. NotTorAnonymizer: Use a non Tor Anonymizer proxy for the Dynamic Zone. locations: allOf: - $ref: '#/components/schemas/NetworkZoneLocationArray' - description: An array of geolocations for a Dynamic Network Zone ECKeyJWK: description: Elliptic curve key in JSON Web Key (JWK) format. It's used during enrollment to encrypt fulfillment requests to Yubico, or during activation to verify Yubico's JWS (JSON Web Signature) objects in fulfillment responses. The currently agreed protocol uses P-384. 
type: object properties: crv: type: string description: The elliptic curve protocol enum: - P-384 kid: type: string description: The unique identifier of the key kty: type: string enum: - EC description: The type of public key use: type: string description: The intended use for the key. This value is either `enc` (encryption) during enrollment, when Okta uses the ECKeyJWK to encrypt requests to Yubico, or `sig` (signature) during activation, when Okta uses the ECKeyJWK to verify the responses from Yubico. enum: - enc - sig x: type: string description: The public x coordinate for the elliptic curve point 'y': type: string description: The public y coordinate for the elliptic curve point required: - x - 'y' - kty - crv - use - kid ETag: description: Header to track the completion time of the resource fetch job type: string EmailContent: type: object properties: body: type: string description: | The HTML body of the email. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). <x-lifecycle class="ea"></x-lifecycle> Not required if Custom languages for Okta Email Templates is enabled. A `null` body is replaced with a default value from one of the following in priority order: 1. An existing default email customization, if one exists 2. Okta-provided translated content for the specified language, if one exists 3. Okta-provided translated content for the brand locale, if it's set 4. Okta-provided content in English subject: type: string description: | The email subject. May contain [variable references](https://velocity.apache.org/engine/1.7/user-guide.html#references). <x-lifecycle class="ea"></x-lifecycle> Not required if Custom languages for Okta Email Templates is enabled. A `null` subject is replaced with a default value from one of the following in priority order: 1. An existing default email customization, if one exists 2. Okta-provided translated content for the specified language, if one exists 3. 
Okta-provided translated content for the brand locale, if it's set 4. Okta-provided content in English required: - subject - body EmailCustomization: allOf: - $ref: '#/components/schemas/EmailContent' - type: object properties: created: type: string format: date-time readOnly: true description: The UTC time at which this email customization was created. id: type: string readOnly: true description: A unique identifier for this email customization isDefault: type: boolean description: Whether this is the default customization for the email template. Each customized email template must have exactly one default customization. Defaults to `true` for the first customization and `false` thereafter. language: $ref: '#/components/schemas/Language' lastUpdated: type: string format: date-time readOnly: true description: The UTC time at which this email customization was last updated. _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: self: $ref: '#/components/schemas/HrefObject' template: $ref: '#/components/schemas/HrefObject' preview: $ref: '#/components/schemas/HrefObject' test: $ref: '#/components/schemas/HrefObject' required: - language EmailDefaultContent: allOf: - $ref: '#/components/schemas/EmailContent' - type: object properties: _links: type: object allOf: - $ref: '#/components/schemas/LinksSelf' - properties: template: $ref: '#/components/schemas/HrefObject' preview: $ref: '#/components/schemas/HrefObject' test: $ref: '#/components/schemas/HrefObject' EmailDomain: allOf: - $ref: '#/components/schemas/BaseEmailDomain' type: object properties: brandId: type: string domain: type: string validationSubdomain: type: string description: Subdomain for the email sender's custom mail domain. Specify your subdomain when you configure a custom mail domain. 
default: mail required: - domain - brandId EmailDomainDNSRecord: type: object properties: fqdn: type: string recordType: $ref: '#/components/schemas/EmailDomainDNSRecordType' verificationValue: type: string EmailDomainDNSRecordType: type: string enum: - CNAME - TXT EmailDomainResponse: allOf: - $ref: '#/components/schemas/BaseEmailDomain' type: object properties: dnsValidationRecords: type: array items: $ref: '#/components/schemas/EmailDomainDNSRecord' domain: type: string id: type: string validationStatus: $ref: '#/components/schemas/EmailDomainStatus' validationSubdomain: type: string description: The subdomain for the email sender's custom mail domain default: mail EmailDomainResponseWithEmbedded: allOf: - $ref: '#/components/schemas/EmailDomainResponse' type: object properties: _embedded: type: object properties: brands: type: array items: $ref: '#/components/schemas/Brand' readOnly: true EmailDomainStatus: type: string enum: - DELETED - ERROR - NOT_STARTED - POLLING - VERIFIED EmailPreview: type: object properties: body: type: string readOnly: true description: The email's HTML body subject: type: string readOnly: true description: The email's subject _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: contentSource: $ref: '#/components/schemas/HrefObject' template: $ref: '#/components/schemas/HrefObject' test: $ref: '#/components/schemas/HrefObject' defaultContent: $ref: '#/components/schemas/HrefObject' EmailServerListResponse: type: object properties: email-servers: type: array items: $ref: '#/components/schemas/EmailServerResponse' EmailServerPost: allOf: - $ref: '#/components/schemas/EmailServerRequest' - required: - host - port - username - password - alias EmailServerRequest: allOf: - $ref: '#/components/schemas/BaseEmailServer' - properties: password: type: string description: Password used to access your SMTP server EmailServerResponse: allOf: - $ref: '#/components/schemas/BaseEmailServer' - properties: id: type: string description: 
ID of your SMTP server EmailSettings: type: object properties: recipients: type: string enum: - ALL_USERS - ADMINS_ONLY - NO_USERS required: - recipients EmailSettingsResponse: type: object properties: recipients: type: string enum: - ALL_USERS - ADMINS_ONLY - NO_USERS _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: self: $ref: '#/components/schemas/HrefObject' template: $ref: '#/components/schemas/HrefObject' EmailTemplateResponse: type: object properties: name: type: string readOnly: true description: The name of this email template _embedded: type: object properties: settings: $ref: '#/components/schemas/EmailSettingsResponse' customizationCount: type: integer readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: settings: $ref: '#/components/schemas/HrefObject' defaultContent: $ref: '#/components/schemas/HrefObject' customizations: $ref: '#/components/schemas/HrefObject' test: $ref: '#/components/schemas/HrefObject' EmailTemplateTouchPointVariant: description: | Variant for email templates. You can publish a theme for email templates with different combinations of assets. Variants are preset combinations of those assets. default: OKTA_DEFAULT type: string enum: - FULL_THEME - OKTA_DEFAULT x-enumDescriptions: FULL_THEME: Uses the Okta logo and Okta colors in email templates OKTA_DEFAULT: Uses the logo from the theme. Uses `primaryColorHex` as the background color for buttons. EmailTestAddresses: type: object properties: fromAddress: type: string description: Email address that sends test emails example: sender@host.com toAddress: type: string description: Email address that receives test emails example: receiver@host.com required: - fromAddress - toAddress EmptyRequestSchema: title: Empty description: Empty object payload type: object EnabledStatus: description: Setting status type: string enum: - DISABLED - ENABLED EndUserDashboardTouchPointVariant: description: | Variant for the Okta End-User Dashboard. 
You can publish a theme for end-user dashboard with different combinations of assets. Variants are preset combinations of those assets. default: OKTA_DEFAULT type: string enum: - FULL_THEME - LOGO_ON_FULL_WHITE_BACKGROUND - OKTA_DEFAULT - WHITE_LOGO_BACKGROUND x-enumDescriptions: FULL_THEME: Uses the logo and favicon from the theme. Uses `primaryColorHex` for the logo and the side navigation bar background color. LOGO_ON_FULL_WHITE_BACKGROUND: Uses the logo and favicon from the theme. Uses white background color for the logo and the side navigation bar background color. OKTA_DEFAULT: Uses the Okta logo and favicon. Uses a white background color for the logo and the side navigation bar background color. WHITE_LOGO_BACKGROUND: Uses the logo and favicon from the theme, with a white background color for the logo. Uses `primaryColorHex` for the side navigation bar background color. EndpointAuthMethod: description: Requested authentication method for OAuth 2.0 endpoints. type: string enum: - client_secret_basic - client_secret_jwt - client_secret_post - none - private_key_jwt EnhancedDynamicNetworkZone: allOf: - $ref: '#/components/schemas/NetworkZone' - title: Enhanced Dynamic Network Zone - type: object x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] properties: asns: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] type: object description: The list of ASNs associated with an Enhanced Dynamic Network Zone properties: include: allOf: - $ref: '#/components/schemas/NetworkZoneAsns' - description: An array of ASNs to include for an Enhanced Dynamic Network Zone exclude: allOf: - $ref: '#/components/schemas/NetworkZoneAsns' - description: An array of ASNs to exclude for an Enhanced Dynamic Network Zone locations: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] type: object description: The list of geolocations to include or exclude for an Enhanced Dynamic Network Zone properties: include: - $ref: 
'#/components/schemas/NetworkZoneLocationArray' exclude: - $ref: '#/components/schemas/NetworkZoneLocationArray' ipServiceCategories: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] type: object description: IP services, such as a proxy or VPN, to include or exclude for an Enhanced Dynamic Network Zone properties: include: type: array description: IP services to include for an Enhanced Dynamic Network Zone items: $ref: '#/components/schemas/IPServiceCategory' maximum: 75 exclude: type: array description: IP services to exclude for an Enhanced Dynamic Network Zone items: $ref: '#/components/schemas/IPServiceCategory' maximum: 75 EnrollmentActivationRequest: description: Enrollment activation request type: object properties: credResponses: description: List of credential responses from the fulfillment provider type: array items: $ref: '#/components/schemas/WebAuthnCredResponse' fulfillmentProvider: description: Name of the fulfillment provider for the WebAuthn preregistration factor type: string enum: - yubico pinResponseJwe: description: Encrypted JWE of the PIN response from the fulfillment provider type: string serial: description: Serial number of the YubiKey type: string userId: description: ID of an existing Okta user type: string version: description: Firmware version of the YubiKey type: string yubicoSigningJwks: description: List of usable signing keys from Yubico (in JSON Web Key Set (JWKS) format). The signing keys are used to verify the JSON Web Signature (JWS) inside the JWE. 
type: array items: $ref: '#/components/schemas/ECKeyJWK' EnrollmentActivationResponse: description: Enrollment activation response type: object properties: authenticatorEnrollmentIds: description: List of IDs for preregistered WebAuthn factors in Okta type: array items: type: string fulfillmentProvider: description: Name of the fulfillment provider for the WebAuthn preregistration factor type: string enum: - yubico userId: description: ID of an existing Okta user type: string EnrollmentInitializationRequest: description: Enrollment initialization request type: object properties: enrollmentRpIds: description: List of relying party hostnames to register on the YubiKey type: array items: type: string fulfillmentProvider: description: Name of the fulfillment provider for the WebAuthn preregistration factor type: string enum: - yubico userId: description: ID of an existing Okta user type: string yubicoTransportKeyJWK: description: Transport public key in JWK (JSON Web Key) format used to encrypt fulfillment requests to Yubico $ref: '#/components/schemas/ECKeyJWK' EnrollmentInitializationResponse: description: Yubico transport key in the form of a JSON Web Key (JWK), used to encrypt our fulfillment request to Yubico. The currently agreed protocol uses P-384. 
type: object properties: credRequests: description: List of credential requests for the fulfillment provider type: array items: $ref: '#/components/schemas/WebAuthnCredRequest' fulfillmentProvider: description: Name of the fulfillment provider for the WebAuthn preregistration factor type: string enum: - yubico pinRequestJwe: description: Encrypted JWE of PIN request for the fulfillment provider type: string userId: description: ID of an existing Okta user type: string EnrollmentPolicyAuthenticatorGracePeriod: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>Specifies the time period required to complete an authenticator enrollment or setup type: object properties: type: type: string description: Grace period type enum: - BY_DATE_TIME discriminator: propertyName: type mapping: BY_DATE_TIME: '#/components/schemas/ByDateTimeAuthenticatorGracePeriodExpiry' EntitlementValue: type: object properties: id: type: string description: Entitlement value ID name: type: string description: The entitlement value resource name value: type: string description: The entitlement value resource [ORN](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn) _links: type: object description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true properties: group: $ref: '#/components/schemas/HrefObjectGroupLink' app: $ref: '#/components/schemas/HrefObjectAppLink' resource-set: $ref: '#/components/schemas/HrefObjectResourceSetLink' EntitlementValuesResponse: type: object properties: entitlementValues: type: array description: List of entitlement values for a bundle entitlement items: $ref: '#/components/schemas/EntitlementValue' _links: allOf: - 
$ref: '#/components/schemas/LinksSelf' - properties: bundle: $ref: '#/components/schemas/BundleLink' entitlements: $ref: '#/components/schemas/EntitlementsLink' next: $ref: '#/components/schemas/HrefObjectNextLink' EntitlementsLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the entitlements resource EntityRiskPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: type: string description: Policy conditions aren't supported for this policy type. default: null nullable: true EntityRiskPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: type: object description: The action to take based on the risk event properties: entityRisk: type: object description: The object that contains the `actions` array properties: actions: type: array description: The `entityRisk` object's `actions` array can be empty or contain one of two `action` object value pairs. This object determines the specific response to a risk event. items: $ref: '#/components/schemas/EntityRiskPolicyRuleActionsObject' conditions: $ref: '#/components/schemas/EntityRiskPolicyRuleConditions' EntityRiskPolicyRuleActionRunWorkflow: type: object properties: action: type: string enum: - RUN_WORKFLOW workflow: type: object description: This action runs a workflow properties: id: type: integer description: The `id` of the workflow that runs. EntityRiskPolicyRuleActionTerminateAllSessions: type: object properties: action: type: string description: This action revokes or terminates all of the user's active sessions. 
enum: - TERMINATE_ALL_SESSIONS EntityRiskPolicyRuleActionsObject: type: object properties: action: type: string enum: - RUN_WORKFLOW - TERMINATE_ALL_SESSIONS discriminator: propertyName: action mapping: RUN_WORKFLOW: '#/components/schemas/EntityRiskPolicyRuleActionRunWorkflow' TERMINATE_ALL_SESSIONS: '#/components/schemas/EntityRiskPolicyRuleActionTerminateAllSessions' EntityRiskPolicyRuleConditions: allOf: - type: object - description: Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions and conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule. properties: entityRisk: $ref: '#/components/schemas/EntityRiskScorePolicyRuleCondition' people: $ref: '#/components/schemas/PolicyPeopleCondition' riskDetectionTypes: $ref: '#/components/schemas/RiskDetectionTypesPolicyRuleCondition' EntityRiskScorePolicyRuleCondition: description: <x-lifecycle class="oie"></x-lifecycle> The risk score level of the entity risk policy rule type: object properties: level: type: string enum: - ANY - LOW - MEDIUM - HIGH required: - level Error: title: Error type: object properties: errorCauses: type: array items: $ref: '#/components/schemas/ErrorCause' errorCode: type: string description: An Okta code for this type of error errorId: type: string description: A unique identifier for this error. This can be used by Okta Support to help with troubleshooting. errorLink: type: string description: An Okta code for this type of error errorSummary: type: string description: A short description of what caused this error. Sometimes this contains dynamically-generated information about your specific error. 
Error409: description: Conflict error object type: object properties: errorCauses: type: array description: Another request has already been received for the settings for this email template readOnly: true errorCode: type: string description: E0000254 readOnly: true errorId: type: string description: sampleH3iLB6bpBcbnV9E09Fy readOnly: true errorLink: type: string description: E0000254 readOnly: true errorSummary: type: string description: Another request has already been received for the settings for this email template readOnly: true ErrorCause: type: object properties: errorSummary: type: string ErrorDetails: description: Details about an error that occurred during the operation type: object properties: code: type: string description: The error code message: type: string description: The error message ErrorPage: allOf: - $ref: '#/components/schemas/CustomizablePage' - type: object properties: contentSecurityPolicySetting: $ref: '#/components/schemas/ContentSecurityPolicySetting' ErrorPageTouchPointVariant: description: | Variant for the error page. You can publish a theme for error page with different combinations of assets. Variants are preset combinations of those assets. default: OKTA_DEFAULT type: string enum: - BACKGROUND_IMAGE - BACKGROUND_SECONDARY_COLOR - OKTA_DEFAULT x-enumDescriptions: BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the theme BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the theme. Uses `secondaryColorHex` as the background color for the error page. 
OKTA_DEFAULT: Uses the Okta logo, favicon, and background color EventHook: type: object properties: channel: $ref: '#/components/schemas/EventHookChannel' created: description: Timestamp of the event hook creation type: string format: date-time readOnly: true createdBy: description: The ID of the user who created the event hook type: string readOnly: true description: description: Description of the event hook type: string nullable: true events: $ref: '#/components/schemas/EventSubscriptions' id: type: string description: Unique key for the event hook readOnly: true lastUpdated: description: Date of the last event hook update type: string format: date-time readOnly: true name: description: Display name for the event hook type: string status: description: Status of the event hook type: string enum: - ACTIVE - INACTIVE readOnly: true verificationStatus: $ref: '#/components/schemas/EventHookVerificationStatus' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: deactivate: $ref: '#/components/schemas/HrefObject' verify: $ref: '#/components/schemas/HrefObject' required: - name - events - channel EventHookChannel: type: object properties: config: $ref: '#/components/schemas/EventHookChannelConfig' type: $ref: '#/components/schemas/EventHookChannelType' version: description: Version of the channel. Currently the only supported version is `1.0.0`. type: string required: - type - config - version EventHookChannelConfig: type: object properties: authScheme: $ref: '#/components/schemas/EventHookChannelConfigAuthScheme' headers: description: |- Optional list of key/value pairs for headers that can be sent with the request to the external service. For example, `X-Other-Header` is an example of an optional header, with a value of `my-header-value`, that you want Okta to pass to your external service. 
type: array items: $ref: '#/components/schemas/EventHookChannelConfigHeader' method: description: The method of the Okta event hook request type: string readOnly: true uri: description: The external service endpoint called to execute the event hook handler type: string required: - uri EventHookChannelConfigAuthScheme: description: |- The authentication scheme used for this request. To use Basic Auth for authentication, set `type` to `HEADER`, `key` to `Authorization`, and `value` to the Base64-encoded string of "username:password". Ensure that you include the scheme (including space) as part of the `value` parameter. For example, `Basic YWRtaW46c3VwZXJzZWNyZXQ=`. type: object properties: key: description: The name for the authorization header type: string type: $ref: '#/components/schemas/EventHookChannelConfigAuthSchemeType' value: description: |- The header value. This secret key is passed to your external service endpoint for security verification. This property is not returned in the response. type: string writeOnly: true EventHookChannelConfigAuthSchemeType: description: The authentication scheme type. Currently only supports `HEADER`. type: string enum: - HEADER EventHookChannelConfigHeader: nullable: true type: object properties: key: description: The optional field or header name type: string value: description: The value for the key type: string EventHookChannelType: description: The channel type. Currently supports `HTTP`. 
type: string enum: - HTTP EventHookFilterMap: description: The object that maps the filter to the event type items: $ref: '#/components/schemas/EventHookFilterMapObject' type: array EventHookFilterMapObject: type: object properties: condition: $ref: '#/components/schemas/EventHookFilterMapObjectCondition' event: type: string description: The filtered event type EventHookFilterMapObjectCondition: type: object properties: expression: type: string description: The Okta Expression language statement that filters the event type version: type: string nullable: true description: Internal field readOnly: true EventHookFilters: nullable: true description: |- The optional filter defined on a specific event type > **Note:** Event hook filters is a [self-service Early Access (EA)](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature that you need to enable. If you want to disable this feature, it's recommended to first remove all event filters. type: object properties: eventFilterMap: $ref: '#/components/schemas/EventHookFilterMap' type: type: string description: The type of filter. Currently only supports `EXPRESSION_LANGUAGE` readOnly: true EventHookSubscribedEventTypes: description: |- The subscribed event types that trigger the event hook. When you register an event hook you need to specify which events you want to subscribe to. To see the list of event types currently eligible for use in event hooks, use the [Event Types catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog) and search with the parameter `event-hook-eligible`. items: type: string type: array EventHookVerificationStatus: description: Verification status of the event hook. `UNVERIFIED` event hooks won't receive any events. type: string enum: - UNVERIFIED - VERIFIED readOnly: true EventSubscriptionType: description: The events object type. Currently supports `EVENT_TYPE`.
type: string enum: - EVENT_TYPE EventSubscriptions: type: object properties: filter: $ref: '#/components/schemas/EventHookFilters' items: $ref: '#/components/schemas/EventHookSubscribedEventTypes' type: $ref: '#/components/schemas/EventSubscriptionType' required: - type - items ExpiresAt: format: date-time description: Timestamp when the object expires example: '2016-01-03T18:15:47.000Z' type: string readOnly: true Expression: description: Conditional expression type: object properties: value: description: Value of the condition expression type: string FCMConfiguration: properties: fileName: type: string description: (Optional) File name for Admin Console display projectId: type: string description: Project ID of FCM configuration readOnly: true serviceAccountJson: type: object description: JSON containing the private service account key and service account details. See [Creating and managing service account keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for more information on creating service account keys in JSON. 
writeOnly: true FCMPushProvider: allOf: - $ref: '#/components/schemas/PushProvider' - type: object properties: configuration: $ref: '#/components/schemas/FCMConfiguration' FailbackRequestSchema: title: Domains type: object properties: domains: type: array description: List of Okta domains to failback items: type: string description: Okta domain to failback example: yourOktaDomain.okta.com FailoverRequestSchema: title: Domains type: object properties: domains: type: array description: List of Okta domains to failover items: type: string description: Okta domain to failover example: yourOktaDomain.okta.com Feature: description: Specifies feature release cycle information type: object properties: description: type: string description: Brief description of the feature and what it provides id: type: string description: Unique identifier for this feature readOnly: true name: type: string description: Name of the feature stage: $ref: '#/components/schemas/FeatureStage' status: $ref: '#/components/schemas/EnabledStatus' type: $ref: '#/components/schemas/FeatureType' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: dependents: description: Link to feature dependents type: object readOnly: true properties: href: description: Link URI type: string readOnly: true dependencies: description: Link to feature dependencies type: object readOnly: true properties: href: description: Link URI type: string readOnly: true FeatureLifecycle: example: ENABLE type: string enum: - DISABLE - ENABLE FeatureStage: description: |- Current release cycle stage of a feature If a feature's stage value is `EA`, the state is `null` and not returned. If the value is `BETA`, the state is `OPEN` or `CLOSED` depending on whether the `BETA` feature is manageable. > **Note:** If a feature's stage is `OPEN BETA`, you can update it only in Preview cells. If a feature's stage is `CLOSED BETA`, you can disable it only in Preview cells. 
type: object properties: state: $ref: '#/components/schemas/FeatureStageState' value: $ref: '#/components/schemas/FeatureStageValue' FeatureStageState: description: Indicates the release state of the feature type: string enum: - CLOSED - OPEN FeatureStageValue: description: Current release stage of the feature type: string enum: - BETA - EA FeatureType: description: Type of feature type: string enum: - self-service FederatedClaim: type: object properties: created: type: string description: Timestamp when the federated claim was created example: '2024-02-29T20:08:24.000Z' readOnly: true nullable: false expression: type: string description: The Okta Expression Language expression to be evaluated at runtime example: appuser.entitlements.role readOnly: false nullable: false id: type: string description: The unique ID of the federated claim example: ofc2f4zrZbs8nUa7p0g4 readOnly: true nullable: false lastUpdated: type: string description: Timestamp when the federated claim was updated example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false name: type: string description: The name of the claim to be used in the produced token example: roleg readOnly: false nullable: false FederatedClaimRequestBody: type: object properties: expression: type: string description: The Okta Expression Language expression to be evaluated at runtime example: appuser.entitlements.role name: type: string description: The name of the claim to be used in the produced token example: role FipsEnum: type: string enum: - OPTIONAL - REQUIRED ForgotPasswordResponse: type: object properties: resetPasswordUrl: type: string readOnly: true FulfillmentData: description: List of fulfillment order details items: $ref: '#/components/schemas/FulfillmentDataOrderDetails' type: array FulfillmentDataOrderDetails: description: Information about the fulfillment order that includes the factor’s make and model, the custom configuration of the factor, and inventory details. 
type: object properties: customizationId: description: ID for the set of custom configurations of the requested factor type: string inventoryProductId: description: ID for the specific inventory bucket of the requested factor type: string productId: description: ID for the make and model of the requested factor type: string FulfillmentRequest: description: Fulfillment request type: object properties: fulfillmentData: $ref: '#/components/schemas/FulfillmentData' fulfillmentProvider: description: Name of the fulfillment provider for the WebAuthn preregistration factor type: string enum: - yubico userId: description: ID of an existing Okta user type: string GoogleApplication: title: Google Workspace x-tags: - Application x-okta-defined-as: name: google example: name: google label: Sample Google App signOnMode: SAML_2_0 settings: app: domain: my-company-domain description: | Schema for the Google Workspace app (key name: `google`) To create a Google Workspace app, use the [Create an Application](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. > **Note:** The Google Workspace app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. 
allOf: - $ref: '#/components/schemas/OINApplication' - type: object - required: - name - label - settings properties: name: type: string enum: - google example: google signOnMode: type: string enum: - BROWSER_PLUGIN - SAML_2_0 example: BROWSER_PLUGIN settings: $ref: '#/components/schemas/GoogleApplicationSettings' GoogleApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object - required: - app properties: app: $ref: '#/components/schemas/GoogleApplicationSettingsApplication' signOn: $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' GoogleApplicationSettingsApplication: description: Google app instance properties type: object properties: domain: type: string description: Your Google company domain rpId: type: string description: RPID required: - domain GovernanceBundle: type: object properties: description: type: string description: Description of the governance bundle id: type: string description: Governance bundle ID name: type: string description: Name of the governance bundle orn: type: string description: The governance bundle resource, in [ORN format](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn) status: type: string description: Status of the governance bundle _links: type: object description: Link relations available properties: entitlements: $ref: '#/components/schemas/EntitlementsLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' GovernanceBundleCreateRequest: description: Request to create a governance bundle type: object properties: description: type: string description: Description of the governance bundle entitlements: type: array description: List of entitlements to include in the governance bundle items: $ref: '#/components/schemas/IAMBundleEntitlement' name: type: string description: Name of the governance bundle GovernanceBundleUpdateRequest: description: Request to update a governance bundle type: object properties: description: type: 
string description: Description of the governance bundle entitlements: type: array description: List of entitlements to include in the governance bundle items: $ref: '#/components/schemas/IAMBundleEntitlement' name: type: string description: Name of the governance bundle GovernanceBundlesResponse: type: object properties: bundles: type: array description: List of governance bundles items: $ref: '#/components/schemas/GovernanceBundle' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - readOnly: true - type: object properties: next: $ref: '#/components/schemas/HrefObjectNextLink' GovernanceSourceType: description: The grant type type: string enum: - CUSTOM - ENTITLEMENT-BUNDLE GracePeriod: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>Represents the Grace Period configuration for the device assurance policy type: object properties: expiry: oneOf: - $ref: '#/components/schemas/ByDateTimeExpiry' - $ref: '#/components/schemas/ByDurationExpiry' type: description: Represents the type of Grace Period configured for the device assurance policy type: string enum: - BY_DATE_TIME - BY_DURATION example: BY_DATE_TIME x-enumDescriptions: BY_DATE_TIME: The Grace Period configured for this device assurance policy expires at a specified date and time BY_DURATION: The Grace Period configured for this device assurance policy expires after a specified duration GrantOrTokenStatus: description: Status example: ACTIVE type: string enum: - ACTIVE - REVOKED readOnly: true GrantResourcesHrefObject: type: object properties: href: type: string description: Link URI example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/grants GrantType: description: Determines the mechanism Okta uses to authorize the creation of the tokens. 
type: string enum: - authorization_code - client_credentials - implicit - interaction_code - password - refresh_token - urn:ietf:params:oauth:grant-type:device_code - urn:ietf:params:oauth:grant-type:jwt-bearer - urn:ietf:params:oauth:grant-type:saml2-bearer - urn:ietf:params:oauth:grant-type:token-exchange - urn:openid:params:grant-type:ciba - urn:okta:params:oauth:grant-type:otp - urn:okta:params:oauth:grant-type:oob - http://auth0.com/oauth/grant-type/mfa-otp - http://auth0.com/oauth/grant-type/mfa-oob GrantTypePolicyRuleCondition: description: Array of grant types that this condition includes. Determines the mechanism that Okta uses to authorize the creation of the tokens. type: object properties: include: type: array description: Array of grant types that this condition includes. items: type: string Group: type: object properties: created: type: string format: date-time readOnly: true description: Timestamp when the group was created id: type: string readOnly: true example: 0gabcd1234 description: Unique ID for the group lastMembershipUpdated: type: string format: date-time readOnly: true description: Timestamp when the group's memberships were last updated lastUpdated: type: string format: date-time readOnly: true description: Timestamp when the group's profile was last updated objectClass: type: array readOnly: true description: Determines the group's `profile` items: type: string profile: $ref: '#/components/schemas/GroupProfile' type: $ref: '#/components/schemas/GroupType' _embedded: type: object description: Embedded resources related to the group readOnly: true properties: stats: description: Statistics about the group type: object properties: usersCount: type: integer format: int32 description: Number of users in the group appsCount: type: integer format: int32 description: Number of apps associated with the group groupPushMappingsCount: type: integer format: int32 description: Number of group push mappings associated with the group hasAdminPrivlege:
type: boolean description: Indicates if the group has admin privileges via a group-level role assignment app: description: If the group is sourced from an app, this object contains information about that app type: object properties: id: type: string description: The ID of the `AppInstance` name: type: string description: The name of the `AppInstance` label: type: string description: The user-facing display name of the `AppInstance` signOnMode: type: string description: The configured sign-on mode for the `AppInstance` example: SAML_1_1 _links: description: '[Discoverable resources](/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroups!c=200&path=_links&t=response) related to the group' allOf: - $ref: '#/components/schemas/LinksSelf' - properties: apps: $ref: '#/components/schemas/HrefObject' logo: type: array items: $ref: '#/components/schemas/HrefObject' source: $ref: '#/components/schemas/HrefObject' users: $ref: '#/components/schemas/HrefObject' GroupAssignmentProfile: description: |- Specifies the profile properties applied to [application users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/ApplicationUsers/) that are assigned to the app through group membership. Some reference properties are imported from the target app and can't be configured. See [profile](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response). 
additionalProperties: true type: object GroupCondition: description: Specifies a set of groups whose users are to be included or excluded type: object properties: exclude: type: array description: Groups to be excluded items: type: string include: type: array description: Groups to be included items: type: string required: - exclude - include GroupMembershipsRequestSchema: type: object properties: memberExternalIds: type: array description: A list of app user external IDs to be inserted in this group in Okta items: type: string maxLength: 255 GroupMembershipsResponseSchema: type: object properties: memberExternalIds: type: array description: A list of app user external IDs that are members of the group in Okta items: type: string maxLength: 255 GroupOwner: type: object properties: displayName: description: The display name of the group owner type: string readOnly: true id: description: The `id` of the group owner type: string lastUpdated: description: Timestamp when the group owner was last updated type: string format: date-time readOnly: true originId: description: The ID of the app instance if the `originType` is `APPLICATION`. This value is `NULL` if `originType` is `OKTA_DIRECTORY`. type: string originType: $ref: '#/components/schemas/GroupOwnerOriginType' resolved: description: If `originType` is `APPLICATION`, this parameter is set to `FALSE` until the owner's `originId` is reconciled with an associated Okta ID.
type: boolean type: $ref: '#/components/schemas/GroupOwnerType' GroupOwnerOriginType: description: The source where group ownership is managed type: string enum: - APPLICATION - OKTA_DIRECTORY GroupOwnerType: description: The entity type of the owner type: string enum: - GROUP - USER GroupPolicyRuleCondition: description: Specifies a set of groups whose users are to be included or excluded type: object properties: exclude: type: array description: Groups to be excluded items: type: string include: type: array description: Groups to be included items: type: string GroupProfile: description: |- Specifies required and optional properties for a group. The `objectClass` of a group determines which additional properties are available. You can extend group profiles with custom properties, but you must first add the properties to the group profile schema before you can reference them. Use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) to manage schema extensions. Custom properties can contain HTML tags. It is the client's responsibility to escape or encode this data before displaying it. Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. 
oneOf: - $ref: '#/components/schemas/OktaUserGroupProfile' - $ref: '#/components/schemas/OktaActiveDirectoryGroupProfile' discriminator: propertyName: objectClass mapping: okta:user_group: '#/components/schemas/OktaUserGroupProfile' okta:windows_security_principal: '#/components/schemas/OktaActiveDirectoryGroupProfile' additionalProperties: true x-okta-extensible: true GroupPushMapping: type: object properties: appConfig: type: object readOnly: true $ref: '#/components/schemas/AppConfig' created: description: Timestamp when the group push mapping was created type: string format: date-time readOnly: true errorSummary: description: The error message summary if the latest push failed type: string readOnly: true id: description: The ID of the group push mapping type: string readOnly: true lastPush: description: Timestamp when the group push mapping was pushed type: string format: date-time readOnly: true lastUpdated: description: Timestamp when the group push mapping was last updated type: string format: date-time readOnly: true sourceGroupId: description: The ID of the source group for the group push mapping type: string readOnly: true status: description: The status of the group push mapping type: string $ref: '#/components/schemas/GroupPushMappingStatus' readOnly: true targetGroupId: description: The ID of the target group for the group push mapping type: string readOnly: true _links: $ref: '#/components/schemas/GroupPushMappingLinks' GroupPushMappingLinks: description: Discoverable resources related to the group push mapping type: object properties: app: $ref: '#/components/schemas/HrefObjectAppLink' sourceGroup: $ref: '#/components/schemas/HrefObjectGroupLink' targetGroup: $ref: '#/components/schemas/HrefObjectGroupLink' GroupPushMappingStatus: description: The status of the group push mapping type: string enum: - ACTIVE - ERROR - INACTIVE x-enumDescriptions: ACTIVE: The group push mapping is active and Okta pushes membership changes to the target group INACTIVE: 
The group push mapping is inactive and Okta doesn't push membership changes to the target group ERROR: The group push mapping is in an error state and Okta doesn't push membership changes to the target group GroupPushMappingStatusUpsert: description: The status of the group push mapping title: GroupPushMappingStatus default: ACTIVE type: string enum: - ACTIVE - INACTIVE GroupRule: type: object properties: actions: $ref: '#/components/schemas/GroupRuleAction' conditions: $ref: '#/components/schemas/GroupRuleConditions' created: type: string format: date-time readOnly: true description: Creation date for group rule id: type: string readOnly: true description: ID of the group rule lastUpdated: type: string format: date-time readOnly: true description: Date group rule was last updated name: type: string description: Name of the group rule minLength: 1 maxLength: 50 status: $ref: '#/components/schemas/GroupRuleStatus' type: type: string description: Type to indicate a group rule operation. Only `group_rule` is allowed. GroupRuleAction: description: Defines which users and groups to assign type: object properties: assignUserToGroups: $ref: '#/components/schemas/GroupRuleGroupAssignment' GroupRuleConditions: description: Defines group rule conditions type: object properties: expression: $ref: '#/components/schemas/GroupRuleExpression' people: $ref: '#/components/schemas/GroupRulePeopleCondition' GroupRuleExpression: description: Defines Okta-specific [group-rules expression](https://developer.okta.com/docs/reference/okta-expression-language/#expressions-in-group-rules) type: object properties: type: type: string description: Expression type. Only valid value is '`urn:okta:expression:1.0`'.
value: type: string description: Okta expression that would result in a Boolean value example: user.role==\"Engineer\" GroupRuleGroupAssignment: description: Contains the `groupIds` array type: object properties: groupIds: description: Array of `groupIds` to which users are added type: array items: type: string GroupRuleGroupCondition: description: Currently not supported type: object properties: exclude: type: array description: Currently not supported items: type: string GroupRulePeopleCondition: description: Defines conditions for `people` in a group rule type: object properties: groups: $ref: '#/components/schemas/GroupRuleGroupCondition' users: $ref: '#/components/schemas/GroupRuleUserCondition' GroupRuleStatus: description: Status of group rule. You can't update the status of a rule from `INACTIVE` to `ACTIVE`. You must use the activate and deactivate lifecycle operations. type: string enum: - ACTIVE - INACTIVE - INVALID GroupRuleUserCondition: description: Defines conditions specific to user exclusion type: object properties: exclude: type: array description: Excluded `userIds` when processing rules items: type: string GroupSchema: type: object properties: $schema: readOnly: true type: string description: JSON schema version identifier created: readOnly: true type: string description: Timestamp when the schema was created definitions: $ref: '#/components/schemas/GroupSchemaDefinitions' description: type: string description: Description for the schema id: readOnly: true type: string description: URI of group schema lastUpdated: readOnly: true type: string description: Timestamp when the schema was last updated name: readOnly: true type: string description: Name of the schema properties: $ref: '#/components/schemas/UserSchemaProperties' description: Group object properties title: type: string description: User-defined display name for the schema type: readOnly: true type: string description: Type of [root 
schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) _links: $ref: '#/components/schemas/LinksSelf' x-okta-allow-null-property-value-for-updates: true GroupSchemaAttribute: type: object properties: description: type: string description: Description of the property enum: items: anyOf: - type: string - type: integer type: array nullable: true description: |- Enumerated value of the property. The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. externalName: type: string description: Name of the property as it exists in an external application externalNamespace: type: string description: Namespace from the external application format: description: Identifies the type of data represented by the string allOf: - $ref: '#/components/schemas/UserSchemaAttributeFormat' items: $ref: '#/components/schemas/UserSchemaAttributeItems' nullable: true master: description: Identifies where the property is mastered allOf: - $ref: '#/components/schemas/UserSchemaAttributeMaster' maxLength: type: integer nullable: true description: Maximum character length of a string property minLength: type: integer nullable: true description: Minimum character length of a string property mutability: description: Defines the mutability of the property allOf: - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' oneOf: items: $ref: '#/components/schemas/UserSchemaAttributeEnum' type: array nullable: true description: |- Non-empty array of valid JSON schemas. 
The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value.<br> Each schema has the following format: ``` { "const": "enumValue", "title": "display name" } ``` When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order.<br> For example: ``` "enum": ["S","M","L","XL"], "oneOf": [ {"const": "S", "title": "Small"}, {"const": "M", "title": "Medium"}, {"const": "L", "title": "Large"}, {"const": "XL", "title": "Extra Large"} ] ``` permissions: description: Access control permissions for the property items: $ref: '#/components/schemas/UserSchemaAttributePermission' type: array nullable: true required: type: boolean nullable: true description: Determines whether the property is required scope: description: Determines whether a group attribute can be set at the individual or group level allOf: - $ref: '#/components/schemas/UserSchemaAttributeScope' title: type: string minLength: 1 description: User-defined display name for the property type: description: Type of property allOf: - $ref: '#/components/schemas/UserSchemaAttributeType' unique: description: Determines whether property values must be unique type: string nullable: true GroupSchemaBase: type: object properties: id: readOnly: true type: string description: The subschema name properties: description: The `#base` object properties allOf: - $ref: '#/components/schemas/GroupSchemaBaseProperties' required: items: type: string type: array description: A collection indicating required property names readOnly: true type: description: The object type type: string readOnly: true GroupSchemaBaseProperties: description: All Okta-defined profile properties are defined in a profile subschema with the resolution scope `#base`. These properties can't be removed or edited, regardless of any attempt to do so. 
type: object properties: description: description: Human readable description of the group allOf: - $ref: '#/components/schemas/GroupSchemaAttribute' name: description: Unique identifier for the group allOf: - $ref: '#/components/schemas/GroupSchemaAttribute' GroupSchemaCustom: description: All custom profile properties are defined in a profile subschema with the resolution scope `#custom` type: object properties: id: readOnly: true type: string description: The subschema name properties: additionalProperties: $ref: '#/components/schemas/GroupSchemaAttribute' type: object description: The `#custom` object properties required: items: type: string type: array description: A collection indicating required property names readOnly: true type: type: string description: The object type readOnly: true GroupSchemaDefinitions: type: object properties: base: $ref: '#/components/schemas/GroupSchemaBase' custom: $ref: '#/components/schemas/GroupSchemaCustom' GroupType: description: Determines how a group's profile and memberships are managed type: string enum: - APP_GROUP - BUILT_IN - OKTA_GROUP x-enumDescriptions: APP_GROUP: Group profile and memberships are imported and must be managed within the app (such as Active Directory or LDAP) that imported the group BUILT_IN: Group profile and memberships are managed by Okta and can't be modified OKTA_GROUP: Group profile and memberships are directly managed in Okta via static assignments or indirectly through group rules GroupsLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the [Application Groups](/openapi/okta-management/management/tag/ApplicationGroups/#tag/ApplicationGroups/operation/listApplicationGroupAssignments) resource GroupsRequestSchema: type: object properties: externalId: type: string description: The external ID of the identity source group to be created maxLength: 255 profile: $ref: '#/components/schemas/IdentitySourceGroupProfileForUpsert' GroupsResponseSchema: type: object properties: 
externalId: type: string description: The external ID of the identity source group maxLength: 255 id: type: string description: The Okta group ID of the identity source group readOnly: true profile: type: object description: The profile information of the group properties: profile: $ref: '#/components/schemas/IdentitySourceGroupProfileForUpsert' HelpLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the app help resource HookKey: title: HookKeyInstance description: |- The `id` property in the response serves as the unique ID for the key, which you can specify when invoking other CRUD operations. The `keyId` provided in the response is the alias of the public key that you can use to get details of the public key data in a separate call. type: object properties: created: type: string format: date-time description: Timestamp when the key was created readOnly: true nullable: true id: type: string description: The unique identifier for the key readOnly: true nullable: false isUsed: type: string format: boolean description: Whether this key is currently in use by other applications nullable: false readOnly: true keyId: type: string description: The alias of the public key nullable: false readOnly: true lastUpdated: type: string format: date-time description: Timestamp when the key was updated readOnly: true nullable: true name: type: string description: Display name of the key readOnly: false nullable: false minLength: 1 maxLength: 255 HostedPage: type: object properties: type: $ref: '#/components/schemas/HostedPageType' url: type: string required: - type HostedPageType: type: string enum: - EXTERNALLY_HOSTED - OKTA_DEFAULT HrefCsrPublishLink: title: Link Object description: Link to publish CSR type: object properties: hints: $ref: '#/components/schemas/CsrPublishHrefHints' href: type: string description: Link URI example:
https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish required: - href readOnly: true HrefCsrSelfLink: title: Link Object description: Link to the resource (self) type: object properties: hints: $ref: '#/components/schemas/CsrSelfHrefHints' href: type: string description: Link URI example: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 required: - href readOnly: true HrefHints: description: Describes allowed HTTP verbs for the `href` type: object properties: allow: type: array items: $ref: '#/components/schemas/HttpMethod' HrefHintsGuidanceObject: allOf: - $ref: '#/components/schemas/HrefHints' - description: Describes allowed HTTP verbs and guidance for the `href` - type: object properties: guidance: type: array description: | Specifies the URI to invoke for granting scope consent required to complete the OAuth 2.0 connection items: type: string HrefObject: title: Link Object additionalProperties: true type: object properties: hints: $ref: '#/components/schemas/HrefHints' readOnly: true href: type: string description: Link URI name: type: string description: Link name readOnly: true templated: type: boolean description: Indicates whether the link object's `href` property is a URI template. readOnly: true type: type: string description: The media type of the link. If omitted, it is implicitly `application/json`. 
readOnly: true required: - href HrefObjectActivateLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to activate the resource HrefObjectAppLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the app resource HrefObjectAssigneeLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the assignee resource HrefObjectAuthorizeLink: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true description: Link to authorize scopes type: object properties: hints: $ref: '#/components/schemas/HrefHintsGuidanceObject' href: type: string description: Link URI required: - href readOnly: true HrefObjectBindingLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the binding resource HrefObjectBindingsLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the bindings resource HrefObjectClientLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the client resource HrefObjectDeactivateLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to deactivate the resource HrefObjectDeleteLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to delete the resource HrefObjectGovernanceResourcesLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the resources HrefObjectGrantAerialConsent: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to grant Okta Aerial access to your Org HrefObjectGroupLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the group resource HrefObjectLogoLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the logo resource HrefObjectMappingsLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the mappings resource HrefObjectMemberLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the member resource HrefObjectMembersLink: allOf: - $ref: 
'#/components/schemas/HrefObject' - description: Link to the members resource HrefObjectNextLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the next resource HrefObjectPermissionsLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the permissions resource HrefObjectResourceSetLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the resource set resource HrefObjectResourceSetResourcesLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to resource set resources HrefObjectRetrieveAerialConsent: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to retrieve Okta Aerial consent for your Org HrefObjectRevokeAerialConsent: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to revoke Okta Aerial consent for your Org HrefObjectRoleLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the role resource HrefObjectRulesLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the rules resource HrefObjectSelfLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the resource (self) HrefObjectSuspendLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to suspend the resource HrefObjectUnsuspendLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to unsuspend the resource HrefObjectUserLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the user resource HttpMethod: type: string enum: - DELETE - GET - POST - PUT IAMBundleEntitlement: description: An entitlement in a governance bundle type: object properties: resourceSets: type: array description: List of resource set IDs for the custom role items: type: string description: Resource set ID role: type: string description: The role targets: type: array description: List of target resource IDs to scope the entitlement with the role items: type: string 
description: Target resource (app or group ID) IDVAuthorizationEndpoint: description: IDV authorization endpoint type: object properties: binding: type: string enum: - HTTP-REDIRECT url: type: string description: URL of the `authorization` endpoint of the IDV vendor IDVCredentials: description: Credentials for verifying requests to the IDV vendor type: object properties: bearer: type: object description: Client credential for `IDV_PERSONA` IdP type properties: apiKey: type: string description: The API key that you generate in your Persona dashboard required: - apiKey client: type: object description: <x-lifecycle-container><x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>Client credentials for `IDV_CLEAR` and `IDV_INCODE` IdP types properties: client_id: type: string description: The client ID that you generate in your IDV vendor client_secret: type: string description: The client secret that you generate in your IDV vendor required: - client_id - client_secret x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] IDVEndpoints: description: Contains endpoints for the IDV vendor. When you create an `IDV_STANDARD` IdP, you must include the `par`, `authorization`, `token`, and `jwks` endpoints in the request body. 
type: object properties: authorization: $ref: '#/components/schemas/IDVAuthorizationEndpoint' jwks: $ref: '#/components/schemas/OidcJwksEndpoint' par: $ref: '#/components/schemas/IDVParEndpoint' token: $ref: '#/components/schemas/IDVTokenEndpoint' required: - par - authorization - token - jwks IDVParEndpoint: description: IDV [PAR](https://datatracker.ietf.org/doc/html/rfc9126) endpoint type: object properties: binding: type: string enum: - HTTP-POST url: type: string description: URL of the `par` endpoint of the IDV vendor IDVTokenEndpoint: description: Token endpoint of the IDV vendor type: object properties: binding: type: string enum: - HTTP-POST url: type: string description: URL of the `token` endpoint of the IDV vendor IPNetworkZone: allOf: - $ref: '#/components/schemas/NetworkZone' - title: IP Network Zone - type: object properties: useAsExemptList: type: boolean description: |- You can **only** use this parameter when making a request to the Replace the network zone endpoint (`/api/v1/zones/{zoneId}`). Set this parameter to `true` in your request when you update the `DefaultExemptIpZone` to allow IPs through the blocklist. gateways: type: array items: $ref: '#/components/schemas/NetworkZoneAddress' description: |- The IP addresses (range or CIDR form) for an IP Network Zone. The maximum array length is 150 entries for admin-created IP zones, 1000 entries for IP blocklist zones, and 5000 entries for the default system IP Zone. proxies: type: array items: $ref: '#/components/schemas/NetworkZoneAddress' nullable: true description: |- The IP addresses (range or CIDR form) that are allowed to forward a request from gateway addresses for an IP Network Zone. These proxies are automatically trusted by Threat Insights and used to identify the client IP of a request. The maximum array length is 150 entries for admin-created zones and 5000 entries for the default system IP Zone. 
IPServiceCategory: description: An IP service offered by a provider, such as a proxy or VPN type: string enum: - ABCPROXY_PROXY - ALL_ANONYMIZERS - ALL_ANONYMIZERS_EXCEPT_TOR - ALL_IP_SERVICES - ALL_PROXIES_VPNS - ANONYMIZER_TOR - APPLE_ICLOUD_RELAY_PROXY - ASTRILL_VPN - AVAST_VPN - BIGMAMA_PROXY - CYBERGHOST_VPN - DATAIMPULSE_PROXY - EXPRESS_VPN - FACELESS_PROXY - FROXY_PROXY - GEONODE_PROXY - GLOBALPROTECT_VPN - GOOGLE_VPN - IPCOLA_PROXY - IPIDEA_PROXY - IPROXYSHOP_PROXY - LUMINATI_PROXY - MULLVAD_VPN - NETNUT_PROXY - NEXUS_PROXY - NORD_VPN - OCULUS_PROXY - OXYLABS_PROXY - PIA_VPN - PROXYRACK_PROXY - SAMSUNG_VPN - SPACEPROXIES_PROXY - SURFSHARK_VPN - SYMANTEC_VPN - TRENDMICRO_VPN - ULTRASURF_VPN - WARP_VPN - YILU_PROXY IamRole: type: object properties: created: type: string format: date-time description: Timestamp when the role was created readOnly: true description: type: string description: Description of the role id: type: string description: Unique key for the role readOnly: true label: type: string description: Unique label for the role lastUpdated: type: string format: date-time description: Timestamp when the role was last updated readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: permissions: $ref: '#/components/schemas/HrefObject' required: - label - description IamRoles: type: object properties: roles: type: array items: $ref: '#/components/schemas/IamRole' _links: $ref: '#/components/schemas/LinksNext' IdPCertificateCredential: type: object properties: x5c: $ref: '#/components/schemas/X5c' required: - x5c IdPCsr: description: Defines a CSR for a signature or decryption credential for an IdP type: object properties: created: $ref: '#/components/schemas/Created' csr: description: Base64-encoded CSR in DER format type: string readOnly: true id: description: Unique identifier for the CSR type: string readOnly: true example:
h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50 kty: description: Cryptographic algorithm family for the CSR's keypair type: string example: RSA _links: type: object additionalProperties: true allOf: - $ref: '#/components/schemas/LinksSelf' - properties: publish: description: Publish the CSR allOf: - $ref: '#/components/schemas/HrefObject' IdPCsrPkcs10: description: Base64URL-encoded CSR in DER format format: base64 type: string IdPKeyCredential: description: A [JSON Web Key](https://tools.ietf.org/html/rfc7517) for a signature or encryption credential for an IdP additionalProperties: true type: object properties: created: $ref: '#/components/schemas/Created' e: description: The exponent value for the RSA public key type: string example: AQAB expiresAt: $ref: '#/components/schemas/ExpiresAt' kid: description: Unique identifier for the key type: string example: your-key-id kty: description: Identifies the cryptographic algorithm family used with the key type: string example: RSA lastUpdated: $ref: '#/components/schemas/LastUpdated' 'n': description: The modulus value for the RSA public key type: string example: '101438407598598116085679865987760095721749307901605456708912786847324207000576780508113360584555007890315805735307890113536927352312915634368993759211767770602174860126854831344273970871509573365292777620005537635317282520456901584213746937262823585533063042033441296629204165064680610660631365266976782082747' use: description: Intended use of the public key type: string example: sig x5c: $ref: '#/components/schemas/X5c' x5t#S256: description: Base64url-encoded SHA-256 thumbprint of the DER encoding of an X.509 certificate type: string example: wzPVobIrveR1x-PCbjsFGNV-6zn7Rm9KuOWOG4Rk6jE IdProofingMethod: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: [] allOf: - $ref: '#/components/schemas/VerificationMethod' - type: object properties: id: type: string description: ID for ID proofing entity IdTokenKeyEncryptionAlgorithm: description: 
<x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>JWE alg algorithm for encrypting the ID token issued to this client. If this is requested, the response is signed, and then encrypted with the result being a nested JWT. The default, if omitted, is that no encryption is performed. See the [Application Public Keys API](/openapi/okta-management/management/tag/ApplicationSSOPublicKeys/) for more information on encryption keys. See [Key management](https://developer.okta.com/docs/guides/key-management/main/) for more information on how encryption keys are used. x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true type: string enum: - RSA-OAEP-256 - RSA-OAEP-384 - RSA-OAEP-512 IdentityAssertionAppInstanceConnection: description: Identity assertion connection for an app instance additionalProperties: false type: object properties: app: $ref: '#/components/schemas/ManagedConnectionAppInstance' authorizationServer: $ref: '#/components/schemas/AppInstanceAuthorizationServer' connectionType: type: string enum: - IDENTITY_ASSERTION_APP_INSTANCE description: Type of connection authentication method id: $ref: '#/components/schemas/ManagedConnectionId' orn: $ref: '#/components/schemas/ManagedConnectionOrn' protocolType: type: string enum: - IDENTITY_ASSERTION description: The authentication protocol type used for the connection resourceIndicator: $ref: '#/components/schemas/ManagedConnectionResourceIndicator' scopeCondition: $ref: '#/components/schemas/ScopeCondition' scopes: $ref: '#/components/schemas/ConnectionScopes' status: $ref: '#/components/schemas/ManagedConnectionStatus' _links: $ref: '#/components/schemas/LinksSelf' required: - connectionType - app - resourceIndicator IdentityAssertionAppInstanceConnectionCreatable: description: Create an identity assertion connection for an app instance type: object properties: app: type: object description: Reference to an app instance in 
[ORN](/openapi/okta-management/guides/roles/#okta-resource-name-orn) format required: - orn properties: orn: $ref: '#/components/schemas/AppInstanceOrn' connectionType: type: string enum: - IDENTITY_ASSERTION_APP_INSTANCE description: Type of connection authentication method issuerUrl: type: string description: Issuer URL for the app instance's authorization server protocolType: type: string enum: - IDENTITY_ASSERTION description: The authentication protocol type used for the connection resourceIndicator: type: string format: uri description: Resource indicator used when requesting tokens. Defaults to the app instance's ORN if not specified. scopeCondition: $ref: '#/components/schemas/ScopeCondition' scopes: $ref: '#/components/schemas/ConnectionScopes' required: - connectionType - app - issuerUrl - scopeCondition - scopes IdentityAssertionCustomASConnection: description: Identity assertion connection for a custom authorization server additionalProperties: false type: object properties: authorizationServer: $ref: '#/components/schemas/CustomAuthorizationServer' connectionType: type: string enum: - IDENTITY_ASSERTION_CUSTOM_AS description: Type of connection authentication method id: $ref: '#/components/schemas/ManagedConnectionId' orn: $ref: '#/components/schemas/ManagedConnectionOrn' protocolType: type: string enum: - IDENTITY_ASSERTION description: The authentication protocol type used for the connection resourceIndicator: $ref: '#/components/schemas/ManagedConnectionResourceIndicator' scopeCondition: $ref: '#/components/schemas/ScopeCondition' scopes: $ref: '#/components/schemas/ConnectionScopes' status: $ref: '#/components/schemas/ManagedConnectionStatus' _links: $ref: '#/components/schemas/LinksSelf' required: - connectionType - authorizationServer - resourceIndicator IdentityAssertionCustomASConnectionCreatable: description: Create an identity assertion connection for a custom authorization server type: object properties: authorizationServer: type: object 
description: Reference to a custom authorization server and its configuration required: - orn properties: orn: $ref: '#/components/schemas/AuthorizationServerOrn' connectionType: type: string enum: - IDENTITY_ASSERTION_CUSTOM_AS description: Type of connection authentication method protocolType: type: string enum: - IDENTITY_ASSERTION description: The authentication protocol type used for the connection scopeCondition: $ref: '#/components/schemas/ScopeCondition' scopes: $ref: '#/components/schemas/ConnectionScopes' required: - connectionType - authorizationServer - scopeCondition - scopes IdentityProvider: type: object properties: created: $ref: '#/components/schemas/Created' id: type: string readOnly: true description: Unique key for the IdP example: 0oaWma58liwx40w6boYD issuerMode: $ref: '#/components/schemas/IdentityProviderIssuerMode' lastUpdated: $ref: '#/components/schemas/LastUpdated' name: type: string maxLength: 100 description: Unique name for the IdP example: Sample IdP policy: $ref: '#/components/schemas/IdentityProviderPolicy' properties: $ref: '#/components/schemas/IdentityProviderProperties' protocol: description: IdP-specific protocol settings for endpoints, bindings, and algorithms used to connect with the IdP and validate messages oneOf: - $ref: '#/components/schemas/ProtocolSaml' - $ref: '#/components/schemas/ProtocolOAuth' - $ref: '#/components/schemas/ProtocolOidc' - $ref: '#/components/schemas/ProtocolMtls' - $ref: '#/components/schemas/ProtocolIdVerification' status: $ref: '#/components/schemas/LifecycleStatus' type: $ref: '#/components/schemas/IdentityProviderType' _links: type: object additionalProperties: true allOf: - $ref: '#/components/schemas/LinksSelf' - properties: acs: description: SAML 2.0 Assertion Consumer Service URL for the Okta SP allOf: - $ref: '#/components/schemas/HrefObject' authorize: description: OAuth 2.0 authorization endpoint for the IdP OAuth 2.0 Authorization Code flow allOf: - $ref: 
'#/components/schemas/HrefObject' clientRedirectUri: description: Redirect URI for the OAuth 2.0 Authorization Code flow allOf: - $ref: '#/components/schemas/HrefObject' metadata: description: 'Federation metadata document for the IdP (for example: SAML 2.0 Metadata)' allOf: - $ref: '#/components/schemas/HrefObject' users: description: IdP users allOf: - $ref: '#/components/schemas/HrefObject' deactivate: description: Deactivate IdP allOf: - $ref: '#/components/schemas/HrefObject' activate: description: Activate IdP allOf: - $ref: '#/components/schemas/HrefObject' keys: description: IdP keys allOf: - $ref: '#/components/schemas/HrefObject' IdentityProviderApplicationUser: type: object properties: created: $ref: '#/components/schemas/Created' externalId: type: string description: Unique IdP-specific identifier for the user readOnly: true maxLength: 512 example: saml.jackson@example.com id: type: string description: Unique key of the user readOnly: true lastUpdated: $ref: '#/components/schemas/LastUpdated' profile: type: object description: |- IdP-specific profile for the user. IdP user profiles are IdP-specific but may be customized by the Profile Editor in the Admin Console. > **Note:** Okta variable names have reserved characters that may conflict with the name of an IdP assertion attribute. You can use the **External name** to define the attribute name as defined in an IdP assertion such as a SAML attribute name. 
additionalProperties: type: object properties: {} example: lastName: Jackson subjectNameQualifier: example.com subjectSpNameQualifier: urn:federation:example authnContextClassRef: null subjectNameId: saml.jackson@example.com subjectConfirmationAddress: null displayName: Saml Jackson mobilePhone: +1-415-555-5141 email: saml.jackson@example.com subjectNameFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress firstName: Saml subjectSpProvidedId: null subjectConfirmationMethod: null _embedded: type: object description: Embedded resources related to the IdP user additionalProperties: type: object properties: {} readOnly: true _links: type: object additionalProperties: true allOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksNext' - properties: idp: description: The IdP instance example: href: https://{yourOktaDomain}/api/v1/idps/0oa1k5d68qR2954hb0g4 allOf: - $ref: '#/components/schemas/HrefObject' user: description: The linked Okta user example: href: https://{yourOktaDomain}/api/v1/users/00ulwodIu7wCfdiVR0g3 allOf: - $ref: '#/components/schemas/HrefObject' IdentityProviderIssuerMode: description: Indicates whether Okta uses the original Okta org domain URL or a custom domain URL in the request to the social IdP default: DYNAMIC type: string enum: - CUSTOM_URL - DYNAMIC - ORG_URL x-enumDescriptions: ORG_URL: In the authorize request to the social IdP, Okta uses the Okta org's original domain URL (`https://${yourOktaDomain}`) as the domain in the `redirect_uri`. CUSTOM_URL: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri`. You can set `issuerMode` to `CUSTOM_URL` only if you have a custom URL domain configured. DYNAMIC: In the authorize request to the social IdP, Okta uses the custom domain URL as the domain in the `redirect_uri` if the request was made from the custom domain URL. 
Otherwise, Okta uses the Okta org's original domain URL if the request was made from the Okta org domain. IdentityProviderPolicy: description: |- Policy settings for the IdP. The following provisioning and account linking actions are supported by each IdP provider: | IdP type | User provisioning actions | Group provisioning actions | Account link actions | Account link filters | | ----------------------------------------------------------------- | ------------------------- | ------------------------------------- | -------------------- | -------------------- | | `SAML2` | `AUTO` or `DISABLED` | `NONE`, `ASSIGN`, `APPEND`, or `SYNC` | `AUTO`, `DISABLED` | `groups`, `users` | | `X509`, `IDV_PERSONA`, `IDV_INCODE`, `IDV_CLEAR` and `IDV_STANDARD`| `DISABLED` | No support for JIT provisioning | | | | All other IdP types | `AUTO`, `DISABLED` | `NONE` or `ASSIGN` | `AUTO`, `DISABLED` | `groups`, `users` | allOf: - type: object properties: accountLink: $ref: '#/components/schemas/PolicyAccountLink' maxClockSkew: type: integer description: Maximum allowable clock skew when processing messages from the IdP example: 120000 provisioning: $ref: '#/components/schemas/Provisioning' subject: $ref: '#/components/schemas/PolicySubject' IdentityProviderPolicyProvider: type: string enum: - ANY - OKTA - SPECIFIC_IDP IdentityProviderPolicyRuleCondition: description: Specifies the IdP that's used to sign in type: object properties: idpIds: type: array description: Specifies the IdP ID items: type: string provider: $ref: '#/components/schemas/IdentityProviderPolicyProvider' IdentityProviderProperties: nullable: true description: The properties in the IdP `properties` object vary depending on the IdP type type: object properties: aalValue: type: string nullable: true description: |- The [authentication assurance level](https://developers.login.gov/oidc/#aal-values) (AAL) value for the Login.gov IdP. See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). 
Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. additionalAmr: type: array description: The additional Assurance Methods References (AMR) values for Smart Card IdPs. Applies to `X509` IdP type. nullable: true items: type: string enum: - sc - hwk - pin - mfa x-enumDescriptions: sc: Smart card hwk: Hardware-secured key pin: Personal identification number mfa: Multifactor authentication ialValue: type: string nullable: true description: |- The [type of identity verification](https://developers.login.gov/oidc/#ial-values) (IAL) value for the Login.gov IdP. See [Add a Login.gov IdP](https://developer.okta.com/docs/guides/add-logingov-idp/). Applies to `LOGINGOV` and `LOGINGOV_SANDBOX` IdP types. idvMetadata: type: object description: Metadata about the IDV vendor. Available only for `IDV_STANDARD` IdPs. properties: vendorDisplayName: type: string description: The display name of the IDV vendor termsOfUse: type: string description: A URL that links to the terms of use for the IDV vendor privacyPolicy: type: string description: A URL that links to the privacy policy for the IDV vendor inquiryTemplateId: type: string description: The ID of the inquiry template from your Persona dashboard. The inquiry template always starts with `itmpl`. Applies to the `IDV_PERSONA` IdP type. example: itmpl_HSctx8fNvXoHtrQfz2hxUVH8RBjG required: - inquiryTemplateId IdentityProviderType: description: |- The IdP object's `type` property identifies the social or enterprise IdP used for authentication. Each IdP uses a specific protocol, therefore the `protocol` object must correspond with the IdP `type`. If the protocol is OAuth 2.0-based, the `protocol` object's `scopes` property must also correspond with the scopes supported by the IdP `type`. 
For policy actions supported by each IdP type, see [IdP type policy actions](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy&t=request). | Type | Description | Corresponding protocol | Corresponding protocol scopes | | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | -------------------------------------------------------------------- | | `AMAZON` | [Amazon](https://developer.amazon.com/settings/console/registration?return_to=/) as the IdP | OpenID Connect | `profile`, `profile:user_id` | | `APPLE` | [Apple](https://developer.apple.com/sign-in-with-apple/) as the IdP | OpenID Connect | `names`, `email`, `openid` | | `DISCORD` | [Discord](https://discord.com/login) as the IdP | OAuth 2.0 | `identify`, `email` | | `FACEBOOK` | [Facebook](https://developers.facebook.com) as the IdP | OAuth 2.0 | `public_profile`, `email` | | `GITHUB` | [GitHub](https://github.com/join) as the IdP | OAuth 2.0 | `user` | | `GITLAB` | [GitLab](https://gitlab.com/users/sign_in) as the IdP | OpenID Connect | `openid`, `read_user`, `profile`, `email` | | `GOOGLE` | [Google](https://accounts.google.com/signup) as the IdP | OpenID Connect | `openid`, `email`, `profile` | | `IDV_PERSONA` | [Persona](https://app.withpersona.com/dashboard/login) as the IDV IdP | ID verification | | | `IDV_CLEAR` | [CLEAR Verified](https://www.clearme.com/) as the IDV IdP | ID verification | `openid`, `profile`, `identity_assurance` | | `IDV_INCODE` | [Incode](https://incode.com/) as the IDV IdP | ID verification | `openid`, `profile`, `identity_assurance` | | `IDV_STANDARD` | Custom IDV as the IDV IdP | ID verification | `openid`, `profile`, `identity_assurance` | | `LINKEDIN` | [LinkedIn](https://developer.linkedin.com/) as the IdP | OAuth 2.0 | 
`r_emailaddress`, `r_liteprofile` | | `LOGINGOV` | [Login.gov](https://developers.login.gov/) as the IdP | OpenID Connect | `email`, `profile`, `profile:name` | | `LOGINGOV_SANDBOX` | [Login.gov's identity sandbox](https://developers.login.gov/testing/) as the IdP | OpenID Connect | `email`, `profile`, `profile:name` | | `MICROSOFT` | [Microsoft Enterprise SSO](https://azure.microsoft.com/) as the IdP | OpenID Connect | `openid`, `email`, `profile`, `https://graph.microsoft.com/User.Read` | | `OIDC` | IdP that supports [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) | OpenID Connect | `openid`, `email`, `profile` | | `PAYPAL` | [PayPal](https://www.paypal.com/signin) as the IdP | OpenID Connect | `openid`, `email`, `profile` | | `PAYPAL_SANDBOX` | [PayPal Sandbox](https://developer.paypal.com/tools/sandbox/) as the IdP | OpenID Connect | `openid`, `email`, `profile` | | `SALESFORCE` | [Salesforce](https://login.salesforce.com/) as the IdP | OAuth 2.0 | `id`, `email`, `profile` | | `SAML2` | Enterprise IdP that supports the [SAML 2.0 Web Browser SSO Profile](https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf) | SAML 2.0 | | | `SPOTIFY` | [Spotify](https://developer.spotify.com/) as the IdP | OpenID Connect | `user-read-email`, `user-read-private` | | `X509` | [Smart Card IdP](https://tools.ietf.org/html/rfc5280) | Mutual TLS | | | `XERO` | [Xero](https://www.xero.com/us/signup/api/) as the IdP | OpenID Connect | `openid`, `profile`, `email` | | `YAHOO` | [Yahoo](https://login.yahoo.com/) as the IdP | OpenID Connect | `openid`, `profile`, `email` | | `YAHOOJP` | [Yahoo Japan](https://login.yahoo.co.jp/config/login) as the IdP | OpenID Connect | `openid`, `profile`, `email` | | `OKTA_INTEGRATION` | IdP that supports the [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) Org2Org IdP | OpenID Connect | `openid`, `email`, `profile` | type: string enum: - AMAZON - APPLE - DISCORD - FACEBOOK - GITHUB - GITLAB
- GOOGLE - IDV_CLEAR - IDV_INCODE - IDV_PERSONA - IDV_STANDARD - LINKEDIN - LOGINGOV - LOGINGOV_SANDBOX - MICROSOFT - OIDC - OKTA_INTEGRATION - PAYPAL - PAYPAL_SANDBOX - SALESFORCE - SAML2 - SPOTIFY - X509 - XERO - YAHOO - YAHOOJP IdentitySourceGroupMembershipsDeleteProfile: description: Array of group memberships that need to be deleted in Okta minItems: 1 maxItems: 200 items: type: object properties: groupExternalId: type: string description: The external ID of the group whose memberships need to be deleted in Okta maxLength: 255 memberExternalIds: type: array description: Array of external IDs of member profiles that need to be inserted in this group in Okta items: type: string maxLength: 255 type: array IdentitySourceGroupMembershipsUpsertProfile: description: Array of group memberships that need to be inserted or updated in Okta minItems: 1 maxItems: 200 items: type: object properties: groupExternalId: type: string description: The external ID of the group whose memberships need to be inserted or updated in Okta maxLength: 255 memberExternalIds: type: array description: Array of external IDs of member profiles that need to be inserted in this group in Okta items: type: string maxLength: 255 type: array IdentitySourceGroupProfileForUpsert: description: |- Contains a set of external group attributes and their values that are mapped to Okta standard properties. See the group [`profile` object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/getGroup!c=200&path=profile&t=response) and Declaration of a Custom Identity Source Schema in [Using anything as a source](https://help.okta.com/okta_help.htm?type=oie&id=ext-anything-as-a-source). > **Note:** Profile attributes can only be of the string type. 
type: object properties: description: type: string description: Description of the group maxLength: 1024 nullable: true displayName: type: string description: Name of the group minLength: 1 maxLength: 255 IdentitySourceSession: type: object properties: created: type: string description: The timestamp when the identity source session was created format: date-time readOnly: true id: type: string description: The ID of the identity source session readOnly: true identitySourceId: type: string description: The ID of the custom identity source for which the session is created readOnly: true importType: type: string description: The type of import. All imports are `INCREMENTAL` imports. readOnly: true lastUpdated: type: string description: The timestamp when the identity source session was created format: date-time readOnly: true status: $ref: '#/components/schemas/IdentitySourceSessionStatus' IdentitySourceSessionStatus: description: The current status of the identity source session type: string enum: - CLOSED - COMPLETED - CREATED - ERROR - EXPIRED - IN_PROGRESS - TRIGGERED x-enumDescriptions: CREATED: This is a new identity source session that hasn't been processed. You can upload bulk data in this stage. IN_PROGRESS: The bulk data is being uploaded to Okta. TRIGGERED: Okta is processing the import data in this session. You can't load bulk data in this stage. COMPLETED: The bulk data was processed and imported into Okta. CLOSED: The identity source session was canceled and isn't available for further activity. EXPIRED: This identity source session had the `CREATED` status and timed out after 24 hours of inactivity. ERROR: The processing of import data in the session encountered an error. You need to open a new session to upload the data again.
IdentitySourceUserProfileForDelete: type: object properties: externalId: type: string description: The external ID of the entity that needs to be deleted in Okta maxLength: 512 IdentitySourceUserProfileForUpsert: description: |- Contains a set of external user attributes and their values that are mapped to Okta standard and custom profile properties. See the [`profile` object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) and Declaration of a Custom Identity Source Schema in [Using anything as a source](https://help.okta.com/okta_help.htm?type=oie&id=ext-anything-as-a-source). > **Note:** Profile attributes can only be of the string type. type: object properties: email: type: string format: email description: Email address of the user minLength: 5 maxLength: 100 firstName: type: string description: First name of the user minLength: 1 maxLength: 50 nullable: true homeAddress: type: string description: Home address of the user maxLength: 4096 nullable: true lastName: type: string description: Last name of the user minLength: 1 maxLength: 50 nullable: true mobilePhone: type: string description: Mobile phone number of the user maxLength: 100 nullable: true secondEmail: type: string description: Alternative email address of the user format: email minLength: 5 maxLength: 100 userName: type: string description: Username of the user maxLength: 100 IdpDiscoveryPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: type: string description: Policy conditions aren't supported for this policy type. 
default: null nullable: true IdpDiscoveryPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: $ref: '#/components/schemas/IdpPolicyRuleAction' conditions: $ref: '#/components/schemas/IdpDiscoveryPolicyRuleCondition' IdpDiscoveryPolicyRuleCondition: allOf: - description: Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions and conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule. - type: object properties: app: $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' network: $ref: '#/components/schemas/PolicyNetworkCondition' platform: $ref: '#/components/schemas/PlatformPolicyRuleCondition' userIdentifier: $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' IdpPolicyRuleAction: description: Specifies where to route users when they are attempting to sign in to your org, if the rule conditions are satisfied. You can add up to 10 providers to a single `idp` policy action. type: object properties: idp: type: object description: Specifies IdP settings properties: providers: items: $ref: '#/components/schemas/IdpPolicyRuleActionProvider' type: array description: List of configured identity providers that a given rule can route to. Ability to define multiple providers is a part of the Identity Engine. This allows users to choose a provider when they sign in. Contact support for information on the Identity Engine. 
idpSelectionType: description: Determines whether the rule should use expression language or a specific IdP $ref: '#/components/schemas/IdpSelectionType' matchCriteria: items: $ref: '#/components/schemas/IdpPolicyRuleActionMatchCriteria' type: array description: Required if `idpSelectionType` is set to `DYNAMIC` IdpPolicyRuleActionMatchCriteria: type: object properties: propertyName: type: string description: The IdP property that the evaluated string should match providerExpression: type: string description: | You can provide an Okta Expression Language expression with the Login Context that's evaluated with the IdP. For example, the value `login.identifier` refers to the user's username. If the user is signing in with the username `john.doe@mycompany.com`, the expression `login.identifier.substringAfter('@')` is evaluated to the domain name of the user, for example: `mycompany.com`. IdpPolicyRuleActionProvider: type: object properties: id: type: string description: IdP types of `OKTA`, `AgentlessDSSO`, and `IWA` don't require an ID. name: type: string description: Provider `name` in Okta. Optional. Supported in `IDENTITY ENGINE`. 
type: $ref: '#/components/schemas/IdentityProviderType' IdpSelectionType: description: Determines whether the rule should use expression language or a specific IdP type: string enum: - DYNAMIC - SPECIFIC IframeEmbedScopeAllowedApps: type: string enum: - OKTA_ENDUSER ImageUploadResponse: type: object properties: url: readOnly: true type: string ImportScheduleObject: description: Import schedule configuration type: object properties: fullImport: allOf: - $ref: '#/components/schemas/ImportScheduleSettings' - description: Determines the full import schedule incrementalImport: allOf: - $ref: '#/components/schemas/ImportScheduleSettings' - description: Determines the incremental import schedule status: $ref: '#/components/schemas/EnabledStatus' ImportScheduleSettings: type: object properties: expression: type: string description: The import schedule in UNIX cron format example: 00 21 * * Mon,Thu,Fri,Sat timezone: type: string description: The import schedule time zone in Internet Assigned Numbers Authority (IANA) time zone name format minLength: 1 maxLength: 64 example: America/Los_Angeles required: - expression ImportUsernameObject: description: Determines the Okta username for the imported user type: object properties: userNameExpression: type: string description: For `usernameFormat=CUSTOM`, specifies the Okta Expression Language statement for a username format that imported users use to sign in to Okta usernameFormat: type: string description: Determines the username format when users sign in to Okta default: EMAIL enum: - EMAIL - CUSTOM required: - usernameFormat InactivityPolicyRuleCondition: type: object properties: number: type: integer unit: type: string InboundProvisioningApplicationFeature: allOf: - $ref: '#/components/schemas/ApplicationFeature' - type: object - properties: capabilities: $ref: '#/components/schemas/CapabilitiesInboundProvisioningObject' InlineHook: description: An inline hook object that specifies the details of the inline hook type: object 
properties: channel: $ref: '#/components/schemas/InlineHookChannel' created: type: string format: date-time readOnly: true description: Date of the inline hook creation id: type: string readOnly: true description: The unique identifier for the inline hook lastUpdated: type: string format: date-time readOnly: true description: Date of the last inline hook update name: type: string description: The display name of the inline hook maximum: 255 minimum: 1 status: $ref: '#/components/schemas/InlineHookStatus' type: $ref: '#/components/schemas/InlineHookType' version: type: string description: Version of the inline hook type. The currently supported version is `1.0.0`. readOnly: true _links: $ref: '#/components/schemas/InlineHookLinks' InlineHookBasePayload: type: object properties: cloudEventVersion: description: The inline hook cloud version example: 0.1 type: string contentType: description: The inline hook request header content example: application/JSON type: string eventId: type: string description: The individual inline hook request ID example: 3o9jBzq1SmOGmmsDsqyyeQ eventTime: type: string description: The time the inline hook request was sent example: '2020-01-17T21:23:56.000Z' eventTypeVersion: description: The inline hook version example: 1 type: string InlineHookChannel: type: object properties: type: $ref: '#/components/schemas/InlineHookChannelType' version: type: string description: Version of the inline hook type. The currently supported version is `1.0.0`. 
discriminator: propertyName: type mapping: HTTP: '#/components/schemas/InlineHookChannelHttp' OAUTH: '#/components/schemas/InlineHookChannelOAuth' InlineHookChannelConfig: description: Properties of the communications channel that are used to contact your external service type: object properties: headers: type: array description: An optional list of key/value pairs for headers that you can send with the request to the external service items: $ref: '#/components/schemas/InlineHookChannelConfigHeaders' method: type: string description: The method of the Okta inline hook request uri: type: string description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI. maximum: 1024 InlineHookChannelConfigAuthSchemeBody: description: The authentication scheme to use for this request nullable: true type: object properties: key: type: string description: The header name for the authorization server type: type: string description: The authentication scheme type. Supported type—`HEADER`. value: type: string description: The header value. This secret value is passed to your external service endpoint. Your external service can check it as a security measure. InlineHookChannelConfigAuthSchemeResponse: description: The authentication scheme to use for this request nullable: true type: object properties: key: type: string description: The header name for the authorization server type: type: string description: The authentication scheme type. Supported type—`HEADER` InlineHookChannelConfigCreate: description: Properties of the communications channel that are used to contact your external service type: object properties: headers: type: array description: An optional list of key/value pairs for headers that you can send with the request to the external service. 
items: $ref: '#/components/schemas/InlineHookChannelConfigHeaders' method: type: string description: The method of the Okta inline hook request uri: type: string description: The external service endpoint that executes the inline hook handler. It must begin with `https://` and be reachable by Okta. No white space is allowed in the URI. maximum: 1024 InlineHookChannelConfigHeaders: type: object properties: key: type: string description: The optional field or header name value: type: string description: The value for the key InlineHookChannelCreate: type: object properties: type: $ref: '#/components/schemas/InlineHookChannelType' version: type: string description: Version of the inline hook type. The currently supported version is `1.0.0`. discriminator: propertyName: type mapping: HTTP: '#/components/schemas/InlineHookChannelHttpCreate' OAUTH: '#/components/schemas/InlineHookChannelOAuthCreate' InlineHookChannelHttp: allOf: - $ref: '#/components/schemas/InlineHookChannel' - type: object properties: config: $ref: '#/components/schemas/InlineHookHttpConfig' InlineHookChannelHttpCreate: allOf: - $ref: '#/components/schemas/InlineHookChannelCreate' - type: object properties: config: $ref: '#/components/schemas/InlineHookHttpConfigCreate' InlineHookChannelOAuth: allOf: - $ref: '#/components/schemas/InlineHookChannel' - type: object properties: config: $ref: '#/components/schemas/InlineHookOAuthChannelConfig' InlineHookChannelOAuthCreate: allOf: - $ref: '#/components/schemas/InlineHookChannelCreate' - type: object properties: config: $ref: '#/components/schemas/InlineHookOAuthChannelConfigCreate' InlineHookChannelType: type: string enum: - HTTP - OAUTH InlineHookCreate: description: An inline hook object that specifies the details of the inline hook type: object properties: channel: $ref: '#/components/schemas/InlineHookChannelCreate' name: type: string description: The display name of the inline hook maximum: 255 minimum: 1 type: $ref: 
'#/components/schemas/InlineHookType' version: type: string description: Version of the inline hook type. The currently supported version is `1.0.0`. InlineHookCreateResponse: description: An inline hook object that specifies the details of the inline hook type: object properties: channel: $ref: '#/components/schemas/InlineHookChannel' created: type: string format: date-time readOnly: true description: Date of the inline hook creation id: type: string readOnly: true description: The unique identifier for the inline hook lastUpdated: type: string format: date-time readOnly: true description: Date of the last inline hook update name: type: string description: The display name of the inline hook maximum: 255 minimum: 1 status: $ref: '#/components/schemas/InlineHookStatus' type: $ref: '#/components/schemas/InlineHookType' version: type: string description: Version of the inline hook type. The currently supported version is `1.0.0`. readOnly: true _links: $ref: '#/components/schemas/InlineHookLinksCreate' InlineHookHttpConfig: allOf: - $ref: '#/components/schemas/InlineHookChannelConfig' type: object properties: authScheme: $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeResponse' InlineHookHttpConfigCreate: allOf: - $ref: '#/components/schemas/InlineHookChannelConfigCreate' type: object properties: authScheme: $ref: '#/components/schemas/InlineHookChannelConfigAuthSchemeBody' InlineHookLinks: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: activate: description: URL to activate the inline hook allOf: - $ref: '#/components/schemas/HrefObject' deactivate: description: URL to deactivate the inline hook allOf: - $ref: '#/components/schemas/HrefObject' delete: description: URL to delete the inline hook allOf: - $ref: '#/components/schemas/HrefObject' execute: description: URL to test the inline hook allOf: - $ref: '#/components/schemas/HrefObject' InlineHookLinksCreate: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object 
properties: deactivate: description: URL to deactivate the inline hook allOf: - $ref: '#/components/schemas/HrefObject' execute: description: URL to test the inline hook allOf: - $ref: '#/components/schemas/HrefObject' InlineHookOAuthBasicConfig: allOf: - $ref: '#/components/schemas/InlineHookChannelConfig' type: object properties: authType: type: string clientId: type: string description: A publicly exposed string provided by the service that's used to identify the OAuth app and build authorization URLs scope: type: string description: Include the scopes that allow you to perform the actions on the hook endpoint that you want to access tokenUrl: type: string description: The URI where inline hooks can exchange an authorization code for access and refresh tokens InlineHookOAuthChannelConfig: type: object properties: authType: type: string description: The authentication method for the token endpoint discriminator: propertyName: authType mapping: client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfig' private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig' InlineHookOAuthChannelConfigCreate: type: object properties: authType: type: string description: The authentication method for the token endpoint discriminator: propertyName: authType mapping: client_secret_post: '#/components/schemas/InlineHookOAuthClientSecretConfigCreate' private_key_jwt: '#/components/schemas/InlineHookOAuthPrivateKeyJwtConfig' InlineHookOAuthClientSecretConfig: allOf: - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' type: object properties: authScheme: type: string description: Not applicable. Must be `null`. 
nullable: true InlineHookOAuthClientSecretConfigCreate: allOf: - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' type: object properties: clientSecret: type: string description: A private value provided by the service used to authenticate the identity of the app to the service method: type: string description: The method of the Okta inline hook request. Only accepts `POST`. InlineHookOAuthPrivateKeyJwtConfig: allOf: - $ref: '#/components/schemas/InlineHookOAuthBasicConfig' type: object properties: authScheme: type: string description: Not applicable. Must be `null`. nullable: true hookKeyId: type: string description: An ID value of the hook key pair generated from the [Hook Keys API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/HookKey/#tag/HookKey) method: type: string description: The method of the Okta inline hook request. Only accepts `POST`. InlineHookPayload: type: object x-okta-extensible: true InlineHookReplace: description: An inline hook object that specifies the details of the inline hook type: object properties: channel: $ref: '#/components/schemas/InlineHookChannelCreate' name: type: string description: The display name of the inline hook maximum: 255 minimum: 1 version: type: string description: Version of the inline hook type. The currently supported version is `1.0.0`. 
InlineHookRequestObject: description: The API request that triggered the inline hook type: object properties: id: type: string description: The unique identifier that Okta assigned to the API request ipAddress: type: string description: The IP address of the client that made the API request method: type: string description: The HTTP request method of the API request url: type: object description: The URL of the API endpoint properties: value: type: string description: The URL value of the API endpoint InlineHookResponse: type: object properties: commands: type: array items: $ref: '#/components/schemas/InlineHookResponseCommands' InlineHookResponseCommandValue: type: object properties: op: type: string path: type: string value: type: string InlineHookResponseCommands: type: object properties: type: type: string value: type: array items: $ref: '#/components/schemas/InlineHookResponseCommandValue' InlineHookStatus: type: string enum: - ACTIVE - INACTIVE InlineHookType: description: One of the inline hook types type: string enum: - com.okta.import.transform - com.okta.oauth2.tokens.transform - com.okta.saml.tokens.transform - com.okta.telephony.provider - com.okta.user.credential.password.import - com.okta.user.pre-registration InterclientTrustMapping: type: object properties: appInstanceId: type: string description: The app ID of the target app example: 0oa8ghelqWXs70qD80g5 readOnly: true nullable: false created: type: string description: Timestamp when the interclient trust mapping was created example: '2025-11-25T22:44:06.000Z' readOnly: true nullable: false id: type: string description: The unique ID of the interclient trust mapping example: itmahqusSr3v8Kk3B0g5 readOnly: true nullable: false lastUpdated: type: string description: Timestamp when the interclient trust mapping was updated example: '2025-11-25T22:44:06.000Z' readOnly: true nullable: false lastUpdatedBy: type: string description: ID of the user who created the interclient trust mapping example: 
00u102rhXmxEGFKiB0g5 readOnly: true nullable: false orgId: type: string description: ID of the org example: 00o102n9p4vX126Gp0g5 readOnly: true nullable: false trustedAppInstanceId: type: string description: The app ID of the allowed app example: 0oa5kw6q51dFckBE70g5 readOnly: true nullable: false InterclientTrustMappingRequestBody: type: object properties: id: type: string description: App ID of the allowed app example: 0oa1elyw9EAkUNUrW0g5 nullable: false IssuerMode: type: string enum: - CUSTOM_URL - DYNAMIC - ORG_URL JsonPatchOperation: description: The update action type: object properties: op: $ref: '#/components/schemas/PatchAction' path: type: string description: The resource path of the attribute to update value: type: object description: The update operation value JsonWebKey: type: object properties: created: $ref: '#/components/schemas/createdProperty' e: description: RSA key value (public exponent) for Key binding type: string readOnly: true expiresAt: description: Timestamp when the certificate expires type: string format: date-time readOnly: true kid: description: Unique identifier for the certificate type: string readOnly: true kty: description: 'Cryptographic algorithm family for the certificate''s keypair. Valid value: `RSA`' type: string readOnly: true lastUpdated: type: string format: date-time $ref: '#/components/schemas/lastUpdatedProperty' 'n': description: RSA modulus value that is used by both the public and private keys and provides a link between them type: string use: description: 'Acceptable use of the certificate. 
Valid value: `sig`' type: string readOnly: true x5c: description: X.509 certificate chain that contains a chain of one or more certificates type: array items: type: string readOnly: true x5t#S256: description: X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate type: string readOnly: true JsonWebKeyStatus: description: The status of the public key type: string enum: - ACTIVE - INACTIVE JsonWebKeyType: description: The type of public key type: string enum: - RSA JsonWebKeyUse: description: The intended use of the public key type: string enum: - enc JwkUse: type: object properties: use: $ref: '#/components/schemas/JwkUseType' JwkUseType: description: Purpose of the certificate. The only supported value is `sig`. type: string enum: - sig KeepCurrent: type: object properties: keepCurrent: description: Skip deleting the user's current session when set to `true` type: boolean default: true KeepMeSignedIn: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine description: <x-lifecycle-container><x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>Controls how often the post-authentication prompt is presented to users type: object properties: postAuth: description: Whether the post-authentication [Keep Me Signed In (KMSI)](https://help.okta.com/oie/en-us/content/topics/security/stay-signed-in.htm) flow is allowed type: string enum: - ALLOWED - NOT_ALLOWED postAuthPromptFrequency: description: If allowed, how often to display the post-authentication Keep Me Signed In prompt default: P30D $ref: '#/components/schemas/TimeDuration' KeyRequest: type: object properties: name: description: Display name for the key type: string uniqueItems: true readOnly: false minLength: 1 maxLength: 255 nullable: false KeyTrustLevelBrowserKey: description: Represents the attestation strength used by the Chrome Verified Access API example: 
CHROME_BROWSER_HW_KEY type: string enum: - CHROME_BROWSER_HW_KEY - CHROME_BROWSER_OS_KEY x-enumDescriptions: CHROME_BROWSER_HW_KEY: Identity of the device was attested using a key pair that is OS encapsulated by a hardware layer CHROME_BROWSER_OS_KEY: Identity of the device was attested using a key pair that is simply stored on the device but not in any specific hardware layer KeyTrustLevelOSMode: description: Represents the attestation strength used by the Chrome Verified Access API example: CHROME_OS_VERIFIED_MODE type: string enum: - CHROME_OS_DEVELOPER_MODE - CHROME_OS_VERIFIED_MODE x-enumDescriptions: CHROME_OS_VERIFIED_MODE: Identity of the device was attested using an enterprise-emitted certificate, and the device is in Verified mode CHROME_OS_DEVELOPER_MODE: Identity of the device was attested using an enterprise-emitted certificate, and the device is in Developer mode KnowledgeConstraint: allOf: - $ref: '#/components/schemas/AccessPolicyConstraint' Language: description: The language specified as an [IETF BCP 47 language tag](https://datatracker.ietf.org/doc/html/rfc5646) type: string LastUpdated: format: date-time description: Timestamp when the object was last updated example: '2016-01-03T18:15:47.000Z' type: string readOnly: true LifecycleCreateSettingObject: description: Determines whether to update a user in the app when a user in Okta is updated type: object properties: status: allOf: - $ref: '#/components/schemas/EnabledStatus' - default: DISABLED LifecycleDeactivateSettingObject: description: Determines whether deprovisioning occurs when the app is unassigned type: object properties: status: allOf: - $ref: '#/components/schemas/EnabledStatus' - default: DISABLED LifecycleExpirationPolicyRuleCondition: type: object properties: lifecycleStatus: type: string number: type: integer unit: type: string LifecycleStatus: type: string enum: - ACTIVE - INACTIVE LinkedHrefObject: title: Link Object additionalProperties: true type: object properties: href: 
type: string description: Link URI required: - href readOnly: true LinkedObject: title: LinkedObject type: object properties: associated: $ref: '#/components/schemas/LinkedObjectDetails' primary: $ref: '#/components/schemas/LinkedObjectDetails' _links: $ref: '#/components/schemas/LinkedObjectLinksSelf' LinkedObjectDetails: title: LinkedObjectDetails type: object properties: description: type: string description: Description of the `primary` or the `associated` relationship name: type: string description: 'API name of the `primary` or the `associated` link. The `name` parameter can''t start with a number and can only contain the following characters: `a-z`, `A-Z`, `0-9`, and `_`.' title: type: string description: Display name of the `primary` or the `associated` link type: $ref: '#/components/schemas/LinkedObjectDetailsType' required: - name - title - type LinkedObjectDetailsType: description: The object type for this relationship type: string enum: - USER x-enumDescriptions: USER: Specifies the type of object LinkedObjectLinksSelf: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. type: object properties: self: $ref: '#/components/schemas/LinkedHrefObject' LinksActivate: type: object properties: activate: allOf: - description: Activates an enrolled factor. See [Activate a factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/activateFactor). 
- $ref: '#/components/schemas/HrefObject' readOnly: true LinksAerialConsentGranted: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: revoke: $ref: '#/components/schemas/HrefObjectRevokeAerialConsent' LinksAerialConsentRevoked: allOf: - type: object properties: grant: $ref: '#/components/schemas/HrefObjectGrantAerialConsent' LinksAppAndUser: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of resources related to the application user. type: object properties: app: $ref: '#/components/schemas/HrefObjectAppLink' group: $ref: '#/components/schemas/HrefObjectGroupLink' user: $ref: '#/components/schemas/HrefObjectUserLink' readOnly: true LinksAssignee: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. type: object properties: assignee: $ref: '#/components/schemas/HrefObjectAssigneeLink' LinksAuthenticator: type: object properties: authenticator: allOf: - description: Returns information about a specific authenticator. See [Retrieve an authenticator](/openapi/okta-management/management/tag/Authenticator/#tag/Authenticator/operation/getAuthenticator). - $ref: '#/components/schemas/HrefObject' readOnly: true LinksCancel: type: object properties: cancel: allOf: - description: Cancels a `push` factor challenge with a `WAITING` status - $ref: '#/components/schemas/HrefObject' readOnly: true LinksCustomRoleResponse: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. 
This object is used for dynamic discovery of related resources. type: object properties: assignee: $ref: '#/components/schemas/HrefObjectAssigneeLink' member: $ref: '#/components/schemas/HrefObjectMemberLink' permissions: $ref: '#/components/schemas/HrefObjectPermissionsLink' resource-set: $ref: '#/components/schemas/HrefObjectResourceSetLink' role: $ref: '#/components/schemas/HrefObjectRoleLink' LinksDeactivate: type: object properties: deactivate: allOf: - description: Deactivates the factor. See [Unenroll a factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/unenrollFactor). - $ref: '#/components/schemas/HrefObject' readOnly: true LinksEnroll: type: object properties: enroll: allOf: - description: Enrolls a supported factor. See [Enroll a factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/enrollFactor). - $ref: '#/components/schemas/HrefObject' readOnly: true LinksFactor: type: object properties: factor: allOf: - description: Link to the factor resource - $ref: '#/components/schemas/HrefObject' readOnly: true LinksGovernanceResources: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the resources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. type: object properties: resources: $ref: '#/components/schemas/HrefObjectGovernanceResourcesLink' readOnly: true LinksGovernanceSources: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the sources using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. 
type: object properties: assignee: $ref: '#/components/schemas/HrefObjectUserLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' readOnly: true LinksNext: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. Use the `LinksNext` object for dynamic discovery of related resources and lifecycle operations. type: object properties: next: $ref: '#/components/schemas/HrefObjectNextLink' readOnly: true LinksNextForRoleAssignments: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. type: object properties: next: allOf: - $ref: '#/components/schemas/HrefObject' - description: The next page of results if [pagination](#pagination) is required readOnly: true LinksPoll: type: object properties: poll: allOf: - description: Polls the factor resource for status information. Always use the `poll` link instead of manually constructing your own URL. - $ref: '#/components/schemas/HrefObject' readOnly: true LinksQrcode: type: object properties: qrcode: allOf: - description: QR code that encodes the push activation code needed for enrollment on the device - $ref: '#/components/schemas/HrefObject' readOnly: true LinksQuestions: type: object properties: question: allOf: - description: Lists all supported security questions. See [List all supported security questions](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/listSupportedSecurityQuestions). - $ref: '#/components/schemas/HrefObject' readOnly: true LinksResend: type: object properties: resend: type: array description: Resends the factor enrollment challenge. 
See [Resend a factor enrollment](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/resendEnrollFactor). items: $ref: '#/components/schemas/HrefObject' readOnly: true LinksSelf: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. type: object properties: self: $ref: '#/components/schemas/HrefObjectSelfLink' readOnly: true LinksSelfAndFullUsersLifecycle: allOf: - $ref: '#/components/schemas/LinksSelfAndLifecycle' - type: object properties: suspend: $ref: '#/components/schemas/HrefObjectSuspendLink' unsuspend: $ref: '#/components/schemas/HrefObjectUnsuspendLink' users: description: Link to device users allOf: - $ref: '#/components/schemas/HrefObject' LinksSelfAndLifecycle: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: activate: $ref: '#/components/schemas/HrefObjectActivateLink' deactivate: $ref: '#/components/schemas/HrefObjectDeactivateLink' LinksSelfAndRoles: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: roles: $ref: '#/components/schemas/HrefObjectRoleLink' LinksSelfForRoleAssignment: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources. 
type: object properties: self: $ref: '#/components/schemas/HrefObjectSelfLink' LinksSelfLifecycleAndAuthorize: allOf: - $ref: '#/components/schemas/LinksSelfAndLifecycle' - type: object properties: authorize: $ref: '#/components/schemas/HrefObjectAuthorizeLink' LinksSend: type: object properties: send: allOf: - description: Sends an activation link through email or SMS for users who can't scan the QR code - $ref: '#/components/schemas/HrefObject' readOnly: true LinksUserAuthenticators: type: object properties: user: allOf: - description: Returns information about the specified user - $ref: '#/components/schemas/HrefObject' LinksUserFactors: type: object properties: user: allOf: - description: Returns information on the specified user - $ref: '#/components/schemas/HrefObject' readOnly: true LinksUserRef: type: object properties: user: $ref: '#/components/schemas/HrefObjectUserLink' LinksVerify: type: object properties: verify: allOf: - description: Verifies the factor resource. See [Verify a factor](/openapi/okta-management/management/tag/UserFactor/#tag/UserFactor/operation/verifyFactor). - $ref: '#/components/schemas/HrefObject' readOnly: true ListProfileMappings: description: |- A collection of the profile mappings that include a subset of the profile mapping object's properties. The profile mapping object describes a mapping between an Okta user's and an app user's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). > **Note:** Same type source/target mappings aren't supported by this API. Profile mappings must either be Okta->App or App->Okta. type: object properties: id: type: string description: Unique identifier for profile mapping readOnly: true source: $ref: '#/components/schemas/ProfileMappingSource' target: $ref: '#/components/schemas/ProfileMappingTarget' _links: $ref: '#/components/schemas/LinksSelf' LoadingPageTouchPointVariant: description: | Variant for the Okta loading page. 
You can publish a theme for the Okta loading page with different combinations of assets. Variants are preset combinations of those assets. default: OKTA_DEFAULT type: string enum: - NONE - OKTA_DEFAULT x-enumDescriptions: NONE: Uses no loading page animation during the redirect OKTA_DEFAULT: Uses the default Okta loading page animation during the redirect LocationGranularity: type: string enum: - CITY - COUNTRY - LAT_LONG - SUBDIVISION LogActor: description: Describes the user, app, client, or other entity (actor) who performs an action on a target. The actor is dependent on the action that is performed. All events have actors. type: object properties: alternateId: description: Alternative ID of the actor type: string readOnly: true detailEntry: description: Further details about the actor type: object additionalProperties: true readOnly: true displayName: description: Display name of the actor type: string readOnly: true id: description: ID of the actor type: string readOnly: true type: description: Type of actor type: string readOnly: true LogAuthenticationContext: description: |- All authentication relies on validating one or more credentials that prove the authenticity of the actor's identity. Credentials are sometimes provided by the actor, as is the case with passwords, and at other times provided by a third party, and validated by the authentication provider. The authenticationContext contains metadata about how the actor is authenticated. For example, an authenticationContext for an event, where a user authenticates with Integrated Windows Authentication (IWA), looks like the following: ``` { "authenticationProvider": "ACTIVE_DIRECTORY", "authenticationStep": 0, "credentialProvider": null, "credentialType": "IWA", "externalSessionId": "102N1EKyPFERROGvK9wizMAPQ", "interface": null, "issuer": null } ``` In this case, the user enters an IWA credential to authenticate against an Active Directory instance. 
All of the user's future-generated events in this sign-in session are going to share the same `externalSessionId`. Among other operations, this response object can be used to scan for suspicious sign-in activity or perform analytics on user authentication habits (for example, how often authentication scheme X is used versus authentication scheme Y). type: object properties: authenticationProvider: $ref: '#/components/schemas/LogAuthenticationProvider' authenticationStep: description: The zero-based step number in the authentication pipeline. Currently unused and always set to `0`. type: integer readOnly: true credentialProvider: $ref: '#/components/schemas/LogCredentialProvider' credentialType: $ref: '#/components/schemas/LogCredentialType' externalSessionId: description: A proxy for the actor's [session ID](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) type: string readOnly: true interface: description: The third-party user interface that the actor authenticates through, if any. type: string readOnly: true issuer: $ref: '#/components/schemas/LogIssuer' rootSessionId: description: The root session ID for the authentication session type: string readOnly: true LogAuthenticationProvider: description: The system that proves the identity of an actor using the credentials provided to it type: string enum: - ACTIVE_DIRECTORY - FACTOR_PROVIDER - FEDERATION - LDAP - OKTA_AUTHENTICATION_PROVIDER - SOCIAL LogClient: description: When an event is triggered by an HTTP request, the `client` object describes the [client](https://datatracker.ietf.org/doc/html/rfc2616) that issues the HTTP request. For instance, the web browser is the client when a user accesses Okta. When this request is received and processed, a sign-in event is fired. When the event isn't sourced to an HTTP request, such as an automatic update, the `client` object field is blank. 
type: object properties: device: description: Type of device that the client operates from (for example, computer) type: string readOnly: true geographicalContext: $ref: '#/components/schemas/LogGeographicalContext' id: description: For OAuth requests, this is the ID of the OAuth [client](https://datatracker.ietf.org/doc/html/rfc6749#section-1.1) making the request. For SSWS token requests, this is the ID of the agent making the request. type: string readOnly: true ipAddress: description: IP address that the client is making its request from type: string readOnly: true userAgent: $ref: '#/components/schemas/LogUserAgent' zone: description: The `name` of the [Zone](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/NetworkZone/#tag/NetworkZone/operation/getNetworkZone) that the client's location is mapped to type: string readOnly: true LogCredentialProvider: description: A credential provider is a software service that manages identities and their associated credentials. When authentication occurs through credentials provided by a credential provider, the credential provider is recorded here. type: string enum: - DUO - GOOGLE - OKTA_AUTHENTICATION_PROVIDER - OKTA_CREDENTIAL_PROVIDER - RSA - SYMANTEC - YUBIKEY LogCredentialType: description: The underlying technology/scheme used in the credential type: string enum: - ASSERTION - CERTIFICATE - DEVICE_UDID - EMAIL - IWA - JWT - OAuth 2.0 - OKTA_CLIENT_SESSION - OTP - PASSWORD - PRE_SHARED_SYMMETRIC_KEY - SMS LogDebugContext: description: |- For some kinds of events (for example, OLM provisioning, sign-in request, second factor SMS, and so on), the fields that are provided in other response objects aren't sufficient to adequately describe the operations that the event has performed. In such cases, the `debugContext` object provides a way to store additional information. 
For example, an event where a second factor SMS token is sent to a user may have a `debugContext` that looks like the following: ``` { "debugData": { "requestUri": "/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify", "smsProvider": "TELESIGN", "transactionId": "268632458E3C100F5F5F594C6DC689D4" } } ``` By inspecting the debugData field, you can find the URI that is used to trigger the second factor SMS (`/api/v1/users/00u3gjksoiRGRAZHLSYV/factors/smsf8luacpZJAva10x45/verify`), the SMS provider (`TELESIGN`), and the ID used by Telesign to identify this transaction (`268632458E3C100F5F5F594C6DC689D4`). If for some reason the information that is needed to implement a feature isn't provided in other response objects, you should scan the `debugContext.debugData` field for potentially useful fields. > **Important:** The information contained in `debugContext.debugData` is intended to add context when troubleshooting customer platform issues. Both key names and values may change from release to release and aren't guaranteed to be stable. Therefore, they shouldn't be viewed as a data contract but as a debugging aid instead. type: object properties: debugData: type: object description: A dynamic field that contains miscellaneous information that is dependent on the event type. additionalProperties: true readOnly: true LogDevice: description: The entity that describes a device enrolled with passwordless authentication using Okta Verify. 
example: LogDeviceObject: $ref: '#/components/examples/LogDeviceObject' type: object properties: device_integrator: description: The integration platform or software used with the device type: object readOnly: true disk_encryption_type: $ref: '#/components/schemas/LogDiskEncryptionType' id: description: ID of the device type: string readOnly: true jailbreak: description: If the device has removed software restrictions type: boolean readOnly: true managed: description: Indicates if the device is configured for device management and is registered with Okta type: boolean readOnly: true name: type: string readOnly: true os_platform: type: string readOnly: true os_version: type: string readOnly: true registered: description: Indicates if the device is registered with an Okta org and is bound to an Okta Verify instance on the device type: boolean readOnly: true screen_lock_type: $ref: '#/components/schemas/LogScreenLockType' secure_hardware_present: description: The availability of hardware security on the device type: boolean readOnly: true LogDiskEncryptionType: type: string enum: - ALL_INTERNAL_VALUES - FULL - NONE - SYSTEM_VOLUME - USER LogEvent: type: object properties: actor: $ref: '#/components/schemas/LogActor' authenticationContext: $ref: '#/components/schemas/LogAuthenticationContext' client: $ref: '#/components/schemas/LogClient' debugContext: $ref: '#/components/schemas/LogDebugContext' displayMessage: description: The display message for an event type: string readOnly: true eventType: description: |- The published event type. Event instances are categorized by action in the event type attribute. This attribute is key to navigating the System Log through expression filters. See [Event Types catalog](https://developer.okta.com/docs/reference/api/event-types/#catalog) for a complete list of System Log event types. 
type: string readOnly: true legacyEventType: description: Associated Events API Action `objectType` attribute value type: string readOnly: true outcome: $ref: '#/components/schemas/LogOutcome' published: description: Timestamp when the event is published type: string format: date-time readOnly: true request: $ref: '#/components/schemas/LogRequest' securityContext: $ref: '#/components/schemas/LogSecurityContext' severity: $ref: '#/components/schemas/LogSeverity' target: type: array readOnly: true description: |- The entity that an actor performs an action on. Targets can be anything, such as an app user, a sign-in token, or anything else. > **Note:** When searching the target array, search for a given `type` rather than the array location. Target types, such as `User` and `AppInstance`, for a given `eventType` are not always in the same array location. items: $ref: '#/components/schemas/LogTarget' transaction: $ref: '#/components/schemas/LogTransaction' uuid: description: Unique identifier for an individual event type: string readOnly: true version: description: Versioning indicator type: string readOnly: true LogGeographicalContext: description: Geographical context describes a set of geographic coordinates. In addition to containing latitude and longitude data, the `GeographicalContext` object also contains address data of postal code-level granularity. Within the `Client` object, the geographical context refers to the physical location of the client when it sends the request that triggers this event. All `Transaction` events with `type` equal to `WEB` have a geographical context set. `Transaction` events with `type` equal to `JOB` don't have a geographical context set. The geographical context data can be missing if the geographical data for a request can't be resolved. 
type: object properties: city: description: The city that encompasses the area that contains the geolocation coordinates, if available (for example, Seattle, San Francisco) type: string readOnly: true country: description: Full name of the country that encompasses the area that contains the geolocation coordinates (for example, France, Uganda) type: string readOnly: true geolocation: $ref: '#/components/schemas/LogGeolocation' postalCode: description: Postal code of the area that encompasses the geolocation coordinates type: string readOnly: true state: description: Full name of the state or province that encompasses the area that contains the geolocation coordinates (for example, Montana, Ontario) type: string readOnly: true LogGeolocation: description: The latitude and longitude of the geolocation where an action was performed. The object is formatted according to the [ISO 6709](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en) standard. type: object properties: lat: description: Latitude which uses two digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Latitude) type: number format: double readOnly: true lon: description: Longitude which uses three digits for the [integer part](https://www.iso.org/obp/ui/fr/#iso:std:iso:6709:ed-3:v1:en#Longitude) type: number format: double readOnly: true LogIpAddress: type: object properties: geographicalContext: $ref: '#/components/schemas/LogGeographicalContext' ip: description: IP address type: string readOnly: true source: description: Details regarding the source type: string readOnly: true version: description: IP address version type: string readOnly: true LogIssuer: description: Describes the issuer of the authorization server when the authentication is performed through OAuth. This is the location where well-known resources regarding the details of the authorization servers are published. 
type: object properties: id: description: Varies depending on the type of authentication. If authentication is SAML 2.0, `id` is the issuer in the SAML assertion. For social login, `id` is the issuer of the token. type: string readOnly: true type: description: Information on the `issuer` and source of the SAML assertion or token type: string readOnly: true LogOutcome: type: object properties: reason: description: Reason for the result, for example, `INVALID_CREDENTIALS` type: string readOnly: true minLength: 1 maxLength: 255 result: description: Result of the action type: string readOnly: true enum: - SUCCESS - FAILURE - SKIPPED - ALLOW - DENY - CHALLENGE - UNKNOWN - RATE_LIMIT - DEFERRED - SCHEDULED - ABANDONED - UNANSWERED LogRequest: description: The `Request` object describes details that are related to the HTTP request that triggers this event, if available. When the event isn't sourced to an HTTP request, such as an automatic update on the Okta servers, the `Request` object still exists, but the `ipChain` field is empty. type: object properties: ipChain: description: If the incoming request passes through any proxies, the IP addresses of those proxies are stored here in the format of clientIp, proxy1, proxy2, and so on. This field is useful when working with trusted proxies. type: array readOnly: true items: $ref: '#/components/schemas/LogIpAddress' LogScreenLockType: type: string enum: - BIOMETRIC - NONE - PASSCODE LogSecurityContext: description: The `securityContext` object provides security information that is directly related to the evaluation of the event's IP reputation. IP reputation is a trustworthiness rating that evaluates how likely a sender is to be malicious and is based on the sender's IP address. As the name implies, the `securityContext` object is useful for security applications (flagging and inspecting suspicious events). 
type: object properties: asNumber: description: The [Autonomous system](https://docs.telemetry.mozilla.org/datasets/other/asn_aggregates/reference) number that's associated with the autonomous system the event request was sourced to type: integer readOnly: true nullable: true asOrg: description: The organization that is associated with the autonomous system that the event request is sourced to type: string readOnly: true nullable: true domain: description: The domain name that's associated with the IP address of the inbound event request type: string readOnly: true nullable: true isp: description: The Internet service provider that's used to send the event's request type: string readOnly: true nullable: true isProxy: description: Specifies whether an event's request is from a known proxy type: boolean readOnly: true nullable: true userBehaviors: description: The result of the user behavior detection models associated with the event type: array readOnly: true nullable: true LogSeverity: description: Indicates how severe the event is type: string enum: - DEBUG - ERROR - INFO - WARN LogStream: type: object properties: created: type: string format: date-time description: Timestamp when the log stream object was created readOnly: true example: '2022-10-21T16:59:59.000Z' id: type: string description: Unique identifier for the log stream readOnly: true example: 0oa1orzg0CHSgPcjZ0g4 lastUpdated: type: string format: date-time description: Timestamp when the log stream object was last updated readOnly: true example: '2022-10-21T17:15:10.000Z' name: $ref: '#/components/schemas/LogStreamName' status: type: string description: Lifecycle status of the log stream object enum: - ACTIVE - INACTIVE readOnly: true type: $ref: '#/components/schemas/LogStreamType' _links: $ref: '#/components/schemas/LogStreamLinksSelfAndLifecycle' required: - created - id - lastUpdated - name - status - type - _links discriminator: propertyName: type mapping: aws_eventbridge: 
'#/components/schemas/LogStreamAws' splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunk' LogStreamActivateLink: allOf: - $ref: '#/components/schemas/LogStreamLinkObject' - description: Link to activate the resource LogStreamAws: allOf: - $ref: '#/components/schemas/LogStream' - type: object properties: settings: $ref: '#/components/schemas/LogStreamSettingsAws' required: - settings LogStreamAwsPutSchema: allOf: - $ref: '#/components/schemas/LogStreamPutSchema' - type: object properties: settings: $ref: '#/components/schemas/LogStreamSettingsAws' required: - settings LogStreamDeactivateLink: allOf: - $ref: '#/components/schemas/LogStreamLinkObject' - description: Link to deactivate the resource LogStreamLinkObject: title: Log stream link object type: object properties: href: type: string description: The URI of the resource method: type: string description: HTTP method allowed for the resource enum: - GET - POST required: - href readOnly: true LogStreamLinksSelfAndLifecycle: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
type: object properties: activate: $ref: '#/components/schemas/LogStreamActivateLink' deactivate: $ref: '#/components/schemas/LogStreamDeactivateLink' self: $ref: '#/components/schemas/LogStreamSelfLink' required: - self readOnly: true LogStreamName: description: Unique name for the log stream object example: My AWS EventBridge log stream type: string LogStreamPutSchema: type: object properties: name: $ref: '#/components/schemas/LogStreamName' type: $ref: '#/components/schemas/LogStreamType' required: - name - type discriminator: propertyName: type mapping: aws_eventbridge: '#/components/schemas/LogStreamAwsPutSchema' splunk_cloud_logstreaming: '#/components/schemas/LogStreamSplunkPutSchema' LogStreamSchema: type: object properties: $schema: type: string readOnly: true description: JSON schema version identifier errorMessage: type: object description: A collection of error messages for individual properties in the schema. Okta implements a subset of [ajv-errors](https://github.com/ajv-validator/ajv-errors). id: type: string readOnly: true description: URI of log stream schema oneOf: items: $ref: '#/components/schemas/UserSchemaAttributeEnum' type: array nullable: true description: |- Non-empty array of valid JSON schemas. Okta only supports `oneOf` for specifying display names for an `enum`. 
Each schema has the following format: ``` { "const": "enumValue", "title": "display name" } ``` pattern: type: string description: For `string` log stream schema property type, specifies the regular expression used to validate the property properties: type: object description: log stream schema properties object required: type: array items: type: string description: Required properties for this log stream schema object title: type: string description: Name of the log streaming integration type: type: string readOnly: true description: Type of log stream schema property _links: $ref: '#/components/schemas/LinksSelf' LogStreamSelfLink: allOf: - $ref: '#/components/schemas/LogStreamLinkObject' - description: Link to the resource (self) LogStreamSettingsAws: description: Specifies the configuration for the `aws_eventbridge` log stream type. This configuration can't be modified after creation. type: object properties: accountId: $ref: '#/components/schemas/AwsAccountId' eventSourceName: $ref: '#/components/schemas/AwsEventSourceName' region: $ref: '#/components/schemas/AwsRegion' required: - accountId - eventSourceName - region LogStreamSettingsSplunk: description: Specifies the configuration for the `splunk_cloud_logstreaming` log stream type. type: object properties: edition: $ref: '#/components/schemas/SplunkEdition' host: $ref: '#/components/schemas/SplunkHost' token: $ref: '#/components/schemas/SplunkToken' required: - edition - host - token LogStreamSettingsSplunkPut: description: Specifies the configuration for the `splunk_cloud_logstreaming` log stream type. 
type: object properties: edition: $ref: '#/components/schemas/SplunkEdition' host: $ref: '#/components/schemas/SplunkHost' required: - edition - host LogStreamSplunk: allOf: - $ref: '#/components/schemas/LogStream' - type: object properties: settings: $ref: '#/components/schemas/LogStreamSettingsSplunk' required: - settings LogStreamSplunkPutSchema: allOf: - $ref: '#/components/schemas/LogStreamPutSchema' - type: object properties: settings: $ref: '#/components/schemas/LogStreamSettingsSplunkPut' required: - settings LogStreamType: description: |- Specifies the streaming provider used Supported providers: * `aws_eventbridge` ([AWS EventBridge](https://aws.amazon.com/eventbridge)) * `splunk_cloud_logstreaming` ([Splunk Cloud](https://www.splunk.com/en_us/software/splunk-cloud-platform.html)) Select the provider type to see provider-specific configurations in the `settings` property: type: string enum: - aws_eventbridge - splunk_cloud_logstreaming LogTarget: type: object properties: alternateId: type: string description: The alternate ID of the target readOnly: true changeDetails: type: object example: LogTargetChangeDetails: $ref: '#/components/examples/LogTargetChangeDetails' description: |- Details on the target's changes. Not all event types support the `changeDetails` property, and not all `target` objects contain the `changeDetails` property. > **Note:** You can't run queries on `changeDetails` or the object's `to` or `from` properties. 
properties: from: type: object description: The original properties of the target additionalProperties: true to: type: object description: The updated properties of the target additionalProperties: true detailEntry: type: object description: Further details on the target additionalProperties: true readOnly: true displayName: type: string description: The display name of the target readOnly: true id: type: string description: The ID of the target readOnly: true type: type: string description: The type of target readOnly: true LogTransaction: description: |- A `transaction` object comprises contextual information associated with its respective event. This information is useful for understanding sequences of correlated events. For example, a `transaction` object such as the following: ``` { "id": "Wn4f-0RQ8D8lTSLkAmkKdQAADqo", "type": "WEB", "detail": null } ``` indicates that a `WEB` request with `id` `Wn4f-0RQ8D8lTSLkAmkKdQAADqo` has created this event. A `transaction` object with a `requestApiTokenId` in the `detail` object, for example: ``` { "id": "YjSlblAAqnKY7CdyCkXNBgAAAIU", "type": "WEB", "detail": { "requestApiTokenId": "00T94e3cn9kSEO3c51s5" } } ``` indicates that this event was the result of an action performed through an API using the token identified by `00T94e3cn9kSEO3c51s5`. The token ID is visible in the Admin Console, **Security** > **API**. See [API token management](https://help.okta.com/okta_help.htm?id=Security_API). For more information on API tokens, see [Create an API token](https://developer.okta.com/docs/guides/create-an-api-token/). type: object properties: detail: description: Details for this transaction. type: object additionalProperties: true readOnly: true id: description: Unique identifier for this transaction. type: string readOnly: true type: description: Describes the kind of transaction. `WEB` indicates a web request. `JOB` indicates an asynchronous task. 
type: string readOnly: true LogUserAgent: description: | "A user agent is software (a software agent) that is acting on behalf of a user." ([Definition of User Agent](https://developer.mozilla.org/en-US/docs/Glossary/User_agent)) In the Okta event data object, the `UserAgent` object provides specifications about the client software that makes event-triggering HTTP requests. User agent identification is often useful for identifying interoperability problems between servers and clients, and also for browser and operating system usage analytics. type: object properties: browser: description: If the client is a web browser, this field identifies the type of web browser (for example, CHROME, FIREFOX) type: string readOnly: true os: description: The operating system that the client runs on (for example, Windows 10) type: string readOnly: true rawUserAgent: description: A raw string representation of the user agent that is formatted according to [section 5.5.3 of HTTP/1.1 Semantics and Content](https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.3). Both the `browser` and the `OS` fields can be derived from this field. 
type: string readOnly: true MDMEnrollmentPolicyEnrollment: type: string enum: - ANY_OR_NONE - OMM MDMEnrollmentPolicyRuleCondition: type: object properties: blockNonSafeAndroid: type: boolean enrollment: $ref: '#/components/schemas/MDMEnrollmentPolicyEnrollment' ManagedConnection: oneOf: - $ref: '#/components/schemas/IdentityAssertionAppInstanceConnection' - $ref: '#/components/schemas/IdentityAssertionCustomASConnection' - $ref: '#/components/schemas/STSVaultSecretConnection' - $ref: '#/components/schemas/STSServiceAccountConnection' type: object discriminator: propertyName: connectionType mapping: IDENTITY_ASSERTION_APP_INSTANCE: '#/components/schemas/IdentityAssertionAppInstanceConnection' IDENTITY_ASSERTION_CUSTOM_AS: '#/components/schemas/IdentityAssertionCustomASConnection' STS_VAULT_SECRET: '#/components/schemas/STSVaultSecretConnection' STS_SERVICE_ACCOUNT: '#/components/schemas/STSServiceAccountConnection' ManagedConnectionAppInstance: description: App instance for the managed connection type: object properties: logo: type: string description: Image URL for the app logo name: type: string description: Display name of the app orn: $ref: '#/components/schemas/AppInstanceOrn' _links: type: object required: - self properties: self: $ref: '#/components/schemas/HrefObject' description: Link to the app instance via the Okta API web: $ref: '#/components/schemas/HrefObject' description: Link to the app instance in the Okta UI (HTML) required: - orn - name - _links ManagedConnectionCreatable: description: Create a new connection oneOf: - $ref: '#/components/schemas/IdentityAssertionAppInstanceConnectionCreatable' - $ref: '#/components/schemas/IdentityAssertionCustomASConnectionCreatable' - $ref: '#/components/schemas/STSVaultSecretConnectionCreatable' - $ref: '#/components/schemas/STSServiceAccountConnectionCreatable' type: object discriminator: propertyName: connectionType mapping: IDENTITY_ASSERTION_APP_INSTANCE: 
'#/components/schemas/IdentityAssertionAppInstanceConnectionCreatable' IDENTITY_ASSERTION_CUSTOM_AS: '#/components/schemas/IdentityAssertionCustomASConnectionCreatable' STS_VAULT_SECRET: '#/components/schemas/STSVaultSecretConnectionCreatable' STS_SERVICE_ACCOUNT: '#/components/schemas/STSServiceAccountConnectionCreatable' ManagedConnectionId: description: Unique identifier for the managed connection. Only present for managed connections. type: string ManagedConnectionList: type: object properties: data: description: All connections the agent has established type: array items: $ref: '#/components/schemas/ManagedConnection' _links: type: object description: Links available in managed list response required: - self allOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksNext' required: - data - _links ManagedConnectionOrn: description: The [ORN](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn) of the managed connection type: string ManagedConnectionPatchable: description: |- Update an existing managed connection. All fields are optional for partial updates. **Field Applicability by Connection Type:** - `resourceIndicator`: Valid for IDENTITY_ASSERTION_APP_INSTANCE, IDENTITY_ASSERTION_CUSTOM_AS, STS_SERVICE_ACCOUNT, and STS_VAULT_SECRET. Set to `null` to reset to the default value (the resource's ORN). - `scopeCondition` and `scopes`: Only valid for IDENTITY_ASSERTION_APP_INSTANCE and IDENTITY_ASSERTION_CUSTOM_AS connections. The server returns a validation error if these fields are sent for STS connection types. **Validation:** - If `scopeCondition` is provided, `scopes` must also be provided, and vice versa. - For STS_VAULT_SECRET and STS_SERVICE_ACCOUNT connection types, only `resourceIndicator` can be updated. 
type: object properties: resourceIndicator: $ref: '#/components/schemas/ManagedConnectionPatchableResourceIndicator' scopeCondition: $ref: '#/components/schemas/ManagedConnectionPatchableScopeCondition' scopes: $ref: '#/components/schemas/ManagedConnectionPatchableScopes' ManagedConnectionPatchableResourceIndicator: format: uri nullable: true description: Resource indicator used when requesting tokens. Set to `null` to reset to the default value based on the connection type (app instance ORN, authorization server ORN, secret ORN, or service account ORN). type: string ManagedConnectionPatchableScopeCondition: nullable: true description: |- Determines how Okta evaluates requested scopes for the connection. **Restrictions:** - Only valid for IDENTITY_ASSERTION_APP_INSTANCE and IDENTITY_ASSERTION_CUSTOM_AS connection types - Must be provided together with `scopes` - Returns a 400 error if sent for STS_VAULT_SECRET or STS_SERVICE_ACCOUNT connection types type: string enum: - ALL_SCOPES - EXCLUDE - INCLUDE_ONLY ManagedConnectionPatchableScopes: nullable: true description: |- Array of scopes for the connection. For `ALL_SCOPES`, this array must contain a single value of `*`. For `INCLUDE_ONLY`, only these scopes are allowed. For `EXCLUDE`, all scopes except these are allowed. **Restrictions:** - Only valid for IDENTITY_ASSERTION_APP_INSTANCE and IDENTITY_ASSERTION_CUSTOM_AS connection types - Must be provided together with `scopeCondition` - Returns a 400 error if sent for STS_VAULT_SECRET or STS_SERVICE_ACCOUNT connection types minItems: 1 items: type: string type: array ManagedConnectionResourceIndicator: format: uri description: Resource indicator used when requesting tokens. 
type: string ManagedConnectionServiceAccount: description: Service account for the managed connection type: object properties: name: type: string description: Display name of the service account orn: $ref: '#/components/schemas/ServiceAccountOrn' _links: type: object required: - self properties: self: $ref: '#/components/schemas/HrefObject' description: Link to the service account via the Okta API web: $ref: '#/components/schemas/HrefObject' description: Link to the service account in the Okta UI (HTML) required: - orn - name - _links ManagedConnectionStatus: description: The status of the connection type: string enum: - ACTIVE - INACTIVE x-enumDescriptions: ACTIVE: The agent connection is active INACTIVE: The agent connection is inactive ManagedConnectionVaultedSecret: description: Secret for the managed connection type: object properties: description: type: string description: Optional description of the secret name: type: string description: Display name of the secret orn: $ref: '#/components/schemas/VaultedSecretOrn' path: type: string description: Secret path in Okta Privileged Access (OPA) _links: type: object required: - self properties: self: $ref: '#/components/schemas/HrefObject' description: Link to the vaulted secret via the Okta API web: $ref: '#/components/schemas/HrefObject' description: Link to the vaulted secret in the Okta UI (HTML) required: - orn - name - _links MembershipRequestSchema: type: object properties: memberExternalId: type: string description: The external ID of the user to be added as a member of the group in Okta maxLength: 255 MetadataLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the [SAML metadata](/openapi/okta-management/management/tag/ApplicationSSO/#tag/ApplicationSSO/operation/previewSAMLmetadataForApplication) for SSO MtlsCredentials: description: Certificate chain description for verifying assertions from the Smart Card type: object properties: trust: $ref: 
'#/components/schemas/MtlsTrustCredentials' MtlsEndpoints: type: object properties: sso: $ref: '#/components/schemas/MtlsSsoEndpoint' MtlsSsoEndpoint: description: The Single Sign-On (SSO) endpoint is the IdP's `SingleSignOnService` endpoint type: object properties: url: type: string maxLength: 1014 example: https://{yourOktaDomain}.okta.com/login/cert MtlsTrustCredentials: type: object properties: audience: type: string description: Not used example: null issuer: type: string description: Description of the certificate issuer maxLength: 1024 example: CN=Test Smart Card, OU=Test OU, O=Test O, C=US kid: $ref: '#/components/schemas/ProtocolCredentialsKeyId' revocation: $ref: '#/components/schemas/MtlsTrustCredentialsRevocation' revocationCacheLifetime: type: number description: |- Time in minutes to cache the certificate revocation information > **Note:** This property isn't supported. Okta now handles CRL caching automatically. As of October 8, 2025, in Preview orgs, and October 13, 2025, in Production orgs, this property is ignored if it's specified in any API requests. Specifying this property in your API requests doesn't cause errors since the property has no effect. > > See [Deprecation Notice - Smart Card IdP Legacy CRL Cache Setting](https://support.okta.com/help/s/article/deprecation-notice-smart-card-idp-legacy-crl-cache-setting?language=en_US). deprecated: true maximum: 4320 example: 2880 MtlsTrustCredentialsRevocation: description: |- Mechanism to validate the certificate > **Note:** This property isn't supported. Okta now handles CRL caching automatically. As of October 8, 2025, in Preview orgs, and October 13, 2025, in Production orgs, this property is ignored if it's specified in any API requests. Specifying the property in your API requests doesn't cause any errors since the property has no effect. 
> > See [Deprecation Notice - Smart Card IdP Legacy CRL Cache Setting](https://support.okta.com/help/s/article/deprecation-notice-smart-card-idp-legacy-crl-cache-setting?language=en_US). deprecated: true example: CRL type: string enum: - CRL - DELTA_CRL - OCSP NetworkZone: type: object properties: created: type: string format: date-time description: Timestamp when the object was created readOnly: true id: type: string description: Unique identifier for the Network Zone readOnly: true lastUpdated: type: string format: date-time description: Timestamp when the object was last modified readOnly: true name: type: string description: Unique name for this Network Zone maxLength: 128 status: $ref: '#/components/schemas/NetworkZoneStatus' system: type: boolean readOnly: true description: | Indicates a system Network Zone: * `true` for system Network Zones * `false` for custom Network Zones The Okta org provides the following default system Network Zones: * `LegacyIpZone` * `BlockedIpZone` * `DefaultEnhancedDynamicZone` * `DefaultExemptIpZone` Admins can modify the name of the default system Network Zone and add up to 5000 gateway or proxy IP entries. type: $ref: '#/components/schemas/NetworkZoneType' usage: $ref: '#/components/schemas/NetworkZoneUsage' _links: $ref: '#/components/schemas/LinksSelfAndLifecycle' required: - name - type discriminator: propertyName: type mapping: IP: '#/components/schemas/IPNetworkZone' DYNAMIC: '#/components/schemas/DynamicNetworkZone' DYNAMIC_V2: '#/components/schemas/EnhancedDynamicNetworkZone' UNKNOWN: '#/components/schemas/NetworkZone' NetworkZoneAddress: description: Specifies the value of an IP address expressed using either `range` or `CIDR` form. 
type: object properties: type: $ref: '#/components/schemas/NetworkZoneAddressType' value: type: string description: Value in CIDR/range form, depending on the `type` specified NetworkZoneAddressType: description: Format of the IP addresses type: string enum: - CIDR - RANGE NetworkZoneAsns: items: type: string maximum: 75 type: array NetworkZoneLocation: type: object properties: country: type: string description: |- The two-character ISO 3166-1 country code. Don't use continent codes since they are treated as generic codes for undesignated countries. <br>For example: `US` maxLength: 2 minLength: 2 region: type: string description: |- (Optional) The ISO 3166-2 region code appended to the country code (`countryCode-regionCode`), or `null` if empty. Don't use continent codes since they are treated as generic codes for undesignated regions. <br>For example: `CA` (for `US-CA` country and region code) NetworkZoneLocationArray: items: $ref: '#/components/schemas/NetworkZoneLocation' maximum: 75 nullable: true type: array NetworkZoneStatus: description: Network Zone status type: string enum: - ACTIVE - INACTIVE NetworkZoneType: description: The type of Network Zone type: string enum: - DYNAMIC - IP - DYNAMIC_V2 - UNKNOWN NetworkZoneUsage: description: The usage of the Network Zone type: string enum: - BLOCKLIST - POLICY NotificationType: description: The type of notification type: string enum: - AD_AGENT - AGENT_AUTO_UPDATE_NOTIFICATION - AGENT_AUTO_UPDATE_NOTIFICATION_LDAP - APP_IMPORT - CONNECTOR_AGENT - IWA_AGENT - LDAP_AGENT - OKTA_ANNOUNCEMENT - OKTA_UPDATE - RATELIMIT_NOTIFICATION - REPORT_SUSPICIOUS_ACTIVITY - USER_DEPROVISION - USER_LOCKED_OUT x-enumDescriptions: AD_AGENT: System notification sent when an AD agent disconnects or reconnects AGENT_AUTO_UPDATE_NOTIFICATION: System notification sent when an agent automatically updates APP_IMPORT: System notification sent with the status of an app user import CONNECTOR_AGENT: System notification sent when an on-premises 
provisioning or Okta on-prem MFA agent disconnects or reconnects IWA_AGENT: System notification sent when an IWA agent disconnects or reconnects LDAP_AGENT: System notification sent when an LDAP agent disconnects or reconnects OKTA_ANNOUNCEMENT: Okta communication sent for announcements and release notes OKTA_UPDATE: Okta communication sent for scheduled system updates RATELIMIT_NOTIFICATION: System notification sent when an org reaches rate limit warning or violation thresholds REPORT_SUSPICIOUS_ACTIVITY: System notification sent when a user reports suspicious activity USER_DEPROVISION: System notification sent when a user is deprovisioned from apps USER_LOCKED_OUT: System notification sent when a user is locked out from logging in to Okta NumberFactorChallengeEmbeddedLinks: description: Contains the `challenge` and `correctAnswer` objects for `push` factors that use a number matching challenge x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] type: object properties: challenge: type: object description: Number matching challenge for a `push` factor properties: correctAnswer: description: The correct answer for a `push` factor that uses a number matching challenge type: integer example: 72 nullable: true OAuth2Actor: description: User that created the object type: object properties: id: type: string description: User ID readOnly: true example: 00u5t60iloOHN9pBi0h7 type: type: string description: Type of user example: User readOnly: true OAuth2Claim: type: object properties: alwaysIncludeInToken: type: boolean description: Specifies whether to include Claims in the token. The value is always `TRUE` for access token Claims. If the value is set to `FALSE` for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the `authorization_code`. The client instead uses the access token to get Claims from the `/userinfo` endpoint. 
claimType: $ref: '#/components/schemas/OAuth2ClaimType' conditions: $ref: '#/components/schemas/OAuth2ClaimConditions' group_filter_type: $ref: '#/components/schemas/OAuth2ClaimGroupFilterType' id: type: string description: ID of the Claim readOnly: true name: type: string description: Name of the Claim status: $ref: '#/components/schemas/LifecycleStatus' system: description: When `true`, indicates that Okta created the Claim type: boolean value: description: Specifies the value of the Claim. This value must be a string literal if `valueType` is `GROUPS`, and the string literal is matched with the selected `group_filter_type`. The value must be an Okta EL expression if `valueType` is `EXPRESSION`. type: string valueType: $ref: '#/components/schemas/OAuth2ClaimValueType' _links: $ref: '#/components/schemas/LinksSelf' OAuth2ClaimConditions: description: Specifies the scopes for the Claim type: object properties: scopes: type: array items: type: string OAuth2ClaimGroupFilterType: description: |- Specifies the type of group filter if `valueType` is `GROUPS` If `valueType` is `GROUPS`, then the groups returned are filtered according to the value of `group_filter_type`. If you have complex filters for Groups, you can [create a Groups allowlist](https://developer.okta.com/docs/guides/customize-tokens-groups-claim/main/) to put them all in a Claim. type: string enum: - CONTAINS - EQUALS - REGEX - STARTS_WITH x-enumDescriptions: STARTS_WITH: Group names start with `value` (not case-sensitive). For example, if `value` is `group1`, then `group123` and `Group123` are included. EQUALS: Group name is the same as `value` (not case-sensitive). For example, if `value` is `group1`, then `group1` and `Group1` are included, but `group123` isn't. CONTAINS: Group names contain `value` (not case-sensitive). For example, if `value` is `group1`, then `MyGroup123` and `group1` are included. REGEX: Group names match the regular expression in `value` (case-sensitive). 
For example, if `value` is `/^[a-z0-9_-]{3,16}$/`, then any Group name that is 3 to 16 characters long and contains only lowercase letters, numbers, underscores, or hyphens is a match. OAuth2ClaimType: description: Specifies whether the Claim is for an access token (`RESOURCE`) or an ID token (`IDENTITY`) type: string enum: - IDENTITY - RESOURCE OAuth2ClaimValueType: description: Specifies whether the Claim is an Okta Expression Language (EL) expression (`EXPRESSION`), a set of groups (`GROUPS`), or a system claim (`SYSTEM`) type: string enum: - EXPRESSION - GROUPS - SYSTEM OAuth2Client: type: object properties: client_id: description: Unique key for the client application. The `client_id` is immutable. type: string readOnly: true example: 0oabskvc6442nkvQO0h7 client_name: description: Human-readable string name of the client application type: string readOnly: true example: My App client_uri: type: string readOnly: true example: https://www.example.com logo_uri: description: URL string that references a logo for the client consent dialog (not the sign-in dialog) type: string readOnly: true example: https://www.example.com/logo.png _links: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: grants: description: Link to the grant resources allOf: - $ref: '#/components/schemas/GrantResourcesHrefObject' tokens: description: Link to the token resources allOf: - $ref: '#/components/schemas/TokenResourcesHrefObject' OAuth2ClientJsonEncryptionKeyRequest: title: Encryption Key allOf: - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta uses an encryption key to encrypt an ID token JWT minted by the org authorization server or custom authorization server. Okta supports only RSA keys for encrypting tokens. 
x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true type: object properties: e: type: string description: RSA key value (exponent) for key binding example: AQAB nullable: false kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false enum: - RSA 'n': type: string description: RSA key value (modulus) for key binding example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: false use: type: string description: Acceptable use of the JSON Web Key example: enc nullable: false enum: - enc OAuth2ClientJsonEncryptionKeyResponse: title: Encryption Key allOf: - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyRequestBase' - $ref: '#/components/schemas/OAuth2ClientJsonWebKeyResponseBase' description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta uses an encryption key to encrypt an ID token JWT minted by the org authorization server or custom authorization server. Okta supports only RSA keys for encrypting tokens. 
x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true type: object properties: e: type: string description: RSA key value (exponent) for key binding example: AQAB nullable: false kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false enum: - RSA 'n': type: string description: RSA key value (modulus) for key binding example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: false use: type: string description: Acceptable use of the JSON Web Key example: enc nullable: false enum: - enc OAuth2ClientJsonSigningKeyRequest: title: Signing Key description: A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta uses signing keys to verify the signature of a JWT when provided for the `private_key_jwt` client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys for signing tokens. 
type: object properties: kid: type: string description: Unique identifier of the JSON Web Key in the OAuth 2.0 client's JWKS example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 nullable: true status: type: string enum: ['ACTIVE', 'INACTIVE'] description: Status of the OAuth 2.0 client JSON Web Key example: ACTIVE nullable: false default: ACTIVE kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false enum: - RSA - EC alg: type: string description: Algorithm used in the key example: RS256 nullable: false use: type: string description: Acceptable use of the JSON Web Key example: sig nullable: false enum: - sig discriminator: propertyName: kty mapping: RSA: '#/components/schemas/OAuth2ClientJsonWebKeyRsaRequest' EC: '#/components/schemas/OAuth2ClientJsonWebKeyECRequest' required: - kty - alg - use OAuth2ClientJsonSigningKeyResponse: title: Signing Key description: A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta uses signing keys to verify the signature of a JWT when provided for the `private_key_jwt` client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys for signing tokens. 
type: object properties: id: type: string description: The unique ID of the OAuth Client JSON Web Key example: pks2f4zrZbs8nUa7p0g4 readOnly: true nullable: false created: type: string description: Timestamp when the OAuth 2.0 client JSON Web Key was created example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false lastUpdated: type: string description: Timestamp when the OAuth 2.0 client JSON Web Key was updated example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false _links: $ref: '#/components/schemas/OAuthClientSecretLinks' readOnly: true nullable: false kid: type: string description: Unique identifier of the JSON Web Key in the OAuth 2.0 client's JWKS example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 nullable: true status: type: string enum: ['ACTIVE', 'INACTIVE'] description: Status of the OAuth 2.0 client JSON Web Key example: ACTIVE nullable: false kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false enum: - RSA - EC alg: type: string description: Algorithm used in the key example: RS256 nullable: false use: type: string description: Acceptable use of the JSON Web Key example: sig nullable: false enum: - sig discriminator: propertyName: kty mapping: RSA: '#/components/schemas/OAuth2ClientJsonWebKeyRsaResponse' EC: '#/components/schemas/OAuth2ClientJsonWebKeyECResponse' required: - id - created - lastUpdated - kty - alg - use OAuth2ClientJsonWebKeyECRequest: title: EC Signing Key description: An EC signing key allOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyRequest' - type: object properties: kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: EC nullable: false enum: - EC x: type: string description: The public x coordinate for the elliptic curve point nullable: false y: type: string description: The public y coordinate for the elliptic curve point nullable: false crv: type: string description: The 
cryptographic curve used with the key example: P-256 nullable: false enum: - P-256 - P-384 - P-521 required: - x - y - crv OAuth2ClientJsonWebKeyECResponse: title: EC Signing Key description: An EC signing key allOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' - type: object properties: x: type: string description: The public x coordinate for the elliptic curve point y: type: string description: The public y coordinate for the elliptic curve point crv: type: string description: The cryptographic curve used with the key example: P-256 nullable: false enum: - P-256 - P-384 - P-521 required: - x - y - crv OAuth2ClientJsonWebKeyRequestBase: type: object properties: kid: type: string description: Unique identifier of the JSON Web Key in the OAuth 2.0 client's JWKS example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 nullable: true status: type: string enum: - ACTIVE - INACTIVE description: Status of the OAuth 2.0 client JSON Web Key example: ACTIVE nullable: false default: ACTIVE OAuth2ClientJsonWebKeyRequestBody: type: object properties: alg: type: string description: Algorithm used in the key example: RS256 nullable: false e: type: string description: RSA key value (exponent) for key binding example: AQAB nullable: false kid: type: string description: Unique identifier of the JSON Web Key in the OAuth 2.0 Client's JWKS example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 nullable: true kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false 'n': type: string description: RSA key value (modulus) for key binding example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: false status: 
type: string enum: - ACTIVE - INACTIVE description: Status of the OAuth 2.0 Client JSON Web Key example: ACTIVE use: type: string description: Acceptable use of the JSON Web Key example: sig nullable: false OAuth2ClientJsonWebKeyResponseBase: type: object properties: created: type: string description: Timestamp when the OAuth 2.0 client JSON Web Key was created example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false id: type: string description: The unique ID of the OAuth Client JSON Web Key example: pks2f4zrZbs8nUa7p0g4 readOnly: true nullable: false lastUpdated: type: string description: Timestamp when the OAuth 2.0 client JSON Web Key was updated example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false _links: $ref: '#/components/schemas/OAuthClientSecretLinks' readOnly: true nullable: false OAuth2ClientJsonWebKeyRsaRequest: title: RSA Signing Key description: An RSA signing key allOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyRequest' type: object properties: e: type: string description: RSA key value (exponent) for key binding example: AQAB nullable: false kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false enum: - RSA n: type: string description: RSA key value (modulus) for key binding example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: false required: - e - n OAuth2ClientJsonWebKeyRsaResponse: title: RSA Signing Key description: An RSA signing key allOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' type: object properties: e: type: string description: RSA key value (exponent) for key binding example: AQAB nullable: false n: type: 
string description: RSA key value (modulus) for key binding example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: false required: - e - n OAuth2ClientSecret: type: object properties: client_secret: type: string description: The OAuth 2.0 client secret string example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B readOnly: true nullable: false created: type: string description: Timestamp when the OAuth Client 2.0 Secret was created example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false id: type: string description: The unique ID of the OAuth Client Secret example: ocs2f4zrZbs8nUa7p0g4 readOnly: true nullable: false lastUpdated: type: string description: Timestamp when the OAuth Client 2.0 Secret was updated example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false secret_hash: type: string description: OAuth 2.0 client secret string hash example: yk4SVx4sUWVJVbHt6M-UPA readOnly: true nullable: false status: type: string enum: - ACTIVE - INACTIVE description: Status of the OAuth 2.0 Client Secret example: ACTIVE nullable: false default: ACTIVE _links: $ref: '#/components/schemas/OAuthClientSecretLinks' readOnly: true nullable: false OAuth2ClientSecretRequestBody: type: object properties: client_secret: type: string description: The OAuth 2.0 client secret string example: DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B status: type: string enum: - ACTIVE - INACTIVE description: Status of the OAuth 2.0 Client Secret example: ACTIVE OAuth2RefreshToken: type: object properties: clientId: type: string description: Client ID created: $ref: '#/components/schemas/createdProperty' expiresAt: type: string description: Expiration time of the OAuth 2.0 Token format: 
date-time readOnly: true id: type: string description: ID of the Token object readOnly: true example: oar579Mcp7OUsNTlo0g3 issuer: type: string description: The complete URL of the authorization server that issued the Token example: https://{yourOktaDomain}/oauth2/ausain6z9zIedDCxB0h7 lastUpdated: $ref: '#/components/schemas/lastUpdatedProperty' scopes: type: array description: The scope names attached to the Token items: type: string example: offline_access status: $ref: '#/components/schemas/GrantOrTokenStatus' userId: type: string description: The ID of the user associated with the Token example: 00u5t60iloOHN9pBi0h7 _embedded: type: object description: The embedded resources related to the object if the `expand` query parameter is specified properties: scopes: type: array description: The scope objects attached to the Token items: $ref: '#/components/schemas/OAuth2RefreshTokenScope' readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: app: description: Link to the app resource allOf: - $ref: '#/components/schemas/AppResourceHrefObject' revoke: description: Link to revoke the refresh Token allOf: - $ref: '#/components/schemas/RevokeRefreshTokenHrefObject' - properties: hints: properties: allow: items: enum: - DELETE default: DELETE client: description: Link to the client resource allOf: - $ref: '#/components/schemas/AppResourceHrefObject' user: description: Link to the user resource allOf: - $ref: '#/components/schemas/UserResourceHrefObject' authorizationServer: description: Link to the Token authorization server resource allOf: - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject' OAuth2RefreshTokenScope: type: object properties: description: type: string description: Description of the Scope example: Requests a refresh token by default, used to obtain more access tokens without re-prompting the user for authentication displayName: type: string description: Name of the end user displayed in a consent 
dialog id: type: string description: Scope object ID readOnly: true example: scppb56cIl4GvGxy70g3 name: type: string description: Scope name example: offline_access _links: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. type: object properties: scope: description: Link to Scope resource allOf: - $ref: '#/components/schemas/OfflineAccessScopeResourceHrefObject' OAuth2ResourceServerJsonWebKey: type: object properties: created: type: string description: Timestamp when the JSON Web Key was created example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false e: type: string description: RSA key value (exponent) for key binding example: AQAB nullable: false id: type: string description: The unique ID of the JSON Web Key example: apk2f4zrZbs8nUa7p0g4 readOnly: true nullable: false kid: type: string description: Unique identifier of the JSON Web Key in the Custom Authorization Server's Public JWKS example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 nullable: true kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false lastUpdated: type: string description: Timestamp when the JSON Web Key was updated example: '2023-02-21T20:08:24.000Z' readOnly: true nullable: false 'n': type: string description: RSA key value (modulus) for key binding example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: 
false status: type: string enum: - ACTIVE - INACTIVE description: The status of the encryption key. You can use only an `ACTIVE` key to encrypt tokens issued by the authorization server. example: ACTIVE nullable: false default: ACTIVE use: type: string description: Acceptable use of the JSON Web Key example: enc nullable: false _links: $ref: '#/components/schemas/OAuthResourceServerKeyLinks' readOnly: true nullable: false OAuth2ResourceServerJsonWebKeyRequestBody: type: object properties: e: type: string description: RSA key value (exponent) for key binding example: AQAB nullable: false kid: type: string description: Unique identifier of the JSON web key in the custom authorization server's public JWKS example: SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4 nullable: true kty: type: string description: Cryptographic algorithm family for the certificate's key pair example: RSA nullable: false 'n': type: string description: RSA key value (modulus) for key binding example: mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ nullable: false status: type: string enum: - ACTIVE - INACTIVE description: Status of the JSON Web Key example: ACTIVE use: type: string description: Acceptable use of the JSON Web Key example: enc nullable: false OAuth2Scope: type: object properties: consent: $ref: '#/components/schemas/OAuth2ScopeConsentType' default: type: boolean description: Indicates if this Scope is a default scope default: false description: type: string description: Description of the Scope displayName: type: string description: Name of the end user displayed in a consent dialog id: type: string description: Scope object ID readOnly: true metadataPublish: $ref: 
'#/components/schemas/OAuth2ScopeMetadataPublish' name: type: string description: Scope name optional: type: boolean description: Indicates whether the Scope is optional. When set to `true`, the user can skip consent for the scope. default: false system: type: boolean description: Indicates if Okta created the Scope default: false _links: $ref: '#/components/schemas/LinksSelf' required: - name OAuth2ScopeConsentGrant: description: Grant object that represents an app consent scope grant type: object properties: clientId: type: string description: Client ID of the app integration readOnly: true example: oag3ih1zrm1cBFOiq0h6 created: $ref: '#/components/schemas/createdProperty' createdBy: $ref: '#/components/schemas/OAuth2Actor' id: type: string description: ID of the Grant object readOnly: true example: oag3ih1zrm1cBFOiq0h6 issuer: type: string description: The issuer of your org authorization server. This is typically your Okta domain. example: https://my_test_okta_org.oktapreview.com lastUpdated: $ref: '#/components/schemas/lastUpdatedProperty' scopeId: type: string description: The name of the [Okta scope](https://developer.okta.com/docs/api/oauth2/#oauth-20-scopes) for which consent is granted example: okta.users.read source: $ref: '#/components/schemas/OAuth2ScopeConsentGrantSource' status: $ref: '#/components/schemas/GrantOrTokenStatus' userId: type: string description: User ID that granted consent (if `source` is `END_USER`) readOnly: true example: 00u5t60iloOHN9pBi0h7 _embedded: type: object description: Embedded resources related to the Grant properties: scope: type: object properties: id: type: string description: The name of the Okta scope for which consent is granted example: okta.users.read readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: app: description: Link to the app resource allOf: - $ref: '#/components/schemas/AppResourceHrefObject' client: description: Link to the client resource allOf: - $ref: 
'#/components/schemas/AppResourceHrefObject' scope: description: Link to the scope resource allOf: - $ref: '#/components/schemas/ScopeResourceHrefObject' user: description: Link to the user resource allOf: - $ref: '#/components/schemas/UserResourceHrefObject' authorizationServer: description: Link to the authorization server resource allOf: - $ref: '#/components/schemas/AuthorizationServerResourceHrefObject' - readOnly: true required: - issuer - scopeId OAuth2ScopeConsentGrantSource: description: User type source that granted consent example: ADMIN type: string enum: - ADMIN - END_USER readOnly: true OAuth2ScopeConsentType: description: Indicates whether a consent dialog is needed for the Scope default: IMPLICIT type: string enum: - FLEXIBLE - IMPLICIT - REQUIRED OAuth2ScopeMetadataPublish: description: Indicates whether the Scope is included in the metadata default: NO_CLIENTS type: string enum: - ALL_CLIENTS - NO_CLIENTS OAuth2ScopesMediationPolicyRuleCondition: description: Array of scopes that the condition includes type: object properties: include: type: array items: type: string OAuth2Settings: description: OAuth 2.0 configuration used for authType `OAUTH2` type: object properties: authorizeEndpoint: type: string format: uri description: The URL to the authorization server's authorization endpoint clientId: type: string description: The OAuth 2.0 client identifier clientSecret: type: string description: The OAuth 2.0 client secret scopes: type: array description: List of OAuth 2.0 scopes items: type: string tokenEndpoint: type: string format: uri description: The URL to the authorization server's token endpoint required: - authorizeEndpoint - tokenEndpoint - clientId - clientSecret OAuth2Token: type: object properties: clientId: type: string description: Client ID example: 0oabskvc6442nkvQO0h7 readOnly: true created: $ref: '#/components/schemas/createdProperty' expiresAt: type: string description: Expiration time of the OAuth 2.0 Token format: date-time 
readOnly: true id: type: string description: ID of the Token object readOnly: true issuer: type: string description: The complete URL of the authorization server that issued the Token lastUpdated: $ref: '#/components/schemas/lastUpdatedProperty' scopes: type: array description: Name of scopes attached to the Token items: type: string status: $ref: '#/components/schemas/GrantOrTokenStatus' userId: type: string _embedded: type: object description: Embedded resources related to the object if the `expand` query parameter is specified additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/LinksSelf' OAuthApplicationCredentials: allOf: - $ref: '#/components/schemas/ApplicationCredentials' - type: object properties: oauthClient: $ref: '#/components/schemas/ApplicationCredentialsOAuthClient' OAuthAuthorizationEndpoint: description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) type: object properties: binding: $ref: '#/components/schemas/ProtocolEndpointBinding' url: type: string description: URL of the IdP Authorization Server (AS) authorization endpoint example: https://idp.example.com/authorize OAuthClientSecretLinks: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of an application using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. This object is used for dynamic discovery of related resources and lifecycle operations. 
properties: activate: $ref: '#/components/schemas/HrefObjectActivateLink' deactivate: $ref: '#/components/schemas/HrefObjectDeactivateLink' delete: $ref: '#/components/schemas/HrefObjectDeleteLink' readOnly: true OAuthCredentials: description: Client authentication credentials for an [OAuth 2.0 Authorization Server](https://tools.ietf.org/html/rfc6749#section-2.3) type: object properties: client: $ref: '#/components/schemas/OAuthCredentialsClient' signing: $ref: '#/components/schemas/AppleClientSigning' OAuthCredentialsClient: description: |- OAuth 2.0 and OpenID Connect Client object > **Note:** You must complete client registration with the IdP Authorization Server for your Okta IdP instance to obtain client credentials. type: object properties: client_id: type: string description: The [Unique identifier](https://tools.ietf.org/html/rfc6749#section-2.2) issued by the AS for the Okta IdP instance maxLength: 1024 example: your-client-id client_secret: type: string description: The [Client secret](https://tools.ietf.org/html/rfc6749#section-2.3.1) issued by the AS for the Okta IdP instance maxLength: 1024 example: your-client-secret pkce_required: type: boolean description: Require Proof Key for Code Exchange (PKCE) for additional verification token_endpoint_auth_method: type: string description: Client authentication methods supported by the token endpoint enum: - private_key_jwt OAuthEndpointAuthenticationMethod: description: Requested authentication method for the token endpoint default: client_secret_basic type: string enum: - client_secret_basic - client_secret_jwt - client_secret_post - none - private_key_jwt OAuthEndpoints: description: |- The `OAUTH2` and `OIDC` protocols support the `authorization` and `token` endpoints. Also, the `OIDC` protocol supports the `userInfo` and `jwks` endpoints. 
The IdP Authorization Server (AS) endpoints are currently defined as part of the [IdP provider](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) and are read-only. type: object properties: authorization: $ref: '#/components/schemas/OAuthAuthorizationEndpoint' jwks: $ref: '#/components/schemas/OidcJwksEndpoint' slo: $ref: '#/components/schemas/OidcSloEndpoint' token: $ref: '#/components/schemas/OAuthTokenEndpoint' userInfo: $ref: '#/components/schemas/OidcUserInfoEndpoint' OAuthMetadata: type: object properties: authorization_endpoint: type: string description: URL of the authorization server's authorization endpoint. backchannel_authentication_request_signing_alg_values_supported: description: <x-lifecycle-container><x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>A list of signing algorithms that this authorization server supports for signed requests. type: array items: $ref: '#/components/schemas/SigningAlgorithm' x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine backchannel_token_delivery_modes_supported: description: <x-lifecycle-container><x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>The delivery modes that this authorization server supports for Client-Initiated Backchannel Authentication. type: array items: $ref: '#/components/schemas/TokenDeliveryMode' x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine claims_supported: description: A list of the claims supported by this authorization server. type: array items: $ref: '#/components/schemas/Claim' code_challenge_methods_supported: description: A list of PKCE code challenge methods supported by this authorization server.
type: array items: $ref: '#/components/schemas/CodeChallengeMethod' device_authorization_endpoint: type: string dpop_signing_alg_values_supported: description: A list of signing algorithms supported by this authorization server for Demonstrating Proof-of-Possession (DPoP) JWTs. type: array items: type: string enum: - ES256 - ES384 - ES512 - RS256 - RS384 - RS512 x-okta-lifecycle: lifecycle: TOMBSTONE isGenerallyAvailable: true end_session_endpoint: description: URL of the authorization server's logout endpoint. type: string grant_types_supported: description: A list of the grant type values that this authorization server supports. type: array items: $ref: '#/components/schemas/GrantType' introspection_endpoint: description: URL of the authorization server's introspection endpoint. type: string introspection_endpoint_auth_methods_supported: description: A list of client authentication methods supported by this introspection endpoint. type: array items: $ref: '#/components/schemas/EndpointAuthMethod' issuer: type: string description: The authorization server's issuer identifier. In the context of this document, this is your authorization server's base URL. This becomes the `iss` claim in an access token. jwks_uri: description: URL of the authorization server's JSON Web Key Set document. type: string pushed_authorization_request_endpoint: type: string registration_endpoint: description: URL of the authorization server's JSON Web Key Set document. type: string request_object_signing_alg_values_supported: description: A list of signing algorithms that this authorization server supports for signed requests. type: array items: $ref: '#/components/schemas/SigningAlgorithm' request_parameter_supported: description: Indicates if Request Parameters are supported by this authorization server. type: boolean response_modes_supported: description: A list of the `response_mode` values that this authorization server supports. More information here. 
type: array items: $ref: '#/components/schemas/ResponseMode' response_types_supported: description: A list of the `response_type` values that this authorization server supports. Can be a combination of `code`, `token`, and `id_token`. type: array items: $ref: '#/components/schemas/ResponseTypesSupported' revocation_endpoint: description: URL of the authorization server's revocation endpoint. type: string revocation_endpoint_auth_methods_supported: description: A list of client authentication methods supported by this revocation endpoint. type: array items: $ref: '#/components/schemas/EndpointAuthMethod' scopes_supported: description: A list of the scope values that this authorization server supports. type: array items: $ref: '#/components/schemas/Scope' subject_types_supported: description: A list of the Subject Identifier types that this authorization server supports. Valid types include `pairwise` and `public`, but only `public` is currently supported. See the [Subject Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) section in the OpenID Connect specification. type: array items: $ref: '#/components/schemas/SubjectType' token_endpoint: description: URL of the authorization server's token endpoint. type: string token_endpoint_auth_methods_supported: description: A list of client authentication methods supported by this token endpoint. type: array items: $ref: '#/components/schemas/EndpointAuthMethod' OAuthProvisioningEnabledApp: description: Application name for the provisioning connection type: string enum: - google - office365 - slack - zoomus OAuthResourceServerKeyLinks: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of a JSON Web Key using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification. 
This object is used for dynamic discovery of related resources and lifecycle operations. properties: activate: $ref: '#/components/schemas/HrefObjectActivateLink' delete: $ref: '#/components/schemas/HrefObjectDeleteLink' readOnly: true OAuthResponseType: description: Array of OAuth 2.0 response type strings type: string enum: - code - id_token - token OAuthScopes: description: |- IdP-defined permission bundles to request delegated access from the user. > **Note:** The [identity provider type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each IdP. items: type: string example: public_profile type: array OAuthTokenEndpoint: description: Endpoint for an [OAuth 2.0 Authorization Server (AS)](https://tools.ietf.org/html/rfc6749#page-18) type: object properties: binding: $ref: '#/components/schemas/ProtocolEndpointBinding' url: type: string description: URL of the IdP Authorization Server (AS) token endpoint example: https://idp.example.com/token OINApplication: type: object properties: accessibility: $ref: '#/components/schemas/ApplicationAccessibility' credentials: $ref: '#/components/schemas/SchemeApplicationCredentials' label: $ref: '#/components/schemas/ApplicationLabel' licensing: $ref: '#/components/schemas/ApplicationLicensing' name: type: string description: The key name for the OIN app definition profile: type: object description: Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps) additionalProperties: type: object properties: {} signOnMode: type: string description: Authentication mode for the app status: $ref: '#/components/schemas/ApplicationLifecycleStatus' visibility: $ref: '#/components/schemas/ApplicationVisibility' OINSaml11ApplicationSettingsSignOn: title: SAML 1.1 settings description: Contains SAML 
1.1 sign-on mode attributes type: object properties: audienceOverride: type: string description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). defaultRelayState: type: string description: Identifies a specific application resource in an IdP-initiated SSO scenario recipientOverride: type: string description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). ssoAcsUrlOverride: type: string description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). OINSaml20ApplicationSettingsSignOn: title: SAML 2.0 settings description: |- Contains SAML 2.0 sign-on mode attributes. > **Note:** Set `destinationOverride` to configure any other SAML 2.0 attributes in this section. type: object properties: attributeStatements: description: | A list of custom attribute statements for the app's SAML assertion. See [SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html). There are two types of attribute statements: | Type | Description | | ---- | ----------- | | EXPRESSION | Generic attribute statement that can be dynamic and supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/) | | GROUP | Group attribute statement | type: array items: $ref: '#/components/schemas/SamlAttributeStatement' audienceOverride: type: string description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). 
nullable: true defaultRelayState: type: string description: Identifies a specific application resource in an IdP-initiated SSO scenario nullable: true destinationOverride: type: string description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). nullable: true recipientOverride: type: string description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). nullable: true samlAssertionLifetimeSeconds: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true type: integer description: Determines the SAML app session lifetimes with Okta example: 3600 ssoAcsUrlOverride: type: string description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). nullable: true OSVersion: description: | Specifies the OS requirement for the policy. There are two types of OS requirements: * **Static**: A specific OS version requirement that doesn't change until you update the policy. A static OS requirement is specified with the `osVersion.minimum` property. * **Dynamic**: An OS version requirement that is relative to the latest major OS release and security patch. A dynamic OS requirement is specified with the `osVersion.dynamicVersionRequirement` property. > **Note:** Dynamic OS requirements are available only if the **Dynamic OS version compliance** [self-service EA](/openapi/okta-management/guides/release-lifecycle/#early-access-ea) feature is enabled. You can't specify both `osVersion.minimum` and `osVersion.dynamicVersionRequirement` properties at the same time. 
type: object properties: dynamicVersionRequirement: x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: [] description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>Contains the necessary properties for a dynamic version requirement type: object properties: type: type: string description: Indicates the type of the dynamic OS version requirement enum: - MINIMUM - EXACT - EXACT_ANY_SUPPORTED x-enumDescriptions: MINIMUM: The device version must be equal to or newer than the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. EXACT: The device version must be on the same major version as the dynamically determined version. `distanceFromLatestMajor` must be specified for this type. EXACT_ANY_SUPPORTED: The device version must be on a major version which is supported. You can't specify `distanceFromLatestMajor` for this type. distanceFromLatestMajor: description: Indicates the distance from the latest major version type: integer minimum: 0 maximum: 1 latestSecurityPatch: description: Indicates whether the device needs to be on the latest security patch type: boolean minimum: description: The device version must be equal to or newer than the specified version string (maximum of three components for iOS and macOS, and maximum of four components for Android) type: string example: 12.4.5 OSVersionConstraint: type: object properties: dynamicVersionRequirement: type: object description: Contains the necessary properties for a dynamic Windows version requirement properties: type: type: string description: Indicates the type of the dynamic Windows version requirement enum: - MINIMUM - EXACT - EXACT_ANY_SUPPORTED - NOT_ALLOWED x-enumDescriptions: MINIMUM: The device version must be equal to or newer than the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. 
EXACT: The device version must be on the same major version as the dynamically determined Windows version. `distanceFromLatestMajor` must be specified for this type. EXACT_ANY_SUPPORTED: The device version must be on a Windows major version which is supported. You can't specify `distanceFromLatestMajor` for this type. NOT_ALLOWED: The device version isn't allowed. You can't specify `distanceFromLatestMajor` or `latestSecurityPatch` for this type. distanceFromLatestMajor: description: Indicates the distance from the latest Windows major version type: integer minimum: 0 maximum: 1 latestSecurityPatch: description: Indicates whether the policy requires Windows devices to be on the latest security patch type: boolean majorVersionConstraint: type: string description: Indicates the Windows major version enum: - WINDOWS_11 - WINDOWS_10 x-enumDescriptions: WINDOWS_11: The device is on Windows 11 WINDOWS_10: The device is on Windows 10 or an older Windows version minimum: description: The Windows device version must be equal to or newer than the specified version type: string example: 12.4.5.9 required: - majorVersionConstraint OSVersionFourComponents: description: Current version of the operating system (maximum of four components in the versioning scheme) type: object properties: minimum: type: string example: 12.4.5.9 OSVersionThreeComponents: description: Current version of the operating system (maximum of three components in the versioning scheme) type: object properties: minimum: type: string example: 12.4.5 Office365Application: title: Microsoft Office 365 x-tags: - Application x-okta-defined-as: name: office365 description: | Schema for the Microsoft Office 365 app (key name: `office365`) To create a Microsoft Office 365 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. 
> **Note:** The Office 365 app only supports `BROWSER_PLUGIN` and `SAML_1_1` sign-on modes. allOf: - $ref: '#/components/schemas/OINApplication' - type: object - required: - name - label - settings properties: name: type: string enum: - office365 example: office365 signOnMode: type: string enum: - BROWSER_PLUGIN - SAML_1_1 example: BROWSER_PLUGIN settings: $ref: '#/components/schemas/Office365ApplicationSettings' example: name: office365 label: Sample Office365 App signOnMode: SAML_1_1 settings: app: domain: myintegration.okta365test.net msftTenant: mycompanyinc Office365ApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object - required: - app properties: app: $ref: '#/components/schemas/Office365ApplicationSettingsApplication' signOn: $ref: '#/components/schemas/OINSaml11ApplicationSettingsSignOn' Office365ApplicationSettingsApplication: description: Office365 app instance properties type: object properties: domain: type: string description: The domain for your Office 365 account msftTenant: type: string description: Microsoft tenant name required: - msftTenant - domain Office365ProvisioningSettings: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true title: Microsoft Office 365 provisioning settings description: Settings required for the Microsoft Office 365 provisioning connection type: object properties: adminPassword: type: string description: Microsoft Office 365 global administrator password adminUsername: type: string description: Microsoft Office 365 global administrator username required: - adminUsername - adminPassword OfflineAccessScopeResourceHrefObject: type: object properties: href: type: string description: Link URI example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scppb56cIl4GvGxy70g3 title: type: string description: Link name example: offline_access Oidc: description: OIDC configuration details type: object properties: doc: type: string format: uri description: 
The URL to your customer-facing instructions for configuring your OIDC integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). example: https://example.com/strawberry/help/oidcSetup initiateLoginUri: type: string format: uri description: The URL to redirect users when they click on your app from their Okta End-User Dashboard example: https://{app.subdomain}.example.com/strawberry/oidc/sp-init postLogoutUris: type: array description: The sign-out redirect URIs for your app. You can send a request to `/v1/logout` to sign the user out and redirect them to one of these URIs. items: type: string format: uri description: 'A sign-out redirect URI. You can use the app-level properties you defined in the `config` array as variables in your URI. For example: `https://{app.subdomain}.example.com/strawberry/oidc/logged-out`' example: https://{app.subdomain}.example.com/strawberry/oidc/logged-out redirectUris: type: array minItems: 1 description: List of sign-in redirect URIs items: type: string format: uri description: Sign-in redirect URI example: https://{app.subdomain}.example.com/strawberry/oidc/login required: - redirectUris - doc OidcAlgorithms: type: object properties: request: $ref: '#/components/schemas/OidcRequestAlgorithm' OidcJwksEndpoint: description: Endpoint for the JSON Web Key Set (JWKS) document. This document contains signing keys that are used to validate the signatures from the provider. For more information on JWKS, see [JSON Web Key](https://tools.ietf.org/html/rfc7517). 
type: object properties: binding: $ref: '#/components/schemas/ProtocolEndpointBinding' url: type: string description: URL of the endpoint to the JWK Set example: https://idp.example.com/keys OidcRequestAlgorithm: description: Algorithm settings used to sign an authorization request type: object properties: signature: $ref: '#/components/schemas/OidcRequestSignatureAlgorithm' OidcRequestSignatureAlgorithm: description: |- Signature Algorithm settings for signing authorization requests sent to the IdP > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`). type: object properties: algorithm: $ref: '#/components/schemas/OidcSigningAlgorithm' scope: $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' OidcSettings: description: Advanced settings for the OpenID Connect protocol type: object properties: participateSlo: type: boolean description: Set to `true` to have Okta send a logout request to the upstream IdP when a user signs out of Okta or a downstream app. sendApplicationContext: type: boolean description: Determines if the IdP should send the application context as `OktaAppInstanceId` and `OktaAppName` params in the request default: false OidcSigningAlgorithm: type: string enum: - HS256 - HS384 - HS512 - RS256 - RS384 - RS512 OidcSloEndpoint: description: OIDC IdP logout endpoint type: object properties: url: type: string description: IdP logout endpoint URL maxLength: 1014 example: https://idp.example.com/saml2/slo OidcUserInfoEndpoint: description: Endpoint for getting identity information about the user. For more information on the `/userinfo` endpoint, see [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). 
type: object properties: binding: $ref: '#/components/schemas/ProtocolEndpointBinding' url: type: string description: URL of the resource server's `/userinfo` endpoint example: https://idp.example.com/userinfo OktaActiveDirectoryGroupProfile: description: |- Profile for a group that is imported from Active Directory. The `objectClass` for such groups is `okta:windows_security_principal`. type: object properties: description: type: string example: All users in the engineering department description: Description of the Windows group dn: type: string example: CN=West Coast users,OU=West Coast,DC=example,DC=com description: The distinguished name of the Windows group externalId: type: string example: VKzYZ1C+IkSZxIWlrW5ITg== description: Base-64 encoded GUID (`objectGUID`) of the Windows group groupScope: type: string example: Global description: The scope of the Windows group (DomainLocal, Global, or Universal) groupType: type: string example: Security description: The type of the Windows group (Security or Distribution) managedBy: type: string nullable: true example: CN=IT Admin,CN=Users,DC=example,DC=com description: Distinguished name of the group that manages this group name: type: string example: West Coast users description: Name of the Windows group objectClass: type: string readOnly: true description: The object class type enum: - okta:windows_security_principal example: okta:windows_security_principal objectSid: type: string example: S-1-5-21-3623811015-3361044348-30300820-1013 description: The Windows Security Identifier (SID) for the group samAccountName: type: string example: West Coast users description: Pre-Windows 2000 name of the Windows group windowsDomainQualifiedName: type: string example: EXAMPLE\\West Coast users description: Fully qualified name of the Windows group additionalProperties: true x-okta-extensible: true OktaDeviceRiskChangeEvent: description: The device risk level changed type: object properties: current_level: type: string 
description: Current risk level of the device enum: - low - medium - high - secure - none example: low event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 initiating_entity: type: string description: The entity that initiated the event enum: - admin - user - policy - system previous_level: type: string description: Previous risk level of the device enum: - low - medium - high - secure - none example: medium reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - subject - current_level - previous_level OktaIpChangeEvent: description: IP changed for the subject's session type: object properties: current_ip_address: type: string description: Current IP address of the subject example: 123.4.5.6 event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 initiating_entity: type: string description: The entity that initiated the event enum: - admin - user - policy - system previous_ip_address: type: string description: Previous IP address of the subject example: 123.45.67.8 reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. 
subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - subject - current_ip_address - previous_ip_address OktaPersonalAdminFeatureSettings: description: Defines a list of Okta Personal settings that can be enabled or disabled for the org type: object properties: enableEnduserEntryPoints: type: boolean description: Allow entry points for an Okta Personal account in a Workforce org enableExportApps: type: boolean description: Allow users to migrate apps from a Workforce account to an Okta Personal account OktaSignOnPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: $ref: '#/components/schemas/OktaSignOnPolicyConditions' OktaSignOnPolicyConditions: allOf: - type: object - description: Specifies the conditions that must be met during policy evaluation to apply the policy properties: people: type: object description: Identifies users and groups that are used together properties: groups: type: object description: Specifies a set of groups whose users are to be included or excluded properties: include: type: array description: Groups to be included items: type: string OktaSignOnPolicyFactorPromptMode: description: | Indicates if the User should be challenged for a second factor (MFA) based on the device being used, a Factor session lifetime, or on every sign-in attempt > **Note:** Required only if `requireFactor` is set to `true`. 
type: string enum: - ALWAYS - DEVICE - SESSION OktaSignOnPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: $ref: '#/components/schemas/OktaSignOnPolicyRuleActions' conditions: $ref: '#/components/schemas/OktaSignOnPolicyRuleConditions' OktaSignOnPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' - type: object - description: Specifies how users are allowed to sign in to Okta properties: signon: $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonActions' OktaSignOnPolicyRuleConditions: allOf: - type: object - description: Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions and conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule. properties: authContext: $ref: '#/components/schemas/PolicyRuleAuthContextCondition' identityProvider: $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' network: $ref: '#/components/schemas/PolicyNetworkCondition' people: $ref: '#/components/schemas/PolicyPeopleCondition' OktaSignOnPolicyRuleSignonActions: description: Specifies settings for the policy rule type: object properties: access: type: string description: Indicates if a user is allowed to sign in enum: - ALLOW - DENY factorLifetime: type: integer description: | Interval of time that must elapse before the user is challenged for MFA, if the factor prompt mode is set to `SESSION` > **Note:** Required only if `requireFactor` is `true`. 
factorPromptMode: $ref: '#/components/schemas/OktaSignOnPolicyFactorPromptMode' primaryFactor: $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonPrimaryFactor' rememberDeviceByDefault: type: boolean description: Indicates if Okta should automatically remember the device default: false requireFactor: type: boolean default: false description: Indicates if multifactor authentication is required session: $ref: '#/components/schemas/OktaSignOnPolicyRuleSignonSessionActions' OktaSignOnPolicyRuleSignonPrimaryFactor: description: |- <x-lifecycle class="oie"></x-lifecycle> Indicates the primary factor used to establish a session for the org. Supported values: `PASSWORD_IDP_ANY_FACTOR` (users can use any factor required by the app's app sign-in policy to establish a session), `PASSWORD_IDP` (users must always use a password to establish a session). > **Note:** Required only if `access` is set to `ALLOW`. type: string enum: - PASSWORD_IDP - PASSWORD_IDP_ANY_FACTOR OktaSignOnPolicyRuleSignonSessionActions: description: Properties governing the user's session lifetime type: object properties: maxSessionIdleMinutes: description: Maximum number of minutes that a user session can be idle before the session is ended type: integer default: 120 maxSessionLifetimeMinutes: description: Maximum number of minutes (from when the user signs in) that a user's session is active. Set this to force users to sign in again after the number of specified minutes. Disable by setting to `0`. type: integer default: 0 usePersistentCookie: description: If set to `false`, user session cookies only last the length of a browser session. If set to `true`, user session cookies last across browser sessions. This setting doesn't impact administrators who can never have persistent session cookies. This property is read-only for the default rule of the default global session policy. 
type: boolean default: false OktaSupportAccessStatus: description: Status of Okta Support access type: string enum: - DISABLED - ENABLED - NOT_REQUESTED - REQUESTED x-enumDescriptions: NOT_REQUESTED: Okta Support access not requested REQUESTED: Okta Support access requested DISABLED: Okta Support access disabled ENABLED: Okta Support access enabled OktaSupportCase: type: object properties: caseNumber: type: string description: Okta Support case number readOnly: true impersonation: type: object description: Allows the Okta Support team to sign in to your org as an admin and troubleshoot issues properties: status: $ref: '#/components/schemas/OktaSupportAccessStatus' expiration: format: date-time type: string description: Expiration date of Okta Support access nullable: true selfAssigned: type: object description: Customer allows Okta Support access to self-assigned cases. Support cases are self-assigned when an Okta Support team member creates and assigns the case to themselves. properties: status: $ref: '#/components/schemas/SelfAssignedStatus' subject: type: string description: Subject of the support case readOnly: true OktaSupportCases: type: object properties: supportCases: type: array items: $ref: '#/components/schemas/OktaSupportCase' OktaUserGroupProfile: description: |- Profile for any group that is not imported from Active Directory. Specifies the standard and custom profile properties for a group. The `objectClass` for these groups is `okta:user_group`. 
type: object properties: description: type: string example: All users West of The Rockies description: Description of the group name: type: string example: West Coast users description: Name of the group objectClass: type: string readOnly: true description: The object class type enum: - okta:user_group example: okta:user_group x-okta-extensible: true additionalProperties: true OktaUserRiskChangeEvent: description: The user risk level changed type: object properties: current_level: type: string description: Current risk level of the user enum: - low - medium - high - secure - none example: low event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 initiating_entity: type: string description: The entity that initiated the event enum: - admin - user - policy - system previous_level: type: string description: Previous risk level of the user enum: - low - medium - high - secure - none example: medium reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing.<br>Either `reason_admin` or `reason_user` is required. reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user.<br>Either `reason_admin` or `reason_user` is required. 
subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - subject - current_level - previous_level OktaUserServiceAccountCredentials: description: Credentials for an Okta user type: object properties: username: type: string description: The username associated with the service account minLength: 1 maxLength: 100 example: testuser@example.com readOnly: true readOnly: true OpenIdConnectApplication: x-okta-defined-as: name: oidc_client allOf: - $ref: '#/components/schemas/Application' - type: object properties: credentials: $ref: '#/components/schemas/OAuthApplicationCredentials' name: type: string description: '`oidc_client` is the key name for an OAuth 2.0 client app instance' enum: - oidc_client settings: $ref: '#/components/schemas/OpenIdConnectApplicationSettings' required: - name - settings - credentials OpenIdConnectApplicationConsentMethod: description: | Indicates whether user consent is required or implicit. A consent dialog appears for the end user depending on the values of three elements: * [prompt](/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/authorize!in=query&path=prompt&t=request): A query parameter that is used in requests to `/authorize` * `consent_method` (this property) * [consent](/openapi/okta-management/management/tag/AuthorizationServerScopes/#tag/AuthorizationServerScopes/operation/createOAuth2Scope!path=consent&t=request): A [Scope](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/AuthorizationServerScopes/) property that allows you to enable or disable user consent for an individual scope | `prompt` | `consent_method` | `consent` | Result | ---------- | ----------- | ---------- | ----------- | | CONSENT | TRUSTED or REQUIRED | REQUIRED | Prompted | | CONSENT | TRUSTED or REQUIRED | FLEXIBLE | Prompted | | CONSENT | TRUSTED | IMPLICIT | Not prompted | | NONE | TRUSTED | FLEXIBLE, IMPLICIT, or REQUIRED | Not prompted | | NONE | REQUIRED | FLEXIBLE or REQUIRED | Prompted | | 
NONE | REQUIRED | IMPLICIT | Not prompted | > **Notes:** > * If you request a scope that requires consent while using the `client_credentials` flow, an error is returned because the flow doesn't support user consent. > * If the `prompt` value is set to `NONE`, but the `consent_method` and the consent values are set to `REQUIRED`, then an error occurs. > * When a scope is requested during a Client Credentials grant flow and `consent` is set to `FLEXIBLE`, the scope is granted in the access token with no consent prompt. This occurs because there is no user involved in a two-legged OAuth 2.0 [Client Credentials](https://developer.okta.com/docs/guides/implement-grant-type/clientcreds/main/) grant flow. default: TRUSTED type: string enum: - REQUIRED - TRUSTED x-enumDescriptions: TRUSTED: The client is fully trusted (for example, a first-party app). The default consent method for app instances created with a [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request REQUIRED: The client requires consent (for example, a third-party app). The default consent method for app instances created with a [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient) request OpenIdConnectApplicationIdpInitiatedLogin: description: The type of IdP-initiated sign-in flow that the client supports type: object properties: default_scope: type: array description: The scopes to use for the request when `mode` is `OKTA` items: type: string mode: type: string description: | The mode to use for the IdP-initiated sign-in flow. For `OKTA` or `SPEC` modes, the client must have an `initiate_login_uri` registered. > **Note:** For web and SPA apps, if the mode is `SPEC` or `OKTA`, you must set `grant_types` to `authorization_code`, `implicit`, or `interaction_code`. enum: - DISABLED - SPEC - OKTA x-enumDescriptions: DISABLED: The client doesn't support the IdP-initiated sign-in flow. 
SPEC: The client is redirected to the Relying Party's `initiate_login_uri`. OKTA: Tokens are directly sent to the Relying Party. This corresponds to the **Okta Simplified** option in the Admin Console. required: - mode OpenIdConnectApplicationIssuerMode: description: Indicates whether the Okta authorization server uses the original Okta org domain URL or a custom domain URL as the issuer of the ID token for this client type: string enum: - CUSTOM_URL - DYNAMIC - ORG_URL x-enumDescriptions: CUSTOM_URL: The issuer is returned in the appropriate OIDC token response. This is the default `issuer_mode` when you have configured a custom domain for your org. DYNAMIC: A request for the ID token made from the custom domain has the custom URL as the issuer. A request for the ID token made from an Okta org has the Org URL as the issuer. You can only set `issuer_mode` as DYNAMIC if the Dynamic Issuer Mode feature is enabled. Contact Okta Support to enable this feature. ORG_URL: The issuer is returned based on the URL of your Okta organization. This is useful when you are using Okta’s default domain and do not have a custom domain configured. OpenIdConnectApplicationNetwork: description: The network restrictions of the client x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true type: object properties: connection: type: string description: | The connection type of the network. Can be `ANYWHERE` or `ZONE`. enum: - ANYWHERE - ZONE x-enumDescriptions: ANYWHERE: There are no restrictions on network zones. ZONE: There are network restrictions on network zones. Zones are specified in the `include` or `exclude` array. exclude: type: array description: If `ZONE` is specified as a connection, then specify the excluded IP network zones here. Value can be "ALL_IP_ZONES" or an array of zone IDs. items: type: string include: type: array description: If `ZONE` is specified as a connection, then specify the included IP network zones here. Value can be "ALL_IP_ZONES" or an array of zone IDs. 
items: type: string required: - connection OpenIdConnectApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: oauthClient: $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClient' OpenIdConnectApplicationSettingsClient: type: object properties: application_type: $ref: '#/components/schemas/OpenIdConnectApplicationType' backchannel_authentication_request_signing_alg: description: | The signing algorithm for Client-Initiated Backchannel Authentication (CIBA) signed requests using JWT. If this value isn't set and a JWT-signed request is sent, the request fails. > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. type: string enum: - HS256 - HS384 - HS512 - RS256 - RS384 - RS512 - ES256 - ES384 - ES512 backchannel_custom_authenticator_id: description: | The ID of the custom authenticator that authenticates the user > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. type: string maxLength: 20 minLength: 20 backchannel_token_delivery_mode: description: | The delivery mode for Client-Initiated Backchannel Authentication (CIBA). Currently, only `poll` is supported. > **Note:** This property appears for clients with `urn:openid:params:grant-type:ciba` defined as one of the `grant_types`. enum: - poll - ping - push type: string client_uri: type: string description: URL string of a web page providing information about the client maxLength: 1024 consent_method: $ref: '#/components/schemas/OpenIdConnectApplicationConsentMethod' dpop_bound_access_tokens: type: boolean description: | Indicates that the client application uses Demonstrating Proof-of-Possession (DPoP) for token requests. If `true`, the authorization server rejects token requests from this client that don't contain the DPoP header. 
> **Note:** If `dpop_bound_access_tokens` is true, then `client_credentials` and `implicit` aren't allowed in `grant_types`. default: false x-okta-lifecycle: lifecycle: TOMBSTONE isGenerallyAvailable: true frontchannel_logout_session_required: description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>Determines whether Okta sends `sid` and `iss` in the logout request type: boolean x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine frontchannel_logout_uri: description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>URL where Okta sends the logout request type: string maxLength: 1024 x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine grant_types: type: array items: $ref: '#/components/schemas/GrantType' id_token_encrypted_response_alg: $ref: '#/components/schemas/IdTokenKeyEncryptionAlgorithm' idp_initiated_login: $ref: '#/components/schemas/OpenIdConnectApplicationIdpInitiatedLogin' initiate_login_uri: type: string description: URL string that a third party can use to initiate the sign-in flow by the client issuer_mode: $ref: '#/components/schemas/OpenIdConnectApplicationIssuerMode' jwks: $ref: '#/components/schemas/OpenIdConnectApplicationSettingsClientKeys' jwks_uri: description: URL string that references a JSON Web Key Set for validating JWTs presented to Okta or for encrypting ID tokens minted by Okta for the client type: string logo_uri: type: string description: The URL string that references a logo for the client. This logo appears on the client tile in the End-User Dashboard. It also appears on the client consent dialog during the client consent flow. 
maxLength: 1024 network: $ref: '#/components/schemas/OpenIdConnectApplicationNetwork' participate_slo: description: | <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>Allows the app to participate in front-channel Single Logout > **Note:** You can only enable `participate_slo` for `web` and `browser` application types (`application_type`). type: boolean x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine policy_uri: type: string description: URL string of a web page providing the client's policy document post_logout_redirect_uris: type: array description: Array of redirection URI strings for relying party-initiated logouts items: type: string redirect_uris: type: array description: |- Array of redirection URI strings for use in redirect-based flows. > **Note:** At least one `redirect_uris` and `response_types` are required for all client types, with exceptions: if the client uses the [Resource Owner Password](https://tools.ietf.org/html/rfc6749#section-4.3) flow (`grant_types` contains `password`) or [Client Credentials](https://tools.ietf.org/html/rfc6749#section-4.4) flow (`grant_types` contains `client_credentials`), then no `redirect_uris` or `response_types` is necessary. In these cases, you can pass either null or an empty array for these attributes. items: type: string refresh_token: $ref: '#/components/schemas/OpenIdConnectApplicationSettingsRefreshToken' request_object_signing_alg: description: The type of JSON Web Key Set (JWKS) algorithm that must be used for signing request objects type: string enum: - HS256 - HS384 - HS512 - RS256 - RS384 - RS512 - ES256 - ES384 - ES512 response_types: type: array description: Array of OAuth 2.0 response type strings items: $ref: '#/components/schemas/OAuthResponseType' sector_identifier_uri: type: string description: The sector identifier used for pairwise `subject_type`. 
See [OIDC Pairwise Identifier Algorithm](https://openid.net/specs/openid-connect-messages-1_0-20.html#idtype.pairwise.alg) maxLength: 1024 subject_type: description: Type of the subject type: string enum: - public - pairwise tos_uri: type: string description: URL string of a web page providing the client's terms of service document wildcard_redirect: type: string description: Indicates if the client is allowed to use wildcard matching of `redirect_uris` enum: - DISABLED - SUBDOMAIN x-enumDescriptions: DISABLED: All redirect URIs must be absolute URIs and not include a fragment component. SUBDOMAIN: | Any configured redirect URIs may contain a single `*` character in the lowest-level domain (for example, `https://redirect-*-domain.example.com/oidc/redirect`) to act as a wildcard. The wildcard subdomain must have at least one subdomain between it and the top level domain. The wildcard can match any valid hostname characters, but can't span more than one domain. For example, if `https://redirect-*-domain.example.com/oidc/redirect` is configured as a redirect URI, then `https://redirect-1-domain.example.com/oidc/redirect` and `https://redirect-sub-domain.example.com/oidc/redirect` match, but `https://redirect-1.sub-domain.example.com/oidc/redirect` doesn't match. Only the `https` URI scheme can use wildcard redirect URIs. > **Note:** The use of wildcard subdomains is discouraged as an insecure practice, since it may allow malicious actors to have tokens or authorization codes sent to unexpected or attacker-controlled pages. Exercise caution if you decide to include a wildcard redirect URI in your configuration. 
required: - grant_types OpenIdConnectApplicationSettingsClientKeys: description: A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for validating JWTs presented to Okta or for encrypting ID tokens minted by Okta for the client type: object properties: keys: type: array items: oneOf: - $ref: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' - $ref: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' discriminator: propertyName: use mapping: sig: '#/components/schemas/OAuth2ClientJsonSigningKeyResponse' enc: '#/components/schemas/OAuth2ClientJsonEncryptionKeyResponse' OpenIdConnectApplicationSettingsRefreshToken: description: | Refresh token configuration for an OAuth 2.0 client When you create or update an OAuth 2.0 client, you can configure refresh token rotation by setting the `rotation_type` and `leeway` properties. If you don't set these properties when you create an app integration, the default values are used. When you update an app integration, your previously configured values are used. type: object properties: leeway: type: integer minimum: 0 maximum: 60 description: | The leeway, in seconds, allowed for the OAuth 2.0 client. After the refresh token is rotated, the previous token remains valid for the specified period of time so clients can get the new token. > **Note:** A leeway of 0 doesn't necessarily mean that the previous token is immediately invalidated. The previous token is invalidated after the new token is generated and returned in the response. default: 30 example: 20 rotation_type: $ref: '#/components/schemas/OpenIdConnectRefreshTokenRotationType' required: - rotation_type OpenIdConnectApplicationType: description: |- The type of client app Specific `grant_types` are valid for each `application_type`. See [Create a Client Application](/openapi/okta-oauth/oauth/tag/Client/#tag/Client/operation/createClient). 
type: string enum: - browser - native - service - web x-enumDescriptions: browser: Single-Page app (SPA) native: Native app service: API service app web: Web app OpenIdConnectRefreshTokenRotationType: description: The refresh token rotation mode for the OAuth 2.0 client example: STATIC type: string enum: - ROTATE - STATIC x-enumDescriptions: ROTATE: The default rotation type for single-page apps (SPAs) STATIC: The default rotation type for all clients, except SPAs OperationRequest: type: object properties: assignmentId: type: string description: ID of the realm OperationResponse: type: object properties: completed: type: string description: Timestamp of when the operation completed format: date-time created: type: string description: Timestamp of when the operation was created format: date-time id: type: string description: ID of the asynchronous operation started: type: string description: Timestamp of when the operation started format: date-time status: type: string description: The status of the asynchronous operation enum: - COMPLETED - SCHEDULED - IN_PROGRESS - FAILED type: type: string description: The operation type required: - id - type - status - created OperationalStatus: description: Operational status of a given agent type: string enum: - DEGRADED - DISRUPTED - INACTIVE - OPERATIONAL OptInStatusResponse: type: object properties: optInStatus: type: string description: The entitlement management opt-in status for the Admin Console enum: - OPTING_IN - OPTED_IN - OPTING_OUT - OPTED_OUT x-enumDescriptions: OPTING_IN: Okta is enabling entitlement management for the Admin Console OPTED_IN: Entitlement management is enabled for the Admin Console OPTING_OUT: Okta is disabling entitlement management for the Admin Console OPTED_OUT: Entitlement management is disabled for the Admin Console _links: type: object description: Link relations available properties: optInStatus: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the opt-in status 
resource Org2OrgApplication: title: Org2Org x-tags: - Application x-okta-defined-as: name: okta_org2org example: name: okta_org2org label: Okta Org2Org signOnMode: SAML_2_0 settings: app: acsUrl: https://example.okta.com/sso/saml2/exampleid audRestriction: https://www.okta.com/saml2/service-provider/exampleid baseUrl: https://example.okta.com description: | Schema for the Okta Org2Org app (key name: `okta_org2org`) To create an Org2Org app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. > **Notes:** > * The Okta Org2Org (`okta_org2org`) app isn't available in Okta Integrator Free Plan orgs. If you need to test this feature in your Integrator Free Plan org, contact your Okta account team. > * The Okta Org2Org app supports `SAML_2_0` and `AUTO_LOGIN` sign-on modes. allOf: - $ref: '#/components/schemas/OINApplication' - type: object - required: - name - label - settings properties: name: type: string enum: - okta_org2org example: okta_org2org signOnMode: type: string default: SAML_2_0 enum: - SAML_2_0 - AUTO_LOGIN x-enumDescriptions: SAML_2_0: Federated Authentication with SAML 2.0 WebSSO AUTO_LOGIN: Secure Web Authentication (SWA) settings: $ref: '#/components/schemas/Org2OrgApplicationSettings' Org2OrgApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object - required: - app properties: app: $ref: '#/components/schemas/Org2OrgApplicationSettingsApplication' signOn: $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' Org2OrgApplicationSettingsApplication: description: Org2Org app instance properties type: object properties: acsUrl: type: string description: The Assertion Consumer Service (ACS) URL of the source org (for `SAML_2_0` sign-on mode) audRestriction: type: string description: The entity ID of the SP (for `SAML_2_0` sign-on mode) example: 
https://www.okta.com/saml2/service-provider/exampleid baseUrl: type: string description: The base URL of the target Okta org (for `SAML_2_0` sign-on mode) creationState: type: string description: Used to track and manage the state of the app's creation or the provisioning process between two Okta orgs preferUsernameOverEmail: type: boolean description: Indicates that you don't want to use an email address as the username token: type: string description: An API token from the target org that's used to secure the connection between the orgs tokenEncrypted: type: string description: Encrypted token to enhance security required: - baseUrl Org2OrgProvisioningOAuthSigningSettings: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] title: Org2Org Provisioning OAuth Signing Settings description: |- Only used for the Okta Org2Org (`okta_org2org`) app. The signing key rotation setting. type: object properties: rotationMode: $ref: '#/components/schemas/ConnectionsSigningRotationMode' required: - rotationMode OrgAerialConsent: type: object properties: accountId: description: The unique ID of the Aerial account type: string required: - accountId OrgAerialConsentDetails: type: object properties: accountId: description: The unique ID of the Aerial account type: string grantedBy: type: string description: Principal ID of the user who granted the permission example: 00u23ej02I2RLFxS5406 grantedDate: type: string description: Date when grant was created example: '2024-07-24T16:01:13.000Z' _links: $ref: '#/components/schemas/LinksAerialConsentGranted' required: - accountId OrgAerialConsentRevoked: type: object properties: _links: $ref: '#/components/schemas/LinksAerialConsentRevoked' OrgAerialGrantNotFound: type: object properties: accountId: description: The unique ID of the Aerial account type: string grantedBy: type: string description: Principal ID of the user who granted the permission example: 00u23ej02I2RLFxS5406 grantedDate: type: string description: Date 
when grant was created example: '2024-07-24T16:01:13.000Z' _links: $ref: '#/components/schemas/LinksAerialConsentGranted' OrgCAPTCHASettings: title: OrgCAPTCHASettings description: '' type: object properties: captchaId: description: The unique key of the associated CAPTCHA instance type: string enabledPages: description: An array of pages that have CAPTCHA enabled type: array items: $ref: '#/components/schemas/enabledPagesType' _links: type: object description: Link relations for the CAPTCHA settings object properties: self: $ref: '#/components/schemas/HrefObject' readOnly: true OrgContactType: description: Type of contact type: string enum: - BILLING - TECHNICAL OrgContactTypeObj: anyOf: - $ref: '#/components/schemas/orgBillingContactType' - $ref: '#/components/schemas/orgTechnicalContactType' type: object properties: contactType: $ref: '#/components/schemas/OrgContactType' discriminator: propertyName: contactType mapping: BILLING: '#/components/schemas/orgBillingContactType' TECHNICAL: '#/components/schemas/orgTechnicalContactType' OrgContactUser: type: object properties: userId: type: string description: Contact user ID _links: type: object description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the contact type user object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true properties: user: $ref: '#/components/schemas/HrefObjectUserLink' OrgCreationAdmin: description: |- Profile and credential information for the first super admin user of the child org. If you plan to configure and manage the org programmatically, create a system user with a dedicated email address and a strong password. > **Note:** If you don't provide `credentials`, the super admin user is prompted to set up their credentials when they sign in to the org for the first time. 
writeOnly: true type: object properties: credentials: type: object description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. properties: password: type: object description: |- Specifies a password for a user > **Note:** For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation. properties: value: type: string writeOnly: true description: Password value (which is validated by the password policy) format: password example: pa$$word recovery_question: $ref: '#/components/schemas/RecoveryQuestionCredential' profile: type: object description: |- Specifies the profile attributes for the first super admin user. The minimal set of required attributes are `email`, `firstName`, `lastName`, and `login`. See [profile](/openapi/okta-management/management/tag/User/#tag/User/operation/getUser!c=200&path=profile&t=response) for additional profile attributes. properties: firstName: type: string description: Given name of the User (`givenName`) minLength: 1 maxLength: 50 nullable: true lastName: type: string description: The family name of the User (`familyName`) minLength: 1 maxLength: 50 nullable: true email: type: string description: The primary email address of the User. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
format: email minLength: 5 maxLength: 100 login: type: string description: The unique identifier for the User (`username`) maxLength: 100 additionalProperties: true required: - email - login - firstName - lastName required: - profile OrgCrossAppAccessConnection: description: Connection object for Cross App Access connections type: object properties: created: type: string description: The ISO 8601 formatted date and time when the connection was created format: date-time readOnly: true example: '2024-10-15T10:30:00.000Z' id: type: string description: Unique identifier for the connection readOnly: true example: cwofxqCAJWWGELFTYASJ lastUpdated: type: string description: The ISO 8601 formatted date and time when the connection was last updated format: date-time readOnly: true example: '2024-10-15T14:20:00.000Z' requestingAppInstanceId: type: string description: ID of the requesting app instance example: 0oafxqCAJWWGELFTYASJ resourceAppInstanceId: type: string description: ID of the resource app instance example: 0oafxqCBJWWGELFTYASK status: description: Indicates if the Cross App Access connection is active or inactive type: string enum: - ACTIVE - INACTIVE example: ACTIVE OrgCrossAppAccessConnectionPatchRequest: description: Patch request object for Cross App Access Connections type: object properties: status: type: string description: Requested value of Cross App Access connection status enum: - ACTIVE - INACTIVE example: ACTIVE required: - status OrgOktaCommunicationSetting: type: object properties: optOutEmailUsers: type: boolean description: Indicates whether org users receive Okta communication emails readOnly: true _links: type: object description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true properties: optIn: allOf: - $ref: '#/components/schemas/HrefObject' 
- description: Link to opt users in to communication emails optOut: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to opt users out of communication emails OrgOktaSupportSetting: description: Status of Okta Support Settings type: string enum: - DISABLED - ENABLED OrgOktaSupportSettingsObj: type: object properties: caseNumber: type: string description: Support case number for the Okta Support access grant readOnly: true nullable: true expiration: format: date-time type: string description: Expiration of Okta Support readOnly: true nullable: true support: $ref: '#/components/schemas/OrgOktaSupportSetting' _links: type: object description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the Okta Support Settings object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true properties: extend: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to [extend Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/extendOktaSupport) revoke: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to [revoke Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/revokeOktaSupport) grant: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to [grant Okta Support Access](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/grantOktaSupport) case: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to [update an Okta Support case](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/updateOktaSupportCase) cases: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to [List all Okta Support 
cases](/openapi/okta-management/management/tag/OrgSettingSupport/#tag/OrgSettingSupport/operation/listOktaSupportCases) OrgPreferences: type: object properties: showEndUserFooter: type: boolean description: Indicates if the footer is shown on the End-User Dashboard readOnly: true _links: type: object description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true properties: hideEndUserFooter: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to hide the footer in the End-User Dashboard showEndUserFooter: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to show the footer on the End-User Dashboard OrgSetting: type: object properties: address1: type: string description: Primary address of the organization associated with the org address2: type: string description: Secondary address of the organization associated with the org city: type: string description: City of the organization associated with the org companyName: type: string description: Name of org country: type: string description: Country of the organization associated with the org created: format: date-time readOnly: true type: string description: When org was created endUserSupportHelpURL: type: string description: Support link of org expiresAt: format: date-time readOnly: true type: string description: Expiration of org id: readOnly: true type: string description: Org ID lastUpdated: format: date-time readOnly: true type: string description: When org was last updated phoneNumber: type: string description: Phone number of the organization associated with the org postalCode: type: string description: Postal code of the organization associated with the org state: type: string description: State of the organization associated with the org status: readOnly: true type: string 
description: Status of org enum: - ACTIVE - INACTIVE subdomain: readOnly: true type: string description: Subdomain of org supportPhoneNumber: type: string description: Support help phone of the organization associated with the org website: type: string description: Website of the organization associated with the org _links: $ref: '#/components/schemas/orgGeneralSettingLinks' OrganizationalUnit: type: object properties: name: type: string description: The name of the organizational unit where privileged app users are present maxLength: 1024 example: OU=example1,DN=globo,DN=com required: - name OtpProtocol: description: The protocol used type: string enum: - SYMANTEC - TOTP - YUBICO OtpTotpAlgorithm: description: HMAC algorithm type: string enum: - HMacSHA1 - HMacSHA256 - HMacSHA512 OtpTotpEncoding: description: The shared secret encoding type: string enum: - base32 - base64 - hexadecimal OtpTotpPassCodeLength: description: Number of digits in an OTP value minimum: 6 maximum: 10 multipleOf: 2 type: integer OtpTotpTimeIntervalInSeconds: description: Time interval for TOTP in seconds type: integer PageRoot: type: object properties: _embedded: type: object properties: default: $ref: '#/components/schemas/CustomizablePage' customized: $ref: '#/components/schemas/CustomizablePage' customizedUrl: type: string format: uri preview: $ref: '#/components/schemas/CustomizablePage' previewUrl: type: string format: uri readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: default: $ref: '#/components/schemas/HrefObject' customized: $ref: '#/components/schemas/HrefObject' preview: $ref: '#/components/schemas/HrefObject' Parameters: description: Attributes used for processing Active Directory group membership update type: object properties: action: type: string description: The update action to take enum: - ADD - REMOVE x-enumDescriptions: ADD: Add to the membership of the group REMOVE: Remove from the membership of the group attribute: type: string 
description: The attribute that tracks group memberships in Active Directory. For Active Directory, use `member`. example: member values: type: array description: List of user IDs whose group memberships to update items: type: string description: ID of an existing user PasswordCredential: description: |- Specifies a password for a user. When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, `password: {}`). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: **Security** > **Authenticators** > **Password** (or for Okta Classic orgs, use **Security** > **Authentication** > **Password**). For information on defaults and configuring your password policies, see [Configure the password authenticator](https://help.okta.com/okta_help.htm?type=oie&id=ext-configure-password) in the help documentation. type: object properties: hash: $ref: '#/components/schemas/PasswordCredentialHash' hook: $ref: '#/components/schemas/PasswordCredentialHook' value: type: string writeOnly: true description: Specifies the password for a user. The password policy validates this password. format: password example: pa$$word PasswordCredentialHash: description: |- Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a password object when creating or updating a user, but not for other operations. See the [Create user with imported hashed password](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#create-user-with-imported-hashed-password) description. 
When you update a user with a hashed password, the user must be in the `STAGED` status. type: object properties: algorithm: $ref: '#/components/schemas/PasswordCredentialHashAlgorithm' digestAlgorithm: $ref: '#/components/schemas/DigestAlgorithm' iterationCount: type: integer description: The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for PBKDF2 algorithm. keySize: type: integer description: Size of the derived key in bytes. Only required for PBKDF2 algorithm. salt: description: |- Only required for salted hashes. For BCRYPT, this specifies Radix-64 as the encoded salt used to generate the hash, which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to generate the hash. type: string saltOrder: type: string description: Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms. value: description: |- For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the actual base64-encoded hash of the password (and salt, if used). This is the Base64-encoded `value` of the SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest that was computed by either pre-fixing or post-fixing the `salt` to the `password`, depending on the `saltOrder`. If a `salt` was not used in the `source` system, then this should just be the Base64-encoded `value` of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the actual Radix-64 encoded hashed password. type: string workFactor: type: integer description: Governs the strength of the hash and the time required to compute it. Only required for BCRYPT algorithm. minimum: 1 maximum: 20 PasswordCredentialHashAlgorithm: description: The algorithm used to generate the hash using the password (and salt, when applicable). 
type: string enum: - BCRYPT - MD5 - PBKDF2 - SHA-1 - SHA-256 - SHA-512 PasswordCredentialHook: description: Specify a [password import inline hook](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/createPasswordImportInlineHook) to trigger verification of the user's password the first time the user signs in. This allows an existing password to be imported into Okta directly from some other store. type: object properties: type: type: string description: The type of password inline hook. Currently, must be set to default. PasswordDictionary: description: Weak password dictionary lookup settings type: object properties: common: $ref: '#/components/schemas/PasswordDictionaryCommon' PasswordDictionaryCommon: description: Lookup settings for commonly used passwords type: object properties: exclude: type: boolean description: Indicates whether to check passwords against the common password dictionary default: false PasswordExpirationPolicyRuleCondition: type: object properties: number: type: integer unit: type: string PasswordImportRequest: type: object properties: data: $ref: '#/components/schemas/PasswordImportRequestData' eventType: type: string description: The type of inline hook. The password import inline hook type is `com.okta.user.credential.password.import`. source: description: The ID and URL of the password import inline hook type: string PasswordImportRequestData: type: object properties: action: type: object description: This object specifies the default action Okta is set to take. Okta takes this action if your external service sends an empty HTTP 204 response. You can override the default action by returning a commands object in your response specifying the action to take. 
properties: credential: description: The status of the user credential, either `UNVERIFIED` or `VERIFIED` default: UNVERIFIED type: string context: type: object properties: request: $ref: '#/components/schemas/InlineHookRequestObject' credential: type: object properties: username: description: The `username` that the user supplied when attempting to sign in to Okta. type: string password: description: The `password` that the user supplied when attempting to sign in to Okta. type: string PasswordImportRequestExecute: description: Password import inline hook request allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/PasswordImportRequest' PasswordImportResponse: description: Password import inline hook response type: object properties: commands: description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the password import inline hook, you typically only return one `commands` object with one array element in it. type: array items: type: object properties: type: description: The location where you specify the command. For the password import inline hook, there's only one command, `com.okta.action.update`. value: description: |- The parameter value of the command. * To indicate that the supplied credentials are valid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "VERIFIED"}`. * To indicate that the supplied credentials are invalid, supply a type property set to `com.okta.action.update` together with a value property set to `{"credential": "UNVERIFIED"}`. Alternatively, you can send an empty response (`204`). By default, the `data.action.credential` is always set to `UNVERIFIED`. 
type: object properties: credential: type: string enum: - UNVERIFIED - VERIFIED PasswordPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: $ref: '#/components/schemas/PasswordPolicyConditions' settings: $ref: '#/components/schemas/PasswordPolicySettings' PasswordPolicyAuthenticationProviderCondition: description: Specifies an authentication provider that's the source of some or all users type: object properties: include: type: array items: type: string provider: $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderType' PasswordPolicyAuthenticationProviderType: type: string enum: - ACTIVE_DIRECTORY - ANY - LDAP - OKTA PasswordPolicyConditions: allOf: - type: object - description: Specifies the conditions that must be met during policy evaluation to apply the policy - properties: authProvider: $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' people: type: object description: Identifies users and groups that are used together properties: groups: type: object description: Specifies a set of groups whose users are to be included or excluded properties: include: type: array description: Groups to be included items: type: string PasswordPolicyDelegationSettings: description: Specifies how to handle password delegation type: object properties: options: $ref: '#/components/schemas/PasswordPolicyDelegationSettingsOptions' PasswordPolicyDelegationSettingsOptions: type: object properties: skipUnlock: type: boolean description: Indicates if, when performing an unlock operation on an Active Directory sourced User who is locked out of Okta, the system should also attempt to unlock the User's Windows account default: false PasswordPolicyPasswordSettings: description: Specifies the password settings for the policy type: object properties: age: $ref: '#/components/schemas/PasswordPolicyPasswordSettingsAge' complexity: $ref: '#/components/schemas/PasswordPolicyPasswordSettingsComplexity' lockout: $ref: 
'#/components/schemas/PasswordPolicyPasswordSettingsLockout' breachedProtection: $ref: '#/components/schemas/PasswordPolicyPasswordSettingsBreachedProtection' PasswordPolicyPasswordSettingsAge: description: Age settings type: object properties: expireWarnDays: type: integer description: 'Specifies the number of days prior to password expiration when a User is warned to reset their password: `0` indicates no warning' default: 0 historyCount: type: integer description: 'Specifies the number of distinct passwords that a User must create before they can reuse a previous password: `0` indicates none' default: 0 maxAgeDays: type: integer description: 'Specifies how long (in days) a password remains valid before it expires: `0` indicates no limit' default: 0 minAgeMinutes: type: integer description: 'Specifies the minimum time interval (in minutes) between password changes: `0` indicates no limit' default: 0 PasswordPolicyPasswordSettingsBreachedProtection: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true description: Breached Protection settings type: object properties: delegatedWorkflowId: type: string description: The `id` of the workflow that runs when a breached password is found during a sign-in attempt. default: null nullable: true expireAfterDays: type: integer description: |- Specifies the number of days after a breached password is found during a sign-in attempt that the user's password should expire. Valid values: 0 through 10. If set to 0, it happens immediately. default: null nullable: true logoutEnabled: type: boolean description: |- (Optional, default is false) If true, you must also specify a value for `expireAfterDays`. When enabled, the user's session(s) are terminated immediately the first time the user's credentials are detected as part of a breach. 
default: false nullable: true PasswordPolicyPasswordSettingsComplexity: description: Complexity settings type: object properties: dictionary: $ref: '#/components/schemas/PasswordDictionary' excludeAttributes: type: array description: 'The User profile attributes whose values must be excluded from the password: currently only supports `firstName` and `lastName`' default: [] items: type: string excludeUsername: type: boolean description: Indicates if the Username must be excluded from the password default: true minLength: type: integer description: Minimum password length default: 8 minLowerCase: type: integer description: 'Indicates if a password must contain at least one lower case letter: `0` indicates no, `1` indicates yes' default: 1 minNumber: type: integer description: 'Indicates if a password must contain at least one number: `0` indicates no, `1` indicates yes' default: 1 minSymbol: type: integer description: 'Indicates if a password must contain at least one symbol (For example: !@#$%^&*): `0` indicates no, `1` indicates yes' default: 1 minUpperCase: type: integer description: 'Indicates if a password must contain at least one upper case letter: `0` indicates no, `1` indicates yes' default: 1 oelStatement: type: string description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle> <x-lifecycle class="oie"></x-lifecycle></x-lifecycle-container>Use an [Expression Language](https://developer.okta.com/docs/reference/okta-expression-language-in-identity-engine/) expression to block a word from being used in a password. You can only block one word per expression. Use the `OR` operator to connect multiple expressions to block multiple words. 
example: - password.value.contains('Word1') OR password.value.contains('Word2') x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: false SKUs: - Okta Identity Engine PasswordPolicyPasswordSettingsLockout: description: Lockout settings type: object properties: autoUnlockMinutes: type: integer description: 'Specifies the time interval (in minutes) a locked account remains locked before it is automatically unlocked: `0` indicates no limit' default: 0 maxAttempts: type: integer description: 'Specifies the number of times Users can attempt to sign in to their accounts with an invalid password before their accounts are locked: `0` indicates no limit' default: 10 showLockoutFailures: type: boolean description: Indicates if the User should be informed when their account is locked default: false userLockoutNotificationChannels: type: array description: How the user is notified when their account becomes locked. The only acceptable values are `[]` and `['EMAIL']`. default: [] items: type: string PasswordPolicyRecoveryEmail: type: object properties: properties: $ref: '#/components/schemas/PasswordPolicyRecoveryEmailProperties' status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Whether or not the factor is active PasswordPolicyRecoveryEmailProperties: type: object properties: recoveryToken: $ref: '#/components/schemas/PasswordPolicyRecoveryEmailRecoveryToken' PasswordPolicyRecoveryEmailRecoveryToken: type: object properties: tokenLifetimeMinutes: description: Lifetime (in minutes) of the recovery token type: integer default: 10080 PasswordPolicyRecoveryFactorSettings: type: object properties: status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Whether or not the factor is active PasswordPolicyRecoveryFactors: description: Settings for the factors that can be used for recovery type: object properties: okta_call: description: Okta voice call $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' okta_email: 
description: Okta email $ref: '#/components/schemas/PasswordPolicyRecoveryEmail' okta_sms: description: Okta SMS $ref: '#/components/schemas/PasswordPolicyRecoveryFactorSettings' recovery_question: description: Okta security question $ref: '#/components/schemas/PasswordPolicyRecoveryQuestion' PasswordPolicyRecoveryQuestion: type: object properties: properties: $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionProperties' status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Whether or not the factor is active PasswordPolicyRecoveryQuestionComplexity: type: object properties: minLength: description: Minimum length of the password recovery question answer type: integer readOnly: true default: 4 PasswordPolicyRecoveryQuestionProperties: type: object properties: complexity: $ref: '#/components/schemas/PasswordPolicyRecoveryQuestionComplexity' PasswordPolicyRecoverySettings: description: |- Specifies the password recovery settings for the policy > **Note:** With Identity Engine, you can specify recovery factors inside the password policy rule instead of in the policy settings object. Recovery factors for the rule are defined inside the [`selfServicePasswordReset` action](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/createPolicyRule!path=1/actions/selfServicePasswordReset&t=request). 
type: object properties: factors: $ref: '#/components/schemas/PasswordPolicyRecoveryFactors' PasswordPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: $ref: '#/components/schemas/PasswordPolicyRuleActions' conditions: $ref: '#/components/schemas/PasswordPolicyRuleConditions' PasswordPolicyRuleAction: description: Indicates if a password can be changed type: object properties: access: $ref: '#/components/schemas/PolicyAccess' PasswordPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' - type: object - description: Specifies how passwords and password recovery are handled properties: passwordChange: $ref: '#/components/schemas/PasswordPolicyRuleAction' selfServicePasswordReset: $ref: '#/components/schemas/SelfServicePasswordResetAction' selfServiceUnlock: $ref: '#/components/schemas/PasswordPolicyRuleAction' PasswordPolicyRuleConditions: description: Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions and conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule. 
type: object properties: network: $ref: '#/components/schemas/PolicyNetworkCondition' people: $ref: '#/components/schemas/PolicyPeopleCondition' PasswordPolicySettings: description: Specifies the policy level settings type: object properties: delegation: $ref: '#/components/schemas/PasswordPolicyDelegationSettings' password: $ref: '#/components/schemas/PasswordPolicyPasswordSettings' recovery: $ref: '#/components/schemas/PasswordPolicyRecoverySettings' PasswordProtectionWarningTrigger: description: Indicates whether the Password Protection Warning feature is enabled example: PHISHING_REUSE type: string enum: - PASSWORD_PROTECTION_OFF - PASSWORD_REUSE - PHISHING_REUSE x-enumDescriptions: PASSWORD_PROTECTION_OFF: Password protection warning is off PASSWORD_REUSE: Password protection warning is triggered by password reuse PHISHING_REUSE: Password protection warning is triggered by password reuse on a phishing page PasswordSettingObject: description: Determines whether Okta creates and pushes a password in the app for each assigned user type: object properties: change: $ref: '#/components/schemas/ChangeEnum' seed: $ref: '#/components/schemas/SeedEnum' status: allOf: - $ref: '#/components/schemas/EnabledStatus' - default: DISABLED - example: ENABLED PatchAIAgentProfile: description: Partial update for AI agent profile type: object properties: description: type: string description: Description of the AI agent nullable: true name: type: string description: Unique name of the AI agent nullable: true PatchAIAgentRequest: description: JSON Merge Patch for AI agent. Send only the fields to update. Use null to remove a value. 
type: object properties: appId: type: string description: The ID of the connected app for the AI Agent nullable: true profile: $ref: '#/components/schemas/PatchAIAgentProfile' PatchAction: description: The operation (PATCH action) type: string enum: - remove - replace x-enumDescriptions: remove: Removes the attribute in `path` if allowed replace: Replaces the attribute in content `path` with the content in `value` PerClientRateLimitMode: type: string enum: - DISABLE - ENFORCE - PREVIEW PerClientRateLimitSettings: title: PerClientRateLimitSettings description: '' type: object properties: defaultMode: $ref: '#/components/schemas/PerClientRateLimitMode' description: The default PerClientRateLimitMode that applies to any use case in the absence of a more specific override useCaseModeOverrides: description: A map of Per-Client Rate Limit Use Case to the applicable PerClientRateLimitMode. Overrides the `defaultMode` property for the specified use cases. type: object properties: LOGIN_PAGE: $ref: '#/components/schemas/PerClientRateLimitMode' OAUTH2_AUTHORIZE: $ref: '#/components/schemas/PerClientRateLimitMode' OIE_APP_INTENT: $ref: '#/components/schemas/PerClientRateLimitMode' required: - defaultMode Permission: type: object properties: conditions: $ref: '#/components/schemas/PermissionConditions' created: type: string format: date-time description: Timestamp when the permission was assigned readOnly: true label: type: string description: The assigned Okta [permission](/openapi/okta-management/guides/permissions) readOnly: true example: okta.users.read lastUpdated: type: string format: date-time description: Timestamp when the permission was last updated readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: role: $ref: '#/components/schemas/HrefObjectRoleLink' PermissionConditions: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true description: Conditions for further restricting a permission. 
See [Permission conditions](https://help.okta.com/okta_help.htm?type=oie&id=ext-permission-conditions). nullable: true type: object properties: exclude: type: object description: Exclude attributes with specific values for the permission additionalProperties: type: object properties: {} nullable: true include: type: object description: Include attributes with specific values for the permission additionalProperties: type: object properties: {} nullable: true Permissions: description: Permissions assigned to the role type: object properties: permissions: type: array description: Array of permissions assigned to the role. See [Permissions](/openapi/okta-management/guides/permissions). items: $ref: '#/components/schemas/Permission' PersonalAppsBlockList: description: Defines a list of email domains with a subset of the properties for each domain type: object properties: domains: type: array description: List of blocked email domains PinRequest: description: Pin request type: object properties: authenticatorEnrollmentId: description: ID for a WebAuthn preregistration factor in Okta type: string fulfillmentProvider: description: Name of the fulfillment provider for the WebAuthn preregistration factor type: string enum: - yubico userId: description: ID of an existing Okta user type: string PipelineType: description: The Okta authentication pipeline of the org type: string enum: - idx - v1 x-enumDescriptions: idx: '[Identity Engine](https://help.okta.com/okta_help.htm?type=oie&id=ext-get-started-oie)' v1: '[Classic Engine](https://help.okta.com/en-us/content/index-admin.htm)' Platform: type: string enum: - ANDROID - CHROMEOS - IOS - MACOS - WINDOWS PlatformConditionEvaluatorPlatform: type: object properties: os: $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystem' type: $ref: '#/components/schemas/PolicyPlatformType' PlatformConditionEvaluatorPlatformOperatingSystem: type: object properties: expression: type: string type: $ref: 
'#/components/schemas/PolicyPlatformOperatingSystemType' version: $ref: '#/components/schemas/PlatformConditionEvaluatorPlatformOperatingSystemVersion' PlatformConditionEvaluatorPlatformOperatingSystemVersion: type: object properties: matchType: $ref: '#/components/schemas/PlatformConditionOperatingSystemVersionMatchType' value: type: string PlatformConditionOperatingSystemVersionMatchType: type: string enum: - EXPRESSION - SEMVER PlatformPolicyRuleCondition: description: Specifies a particular platform or device to match on type: object properties: exclude: type: array items: $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' include: type: array items: $ref: '#/components/schemas/PlatformConditionEvaluatorPlatform' PlayProtectVerdict: description: Indicates if Google Play Protect is enabled on the device and whether it has found known malware type: string enum: - HIGH - LOW - MEDIUM x-enumDescriptions: LOW: Play Protect is turned on and didn't find any app issues on the device MEDIUM: Play Protect is turned on and either hasn't performed a scan yet or has found potentially harmful apps installed on the device HIGH: Play Protect is turned on and has either found dangerous apps installed on the device or its verdict wasn't evaluated. That is, the device isn't trustworthy enough. 
Policy: type: object properties: created: description: Timestamp when the policy was created type: string format: date-time readOnly: true default: Assigned description: description: Description of the policy type: string default: null id: description: Identifier of the policy type: string readOnly: true default: Assigned lastUpdated: description: Timestamp when the policy was last modified type: string format: date-time readOnly: true default: Assigned name: description: Name of the policy type: string priority: description: Specifies the order in which this policy is evaluated in relation to the other policies type: integer default: Last / Lowest Priority, for example `1` status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Whether or not the policy is active. Use the `activate` query parameter to set the status of a policy. system: description: Specifies whether Okta created the policy type: boolean default: false type: $ref: '#/components/schemas/PolicyType' _embedded: type: object additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/PolicyLinks' required: - name - type discriminator: propertyName: type mapping: ACCESS_POLICY: '#/components/schemas/AccessPolicy' IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicy' MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicy' OKTA_SIGN_ON: '#/components/schemas/OktaSignOnPolicy' PASSWORD: '#/components/schemas/PasswordPolicy' PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicy' POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicy' ENTITY_RISK: '#/components/schemas/EntityRiskPolicy' DEVICE_SIGNAL_COLLECTION: '#/components/schemas/DeviceSignalCollectionPolicy' PolicyAccess: type: string enum: - ALLOW - DENY PolicyAccountLink: description: Specifies the behavior for linking an IdP user to an existing Okta user type: object properties: action: $ref: '#/components/schemas/PolicyAccountLinkAction' filter: $ref: 
'#/components/schemas/PolicyAccountLinkFilter' PolicyAccountLinkAction: description: Specifies the account linking action for an IdP user type: string enum: - AUTO - DISABLED x-enumDescriptions: AUTO: The IdP user is automatically linked to an Okta user when the transformed IdP user matches an existing Okta user according to [subject match rules](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/subject&t=request). DISABLED: Okta never attempts to link the IdP user to an existing Okta user, but may still attempt to provision a new Okta user according to the [provisioning action type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=policy/provisioning/action&t=request). PolicyAccountLinkFilter: description: Specifies filters on which users are available for account linking by an IdP type: object properties: groups: $ref: '#/components/schemas/PolicyAccountLinkFilterGroups' users: $ref: '#/components/schemas/PolicyAccountLinkFilterUsers' PolicyAccountLinkFilterGroups: description: Group memberships used to determine link candidates type: object properties: include: type: array description: Specifies the allowlist of Group identifiers to match against. Group memberships are restricted to type `OKTA_GROUP`. 
items: type: string example: 00gjg5lzfBpn62wuF0g3 PolicyAccountLinkFilterUsers: description: Filters on which users are available for account linking x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true type: object properties: exclude: type: array description: Specifies the blocklist of user identifiers to exclude from account linking items: type: string example: 00u2c0nz7wj4UBs8V0g5 excludeAdmins: type: boolean description: Specifies whether admin users should be excluded from account linking default: false PolicyCommon: type: object properties: created: description: Timestamp when the policy was created type: string format: date-time readOnly: true default: Assigned description: description: Description of the Policy type: string default: null id: description: Identifier of the Policy type: string readOnly: true default: Assigned lastUpdated: description: Timestamp when the policy was last modified type: string format: date-time readOnly: true default: Assigned name: description: Name of the policy type: string priority: description: Specifies the order in which this policy is evaluated in relation to the other policies type: integer default: Last / Lowest Priority, for example `1` status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Whether or not the policy is active. Use the `activate` query parameter to set the status of a policy. system: description: Specifies whether Okta created the Policy type: boolean default: false type: $ref: '#/components/schemas/PolicyType' _embedded: type: object additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/PolicyLinks' required: - name - type PolicyContext: type: object properties: device: type: object properties: platform: type: string description: The platform of the device, for example, IOS. 
registered: type: boolean description: If the device is registered managed: type: boolean description: If the device is managed assuranceId: type: string description: The device assurance policy ID for the simulation groups: type: object description: An array of Group IDs for the simulate operation. Only user IDs or Group IDs are allowed, not both. properties: ids: type: array items: type: string uniqueItems: true required: - ids ip: type: string description: The network rule condition, zone, or IP address risk: type: object description: The risk rule condition level properties: level: type: string enum: - LOW - MEDIUM - HIGH user: type: object description: The user ID for the simulate operation. Only user IDs or Group IDs are allowed, not both. properties: id: type: string description: The unique ID number for the user. required: - id zones: type: object description: The zone ID under the network rule condition. properties: ids: type: array items: type: string required: - user - groups PolicyLinks: type: object properties: activate: $ref: '#/components/schemas/HrefObjectActivateLink' deactivate: $ref: '#/components/schemas/HrefObjectDeactivateLink' mappings: $ref: '#/components/schemas/HrefObjectMappingsLink' rules: $ref: '#/components/schemas/HrefObjectRulesLink' self: $ref: '#/components/schemas/HrefObjectSelfLink' readOnly: true PolicyMapping: type: object properties: id: type: string _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: application: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the mapped application policy: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the mapped policy PolicyMappingRequest: type: object properties: resourceId: type: string description: '[Policy ID](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/listPolicies!c=200&path=0/id&t=response) of the app sign-in policy that you want to map' resourceType: $ref: 
'#/components/schemas/PolicyMappingResourceType' PolicyMappingResourceType: description: Specifies the type of resource to map. You can only map an app sign-in policy to a device signal collection policy (the `policyId` path parameter). type: string enum: - ACCESS_POLICY PolicyNetworkCondition: description: Specifies a network selection mode and a set of network zones to be included or excluded. If the connection parameter's data type is `ZONE`, one of the `include` or `exclude` arrays is required. Specific zone IDs to include or exclude are enumerated in the respective arrays. type: object properties: connection: $ref: '#/components/schemas/PolicyNetworkConnection' exclude: type: array description: The zones to exclude. Required only if connection data type is `ZONE` items: type: string include: type: array description: The zones to include. Required only if connection data type is `ZONE` items: type: string PolicyNetworkConnection: description: Network selection mode type: string enum: - ANYWHERE - ZONE PolicyPeopleCondition: description: Identifies users and groups that are used together type: object properties: groups: $ref: '#/components/schemas/GroupCondition' users: $ref: '#/components/schemas/UserCondition' required: - groups - users PolicyPlatformOperatingSystemType: type: string enum: - ANDROID - ANY - IOS - OSX - OTHER - WINDOWS PolicyPlatformType: type: string enum: - ANY - DESKTOP - MOBILE - OTHER PolicyRule: type: object properties: created: type: string description: Timestamp when the rule was created format: date-time readOnly: true nullable: true id: type: string description: Identifier for the rule readOnly: true lastUpdated: type: string description: Timestamp when the rule was last modified format: date-time readOnly: true nullable: true name: type: string description: Name of the rule priority: type: integer description: Priority of the rule nullable: true status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Whether or 
not the rule is active. Use the `activate` query parameter to set the status of a rule. system: type: boolean description: Specifies whether Okta created the policy rule (`system=true`). You can't delete policy rules that have `system` set to `true`. default: false type: $ref: '#/components/schemas/PolicyRuleType' _links: $ref: '#/components/schemas/PolicyLinks' discriminator: propertyName: type mapping: ACCESS_POLICY: '#/components/schemas/AccessPolicyRule' PASSWORD: '#/components/schemas/PasswordPolicyRule' PROFILE_ENROLLMENT: '#/components/schemas/ProfileEnrollmentPolicyRule' SIGN_ON: '#/components/schemas/OktaSignOnPolicyRule' IDP_DISCOVERY: '#/components/schemas/IdpDiscoveryPolicyRule' POST_AUTH_SESSION: '#/components/schemas/PostAuthSessionPolicyRule' ENTITY_RISK: '#/components/schemas/EntityRiskPolicyRule' MFA_ENROLL: '#/components/schemas/AuthenticatorEnrollmentPolicyRule' DEVICE_SIGNAL_COLLECTION: '#/components/schemas/DeviceSignalCollectionPolicyRule' PolicyRuleActions: type: object PolicyRuleActionsEnroll: type: object properties: self: $ref: '#/components/schemas/PolicyRuleActionsEnrollSelf' PolicyRuleActionsEnrollSelf: type: string enum: - CHALLENGE - LOGIN - NEVER PolicyRuleAuthContextCondition: description: Specifies an authentication entry point type: object properties: authType: $ref: '#/components/schemas/PolicyRuleAuthContextType' PolicyRuleAuthContextType: description: Specifies how the user is authenticated type: string enum: - ANY - LDAP_INTERFACE - RADIUS PolicyRuleConditions: type: object properties: app: $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition' apps: $ref: '#/components/schemas/AppInstancePolicyRuleCondition' authContext: $ref: '#/components/schemas/PolicyRuleAuthContextCondition' authProvider: $ref: '#/components/schemas/PasswordPolicyAuthenticationProviderCondition' beforeScheduledAction: $ref: '#/components/schemas/BeforeScheduledActionPolicyRuleCondition' clients: $ref: '#/components/schemas/ClientPolicyCondition' 
context: $ref: '#/components/schemas/ContextPolicyRuleCondition' device: $ref: '#/components/schemas/DevicePolicyRuleCondition' grantTypes: $ref: '#/components/schemas/GrantTypePolicyRuleCondition' groups: $ref: '#/components/schemas/GroupPolicyRuleCondition' identityProvider: $ref: '#/components/schemas/IdentityProviderPolicyRuleCondition' mdmEnrollment: $ref: '#/components/schemas/MDMEnrollmentPolicyRuleCondition' network: $ref: '#/components/schemas/PolicyNetworkCondition' people: $ref: '#/components/schemas/PolicyPeopleCondition' platform: $ref: '#/components/schemas/PlatformPolicyRuleCondition' risk: $ref: '#/components/schemas/RiskPolicyRuleCondition' riskScore: $ref: '#/components/schemas/RiskScorePolicyRuleCondition' scopes: $ref: '#/components/schemas/OAuth2ScopesMediationPolicyRuleCondition' userIdentifier: $ref: '#/components/schemas/UserIdentifierPolicyRuleCondition' users: $ref: '#/components/schemas/UserPolicyRuleCondition' userStatus: $ref: '#/components/schemas/UserStatusPolicyRuleCondition' PolicyRuleType: description: Rule type type: string enum: - ACCESS_POLICY - DEVICE_SIGNAL_COLLECTION - ENTITY_RISK - IDP_DISCOVERY - MFA_ENROLL - PASSWORD - POST_AUTH_SESSION - PROFILE_ENROLLMENT - SIGN_ON PolicyRuleVerificationMethodType: description: Verification method type type: string enum: - ASSURANCE - AUTH_METHOD_CHAIN - ID_PROOFING PolicySubject: description: Specifies the behavior for establishing, validating, and matching a username for an IdP user type: object properties: filter: type: string description: |- Optional [regular expression pattern](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions) used to filter untrusted IdP usernames. * As a best security practice, you should define a regular expression pattern to filter untrusted IdP usernames. This is especially important if multiple IdPs are connected to your org. 
The filter prevents an IdP from issuing an assertion for any user, including partners or directory users in your Okta org. * For example, the filter pattern `(\S+@example\.com)` allows only Users that have an `@example.com` username suffix. It rejects assertions that have any other suffix such as `@corp.example.com` or `@partner.com`. * Only `SAML2` and `OIDC` IdP providers support the `filter` property. maxLength: 1024 example: (\S+@example\.com) matchAttribute: type: string description: |- Okta user profile attribute for matching a transformed IdP username. Only for matchType `CUSTOM_ATTRIBUTE`. The `matchAttribute` must be a valid Okta user profile attribute of one of the following types: * String (with no format or 'email' format only) * Integer * Number example: login matchType: $ref: '#/components/schemas/PolicySubjectMatchType' userNameTemplate: $ref: '#/components/schemas/PolicyUserNameTemplate' PolicySubjectMatchType: description: Determines the Okta user profile attribute match conditions for account linking and authentication of the transformed IdP username type: string enum: - CUSTOM_ATTRIBUTE - EMAIL - USERNAME - USERNAME_OR_EMAIL PolicyType: description: |- All Okta orgs contain only one IdP discovery policy with an immutable default rule routing to your org's sign-in page, one entity risk policy, and one session protection policy. Creating or replacing a policy with the `IDP_DISCOVERY` type, the `ENTITY_RISK` type, or the `POST_AUTH_SESSION` type isn't supported. The following policy types are available with Identity Engine: `ACCESS_POLICY`, `PROFILE_ENROLLMENT`, `POST_AUTH_SESSION`, <x-lifecycle class="ea"></x-lifecycle> `DEVICE_SIGNAL_COLLECTION`, `ENTITY_RISK`. 
type: string enum: - <x-lifecycle class="ea"></x-lifecycle> DEVICE_SIGNAL_COLLECTION - ACCESS_POLICY - ENTITY_RISK - IDP_DISCOVERY - MFA_ENROLL - OKTA_SIGN_ON - PASSWORD - POST_AUTH_SESSION - PROFILE_ENROLLMENT PolicyTypeSimulation: type: string enum: - ACCESS_POLICY - MFA_ENROLL - OKTA_SIGN_ON - PROFILE_ENROLLMENT PolicyUserNameTemplate: description: |- [Okta Expression Language (EL) expression](https://developer.okta.com/docs/reference/okta-expression-language/) to generate or transform a unique username for the IdP user. * IdP user profile attributes can be referenced with the `idpuser` prefix such as `idpuser.subjectNameId`. * You must define an IdP user profile attribute before it can be referenced in an Okta EL expression. To define an IdP user attribute policy, you may need to create a new IdP instance without a base profile property. Then edit the IdP user profile to update the IdP instance with an expression that references the IdP user profile attribute that you just created. type: object properties: template: type: string minLength: 9 maxLength: 1024 example: idpuser.subjectNameId PolicyUserStatus: type: string enum: - ACTIVATING - ACTIVE - DELETED - DELETING - EXPIRED_PASSWORD - INACTIVE - PENDING - SUSPENDED PossessionConstraint: allOf: - $ref: '#/components/schemas/AccessPolicyConstraint' - type: object properties: deviceBound: type: string description: Indicates if device-bound Factors are required. This property is only set for `POSSESSION` constraints. enum: - OPTIONAL - REQUIRED default: OPTIONAL hardwareProtection: type: string description: Indicates if any secrets or private keys used during authentication must be hardware protected and not exportable. This property is only set for `POSSESSION` constraints. enum: - OPTIONAL - REQUIRED default: OPTIONAL phishingResistant: type: string description: Indicates if phishing-resistant Factors are required. This property is only set for `POSSESSION` constraints. 
enum: - OPTIONAL - REQUIRED default: OPTIONAL userPresence: type: string description: Indicates if the user needs to approve an Okta Verify prompt or provide biometrics (meets NIST AAL2 requirements). This property is only set for `POSSESSION` constraints. enum: - OPTIONAL - REQUIRED default: REQUIRED userVerification: type: string description: Indicates the user interaction requirement (PIN or biometrics) to ensure verification of a possession factor enum: - OPTIONAL - REQUIRED default: OPTIONAL userVerificationMethods: description: Indicates which methods can be used for user verification. `userVerificationMethods` can only be used when `userVerification` is `REQUIRED`. `BIOMETRICS` is currently the only supported method. type: array items: type: string enum: - BIOMETRICS - PIN PostAuthKeepMeSignedInPrompt: x-okta-lifecycle: lifecycle: LIMITED_GA isGenerallyAvailable: false SKUs: - Okta Identity Engine type: object properties: acceptButtonText: type: string description: The label on the accept button when prompting for Stay signed in rejectButtonText: type: string description: The label on the reject button when prompting for Stay signed in subtitle: type: string description: The subtitle on the Sign-In Widget when prompting for Stay signed in title: type: string description: The title on the Sign-In Widget when prompting for Stay signed in PostAuthSessionFailureActionsObject: type: object properties: action: type: string enum: - RUN_WORKFLOW - TERMINATE_SESSION discriminator: propertyName: action mapping: RUN_WORKFLOW: '#/components/schemas/PostAuthSessionPolicyRuleRunWorkflow' TERMINATE_SESSION: '#/components/schemas/PostAuthSessionPolicyRuleTerminateSession' PostAuthSessionPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: type: string description: Policy conditions aren't supported for this policy type default: null nullable: true PostAuthSessionPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: 
object properties: actions: type: object description: The action to take in response to a failure of the reevaluated global session policy or authentication policies properties: postAuthSession: type: object description: This object contains a `failureActions` array that defines the specific action to take when the session protection policy detects a failure properties: failureActions: type: array description: An array of objects that define the action. It can be empty or contain two `action` value pairs. items: $ref: '#/components/schemas/PostAuthSessionFailureActionsObject' conditions: type: object description: Specifies conditions that must be met during policy evaluation to apply the rule. All policy conditions and conditions for at least one rule must be met to apply the settings specified in the policy and the associated rule. properties: people: $ref: '#/components/schemas/PolicyPeopleCondition' PostAuthSessionPolicyRuleRunWorkflow: type: object properties: action: type: string enum: - RUN_WORKFLOW workflow: type: object description: This action runs a workflow properties: id: type: integer description: The `id` of the workflow that runs. PostAuthSessionPolicyRuleTerminateSession: type: object properties: action: type: string description: The action to take when the session protection policy detects a failure. 
enum: - TERMINATE_SESSION PotentialConnection: oneOf: - $ref: '#/components/schemas/IdentityAssertionAppInstanceConnection' - $ref: '#/components/schemas/IdentityAssertionCustomASConnection' - $ref: '#/components/schemas/STSVaultSecretConnection' - $ref: '#/components/schemas/STSServiceAccountConnection' type: object discriminator: propertyName: connectionType mapping: IDENTITY_ASSERTION_APP_INSTANCE: '#/components/schemas/IdentityAssertionAppInstanceConnection' IDENTITY_ASSERTION_CUSTOM_AS: '#/components/schemas/IdentityAssertionCustomASConnection' STS_VAULT_SECRET: '#/components/schemas/STSVaultSecretConnection' STS_SERVICE_ACCOUNT: '#/components/schemas/STSServiceAccountConnection' PotentialConnectionList: type: object properties: data: description: Potential connections that can be established type: array items: $ref: '#/components/schemas/PotentialConnection' _links: type: object description: Links available for the potential connection list required: - self properties: self: $ref: '#/components/schemas/HrefObjectSelfLink' next: $ref: '#/components/schemas/HrefObjectNextLink' required: - data - _links PreRegistrationInlineHook: type: object properties: inlineHookId: type: string PrincipalRateLimitEntity: title: PrincipalRateLimitEntity description: '' type: object properties: createdBy: description: The Okta user ID of the user who created the principal rate limit entity type: string readOnly: true createdDate: description: The date and time the principal rate limit entity was created type: string format: date-time readOnly: true defaultConcurrencyPercentage: description: The default percentage of a given concurrency limit threshold that the owning principal can consume type: integer defaultPercentage: description: The default percentage of a given rate limit threshold that the owning principal can consume type: integer id: description: The unique identifier of the principal rate limit entity type: string readOnly: true lastUpdate: description: The date and 
time the principal rate limit entity was last updated type: string format: date-time readOnly: true lastUpdatedBy: description: The Okta user ID of the user who last updated the principal rate limit entity type: string readOnly: true orgId: description: The unique identifier of the Okta org type: string readOnly: true principalId: description: The unique identifier of the principal. This is the ID of the API token or OAuth 2.0 app. type: string principalType: $ref: '#/components/schemas/PrincipalType' required: - principalId - principalType PrincipalType: description: The type of principal, either an API token or an OAuth 2.0 app type: string enum: - OAUTH_CLIENT - SSWS_TOKEN PrivilegedResource: description: Base class for PrivilegedResourceRequest and PrivilegedResourceResponse type: object properties: created: type: string description: Timestamp when the object was created format: date-time readOnly: true example: '2024-06-10T11:11:01.000Z' credentialSyncInfo: $ref: '#/components/schemas/CredentialSyncInfo' id: type: string description: ID of the privileged resource readOnly: true example: opa100xTfFs4MasRf0g4 lastUpdated: type: string description: Timestamp when the object was last updated format: date-time readOnly: true example: '2024-06-10T11:13:01.000Z' resourceType: $ref: '#/components/schemas/PrivilegedResourceType' status: $ref: '#/components/schemas/PrivilegedResourceStatus' required: - resourceType discriminator: propertyName: resourceType mapping: APP_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountAppRequest' OKTA_USER_ACCOUNT: '#/components/schemas/PrivilegedResourceAccountOkta' PrivilegedResourceAccountAppRequest: allOf: - type: object properties: containerDetails: $ref: '#/components/schemas/AppAccountContainerDetails' credentials: $ref: '#/components/schemas/PrivilegedResourceCredentials' - $ref: '#/components/schemas/PrivilegedResource' required: - containerId PrivilegedResourceAccountAppResponse: allOf: - type: object properties: 
credentials: $ref: '#/components/schemas/PrivilegedResourceCredentials' profile: $ref: '#/components/schemas/profile' - $ref: '#/components/schemas/PrivilegedResource' PrivilegedResourceAccountOkta: allOf: - type: object properties: resourceId: type: string description: The user ID associated with the Okta privileged resource example: 00u100xTfFs4MasRf0g4 credentials: $ref: '#/components/schemas/PrivilegedResourceCredentials' profile: $ref: '#/components/schemas/profile' - $ref: '#/components/schemas/PrivilegedResource' PrivilegedResourceCredentials: description: Credentials for the privileged resource type: object properties: password: type: string description: The password associated with the privileged resource format: password writeOnly: true example: xf1bs9am2 userName: type: string description: The username associated with the privileged resource minLength: 1 maxLength: 100 example: testuser@example.com required: - userName PrivilegedResourceFilters: type: object properties: appGroups: type: array description: Array of app groups whose members might be privileged app users items: $ref: '#/components/schemas/AppGroup' organizationalUnits: type: array description: Array of organizational units where privileged app users are present items: $ref: '#/components/schemas/OrganizationalUnit' PrivilegedResourceStatus: description: Current status of the privileged resource type: string enum: - ACTIVE - CREATED - CREATION_FAILED - INACTIVE - PENDING x-enumDescriptions: CREATED: The privileged resource is created but not yet managed by OPA ACTIVE: The privileged resource is currently managed by OPA INACTIVE: The privileged resource is `INACTIVE` and not currently managed by OPA PENDING: The privileged resource is pending creation in Okta CREATION_FAILED: The privileged resource creation failed readOnly: true PrivilegedResourceType: description: The type of the resource type: string enum: - APP_ACCOUNT - OKTA_USER_ACCOUNT x-enumDescriptions: APP_ACCOUNT: Represents a 
privileged resource that belongs to an app OKTA_USER_ACCOUNT: Represents a privileged resource that belongs to Okta PrivilegedResourceUpdateRequest: description: Update request for a privileged resource type: object properties: profile: $ref: '#/components/schemas/profile' userName: type: string description: The username associated with the privileged resource minLength: 1 maxLength: 100 example: testuser@example.com ProfileEnrollmentPolicy: allOf: - $ref: '#/components/schemas/Policy' - type: object properties: conditions: type: string description: Policy conditions aren't supported for this policy type default: null nullable: true ProfileEnrollmentPolicyRule: allOf: - $ref: '#/components/schemas/PolicyRule' - type: object properties: actions: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActions' conditions: type: string description: Policy rule conditions aren't supported for this policy type default: null nullable: true ProfileEnrollmentPolicyRuleAction: type: object properties: access: type: string enum: - ALLOW - DENY description: |- Indicates if the user profile is granted access > **Note:** You can't set the `access` property to `DENY` after you create the policy activationRequirements: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleActivationRequirement' allowedIdentifiers: items: type: string type: array description: A list of attributes to identify an end user. Can be used across Okta sign-in, unlock, and recovery flows. default: - login enrollAuthenticatorTypes: items: type: string type: array description: Additional authenticator fields that can be used on the first page of user registration. The only valid value is `'password'`. 
preRegistrationInlineHooks: items: $ref: '#/components/schemas/PreRegistrationInlineHook' type: array description: (Optional) The `id` of at most one registration inline hook profileAttributes: items: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleProfileAttribute' type: array description: A list of attributes to prompt the user for during registration or progressive profiling. Where defined on the user schema, these attributes are persisted in the user profile. You can also add non-schema attributes, which aren't persisted to the user's profile, but are included in requests to the registration inline hook. A maximum of 10 profile properties is supported. progressiveProfilingAction: type: string enum: - ENABLED - DISABLED description: Progressive profile enrollment helps evaluate the user profile policy at every user login. Users can be prompted to provide input for newly required attributes. targetGroupIds: items: type: string type: array description: (Optional, max 1 entry) The `id` of a group that this user should be added to uiSchemaId: type: string description: Value created by the backend. If present, all policy updates must include this attribute/value. 
unknownUserAction: type: string enum: - DENY - REGISTER description: Which action should be taken if this user is new ProfileEnrollmentPolicyRuleActions: allOf: - $ref: '#/components/schemas/PolicyRuleActions' - type: object - description: Specifies the settings that govern which profile attributes are required for creating new users properties: profileEnrollment: $ref: '#/components/schemas/ProfileEnrollmentPolicyRuleAction' ProfileEnrollmentPolicyRuleActivationRequirement: description: Contains a single Boolean property that indicates whether `emailVerification` should occur (`true`) or not (`false`, default) type: object properties: emailVerification: type: boolean ProfileEnrollmentPolicyRuleProfileAttribute: type: object properties: label: type: string description: A display-friendly label for this property name: type: string description: The name of a user profile property. Can be an existing property. required: type: boolean description: (Optional, default `FALSE`) Indicates if this property is required for enrollment default: false ProfileMapping: description: |- The profile mapping object describes a mapping between an Okta user's and an app user's properties using [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04). > **Note:** Same type source/target mappings aren't supported by this API. Profile mappings must be between Okta and an app. type: object properties: id: type: string description: Unique identifier for a profile mapping readOnly: true properties: type: object $ref: '#/components/schemas/ProfileMappingProperty' readOnly: false source: $ref: '#/components/schemas/ProfileMappingSource' target: $ref: '#/components/schemas/ProfileMappingTarget' _links: $ref: '#/components/schemas/LinksSelf' ProfileMappingProperty: description: A target property, in string form, that maps to a valid [JSON Schema Draft](https://tools.ietf.org/html/draft-zyp-json-schema-04) document. 
type: object properties: expression: description: Combination or single source properties that are mapped to the target property. See [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/). type: string pushStatus: $ref: '#/components/schemas/ProfileMappingPropertyPushStatus' ProfileMappingPropertyPushStatus: description: |- Indicates whether to update target properties for user create and update or just for user create. - Having a pushStatus of `PUSH` causes properties in the target to be updated on create and update. - Having a pushStatus of `DONT_PUSH` causes properties in the target to be updated only on create. type: string enum: - DONT_PUSH - PUSH ProfileMappingRequest: description: The updated request body properties type: object properties: properties: type: object $ref: '#/components/schemas/ProfileMappingProperty' required: - properties - expression - pushStatus ProfileMappingSource: description: |- The parameter is the source of a profile mapping and is a valid [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) document with the following properties. The data type can be an app instance or an Okta object. > **Note:** If the source is Okta and the UserTypes feature isn't enabled, then the source `_links` only has a link to the schema. type: object properties: id: type: string description: Unique identifier for the application instance or userType readOnly: true name: type: string description: Variable name of the application instance or name of the referenced UserType readOnly: true type: type: string description: Type of user referenced in the mapping readOnly: true _links: $ref: '#/components/schemas/SourceLinks' ProfileMappingTarget: description: |- The parameter is the target of a profile mapping and is a valid [JSON Schema Draft 4](https://datatracker.ietf.org/doc/html/draft-zyp-json-schema-04) document with the following properties. 
The data type can be an app instance or an Okta object. > **Note:** If the target is Okta and the UserTypes feature isn't enabled, then the target `_links` only has a link to the schema. type: object properties: id: type: string description: Unique identifier for the application instance or UserType readOnly: true name: type: string description: Variable name of the application instance or name of the referenced userType readOnly: true type: type: string description: Type of user referenced in the mapping readOnly: true _links: $ref: '#/components/schemas/SourceLinks' ProfileSettingObject: description: | This setting determines whether a user in the app gets updated when they're updated in Okta. If enabled, Okta updates a user's attributes in the app when the app is assigned. Future changes made to the Okta user's profile automatically overwrite the corresponding attribute value in the app. type: object properties: status: allOf: - $ref: '#/components/schemas/EnabledStatus' - example: DISABLED - default: DISABLED Protocol: type: string enum: - ACTIONS - GTR - OIDC - SAML - SCIM ProtocolAlgorithmRequestScope: description: Specifies whether to digitally sign authorization requests to the IdP example: REQUEST type: string enum: - NONE - REQUEST ProtocolAlgorithmResponseScope: description: Specifies whether to verify responses from the IdP example: ANY type: string enum: - ANY - RESPONSE - TOKEN ProtocolCredentialsKeyId: description: IdP key credential reference to the Okta X.509 signature certificate example: your-key-id type: string ProtocolEndpointBinding: type: string enum: - HTTP-POST - HTTP-REDIRECT ProtocolIdVerification: title: ID Verification description: Protocol settings for the IDV vendor type: object properties: credentials: $ref: '#/components/schemas/IDVCredentials' endpoints: $ref: '#/components/schemas/IDVEndpoints' scopes: $ref: '#/components/schemas/OAuthScopes' type: type: string description: ID verification protocol enum: - ID_PROOFING 
ProtocolMtls: title: Mutual TLS Protocol description: Protocol settings for the [MTLS Protocol](https://tools.ietf.org/html/rfc5246#section-7.4.4) type: object properties: credentials: $ref: '#/components/schemas/MtlsCredentials' endpoints: $ref: '#/components/schemas/MtlsEndpoints' type: type: string description: Mutual TLS enum: - MTLS ProtocolOAuth: title: OAuth 2.0 Protocol description: Protocol settings for authentication using the [OAuth 2.0 Authorization Code flow](https://tools.ietf.org/html/rfc6749#section-4.1) type: object properties: credentials: $ref: '#/components/schemas/OAuthCredentials' endpoints: $ref: '#/components/schemas/OAuthEndpoints' scopes: $ref: '#/components/schemas/OAuthScopes' type: type: string description: OAuth 2.0 Authorization Code flow enum: - OAUTH2 ProtocolOidc: title: OpenID Connect Protocol description: Protocol settings for authentication using the [OpenID Connect Protocol](http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) type: object properties: algorithms: $ref: '#/components/schemas/OidcAlgorithms' credentials: $ref: '#/components/schemas/OAuthCredentials' endpoints: $ref: '#/components/schemas/OAuthEndpoints' oktaIdpOrgUrl: type: string description: URL of the IdP org example: https://idp.example.com scopes: type: array description: |- OpenID Connect and IdP-defined permission bundles to request delegated access from the user > **Note:** The [IdP type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=type&t=request) table lists the scopes that are supported for each IdP. 
items: type: string example: openid settings: $ref: '#/components/schemas/OidcSettings' type: type: string description: OpenID Connect Authorization Code flow enum: - OIDC ProtocolSaml: title: SAML 2.0 Protocol description: Protocol settings for the [SAML 2.0 Authentication Request Protocol](http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf) type: object properties: algorithms: $ref: '#/components/schemas/SamlAlgorithms' credentials: $ref: '#/components/schemas/SamlCredentials' endpoints: $ref: '#/components/schemas/SamlEndpoints' relayState: $ref: '#/components/schemas/SamlRelayState' settings: $ref: '#/components/schemas/SamlSettings' type: type: string description: SAML 2.0 protocol enum: - SAML2 ProtocolType: description: The authentication protocol type used for the connection type: string enum: - IDENTITY_ASSERTION - STS x-enumDescriptions: IDENTITY_ASSERTION: Identity assertion protocol for obtaining OAuth 2.0 access tokens STS: Security Token Service protocol for obtaining credentials or secrets ProviderType: type: string enum: - APNS - FCM Provisioning: description: Specifies the behavior for just-in-time (JIT) provisioning of an IdP user as a new Okta user and their group memberships type: object properties: action: $ref: '#/components/schemas/ProvisioningAction' conditions: $ref: '#/components/schemas/ProvisioningConditions' groups: $ref: '#/components/schemas/ProvisioningGroups' profileMaster: type: boolean description: Determines if the IdP should act as a source of truth for user profile attributes ProvisioningAction: description: |- Specifies the user provisioning action during authentication when an IdP user isn't linked to an existing Okta user. * To successfully provision a new Okta user, you must enable just-in-time (JIT) provisioning in your org security settings. * If the target username isn't unique or the resulting Okta user profile is missing a required profile attribute, JIT provisioning may fail. 
* New Okta users are provisioned with either a `FEDERATION` or `SOCIAL` authentication provider depending on the IdP type. type: string enum: - AUTO - DISABLED x-enumDescriptions: AUTO: The IdP user profile is transformed through defined universal directory profile mappings to an Okta user profile and automatically provisioned as an Okta user. DISABLED: Okta rejects the authentication request and skips provisioning of a new Okta user if the IdP user isn't linked to an existing Okta user. ProvisioningConditions: description: Conditional behaviors for an IdP user during authentication type: object properties: deprovisioned: $ref: '#/components/schemas/ProvisioningDeprovisionedCondition' suspended: $ref: '#/components/schemas/ProvisioningSuspendedCondition' ProvisioningConnectionAuthScheme: description: Defines the method of authentication type: string enum: - OAUTH2 - TOKEN - UNKNOWN x-enumDescriptions: TOKEN: A token is used to authenticate with the app. OAUTH2: OAuth 2.0 is used to authenticate with the app. UNKNOWN: The authentication scheme used by the app isn't supported, or the app doesn't support provisioning. ProvisioningConnectionOauthAuthScheme: description: OAuth 2.0 is used to authenticate with the app. type: string enum: - OAUTH2 ProvisioningConnectionOauthRequest: title: OAuth 2.0-based connection allOf: - $ref: '#/components/schemas/ProvisioningConnectionRequest' - description: OAuth 2.0-based provisioning connection request properties: profile: $ref: '#/components/schemas/ProvisioningConnectionOauthRequestProfile' required: - profile ProvisioningConnectionOauthRequestProfile: properties: authScheme: $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme' clientId: type: string description: Only used for the Okta Org2Org (`okta_org2org`) app. The unique client identifier for the OAuth 2.0 service app from the target org. 
settings: $ref: '#/components/schemas/Office365ProvisioningSettings' signing: $ref: '#/components/schemas/Org2OrgProvisioningOAuthSigningSettings' required: - authScheme ProvisioningConnectionProfileOauth: description: | The app provisioning connection profile used to configure the method of authentication and the credentials. Currently, token-based and OAuth 2.0-based authentication are supported. properties: authScheme: $ref: '#/components/schemas/ProvisioningConnectionOauthAuthScheme' clientId: type: string required: - authScheme ProvisioningConnectionRequest: type: object ProvisioningConnectionRequestAuthScheme: type: string enum: - OAUTH2 - TOKEN ProvisioningConnectionResponse: type: object properties: authScheme: $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme' baseUrl: type: string description: Base URL profile: $ref: '#/components/schemas/ProvisioningConnectionResponseProfile' status: $ref: '#/components/schemas/ProvisioningConnectionStatus' _links: $ref: '#/components/schemas/LinksSelfLifecycleAndAuthorize' required: - profile - status ProvisioningConnectionResponseProfile: properties: authScheme: $ref: '#/components/schemas/ProvisioningConnectionAuthScheme' signing: $ref: '#/components/schemas/Org2OrgProvisioningOAuthSigningSettings' required: - authScheme ProvisioningConnectionStatus: description: Provisioning connection status default: DISABLED type: string enum: - DISABLED - ENABLED - UNKNOWN x-enumDescriptions: DISABLED: The provisioning connection is disabled. ENABLED: The provisioning connection is enabled. UNKNOWN: Provisioning isn't supported by the app, or the authentication method is unknown. ProvisioningConnectionTokenAuthScheme: description: A token is used to authenticate with the app. This property is only returned for the `TOKEN` authentication scheme. 
type: string enum: - TOKEN ProvisioningConnectionTokenRequest: title: Token-based connection allOf: - $ref: '#/components/schemas/ProvisioningConnectionRequest' - description: Token-based provisioning connection request properties: baseUrl: type: string description: Only used for the Zscaler 2.0 (`zscalerbyz`) app. The base URL for the Zscaler 2.0 target app, which also contains the Zscaler ID. x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true profile: $ref: '#/components/schemas/ProvisioningConnectionTokenRequestProfile' required: - profile ProvisioningConnectionTokenRequestProfile: properties: authScheme: $ref: '#/components/schemas/ProvisioningConnectionTokenAuthScheme' token: type: string description: Token used to authenticate with the app required: - authScheme ProvisioningDeprovisionedAction: description: Specifies the action during authentication when an IdP user is linked to a previously deprovisioned Okta user type: string enum: - NONE - REACTIVATE x-enumDescriptions: NONE: Take no action. If an IdP user that matches a previously deprovisioned Okta user attempts to authenticate, authentication fails. REACTIVATE: If an IdP user that matches a previously deprovisioned Okta user attempts to authenticate, reactivate the matching user in Okta and allow the authentication attempt to proceed. ProvisioningDeprovisionedCondition: description: Behavior for a previously deprovisioned IdP user during authentication. Not supported with OIDC IdPs. 
type: object properties: action: $ref: '#/components/schemas/ProvisioningDeprovisionedAction' ProvisioningDetails: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] description: Supported provisioning configurations for your integration type: object properties: features: type: array minItems: 1 description: List of provisioning features supported in this integration items: type: string description: Feature enum: - CREATE_USER - READ_USER - UPDATE_USER - DEACTIVATE_USER - CREATE_GROUP - READ_GROUP - UPDATE_GROUP - DEACTIVATE_GROUP x-enumDescriptions: CREATE_USER: Assigns a new external app account to each user managed by Okta. Okta doesn't create an account if it detects that the username specified in Okta exists in the external app. READ_USER: Imports users and their profiles from the external app to Okta. This feature is required. UPDATE_USER: Updates the profiles of users assigned to that app integration and synchronizes those changes to downstream apps. Profile changes made in the external app are overwritten with their respective Okta profile values. DEACTIVATE_USER: Automatically deactivates user accounts when they're unassigned in Okta or their Okta accounts are deactivated. Okta also reactivates the external app account if the app integration is reassigned to a user in Okta. CREATE_GROUP: Assigns a new group in the external app for existing Okta groups READ_GROUP: Imports groups from the external app to Okta. This feature is required. 
UPDATE_GROUP: Updates the groups and their memberships DEACTIVATE_GROUP: Automatically deactivates groups when they're unassigned in Okta scim: $ref: '#/components/schemas/Scim' required: - features - scim ProvisioningGroups: description: Provisioning settings for a user's group memberships type: object properties: action: $ref: '#/components/schemas/ProvisioningGroupsAction' assignments: type: array description: List of `OKTA_GROUP` group identifiers to add an IdP user as a member with the `ASSIGN` action items: type: string example: 00gak46y5hydV6NdM0g4 filter: type: array description: Allowlist of `OKTA_GROUP` group identifiers for the `APPEND` or `SYNC` provisioning action items: type: string example: 00gak46y5hydV6NdM0g4 sourceAttributeName: type: string description: IdP user profile attribute name (case-insensitive) for an array value that contains group memberships maxLength: 1024 example: Groups ProvisioningGroupsAction: description: |- Provisioning action for the IdP user's group memberships | Enum | Description | Existing OKTA_GROUP Memberships | Existing APP_GROUP Memberships | Existing BUILT_IN Memberships | | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ------------------------------ | ----------------------------- | | `APPEND` | Adds a user to any group defined by the IdP as a value of the `sourceAttributeName` array that matches the name of the allow listed group defined in the `filter` | Unchanged | Unchanged | Unchanged | | `ASSIGN` | Assigns a user to groups defined in the `assignments` array | Unchanged | Unchanged | Unchanged | | `NONE` | Skips processing of group memberships | Unchanged | Unchanged | Unchanged | | `SYNC` | Group memberships are sourced by the IdP as a value of the `sourceAttributeName` array that 
matches the name of the group defined in the `filter` | Removed if not defined by the IdP in `sourceAttributeName` and matching name of the group in `filter` | Unchanged | Unchanged | > **Note:** Group provisioning action is processed independently from profile sourcing. You can sync group memberships through SAML with profile sourcing disabled. type: string enum: - APPEND - ASSIGN - NONE - SYNC ProvisioningSuspendedAction: description: Specifies the action during authentication when an IdP user is linked to a previously suspended Okta user type: string enum: - NONE - UNSUSPEND x-enumDescriptions: NONE: Take no action. If an IdP user that matches a previously suspended Okta user attempts to authenticate, authentication fails. UNSUSPEND: If an IdP user that matches a previously suspended Okta user attempts to authenticate, unsuspend the matching user in Okta and allow the authentication attempt to proceed. ProvisioningSuspendedCondition: description: Behavior for a previously suspended IdP user during authentication. Not supported with OIDC IdPs. 
type: object properties: action: $ref: '#/components/schemas/ProvisioningSuspendedAction' PublicAppleAppSiteWellKnownURI: description: The well-known URI content in JSON object format type: object PublicAssetLinksWellKnownURI: description: The well-known URI content in a JSON array of objects format items: type: object type: array PublicWebauthnSiteWellKnownURI: description: The well-known URI content in JSON object format type: object PushMethodKeyProtection: description: Indicates whether you must use a hardware key store type: string enum: - ANY - HARDWARE PushProvider: title: PushProvider type: object properties: id: type: string readOnly: true description: Unique key for the Push Provider lastUpdatedDate: type: string readOnly: true description: Timestamp when the Push Provider was last modified name: type: string description: Display name of the push provider providerType: $ref: '#/components/schemas/ProviderType' _links: $ref: '#/components/schemas/LinksSelf' discriminator: propertyName: providerType mapping: APNS: '#/components/schemas/APNSPushProvider' FCM: '#/components/schemas/FCMPushProvider' RateLimitAdminNotifications: title: RateLimitAdminNotifications description: '' type: object properties: notificationsEnabled: type: boolean required: - notificationsEnabled RateLimitWarningThresholdRequest: title: RateLimitWarningThreshold description: '' type: object properties: warningThreshold: description: The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs. type: integer minimum: 30 maximum: 90 required: - warningThreshold RateLimitWarningThresholdResponse: title: RateLimitWarningThreshold description: '' type: object properties: warningThreshold: description: The threshold value (percentage) of a rate limit that, when exceeded, triggers a warning notification. By default, this value is 90 for Workforce orgs and 60 for CIAM orgs. 
type: integer minimum: 30 maximum: 90 Realm: type: object properties: created: type: string format: date-time description: Timestamp when the realm was created readOnly: true id: type: string description: Unique ID for the realm readOnly: true isDefault: type: boolean description: Indicates the default realm. Existing users will start out in the default realm and can be moved to other realms individually or through realm assignments. See [Realms Assignments API](/openapi/okta-management/management/tag/RealmAssignment/). readOnly: true lastUpdated: type: string format: date-time description: Timestamp when the realm was updated readOnly: true profile: $ref: '#/components/schemas/RealmProfile' _links: $ref: '#/components/schemas/LinksSelf' RealmAssignment: type: object properties: actions: $ref: '#/components/schemas/Actions' conditions: $ref: '#/components/schemas/Conditions' created: description: Timestamp when the realm assignment was created type: string format: date-time readOnly: true domains: type: array description: |- Array of allowed domains. No user in this realm can be created or updated unless they have a username and email from one of these domains. The following characters aren't allowed in the domain name: `!$%^&()=*+,:;<>'[]|/?\` id: description: Unique ID of the realm assignment type: string readOnly: true isDefault: description: Indicates the default realm. Existing users will start out in the default realm and can be moved individually to other realms. type: boolean readOnly: true lastUpdated: description: Timestamp of when the realm assignment was updated type: string format: date-time readOnly: true name: description: Name of the realm type: string priority: type: integer description: |- The priority of the realm assignment. The lower the number, the higher the priority. This helps resolve conflicts between realm assignments. > **Note:** When you create realm assignments in bulk, realm assignment priorities must be unique. 
status: $ref: '#/components/schemas/LifecycleStatus' _links: $ref: '#/components/schemas/LinksSelf' RealmAssignmentOperationResponse: allOf: - $ref: '#/components/schemas/OperationResponse' - type: object properties: assignmentOperation: type: object description: Definition of the realm assignment operation properties: configuration: description: Configuration definition of the realm type: object properties: actions: type: object description: Realm assignment action properties: assignUserToRealm: type: object description: Action that assigns a user to a realm properties: realmId: description: ID of the realm type: string conditions: $ref: '#/components/schemas/Conditions' id: type: string description: ID of the realm assignment operation name: type: string description: Name of the realm assignment operation numUserMoved: description: Number of users moved type: number readOnly: true realmId: description: ID of the realm type: string readOnly: true realmName: description: Name of the realm type: string readOnly: true _links: $ref: '#/components/schemas/LinksSelf' RealmProfile: type: object properties: domains: type: array description: |- Array of allowed domains. No user in this realm can be created or updated unless they have a username and email from one of these domains. The following characters aren't allowed in the domain name: `!$%^&()=*+,:;<>'[]|/?\` name: type: string description: Name of a realm realmType: type: string description: Used to store partner users. This property must be set to `PARTNER` to access Okta's external partner portal. enum: - PARTNER - DEFAULT x-enumDescriptions: PARTNER: Realm with external partner portal DEFAULT: Default required: - name RecoveryQuestionCredential: description: |- Specifies a secret question and answer that's validated (case insensitive) when a user forgets their password or unlocks their account. The answer property is write-only. 
type: object properties: answer: type: string description: The answer to the recovery question minimum: 1 maximum: 100 writeOnly: true example: se7en question: type: string description: The recovery question minimum: 1 maximum: 100 example: what is your favourite movie? RefreshToken: description: The refresh token type: object properties: jti: description: The refresh token ID type: string RegistrationInlineHook: allOf: - $ref: '#/components/schemas/InlineHook' - type: object RegistrationInlineHookCommand: type: object properties: type: type: string enum: - com.okta.user.profile.update - com.okta.action.update - com.okta.user.progressive.profile.update RegistrationInlineHookPPData: allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/RegistrationInlineHookRequest' - type: object properties: data: type: object properties: context: type: object properties: request: $ref: '#/components/schemas/InlineHookRequestObject' user: type: object properties: passwordChanged: type: string format: date-time description: The last time the user's password was updated _links: description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the current status of the user. These links are used to discover what groups the user is a part of and what factors they have enrolled. type: object properties: groups: description: URL to retrieve the individual user's group memberships allOf: - $ref: '#/components/schemas/HrefObject' factors: description: URL to retrieve individual user's factor enrollments allOf: - $ref: '#/components/schemas/HrefObject' profile: additionalProperties: true type: object description: The current attributes of the user to update id: type: string action: description: The default action the system takes. Set to `ALLOW`. 
`DENY` is never sent to your external service type: string userProfileUpdate: additionalProperties: true type: object description: Name-value pairs for each new attribute supplied by the user in the Progressive Profile form RegistrationInlineHookRequest: description: Registration inline hook request type: object properties: eventType: type: string description: The type of inline hook. The registration inline hook type is `com.okta.user.pre-registration`. requestType: $ref: '#/components/schemas/RegistrationInlineHookRequestType' source: type: string description: The ID of the registration inline hook discriminator: propertyName: requestType mapping: self.service.registration: '#/components/schemas/RegistrationInlineHookSSRData' progressive.profile: '#/components/schemas/RegistrationInlineHookPPData' RegistrationInlineHookRequestType: description: The type of registration hook. Use either `self.service.registration` or `progressive.profile`. type: string enum: - progressive.profile - self.service.registration RegistrationInlineHookResponse: description: Registration inline hook response type: object properties: commands: type: array RegistrationInlineHookSSRData: allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/RegistrationInlineHookRequest' - type: object properties: data: type: object properties: context: type: object properties: request: $ref: '#/components/schemas/InlineHookRequestObject' action: description: The default action the system will take. Will be `ALLOW`. `DENY` will never be sent to your external service. type: string userProfile: additionalProperties: true type: object description: The name-value pairs for each registration-related attribute supplied by the user in the Profile Enrollment form. RegistrationResponse: type: object properties: commands: description: |- The `commands` object lets you invoke commands to modify or add values to the attributes in the Okta user profile that are created for this user. 
The object also lets you control whether or not the registration attempt is allowed to proceed. This object is an array, allowing you to send multiple commands in your response. Each array element requires a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you wish to execute, and `value` is where you supply parameters for that command. The registration inline hook supports these three commands: * `com.okta.user.profile.update`: Change attribute values in the user's Okta user profile. For SSR only. Invalid if used with a Progressive Profile response. * `com.okta.action.update`: Allow or deny the user's registration. * `com.okta.user.progressive.profile.update`: Change attribute values in the user's Okta Progressive Profile. type: array items: type: object properties: type: description: |- The location where you specify the command. To set attributes in the user's Okta profile, supply a `type` property set to `com.okta.user.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Okta user profile attributes you want to set. The attributes must already exist in your user profile schema. To explicitly allow or deny registration to the user, supply a type property set to `com.okta.action.update`, together with a value property set to `{"registration": "ALLOW"}` or `{"registration": "DENY"}`. The default is to allow registration. In Okta Identity Engine, to set attributes in the user's profile, supply a `type` property set to `com.okta.user.progressive.profile.update`, together with a `value` property set to a list of key-value pairs corresponding to the Progressive Enrollment attributes that you want to set. See [Registration inline hook - Send response](https://developer.okta.com/docs/guides/registration-inline-hook/nodejs/main/#send-response). Commands are applied in the order that they appear in the array. 
Within a single `com.okta.user.profile.update` or `com.okta.user.progressive.profile.update` command, attributes are updated in the order that they appear in the `value` object. You can never use a command to update the user's password, but you are allowed to set the values of attributes other than password that are designated sensitive in your Okta user schema. However, the values of those sensitive attributes, if included as fields in the Profile Enrollment form, aren't included in the `data.userProfile` object sent to your external service by Okta. See [data.userProfile](/openapi/okta-management/management/tag/InlineHook/#tag/InlineHook/operation/create-registration-hook!path=0/data/userProfile&t=request). type: string value: additionalProperties: true description: |- The `value` object is the parameter to pass to the command. For `com.okta.user.profile.update` commands, `value` should be an object containing one or more name-value pairs for the attributes you wish to update. For `com.okta.action.update` commands, the value should be an object containing the attribute `action` set to a value of either `ALLOW` or `DENY`, indicating whether the registration should be permitted or not. Registrations are allowed by default, so setting a value of `ALLOW` for the action field is valid but superfluous. type: object Error: description: |- For the registration inline hook, the `error` object provides a way of displaying an error message to the end user who is trying to register or update their profile. * If you're using the Okta Sign-In Widget for Profile Enrollment, only the `errorSummary` messages of the `errorCauses` objects that your external service returns appear as inline errors, given the following: * You don't customize the error handling behavior of the widget. * The `location` of `errorSummary` in the `errorCauses` object specifies the request object's user profile attribute. 
* If you don't return a value for the `errorCauses` object, and deny the user's registration attempt through the `commands` object in your response to Okta, one of the following generic messages appears to the end user: * "Registration cannot be completed at this time." (SSR) * "We found some errors. Please review the form and make corrections." (Progressive Enrollment) * If you don't return an `error` object at all and the registration is denied, the following generic message appears to the end user: * "Registration denied." (SSR) * "Profile update denied." (Progressive Enrollment) >**Note:** If you include an error object in your response, no commands are executed and the registration fails. This holds true even if the top-level `errorSummary` and the `errorCauses` objects are omitted. type: object properties: errorSummary: type: string description: Human-readable summary of one or more errors errorCauses: type: array items: type: object properties: errorSummary: type: string description: Human-readable summary of the error. reason: type: string description: A brief, enum-like string that indicates the nature of the error. For example, `UNIQUE_CONSTRAINT` for a property uniqueness violation. locationType: type: string description: Where in the request the error was found (`body`, `header`, `url`, or `query`). location: description: The valid JSON path to the location of the error. For example, if there was an error in the user's `login` field, the `location` might be `data.userProfile.login`. type: string domain: type: string description: Indicates the source of the error. If the error was in the user's profile, for example, you might use `end-user`. If the error occurred in the external service, you might use `external-service`. 
ReleaseChannel: description: Release channel for auto-update type: string enum: - BETA - EA - GA - TEST ReplaceUserClassification: type: object properties: type: $ref: '#/components/schemas/ClassificationType' RequiredEnum: type: string enum: - ALWAYS - HIGH_RISK_ONLY - NEVER ResendUserFactor: type: object properties: factorType: description: Type of the factor type: string enum: - call - email - sms discriminator: propertyName: factorType mapping: call: '#/components/schemas/UserFactorCall' email: '#/components/schemas/UserFactorEmail' sms: '#/components/schemas/UserFactorSMS' ResetPasswordToken: type: object properties: resetPasswordUrl: type: string readOnly: true example: https://{yourOktaDomain}/signin/reset-password/XE6wE17zmphl3KqAPFxO ResourceConditions: x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true description: Conditions for further restricting a resource. nullable: false type: object properties: Exclude: type: object description: Specific resources to exclude properties: okta:ORN: type: array description: List of specific resources to exclude in ORN format items: type: string ResourceServerJsonWebKey: description: 'A [JSON Web Key (JWK)](https://tools.ietf.org/html/rfc7517) is a JSON representation of a cryptographic key. Okta can use the active key to encrypt the access token minted by the authorization server. Okta supports only RSA keys with ''use: enc''.' 
type: object properties: e: type: string description: The key exponent of an RSA key kid: type: string description: The unique identifier of the key kty: $ref: '#/components/schemas/JsonWebKeyType' 'n': type: string description: The modulus of the RSA key status: $ref: '#/components/schemas/JsonWebKeyStatus' use: $ref: '#/components/schemas/JsonWebKeyUse' ResourceServerJsonWebKeys: description: <x-lifecycle-container><x-lifecycle class="ea"></x-lifecycle></x-lifecycle-container>A [JSON Web Key Set](https://tools.ietf.org/html/rfc7517#section-5) for encrypting JWTs minted by the custom authorization server x-okta-lifecycle: lifecycle: EA isGenerallyAvailable: true type: object properties: keys: type: array items: $ref: '#/components/schemas/ResourceServerJsonWebKey' ResourceSet: type: object properties: created: type: string format: date-time description: Timestamp when the role was created readOnly: true description: type: string description: Description of the resource set id: type: string description: Unique ID for the resource set object readOnly: true label: type: string description: Unique label for the resource set lastUpdated: type: string format: date-time description: Timestamp when the role was last updated readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: resources: $ref: '#/components/schemas/HrefObjectResourceSetResourcesLink' bindings: $ref: '#/components/schemas/HrefObjectBindingsLink' ResourceSetBindingAddMembersRequest: type: object properties: additions: type: array description: A list of member resources to add to the role resource set binding items: type: string description: User or group resources example: https://{yourOktaDomain}/api/v1/groups/{groupId} ResourceSetBindingCreateRequest: type: object properties: members: type: array description: URLs to user and/or group instances that are assigned to the role items: type: string role: type: string description: Unique key for the role 
ResourceSetBindingEditResponse: type: object properties: _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: resource-set: $ref: '#/components/schemas/HrefObjectResourceSetLink' bindings: $ref: '#/components/schemas/HrefObjectBindingsLink' ResourceSetBindingMember: type: object properties: created: type: string format: date-time description: Timestamp when the member was created readOnly: true id: type: string description: Role resource set binding member ID readOnly: true lastUpdated: type: string format: date-time description: Timestamp when the member was last updated readOnly: true _links: $ref: '#/components/schemas/LinksSelf' ResourceSetBindingMembers: type: object properties: members: type: array description: The members of the role resource set binding. If there are more than 100 members for the binding, then the `_links.next` resource is returned with the next list of members. items: $ref: '#/components/schemas/ResourceSetBindingMember' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: next: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the next list of binding members for the specified role and resource set binding: $ref: '#/components/schemas/HrefObjectBindingLink' ResourceSetBindingResponse: type: object properties: id: type: string description: '`id` of the role resource set binding' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: resource-set: $ref: '#/components/schemas/HrefObjectResourceSetLink' members: $ref: '#/components/schemas/HrefObjectMembersLink' ResourceSetBindingRole: type: object properties: id: type: string description: '`id` of the role' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: members: $ref: '#/components/schemas/HrefObjectMembersLink' ResourceSetBindings: type: object properties: roles: type: array description: Roles associated with the resource set binding. 
            If there are more than 100 bindings for the specified resource set, then the `_links.next` resource is returned with the next list of bindings.
          items:
            $ref: '#/components/schemas/ResourceSetBindingRole'
        _links:
          allOf:
            - $ref: '#/components/schemas/LinksSelf'
            - properties:
                next:
                  allOf:
                    - $ref: '#/components/schemas/HrefObject'
                    - description: Link to the next list of bindings for the specified resource set
                resource-set:
                  $ref: '#/components/schemas/HrefObjectResourceSetLink'
    ResourceSetResource:
      type: object
      properties:
        conditions:
          $ref: '#/components/schemas/ResourceConditions'
        created:
          type: string
          format: date-time
          description: Timestamp when the resource set resource object was created
          readOnly: true
        id:
          type: string
          description: Unique ID of the resource set resource object
          readOnly: true
        lastUpdated:
          type: string
          format: date-time
          description: Timestamp when this object was last updated
          readOnly: true
        orn:
          type: string
          description: The Okta Resource Name (ORN) of the resource
        _links:
          description: Related discoverable resources
          readOnly: true
          properties:
            self:
              allOf:
                - $ref: '#/components/schemas/HrefObject'
                - description: The REST API URL of the related resource
            resource:
              allOf:
                - $ref: '#/components/schemas/HrefObject'
                - description: Link to this resource set resource object (self)
            groups:
              allOf:
                - $ref: '#/components/schemas/HrefObject'
                - description: If applicable, the REST API URL of the related groups resource
            users:
              allOf:
                - $ref: '#/components/schemas/HrefObject'
                - description: If applicable, the REST API URL of the related users resource
    ResourceSetResourcePatchRequest:
      type: object
      properties:
        additions:
          type: array
          description: A list of resources to add to the resource set
          items:
            type: string
            description: Resource in ORN or REST API URL format
    ResourceSetResourcePostRequest:
      type: object
      properties:
        conditions:
          $ref: '#/components/schemas/ResourceConditions'
        resourceOrnOrUrl:
          type: string
          description: Resource in ORN or REST API URL format
      required:
        - resourceOrnOrUrl
        - conditions
    ResourceSetResourcePutRequest:
      type: object
      properties:
        conditions:
          $ref: '#/components/schemas/ResourceConditions'
    ResourceSetResources:
      type: object
      properties:
        resources:
          type: array
          items:
            $ref: '#/components/schemas/ResourceSetResource'
        _links:
          allOf:
            - $ref: '#/components/schemas/LinksNext'
            - properties:
                resource-set:
                  $ref: '#/components/schemas/HrefObject'
    ResourceSets:
      type: object
      properties:
        resource-sets:
          type: array
          items:
            $ref: '#/components/schemas/ResourceSet'
        _links:
          $ref: '#/components/schemas/LinksNext'
    ResponseLinks:
      description: Link objects
      type: object
      properties:
        _links:
          $ref: '#/components/schemas/LinksSelf'
    ResponseMode:
      type: string
      enum:
        - form_post
        - fragment
        - okta_post_message
        - query
      x-enumDescriptions:
        fragment: Parameters are encoded in the URL fragment added to the `redirect_uri` when redirecting back to the client.
        query: Parameters are encoded in the query string added to the `redirect_uri` when redirecting back to the client.
        form_post: Parameters are encoded as HTML form values (`application/x-www-form-urlencoded` format) and are transmitted through the HTTP POST method to the client.
        okta_post_message: |-
          Uses [HTML5 Web Messaging](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) (for example, `window.postMessage()`) instead of the redirect for the authorization response from the `/authorize` endpoint.
          `okta_post_message` is an adaptation of the [Web Message Response Mode](https://tools.ietf.org/html/draft-sakimura-oauth-wmrm-00#section-4.1).
          This value provides a secure way for a single-page application to perform a sign-in flow in a pop-up window or an iFrame and receive the ID token, access token, and/or authorization code back in the parent page without leaving the context of that page.
          The data object for the `postMessage` call is in the next section.
    ResponseType:
      type: string
      enum:
        - code
        - id_token
        - none
        - token
    ResponseTypesSupported:
      type: string
      enum:
        - code
        - code id_token
        - code id_token token
        - code token
        - id_token
        - id_token token
        - token
    RevokeRefreshTokenHrefObject:
      type: object
      properties:
        href:
          type: string
          description: Link URI
          example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens/oar579Mcp7OUsNTlo0g3
    RiscIdentifierChangedEvent:
      description: The subject's identifier has changed, which is either an email address or a phone number change
      type: object
      properties:
        event_timestamp:
          type: integer
          format: int64
          description: The time of the event (UNIX timestamp)
          example: 1702448550
        new-value:
          type: string
          description: The new identifier value
          example: new.email@okta.example.com
        subject:
          $ref: '#/components/schemas/SecurityEventSubject'
      required:
        - event_timestamp
        - subject
    RiskDetectionTypesPolicyRuleCondition:
      description: <x-lifecycle class="oie"></x-lifecycle> An object that references detected risk events. This object can have an `include` parameter or an `exclude` parameter, but not both.
      type: object
      properties:
        exclude:
          type: array
          description: An array of detected risk events to exclude in the entity policy rule
          items:
            $ref: '#/components/schemas/DetectedRiskEvents'
        include:
          type: array
          description: An array of detected risk events to include in the entity policy rule
          items:
            $ref: '#/components/schemas/DetectedRiskEvents'
      required:
        - exclude
        - include
    RiskEvent:
      type: object
      properties:
        expiresAt:
          type: string
          format: date-time
          description: 'Timestamp at which the event expires (expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`). If this optional field isn''t included, Okta automatically expires the event 24 hours after the event is consumed.'
        subjects:
          type: array
          description: List of risk event subjects
          items:
            $ref: '#/components/schemas/RiskEventSubject'
        timestamp:
          type: string
          format: date-time
          description: 'Timestamp of when the event is produced (expressed as a UTC time zone using ISO 8601 format: yyyy-MM-dd`T`HH:mm:ss.SSS`Z`)'
      required:
        - subjects
    RiskEventSubject:
      type: object
      properties:
        ip:
          type: string
          description: The risk event subject IP address (either an IPv4 or IPv6 address)
        message:
          type: string
          description: Additional reasons for the risk level of the IP
          maxLength: 512
          pattern: ^[a-zA-Z0-9 .\-_]*$
        riskLevel:
          $ref: '#/components/schemas/RiskEventSubjectRiskLevel'
      required:
        - ip
        - riskLevel
    RiskEventSubjectRiskLevel:
      description: The risk level associated with the IP
      type: string
      enum:
        - HIGH
        - LOW
        - MEDIUM
    RiskPolicyRuleCondition:
      type: object
      properties:
        behaviors:
          uniqueItems: true
          type: array
          items:
            type: string
    RiskProvider:
      type: object
      properties:
        action:
          $ref: '#/components/schemas/RiskProviderAction'
        clientId:
          type: string
          description: The ID of the [OAuth 2.0 service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/main/#create-a-service-app-and-grant-scopes) that's used to send risk events to Okta
          example: 00cjkjjkkgjkdkjdkkljjsd
        created:
          type: string
          format: date-time
          description: Timestamp when the risk provider object was created
          readOnly: true
          example: '2021-01-05 22:18:30'
        id:
          type: string
          description: The ID of the risk provider object
          readOnly: true
          example: 00rp12r4skkjkjgsn
        lastUpdated:
          type: string
          format: date-time
          description: Timestamp when the risk provider object was last updated
          readOnly: true
          example: '2021-01-05 22:18:30'
        name:
          type: string
          description: Name of the risk provider
          maxLength: 50
          example: Risk-Partner-X
        _links:
          $ref: '#/components/schemas/LinksSelf'
      required:
        - name
        - clientId
        - action
        - id
        - _links
    RiskProviderAction:
      description: Action taken by Okta during authentication attempts based on the risk events sent by this provider
      default: log_only
      type: string
      enum:
        - enforce_and_log
        - log_only
        - none
      x-enumDescriptions:
        log_only: Include risk event information in the System Log
        none: No action
        enforce_and_log: Use risk event information to evaluate risks during authentication attempts and include risk event information in the System Log
    RiskScorePolicyRuleCondition:
      description: Specifies a particular level of risk to match on
      type: object
      properties:
        level:
          type: string
          description: The level to match
          enum:
            - ANY
            - LOW
            - MEDIUM
            - HIGH
      required:
        - level
    Role:
      type: object
      properties:
        assignmentType:
          $ref: '#/components/schemas/RoleAssignmentType'
        created:
          type: string
          format: date-time
          readOnly: true
        description:
          type: string
        id:
          type: string
          readOnly: true
        label:
          type: string
          readOnly: true
        lastUpdated:
          type: string
          format: date-time
          readOnly: true
        status:
          $ref: '#/components/schemas/LifecycleStatus'
        type:
          $ref: '#/components/schemas/RoleType'
        _embedded:
          type: object
          additionalProperties:
            type: object
            properties: {}
          readOnly: true
        _links:
          $ref: '#/components/schemas/LinksSelf'
    RoleAssignedUser:
      type: object
      properties:
        id:
          type: string
          readOnly: true
          description: The ID of the user
        orn:
          type: string
          readOnly: true
          description: ORN representing the assignee
        _links:
          $ref: '#/components/schemas/LinksSelfAndRoles'
    RoleAssignedUsers:
      type: object
      properties:
        value:
          type: array
          items:
            $ref: '#/components/schemas/RoleAssignedUser'
        _links:
          $ref: '#/components/schemas/LinksNextForRoleAssignments'
    RoleAssignmentType:
      description: Role assignment type
      type: string
      enum:
        - CLIENT
        - GROUP
        - USER
      x-enumDescriptions:
        USER: The role is assigned to a user
        GROUP: The role is assigned to a group
        CLIENT: The role is assigned to a client app
    RoleGovernance:
      description: List of all user role governance sources
      type: object
      properties:
        grants:
          type: array
          items:
            $ref: '#/components/schemas/RoleGovernanceSource'
        _links:
          $ref: '#/components/schemas/LinksGovernanceSources'
    RoleGovernanceResource:
      description: The resource of a grant
      type: object
      properties:
        label:
          type: string
          description: The resource name
        resource:
          type: string
          description: The resource's ID
    RoleGovernanceResources:
      description: The resources of a grant
      type: object
      properties:
        resources:
          type: array
          items:
            $ref: '#/components/schemas/RoleGovernanceResource'
        _links:
          allOf:
            - $ref: '#/components/schemas/LinksSelf'
            - $ref: '#/components/schemas/LinksNext'
    RoleGovernanceSource:
      description: User role governance source
      type: object
      properties:
        bundleId:
          type: string
          readOnly: true
          description: '`id` of the entitlement bundle'
        expirationDate:
          type: string
          format: date-time
          readOnly: true
          description: The expiration date of the entitlement bundle
        grantId:
          type: string
          readOnly: true
          description: '`id` of the grant'
        type:
          $ref: '#/components/schemas/GovernanceSourceType'
        _links:
          allOf:
            - $ref: '#/components/schemas/LinksGovernanceResources'
            - $ref: '#/components/schemas/LinksSelf'
      required:
        - type
        - grantId
    RoleTarget:
      type: object
      properties:
        assignmentType:
          type: string
          readOnly: true
          example: GROUP
          description: The assignment type of how the user receives this target
        expiration:
          type: string
          format: date-time
          example: '2023-08-25T12:00:00.000Z'
          readOnly: true
          description: The expiry time stamp of the associated target. It's only included in the response if the associated target will expire.
        orn:
          type: string
          readOnly: true
          example: orn:okta:directory:00o5v1t2W4OSF9r4N0g4:groups:00g5vhi3rEJMOog1S0g4
          description: The [Okta Resource Name (ORN)](https://support.okta.com/help/s/article/understanding-okta-resource-name-orn) of the app target or group target
        _links:
          $ref: '#/components/schemas/LinksSelf'
    RoleType:
      description: |-
        | Role type                    | Description                                                 |
        |------------------------------|-------------------------------------------------------------|
        | ACCESS_CERTIFICATIONS_ADMIN  | Access Certifications Administrator IAM-based standard role |
        | ACCESS_REQUESTS_ADMIN        | Access Requests Administrator IAM-based standard role       |
        | API_ACCESS_MANAGEMENT_ADMIN  | Access Management Administrator standard role               |
        | APP_ADMIN                    | Application Administrator standard role                     |
        | CUSTOM                       | Custom admin role                                           |
        | GROUP_MEMBERSHIP_ADMIN       | Group Membership Administrator standard role                |
        | HELP_DESK_ADMIN              | Help Desk Administrator standard role                       |
        | ORG_ADMIN                    | Organizational Administrator standard role                  |
        | READ_ONLY_ADMIN              | Read-Only Administrator standard role                       |
        | REPORT_ADMIN                 | Report Administrator standard role                          |
        | SUPER_ADMIN                  | Super Administrator standard role                           |
        | USER_ADMIN                   | User Administrator standard role                            |
        | WORKFLOWS_ADMIN              | Workflows Administrator IAM-based standard role             |
      type: string
      enum:
        - ACCESS_CERTIFICATIONS_ADMIN
        - ACCESS_REQUESTS_ADMIN
        - API_ACCESS_MANAGEMENT_ADMIN
        - APP_ADMIN
        - CUSTOM
        - GROUP_MEMBERSHIP_ADMIN
        - HELP_DESK_ADMIN
        - ORG_ADMIN
        - READ_ONLY_ADMIN
        - REPORT_ADMIN
        - SUPER_ADMIN
        - USER_ADMIN
        - WORKFLOWS_ADMIN
    RotatePasswordRequest:
      description: Rotate password request for the privileged resource
      type: object
      properties:
        password:
          type: string
          description: The password associated with the privileged resource
          format: password
          writeOnly: true
          example: xf1bs9am2
        secretVersionId:
          type: string
          description: The version ID of the password secret from the OPA vault
          minLength: 1
          maxLength: 36
          example: 9f8400-e29b-41d4-a716-926655440034
      required:
        - password
        - secretVersionId
    SAMLHookResponse:
      type: object
      properties:
        commands:
          description: |-
            The `commands` object is where you tell Okta to add additional claims to the assertion or to modify the existing assertion statements.

            `commands` is an array, allowing you to send multiple commands. In each array element, include a `type` property and a `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command.

            In the case of the SAML assertion inline hook, the `value` property is itself a nested object, in which you specify a particular operation, a path to act on, and a value.
          type: array
          items:
            type: object
            properties:
              type:
                type: string
                description: One of the supported commands `com.okta.assertion.patch`
              value:
                type: array
                items:
                  type: object
                  properties:
                    op:
                      type: string
                      description: |-
                        The name of one of the supported ops:

                        `add`: Add a new claim to the assertion

                        `replace`: Modify any element of the assertion

                        > **Note:** If a response to the SAML assertion inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta process flow continues with the original SAML assertion returned.
                    path:
                      type: string
                      description: Location, within the assertion, to apply the operation
                    value:
                      oneOf:
                        - type: string
                        - type: integer
                        - type: object
                      description: |-
                        The value of the claim that you add or replace, and can also include other attributes. If adding to a claim, add another `value` attribute residing within an array called `attributeValues`.
                        See the following examples:

                        #### Simple value (integer or string)

                        `"value": 300` or `"value": "replacementString"`

                        #### Attribute value (object)

                        ` "value": { "authContextClassRef": "replacementValue" }`

                        #### AttributeValues array value (object)

                        ` "value": { "attributes": { "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" }, "attributeValues": [ {"attributes": { "xsi:type": "xs:string" }, "value": "4321"} ] }`
        error:
          description: |-
            An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log.
            The string supplied in the `errorSummary` property is recorded in the System Log event.

            > **Note:** If the error object doesn't include the defined `errorSummary` property, the following common default message is returned to the end user: `The callback service returned an error`.

            > **Note:** If a response to a SAML inline hook request isn't received from your external service within three seconds, a timeout occurs. In this scenario, the Okta SAML inline hook process continues, and the user is created.
          type: object
          properties:
            errorSummary:
              description: A human-readable summary of the error
              type: string
    SAMLPayLoad:
      type: object
      properties:
        data:
          type: object
          properties:
            context:
              allOf:
                - $ref: '#/components/schemas/BaseContext'
                - type: object
                  properties:
                    protocol:
                      description: Details of the assertion protocol being used
                      type: object
                      properties:
                        type:
                          description: The type of authentication protocol being used for the assertion
                          type: string
                          example: SAML2.0
                        issuer:
                          type: object
                          properties:
                            id:
                              description: The unique identifier of the issuer that provided the SAML assertion
                              type: string
                              example: 0oath92zlO60urQOP0g3
                            name:
                              description: The name of the issuer that provided the SAML assertion
                              type: string
                              example: SAML 2.0 App
                            uri:
                              description: The base URI of the SAML endpoint that's used to assert the authorization
                              type: string
                              example: http://www.okta.com/exkth8lMzFm0HZOTU0g3
            assertion:
              description: Details of the SAML assertion that was generated
              type: object
              properties:
                subject:
                  description: Provides a JSON representation of the `<saml:Subject>` element of the SAML assertion
                  type: object
                  properties:
                    nameId:
                      description: The unique identifier of the user
                      type: string
                      example: user@example.com
                    nameFormat:
                      description: Indicates how to interpret the attribute name
                      type: string
                      example: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
                    confirmation:
                      type: object
                      properties:
                        method:
                          description: Used to indicate how the authorization server confirmed the SAML assertion
                          type: string
                          example: urn:oasis:names:tc:SAML:2.0:cm:bearer
                        data:
                          type: object
                          properties:
                            recipient:
                              description: The token endpoint URL of the authorization server
                              type: string
                              example: http://www.example.com:7070/saml/sso
                authentication:
                  description: Provides a JSON representation of the `<saml:AuthnStatement>` element of the SAML assertion
                  type: object
                  properties:
                    sessionIndex:
                      description: The unique identifier describing the assertion statement
                      type: string
                      example: id1553800523546.312669168
                    authnContext:
                      description: Details of the authentication methods used for the SAML assertion
                      type: object
                      properties:
                        authnContextClassRef:
                          description: Describes the identity provider's supported authentication context classes
                          type: string
                          example: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
                conditions:
                  description: Provides a JSON representation of the `<saml:Conditions>` element of the SAML assertion
                  type: object
                  properties:
                    audienceRestriction:
                      description: Describes which service providers the assertion is valid for
                      type: array
                      items:
                        type: string
                      example:
                        - urn:example:sp
                claims:
                  description: Provides a JSON representation of the `<saml:AttributeStatement>` element contained in the generated SAML assertion. Contains any optional SAML attribute statements that you have defined for the app using the Admin Console's **SAML Settings**.
                  type: object
                  additionalProperties:
                    type: object
                    properties:
                      attributes:
                        type: object
                        properties:
                          NameFormat:
                            type: string
                            description: Indicates how to interpret the attribute name
                      attributeValues:
                        type: array
                        items:
                          type: object
                          properties:
                            attributes:
                              type: object
                              properties:
                                xsi:type:
                                  type: string
                                  description: Used to derive the type of the attribute
                            value:
                              type: string
                              description: The actual value of the attribute
                lifetime:
                  description: Specifies the expiration time, in seconds, of the SAML assertion
                  type: object
                  properties:
                    expiration:
                      description: The expiration time in seconds
                      type: integer
                      example: 300
        eventType:
          type: string
          description: The type of inline hook. The SAML assertion inline hook type is `com.okta.saml.tokens.transform`.
        source:
          description: The ID and URL of the SAML assertion inline hook
          type: string
    SAMLPayloadExecute:
      description: SAML assertion inline hook request
      allOf:
        - $ref: '#/components/schemas/InlineHookBasePayload'
        - $ref: '#/components/schemas/SAMLPayLoad'
    STSServiceAccountConnection:
      description: STS connection to a service account
      additionalProperties: false
      type: object
      properties:
        app:
          $ref: '#/components/schemas/ManagedConnectionAppInstance'
        connectionType:
          type: string
          enum:
            - STS_SERVICE_ACCOUNT
          description: Type of connection authentication method
        id:
          $ref: '#/components/schemas/ManagedConnectionId'
        orn:
          $ref: '#/components/schemas/ManagedConnectionOrn'
        protocolType:
          type: string
          enum:
            - STS
          description: The authentication protocol type used for the connection
        resourceIndicator:
          $ref: '#/components/schemas/ManagedConnectionResourceIndicator'
        serviceAccount:
          $ref: '#/components/schemas/ManagedConnectionServiceAccount'
        status:
          $ref: '#/components/schemas/ManagedConnectionStatus'
        _links:
          $ref: '#/components/schemas/LinksSelf'
      required:
        - connectionType
        - app
        - serviceAccount
        - resourceIndicator
    STSServiceAccountConnectionCreatable:
      description: Create an STS connection for a service account
      type: object
      properties:
        app:
          type: object
          description: Reference to an app instance in [ORN](/openapi/okta-management/guides/roles/#okta-resource-name-orn) format
          required:
            - orn
          properties:
            orn:
              $ref: '#/components/schemas/AppInstanceOrn'
        connectionType:
          type: string
          enum:
            - STS_SERVICE_ACCOUNT
          description: Type of connection authentication method
        protocolType:
          type: string
          enum:
            - STS
          description: The authentication protocol type used for the connection
        resourceIndicator:
          type: string
          format: uri
          description: Resource indicator used when requesting tokens. Defaults to the service account's ORN if not specified.
        serviceAccount:
          type: object
          description: Reference to a service account in [ORN](/openapi/okta-management/guides/roles/#okta-resource-name-orn) format
          required:
            - orn
          properties:
            orn:
              $ref: '#/components/schemas/ServiceAccountOrn'
      required:
        - connectionType
        - app
        - serviceAccount
    STSVaultSecretConnection:
      description: STS connection to a vaulted secret
      additionalProperties: false
      type: object
      properties:
        connectionType:
          type: string
          enum:
            - STS_VAULT_SECRET
          description: Type of connection authentication method
        id:
          $ref: '#/components/schemas/ManagedConnectionId'
        orn:
          $ref: '#/components/schemas/ManagedConnectionOrn'
        protocolType:
          type: string
          enum:
            - STS
          description: The authentication protocol type used for the connection
        resourceIndicator:
          $ref: '#/components/schemas/ManagedConnectionResourceIndicator'
        secret:
          $ref: '#/components/schemas/ManagedConnectionVaultedSecret'
        status:
          $ref: '#/components/schemas/ManagedConnectionStatus'
        _links:
          $ref: '#/components/schemas/LinksSelf'
      required:
        - connectionType
        - secret
        - resourceIndicator
    STSVaultSecretConnectionCreatable:
      description: Create an STS connection for a vaulted secret
      type: object
      properties:
        connectionType:
          type: string
          enum:
            - STS_VAULT_SECRET
          description: Type of connection authentication method
        protocolType:
          type: string
          enum:
            - STS
          description: The authentication protocol type used for the connection
        resourceIndicator:
          type: string
          format: uri
          description: Resource indicator used when requesting tokens. Defaults to the vaulted secret's ORN if not specified.
        secret:
          type: object
          description: Reference to a vaulted secret in [ORN](/openapi/okta-management/guides/roles/#okta-resource-name-orn) format
          required:
            - orn
          properties:
            orn:
              $ref: '#/components/schemas/VaultedSecretOrn'
      required:
        - connectionType
        - secret
    SafeBrowsingProtectionLevel:
      description: Represents the current value of the Safe Browsing protection level
      example: ENHANCED_PROTECTION
      type: string
      enum:
        - ENHANCED_PROTECTION
        - NO_SAFE_BROWSING
        - STANDARD_PROTECTION
      x-enumDescriptions:
        NO_SAFE_BROWSING: Safe Browsing is never active
        STANDARD_PROTECTION: Safe Browsing is active in the standard mode
        ENHANCED_PROTECTION: Safe Browsing is active in the enhanced mode
    SalesforceApplication:
      title: Salesforce
      x-tags:
        - Application
      x-okta-defined-as:
        name: salesforce
      example:
        name: salesforce
        label: Sample Salesforce App
        signOnMode: SAML_2_0
        settings:
          app:
            instanceType: SANDBOX
            integrationType: STANDARD
      description: |
        Schema for the Salesforce app (key name: `salesforce`)

        To create a Salesforce app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body.

        > **Note:** The Salesforce app only supports `BROWSER_PLUGIN`, `BOOKMARK`, and `SAML_2_0` sign-on modes.
      allOf:
        - $ref: '#/components/schemas/OINApplication'
        - type: object
        - required:
            - name
            - label
            - settings
          properties:
            name:
              type: string
              enum:
                - salesforce
              example: salesforce
            signOnMode:
              type: string
              enum:
                - BROWSER_PLUGIN
                - BOOKMARK
                - SAML_2_0
              example: BROWSER_PLUGIN
            settings:
              $ref: '#/components/schemas/SalesforceApplicationSettings'
    SalesforceApplicationSettings:
      allOf:
        - $ref: '#/components/schemas/ApplicationSettings'
        - type: object
        - required:
            - app
          properties:
            app:
              $ref: '#/components/schemas/SalesforceApplicationSettingsApplication'
            signOn:
              $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn'
    SalesforceApplicationSettingsApplication:
      description: Salesforce app instance properties
      type: object
      properties:
        instanceType:
          type: string
          description: Salesforce instance that you want to connect to
          enum:
            - SANDBOX
            - PRODUCTION
            - GOVERNMENT
        integrationType:
          type: string
          description: Salesforce integration type
          enum:
            - STANDARD
            - PORTAL
            - COMMUNITY
        loginUrl:
          type: string
          description: The Login URL specified in your Salesforce Single Sign-On settings
        logoutUrl:
          type: string
          description: Salesforce Logout URL
      required:
        - integrationType
        - instanceType
    Saml:
      description: SAML configuration details
      type: object
      properties:
        acs:
          type: array
          minItems: 1
          description: 'List of Assertion Consumer Service (ACS) URLs. The default ACS URL is required and is indicated by a null `index` value. You can use the org-level variables you defined in the `config` array in the URL. For example: `https://${org.subdomain}.example.com/saml/login`'
          items:
            type: object
            properties:
              index:
                type: number
                minimum: 0
                maximum: 65535
                description: Index of ACS URL. You can't reuse the same index in the ACS URL array.
                example: 0
              url:
                type: string
                format: uri
                maxLength: 1024
                description: Assertion Consumer Service (ACS) URL
                example: https://${org.subdomain}.example.com/saml/login
        claims:
          type: array
          description: Attribute statements to appear in the Okta SAML assertion
          items:
            type: object
            properties:
              name:
                type: string
                description: The attribute name
                example: Address
              values:
                type: array
                description: The Okta values inserted in the attribute statement
                items:
                  type: string
                  example: ${user.homeAddress}
        doc:
          type: string
          format: uri
          description: The URL to your customer-facing instructions for configuring your SAML integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines).
          example: https://example.com/strawberry/help/samlSetup
        entityId:
          type: string
          description: Globally unique name for your SAML entity. For instance, your Identity Provider (IdP) or Service Provider (SP) URL.
          example: https://${org.subdomain}.example.com
        groups:
          type: array
          description: Defines the group attribute names for the SAML assertion statement. Okta inserts the list of Okta user groups into the attribute names in the statement.
          items:
            type: string
            description: A group attribute name in your SAML app
            example: groups
      required:
        - acs
        - entityId
        - doc
    Saml11Application:
      allOf:
        - $ref: '#/components/schemas/Application'
        - type: object
          properties:
            credentials:
              $ref: '#/components/schemas/ApplicationCredentials'
            name:
              type: string
              description: The key name for the SAML 1.1 app definition. You can't create a custom SAML 1.1 app integration instance. Only existing OIN SAML 1.1 app integrations are supported.
            settings:
              $ref: '#/components/schemas/Saml11ApplicationSettings'
          required:
            - name
    Saml11ApplicationSettings:
      allOf:
        - $ref: '#/components/schemas/ApplicationSettings'
        - type: object
          properties:
            app:
              type: object
              additionalProperties: true
            signOn:
              $ref: '#/components/schemas/Saml11ApplicationSettingsSignOn'
    Saml11ApplicationSettingsSignOn:
      title: SAML 1.1 settings
      description: SAML 1.1 sign-on mode attributes
      type: object
      properties:
        audienceOverride:
          type: string
          description: The intended audience of the SAML assertion. This is usually the Entity ID of your application.
        defaultRelayState:
          type: string
          description: The URL of the resource to direct users after they successfully sign in to the SP using SAML. See the SP documentation to check if you need to specify a RelayState. In most instances, you can leave this field blank.
        recipientOverride:
          type: string
          description: The location where the application can present the SAML assertion. This is usually the Single Sign-On (SSO) URL.
        ssoAcsUrlOverride:
          type: string
          description: Assertion Consumer Services (ACS) URL value for the Service Provider (SP). This URL is always used for Identity Provider (IdP) initiated sign-on requests.
    SamlAcsEndpoint:
      description: Okta's `SPSSODescriptor` endpoint where the IdP sends a `<SAMLResponse>` message
      type: object
      properties:
        binding:
          $ref: '#/components/schemas/ProtocolEndpointBinding'
        type:
          $ref: '#/components/schemas/SamlEndpointType'
    SamlAlgorithms:
      description: Settings for signing and verifying SAML messages
      type: object
      properties:
        request:
          $ref: '#/components/schemas/SamlRequestAlgorithm'
        response:
          $ref: '#/components/schemas/SamlResponseAlgorithm'
    SamlApplication:
      allOf:
        - $ref: '#/components/schemas/Application'
        - type: object
          properties:
            credentials:
              $ref: '#/components/schemas/ApplicationCredentials'
            name:
              type: string
              description: A unique key is generated for the custom app instance when you use SAML_2_0 `signOnMode`.
              readOnly: true
            settings:
              $ref: '#/components/schemas/SamlApplicationSettings'
    SamlApplicationSettings:
      allOf:
        - $ref: '#/components/schemas/ApplicationSettings'
        - type: object
          properties:
            signOn:
              $ref: '#/components/schemas/SamlApplicationSettingsSignOn'
    SamlApplicationSettingsSignOn:
      description: |-
        SAML 2.0 sign-on attributes.

        > **Note:** Set either `destinationOverride` or `ssoAcsUrl` to configure any other SAML 2.0 attributes in this section.
      type: object
      properties:
        acsEndpoints:
          type: array
          description: An array of ACS endpoints. You can configure a maximum of 100 endpoints.
          items:
            $ref: '#/components/schemas/AcsEndpoint'
        allowMultipleAcsEndpoints:
          description: Determines whether the app allows you to configure multiple ACS URIs
          type: boolean
        assertionEncryption:
          $ref: '#/components/schemas/SamlAssertionEncryption'
        assertionSigned:
          type: boolean
          description: Determines whether the SAML assertion is digitally signed
        attributeStatements:
          type: array
          description: |
            A list of custom attribute statements for the app's SAML assertion. See [SAML 2.0 Technical Overview](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html).

            There are two types of attribute statements:

            | Type | Description |
            | ---- | ----------- |
            | EXPRESSION | Generic attribute statement that can be dynamic and supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/) |
            | GROUP | Group attribute statement |
          items:
            $ref: '#/components/schemas/SamlAttributeStatement'
        audience:
          type: string
          description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP.
        audienceOverride:
          type: string
          description: Audience override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
        authnContextClassRef:
          type: string
          description: Identifies the SAML authentication context class for the assertion's authentication statement
          enum:
            - urn:federation:authentication:windows
            - oasis:names:tc:SAML:2.0:ac:classes:Kerberos
            - urn:oasis:names:tc:SAML:2.0:ac:classes:Password
            - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            - urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
            - urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
            - urn:oasis:names:tc:SAML:2.0:ac:classes:X509
          x-enumDescriptions:
            urn:federation:authentication:windows: Integrated Windows Authentication
            oasis:names:tc:SAML:2.0:ac:classes:Kerberos: Kerberos
            urn:oasis:names:tc:SAML:2.0:ac:classes:Password: Password
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport: PasswordProtectedTransport
            urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient: TLS Client
            urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified: Unspecified
            urn:oasis:names:tc:SAML:2.0:ac:classes:X509: X509 Certificate
        configuredAttributeStatements:
          type: array
          description: |
            The list of dynamic attribute statements for the SAML assertion inherited from app metadata (apps from the OIN) during app creation.

            There are two types of attribute statements: `EXPRESSION` and `GROUP`.
          items:
            $ref: '#/components/schemas/SamlAttributeStatement'
        defaultRelayState:
          type: string
          description: Identifies a specific application resource in an IdP-initiated SSO scenario
        destination:
          type: string
          description: Identifies the location inside the SAML assertion where the SAML response should be sent
        destinationOverride:
          type: string
          description: Destination override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
        digestAlgorithm:
          type: string
          description: Determines the digest algorithm used to digitally sign the SAML assertion and response
          enum:
            - SHA1
            - SHA256
        honorForceAuthn:
          type: boolean
          description: Set to `true` to prompt users for their credentials when a SAML request has the `ForceAuthn` attribute set to `true`
        idpIssuer:
          type: string
          description: SAML Issuer ID
        inlineHooks:
          description: Associates the app with SAML inline hooks. See [the SAML assertion inline hook reference](https://developer.okta.com/docs/reference/saml-hook/).
          items:
            $ref: '#/components/schemas/SignOnInlineHook'
          type: array
        participateSlo:
          $ref: '#/components/schemas/SloParticipate'
        recipient:
          description: The location where the app may present the SAML assertion
          type: string
        recipientOverride:
          type: string
          description: Recipient override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm).
        requestCompressed:
          type: boolean
          description: Determines whether the SAML request is expected to be compressed
        responseSigned:
          type: boolean
          description: |-
            Determines whether the SAML authentication response message is digitally signed by the IdP

            > **Note:** Either (or both) `responseSigned` or `assertionSigned` must be `TRUE`.
        samlAssertionLifetimeSeconds:
          x-okta-lifecycle:
            lifecycle: GA
            isGenerallyAvailable: true
          type: integer
          description: Determines the SAML app session lifetimes with Okta
          example: 3600
        signatureAlgorithm:
          type: string
          description: Determines the signing algorithm used to digitally sign the SAML assertion and response
          enum:
            - RSA_SHA1
            - RSA_SHA256
        slo:
          $ref: '#/components/schemas/SingleLogout'
        spCertificate:
          $ref: '#/components/schemas/SamlSpCertificate'
        spIssuer:
          type: string
          description: The issuer ID for the Service Provider. This property appears when SLO is enabled.
ssoAcsUrl: type: string description: Single Sign-On Assertion Consumer Service (ACS) URL ssoAcsUrlOverride: type: string description: Assertion Consumer Service (ACS) URL override for CASB configuration. See [CASB config guide](https://help.okta.com/en-us/Content/Topics/Apps/CASB-config-guide.htm). subjectNameIdFormat: type: string description: 'Identifies the SAML processing rules. Supported values:' enum: - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent - urn:oasis:names:tc:SAML:2.0:nameid-format:transient - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified - urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName x-enumDescriptions: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress: Email Address urn:oasis:names:tc:SAML:2.0:nameid-format:persistent: Persistent urn:oasis:names:tc:SAML:2.0:nameid-format:transient: Transient urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified: Unspecified urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName: x509SubjectName subjectNameIdTemplate: type: string description: Template for app user's username when a user is assigned to the app required: - allowMultipleAcsEndpoints - assertionSigned - audience - authnContextClassRef - destination - digestAlgorithm - honorForceAuthn - idpIssuer - recipient - requestCompressed - responseSigned - signatureAlgorithm - ssoAcsUrl - subjectNameIdFormat - subjectNameIdTemplate SamlAssertionEncryption: description: Determines if the app supports encrypted assertions type: object properties: enabled: type: boolean description: Indicates whether Okta encrypts the assertions that it sends to the Service Provider encryptionAlgorithm: type: string description: The encryption algorithm used to encrypt the SAML assertion enum: - AES128_CBC - AES256_CBC - AES256_CBC - AES256_GCM keyTransportAlgorithm: type: string description: The key transport algorithm used to encrypt the SAML assertion enum: - RSA_OAEP - RSA_15 x5c: type: 
array description: A list that contains exactly one x509 encoded certificate that Okta uses to encrypt the SAML assertion items: type: string SamlAttributeStatement: anyOf: - $ref: '#/components/schemas/SamlAttributeStatementExpression' - $ref: '#/components/schemas/SamlAttributeStatementGroup' type: object properties: type: type: string description: The type of attribute statements object enum: - EXPRESSION - GROUP discriminator: propertyName: type mapping: EXPRESSION: '#/components/schemas/SamlAttributeStatementExpression' GROUP: '#/components/schemas/SamlAttributeStatementGroup' SamlAttributeStatementExpression: description: Generic `EXPRESSION` attribute statements type: object properties: name: type: string description: The name of the attribute in your app. The attribute name must be unique across all user and group attribute statements. example: attributeOne namespace: type: string description: 'The name format of the attribute. Supported values:' enum: - urn:oasis:names:tc:SAML:2.0:attrname-format:basic - urn:oasis:names:tc:SAML:2.0:attrname-format:uri - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified x-enumDescriptions: urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic type: type: string description: The type of attribute statements object enum: - EXPRESSION example: EXPRESSION values: type: array description: The attribute values (supports [Okta Expression Language](https://developer.okta.com/docs/reference/okta-expression-language/)) items: type: string example: ValueOne SamlAttributeStatementGroup: description: '`GROUP` attribute statements' type: object properties: filterType: type: string description: The operation to filter groups based on `filterValue` enum: - STARTS_WITH - EQUALS - CONTAINS - REGEX filterValue: type: string description: 
Filter the groups based on a specific value. example: Team name: type: string description: The name of the group attribute in your app. The attribute name must be unique across all user and group attribute statements. namespace: type: string description: 'The name format of the group attribute. Supported values:' enum: - urn:oasis:names:tc:SAML:2.0:attrname-format:basic - urn:oasis:names:tc:SAML:2.0:attrname-format:uri - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified x-enumDescriptions: urn:oasis:names:tc:SAML:2.0:attrname-format:basic: Basic urn:oasis:names:tc:SAML:2.0:attrname-format:uri: URI reference urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified: Unspecified example: urn:oasis:names:tc:SAML:2.0:attrname-format:basic type: type: string description: The type of attribute statements object enum: - GROUP example: GROUP SamlCredentials: description: Federation Trust Credentials for verifying assertions from the IdP and signing requests to the IdP type: object properties: signing: $ref: '#/components/schemas/SamlSigningCredentials' trust: $ref: '#/components/schemas/SamlTrustCredentials' SamlEndpointType: description: Determines whether to publish an instance-specific (trust) or organization (shared) ACS endpoint in the SAML metadata default: INSTANCE type: string enum: - INSTANCE - ORG SamlEndpoints: description: SAML 2.0 HTTP binding settings for IdP and SP (Okta) type: object properties: acs: $ref: '#/components/schemas/SamlAcsEndpoint' slo: $ref: '#/components/schemas/SamlSloEndpoint' sso: $ref: '#/components/schemas/SamlSsoEndpoint' SamlNameIdFormat: description: SAML 2.0 Name Identifier formats default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified type: string enum: - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent - urn:oasis:names:tc:SAML:2.0:nameid-format:transient SamlRelayState: description: Relay state settings 
for IdP type: object properties: format: $ref: '#/components/schemas/SamlRelayStateFormat' SamlRelayStateFormat: description: The format used to generate the `relayState` in the SAML request. The `FROM_URL` format is used if this value is null. type: string enum: - FROM_URL - OPAQUE SamlRequestAlgorithm: description: Algorithm settings used to secure an `<AuthnRequest>` message type: object properties: signature: $ref: '#/components/schemas/SamlRequestSignatureAlgorithm' SamlRequestSignatureAlgorithm: description: |- XML digital Signature Algorithm settings for signing `<AuthnRequest>` messages sent to the IdP > **Note:** The `algorithm` property is ignored when you disable request signatures (`scope` set as `NONE`). type: object properties: algorithm: $ref: '#/components/schemas/SamlSigningAlgorithm' scope: $ref: '#/components/schemas/ProtocolAlgorithmRequestScope' SamlResponseAlgorithm: description: Algorithm settings for verifying `<SAMLResponse>` messages and `<Assertion>` elements from the IdP type: object properties: signature: $ref: '#/components/schemas/SamlResponseSignatureAlgorithm' SamlResponseSignatureAlgorithm: description: XML digital Signature Algorithm settings for verifying `<SAMLResponse>` messages and `<Assertion>` elements from the IdP type: object properties: algorithm: $ref: '#/components/schemas/SamlSigningAlgorithm' scope: $ref: '#/components/schemas/ProtocolAlgorithmResponseScope' SamlSettings: description: Advanced settings for the SAML 2.0 protocol type: object properties: honorPersistentNameId: type: boolean description: Determines if the IdP should persist account linking when the incoming assertion NameID format is `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` default: true nameFormat: $ref: '#/components/schemas/SamlNameIdFormat' participateSlo: type: boolean description: Set to `true` to have Okta send a logout request to the upstream IdP when a user signs out of Okta or a downstream app. 
sendApplicationContext: type: boolean description: Determines if the IdP should send the application context as `<OktaAppInstanceId>` and `<OktaAppName>` in the `<saml2p:Extensions>` element of the `<AuthnRequest>` message default: false SamlSigningAlgorithm: example: SHA-256 type: string enum: - SHA-1 - SHA-256 SamlSigningCredentials: description: Key used for signing requests to the IdP type: object properties: kid: $ref: '#/components/schemas/ProtocolCredentialsKeyId' SamlSloEndpoint: description: IdP's `SingleLogoutService` endpoint where Okta sends a `<LogoutRequest>` message type: object properties: binding: $ref: '#/components/schemas/ProtocolEndpointBinding' url: type: string description: URL of the binding-specific IdP endpoint where Okta sends a `<LogoutRequest>` maxLength: 1014 example: https://idp.example.com/saml2/slo SamlSpCertificate: description: The certificate that Okta uses to validate Single Logout (SLO) requests and responses type: object properties: x5c: type: array description: A list that contains exactly one x509 encoded certificate items: type: string SamlSsoEndpoint: description: IdP's `SingleSignOnService` endpoint where Okta sends an `<AuthnRequest>` message type: object properties: binding: $ref: '#/components/schemas/ProtocolEndpointBinding' destination: type: string description: |- URI reference that indicates the address to which the `<AuthnRequest>` message is sent. The `destination` property is required if request signatures are specified. See [SAML 2.0 Request Algorithm object](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider!path=protocol/0/algorithms/request&t=request). maxLength: 512 example: https://idp.example.com/saml2/sso url: type: string description: |- URL of the binding-specific endpoint to send an `<AuthnRequest>` message to the IdP. 
The value of `url` defaults to the same value as the `sso` endpoint if omitted during creation of a new IdP instance. The `url` should be the same value as the `Location` attribute for a published binding in the IdP's SAML Metadata `IDPSSODescriptor`. maxLength: 1014 example: https://idp.example.com/saml2/sso SamlTrustCredentials: description: Federation Trust Credentials for verifying assertions from the IdP type: object properties: additionalKids: description: Additional IdP key credential reference to the Okta X.509 signature certificate type: array maxItems: 1 items: $ref: '#/components/schemas/ProtocolCredentialsKeyId' audience: type: string description: URI that identifies the target Okta IdP instance (SP) for an `<Assertion>` maxLength: 1024 example: https://www.okta.com/saml2/service-provider/spgv32vOnpdyeGSaiUpL issuer: type: string description: URI that identifies the issuer (IdP) of a `<SAMLResponse>` message `<Assertion>` element maxLength: 1024 example: urn:example:idp kid: $ref: '#/components/schemas/ProtocolCredentialsKeyId' ScheduledUserLifecycleAction: type: object properties: status: $ref: '#/components/schemas/PolicyUserStatus' SchemeApplicationCredentials: allOf: - $ref: '#/components/schemas/ApplicationCredentials' - type: object properties: password: $ref: '#/components/schemas/PasswordCredential' revealPassword: type: boolean description: Allow users to securely see their password scheme: $ref: '#/components/schemas/ApplicationCredentialsScheme' signing: $ref: '#/components/schemas/ApplicationCredentialsSigning' userName: type: string description: Shared username for the app minLength: 1 maxLength: 100 Scim: description: SCIM configuration details type: object properties: authMode: type: string description: |- The authentication mode for requests to your SCIM server | authMode | Description | | -------- | ----------- | | `header` | Uses authorization header with a customer-provided token value in the following format: `Authorization: {API 
token}` | | `bearer` | Uses authorization header with a customer-provided bearer token in the following format: `Authorization: Bearer {API token}` | | {authModeId} | The ID of the auth mode object that contains OAuth 2.0 credentials. <br> **Note:** Use the `/integrations/api/v1/internal/authModes` endpoint to create the auth mode object. | example: header baseUri: type: string format: uri description: |- The base URL that Okta uses to send outbound calls to your SCIM server. Only the HTTPS protocol is supported. You can use the app-level variables defined in the `config` array for the base URL. For example, if you have a `subdomain` variable defined in the `config` array and the URL to retrieve SCIM users for your integration is `https://${subdomain}.example.com/scim/v2/Users`, then specify the following base URL: `'https://' + app.subdomain + '.example.com/scim/v2'`. entitlementTypes: $ref: '#/components/schemas/entitlementTypes' scimServerConfig: type: object description: SCIM server schema configuration properties: patch: type: object description: PATCH operation options properties: supported: type: boolean description: Specifies if the PATCH operation is supported default: false changePassword: type: object description: Password change options properties: supported: type: boolean description: Specifies if password change is supported default: false setupInstructionsUri: type: string format: uri description: The URL to your customer-facing instructions for configuring your SCIM integration. See [Customer configuration document guidelines](https://developer.okta.com/docs/guides/submit-app-prereq/main/#customer-configuration-document-guidelines). required: - baseUri - authMode - setupInstructionsUri - scimServerConfig Scope: type: string ScopeCondition: description: Determines how Okta evaluates requested scopes for the connection. 
type: string enum: - ALL_SCOPES - EXCLUDE - INCLUDE_ONLY ScopeResourceHrefObject: type: object properties: href: type: string description: Link URI example: https://{yourOktaDomain}/api/v1/authorizationServers/ausain6z9zIedDCxB0h7/scopes/scpCmCCV1DpxVkCaye2X title: type: string description: Link name example: My phone ScreenLockComplexity: description: | Indicates whether a device has a screen lock set, and the type or complexity of the screen lock **Note:** This option requires a `screenLockType.include` value. type: string enum: - HIGH - LOW - MEDIUM x-enumDescriptions: LOW: A pattern or PIN is set MEDIUM: A complex PIN, or alphabetic or alphanumeric screen lock with at least 4 digits is set HIGH: A complex 8-digit PIN, or 6-character alphabetic or alphanumeric screen lock is set ScreenLockType: type: string enum: - BIOMETRIC - NONE - PASSCODE SecurePasswordStoreApplication: x-okta-defined-as: name: template_sps allOf: - $ref: '#/components/schemas/Application' - type: object properties: credentials: $ref: '#/components/schemas/SchemeApplicationCredentials' name: type: string description: '`template_sps` is the key name for a SWA app instance that uses HTTP POST and doesn''t require a browser plugin' enum: - template_sps settings: $ref: '#/components/schemas/SecurePasswordStoreApplicationSettings' required: - name - settings SecurePasswordStoreApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: app: $ref: '#/components/schemas/SecurePasswordStoreApplicationSettingsApplication' SecurePasswordStoreApplicationSettingsApplication: type: object properties: optionalField1: type: string description: Name of the optional parameter in the sign-in form optionalField1Value: type: string description: Name of the optional value in the sign-in form optionalField2: type: string description: Name of the optional parameter in the sign-in form optionalField2Value: type: string description: Name of the optional value in the 
sign-in form optionalField3: type: string description: Name of the optional parameter in the sign-in form optionalField3Value: type: string description: Name of the optional value in the sign-in form passwordField: type: string description: CSS selector for the **Password** field in the sign-in form url: type: string description: The URL of the sign-in page for this app usernameField: type: string description: CSS selector for the **Username** field in the sign-in form required: - passwordField - url - usernameField SecurityEvent: type: object properties: event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 subject: $ref: '#/components/schemas/SecurityEventSubject' required: - event_timestamp - subject SecurityEventReason: type: object properties: en: type: string description: The event reason in English example: Event message example required: - en SecurityEventSubject: description: The event subjects properties: device: type: object description: The device involved with the event example: format: opaque id: device-identifier-001 user: type: object description: The user involved with the event example: format: email email: john@doe.net SecurityEventTokenError: title: Security Event Token Error description: Error object thrown when parsing the Security Event Token type: object properties: description: type: string description: | Describes the error > **Note:** SET claim fields with underscores (snake case) are presented in camelcase. For example, `previous_status` appears as `previousStatus`. example: 'Failed claim validation in security event token. 
''events.mediationDeviceComplianceChangeEvent.previousStatus'': The field cannot be left blank' err: type: string description: A code that describes the category of the error example: invalid_request enum: - authentication_failed - invalid_audience - invalid_issuer - invalid_key - invalid_request SecurityEventTokenJwtBody: title: Security Event Token JWT body payload x-tags: - SSFTransmitter description: JSON Web Token body payload for a Security Event Token sent by the SSF Transmitter. For examples and more information, see [SSF Transmitter SET payload structures](https://developer.okta.com/docs/reference/ssf-transmitter-sets). type: object properties: aud: type: string description: Audience example: https://receiverexample.com/ events: $ref: '#/components/schemas/SecurityEventTokenJwtEvents' iat: type: integer format: int64 description: Token issue time (UNIX timestamp) example: 1702448550 iss: type: string description: Token issuer example: https://transmitter.okta.com jti: type: string description: Token ID example: set-24c63fb56f ... a9fa24 required: - iss - aud - jti - iat - events SecurityEventTokenJwtEvents: description: A non-empty set of events. 
Expected size is 1 for each SET type: object properties: https://schemas.openid.net/secevent/caep/event-type/credential-change: $ref: '#/components/schemas/CaepCredentialChangeEvent' https://schemas.openid.net/secevent/caep/event-type/session-revoked: $ref: '#/components/schemas/SsfTransmitterCaepSessionRevokedEvent' SecurityEventTokenJwtHeader: title: Security Event Token JWT header x-tags: - SSFTransmitter description: JSON Web Token header for a Security Event Token sent by the SSF Transmitter type: object properties: alg: type: string description: Algorithm used to sign or encrypt the JWT example: RS256 kid: type: string description: Key ID used to sign or encrypt the JWT typ: type: string description: The type of content being signed or encrypted example: secevent+jwt required: - kid - typ - alg SecurityEventTokenRequestJwtBody: title: Security Event Token JWT body payload x-tags: - SSFSecurityEventToken description: JSON Web Token body payload for a Security Event Token type: object properties: aud: type: string description: Audience example: https://receiverexample.okta.com/ events: $ref: '#/components/schemas/SecurityEventTokenRequestJwtEvents' iat: type: integer format: int64 description: Token issue time (UNIX timestamp) example: 1702448550 iss: type: string description: Token issuer example: https://transmitter.example.com jti: type: string description: Token ID example: 24c63fb56f ... 
a9fa24 required: - iss - aud - jti - iat - events SecurityEventTokenRequestJwtEvents: description: A non-empty collection of events type: object properties: https://schemas.okta.com/secevent/okta/event-type/device-risk-change: $ref: '#/components/schemas/OktaDeviceRiskChangeEvent' https://schemas.okta.com/secevent/okta/event-type/ip-change: $ref: '#/components/schemas/OktaIpChangeEvent' https://schemas.okta.com/secevent/okta/event-type/user-risk-change: $ref: '#/components/schemas/OktaUserRiskChangeEvent' https://schemas.openid.net/secevent/caep/event-type/device-compliance-change: $ref: '#/components/schemas/CaepDeviceComplianceChangeEvent' https://schemas.openid.net/secevent/caep/event-type/session-revoked: $ref: '#/components/schemas/CaepSessionRevokedEvent' https://schemas.openid.net/secevent/risc/event-type/identifier-changed: $ref: '#/components/schemas/RiscIdentifierChangedEvent' SecurityEventTokenRequestJwtHeader: title: Security Event Token JWT header x-tags: - SSFSecurityEventToken description: JSON Web Token header for a Security Event Token type: object properties: alg: type: string description: Algorithm used to sign or encrypt the JWT example: RS256 kid: type: string description: Key ID used to sign or encrypt the JWT typ: type: string description: The type of content being signed or encrypted example: secevent+jwt required: - kid - typ - alg SecurityEventsProviderRequest: title: Security Events Provider Request description: The request schema for creating or updating a Security Events Provider. The `settings` must match one of the schemas. 
type: object properties: name: description: The name of the Security Events Provider instance type: string maxLength: 100 example: Target SSF Provider settings: type: object description: Information about the Security Events Provider for signal ingestion oneOf: - $ref: '#/components/schemas/SecurityEventsProviderSettingsSSFCompliant' - $ref: '#/components/schemas/SecurityEventsProviderSettingsNonSSFCompliant' type: description: The application type of the Security Events Provider maxLength: 255 type: string example: okta required: - name - settings - type SecurityEventsProviderResponse: title: Security Events Provider Response description: The Security Events Provider response type: object properties: id: description: The unique identifier of this instance type: string readOnly: true example: sse1qg25RpusjUP6m0g5 name: description: The name of the Security Events Provider instance type: string maxLength: 100 example: Target SSF Provider settings: description: Information about the Security Events Provider for signal ingestion $ref: '#/components/schemas/SecurityEventsProviderSettingsResponse' status: description: Indicates whether the Security Events Provider is active or not type: string enum: - ACTIVE - INACTIVE readOnly: true type: description: The application type of the Security Events Provider maxLength: 255 type: string example: okta _links: $ref: '#/components/schemas/LinksSelfAndLifecycle' SecurityEventsProviderSettingsNonSSFCompliant: title: Provider with issuer and JWKS settings description: Security Events Provider with issuer and JWKS settings for signal ingestion type: object properties: issuer: type: string description: Issuer URL maxLength: 700 example: example.okta.com jwks_url: type: string format: url description: The public URL where the JWKS public key is uploaded maxLength: 1000 example: https://example.okta.com/oauth2/v1/keys required: - jwks_url - issuer SecurityEventsProviderSettingsResponse: title: Security Events Provider settings 
description: Security Events Provider settings type: object properties: issuer: type: string description: Issuer URL maxLength: 700 example: example.okta.com jwks_url: type: string format: url description: The public URL where the JWKS public key is uploaded maxLength: 1000 example: https://example.okta.com/oauth2/v1/keys well_known_url: type: string format: url description: The well-known URL of the Security Events Provider (the SSF transmitter) nullable: true maxLength: 1000 example: https://example.okta.com/.well-known/ssf-configuration SecurityEventsProviderSettingsSSFCompliant: title: Provider with well-known URL setting description: Security Events Provider with well-known URL setting type: object properties: well_known_url: type: string format: url description: The published well-known URL of the Security Events Provider (the SSF transmitter) maxLength: 1000 example: https://example.okta.com/.well-known/ssf-configuration required: - well_known_url SeedEnum: description: Determines whether the generated password is the user's Okta password or a randomly generated password default: RANDOM example: OKTA type: string enum: - OKTA - RANDOM SelfAssignedStatus: description: Okta Support access approval status for self-assigned cases type: string enum: - APPROVED - NOT_REQUIRED - REQUESTED x-enumDescriptions: NOT_REQUIRED: Approval isn't required because the case wasn't self-created and self-assigned by an Okta Support user REQUESTED: Customer approval for self-assigned case requested APPROVED: Okta Support access is approved by the customer for the self-assigned case SelfServicePasswordResetAction: description: Enables or disables users to reset their own password and defines the authenticators and constraints needed to complete the reset type: object properties: access: $ref: '#/components/schemas/PolicyAccess' requirement: $ref: '#/components/schemas/SsprRequirement' type: type: string description: <x-lifecycle class="oie"></x-lifecycle> The type of rule action 
enum: - selfServicePasswordReset ServiceAccount: type: object properties: accountType: $ref: '#/components/schemas/ServiceAccountType' created: type: string format: date-time description: Timestamp when the service account was created readOnly: true description: description: The description of the service account format: regex maxLength: 255 minLength: 0 type: string example: This is for accessing salesforce Prod-5 id: description: The UUID of the service account format: regex pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ readOnly: true type: string example: a747a818-a4c4-4446-8a87-704216495a08 lastUpdated: type: string format: date-time description: Timestamp when the service account was last updated readOnly: true name: description: The user-defined name for the service account format: regex maxLength: 50 minLength: 1 pattern: ^[\w\-_. ]+$ type: string example: AWS Prod-5 account ownerGroupIds: description: A list of IDs of the Okta groups that own the service account type: array items: type: string minItems: 0 maxItems: 10 example: - 00g57qp78yZT2XBA40g7 ownerUserIds: description: A list of IDs of the Okta users that own the service account type: array items: type: string minItems: 0 maxItems: 10 example: - 00u11s48P9zGW8yqm0g5 status: $ref: '#/components/schemas/ServiceAccountStatus' statusDetail: $ref: '#/components/schemas/ServiceAccountStatusDetail' required: - name - accountType discriminator: propertyName: accountType mapping: APP_ACCOUNT: '#/components/schemas/ServiceAccountDetailsAppAccount' OKTA_USER_ACCOUNT: '#/components/schemas/ServiceAccountDetailsOktaUserAccount' ServiceAccountDetailsAppAccount: description: Details for a SaaS app account, which will be managed as a service account allOf: - $ref: '#/components/schemas/ServiceAccount' - type: object properties: details: $ref: '#/components/schemas/ServiceAccountDetailsAppAccountSub' required: - details ServiceAccountDetailsAppAccountSub: description: Details 
for a SaaS app account, which will be managed as a service account type: object properties: appGlobalName: description: The name of the SaaS app in the Okta Integration Network catalog readOnly: true type: string example: Salesforce appInstanceName: description: The instance name of the SaaS app readOnly: true type: string example: Salesforce Prod credentials: $ref: '#/components/schemas/AppServiceAccountCredentials' oktaApplicationId: description: The Okta app instance ID of the SaaS app type: string example: aln1aqcs055ZRoizW0g8 required: - oktaApplicationId - credentials ServiceAccountDetailsOktaUserAccount: description: Details for managing an Okta user as a service account allOf: - $ref: '#/components/schemas/ServiceAccount' - type: object properties: details: $ref: '#/components/schemas/ServiceAccountDetailsOktaUserAccountSub' required: - details ServiceAccountDetailsOktaUserAccountSub: description: Details for managing an Okta user as a service account type: object properties: credentials: $ref: '#/components/schemas/OktaUserServiceAccountCredentials' email: description: The email address for the Okta user type: string example: foo@bar.com readOnly: true oktaUserId: description: The ID of the Okta user to manage as a service account type: string example: 00u11s48P9zGW8yqm0g5 required: - oktaUserId ServiceAccountForUpdate: type: object properties: description: description: The description of the service account format: regex maxLength: 255 minLength: 0 type: string example: This is for accessing AWS Prod-5 name: description: The human-readable name for the service account format: regex maxLength: 50 minLength: 1 pattern: ^[\w\-_. 
]+$ type: string example: AWS Prod-5 account ownerGroupIds: description: A list of IDs of the Okta groups who own the service account type: array items: type: string minItems: 0 maxItems: 10 example: - 00g57qp78yZT2XBA40g7 ownerUserIds: description: A list of IDs of the Okta users who own the service account type: array items: type: string minItems: 0 maxItems: 10 example: - 00u11s48P9zGW8yqm0g5 ServiceAccountOrn: description: The [ORN](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn) of the service account type: string ServiceAccountStatus: description: Describes the current status of an app service account example: UNSECURED type: string enum: - ALERT - ERROR - INFO - NO_ISSUES - UNSECURED x-enumDescriptions: NO_ISSUES: The account is ready for use in Okta Privileged Access UNSECURED: The account needs to be assigned to a resource group and a project in Okta Privileged Access INFO: An action involving the account is in progress in Okta Privileged Access ALERT: The account requires attention from an admin ERROR: An error is preventing Okta Privileged Access from using the account readOnly: true ServiceAccountStatusDetail: description: Describes the detailed status of an app service account example: STAGED type: string enum: - CREATION_FAILED - MISSING_PASSWORD - PENDING - ROTATED - ROTATING - ROTATION_FAILED - STAGED - UNMANAGED - VAULTED x-enumDescriptions: PENDING: The account is being created CREATION_FAILED: The account can't be created STAGED: The account is in the Okta Privileged Access resource assignment area ROTATING: The account is assigned to a project in Okta Privileged Access. Credentials are currently being synced using Okta Lifecycle Management. ROTATED: The account is assigned to a project in Okta Privileged Access. Password rotations are fulfilled by Okta Lifecycle Management. ROTATION_FAILED: The account is assigned to a project in Okta Privileged Access. 
An error occurred while using Okta Lifecycle Management to rotate the password. VAULTED: The account is assigned to a project in Okta Privileged Access. A manually managed password is assigned to the account. MISSING_PASSWORD: The account is assigned to a project in Okta Privileged Access. A password isn't assigned to the account. UNMANAGED: The account is assigned to a project in Okta Privileged Access. Initial password sync hasn't been attempted. readOnly: true ServiceAccountType: description: The type of service account type: string enum: - APP_ACCOUNT - OKTA_USER_ACCOUNT x-enumDescriptions: APP_ACCOUNT: SaaS app account OKTA_USER_ACCOUNT: Okta user account Session: type: object properties: amr: type: array readOnly: true description: Authentication method reference items: $ref: '#/components/schemas/SessionAuthenticationMethod' createdAt: type: string format: date-time readOnly: true expiresAt: type: string format: date-time readOnly: true description: A timestamp when the Session expires id: type: string readOnly: true description: A unique key for the Session idp: $ref: '#/components/schemas/SessionIdentityProvider' lastFactorVerification: type: string format: date-time readOnly: true description: A timestamp when the user last performed multifactor authentication lastPasswordVerification: type: string format: date-time readOnly: true description: A timestamp when the user last performed the primary or step-up authentication with a password login: type: string readOnly: true description: A unique identifier for the user (username) status: $ref: '#/components/schemas/SessionStatus' description: Current Session status userId: type: string readOnly: true description: A unique key for the user _links: $ref: '#/components/schemas/LinksSelf' SessionAuthenticationMethod: type: string enum: - fpt - geo - hwk - kba - mca - mfa - otp - pwd - sc - sms - swk - tel x-enumDescriptions: pwd: Password authentication. 
**Inline hook value:** `PASSWORD` **Example:** Standard password-based sign-in swk: Proof-of-possession (PoP) of a software key. **Inline hook value:** `POP_SOFTWARE_KEY` **Example:** Okta Verify with Push hwk: Proof-of-possession (PoP) of a hardware key. **Inline hook value:** `POP_HARDWARE_KEY` **Example:** YubiKey factor otp: One-time password. **Inline hook value:** `ONE_TIME_PASSWORD`. **Example:** Okta Verify, Google Authenticator sms: SMS text message to the user at a registered number. **Inline hook value:** `SMS_MESSAGE`. **Example:** SMS factor tel: Telephone call to the user at a registered number. **Inline hook value:** `TELEPHONE_CALL`. **Example:** Phone call factor geo: Use of geo-location information. **Inline hook value:** `GEOLOCATION`. **Example:** IP Trust and Network Zone policy conditions fpt: Fingerprint biometric authentication. **Inline hook value:** `BIO_FINGERPRINT`. **Example:** Okta Verify with Touch ID kba: Knowledge-based authentication. **Inline hook value:** `KNOWLEDGE_BASED_AUTHENTICATION`. **Example:** Security Question factor mfa: Multifactor authentication. **Inline hook value:** `MULTIFACTOR_AUTHENTICATION`. **Example:** This value is present whenever any MFA factor verification is performed. mca: Multiple-channel authentication. **Inline hook value:** `MULTIPLE_CHANNEL_AUTHENTICATION`. **Example:** Authentication requires communication over more than one channel, such as Internet and mobile network sc: Smart card authentication. **Inline hook value:** `SMART_CARD`. **Example:** User authenticated using a smart card, such as a Personal Identity Verification (PIV) card or Common Access Card (CAC) SessionIdentityProvider: type: object properties: id: type: string readOnly: true description: Identity Provider ID. If the `type` is `OKTA`, then the `id` is the org ID.
type: $ref: '#/components/schemas/SessionIdentityProviderType' SessionIdentityProviderType: type: string enum: - ACTIVE_DIRECTORY - FEDERATION - LDAP - OKTA - SOCIAL SessionStatus: type: string enum: - ACTIVE - MFA_ENROLL - MFA_REQUIRED x-enumDescriptions: ACTIVE: The Session is established and fully validated. MFA_REQUIRED: The Session is established, but requires second factor verification. MFA_ENROLL: The Session is established, but the user needs to enroll a second factor. ShowSignInWithOV: description: Controls whether to show the Sign in with Okta Verify button on the Sign-In Widget type: string enum: - ALWAYS - NEVER SignInPage: allOf: - $ref: '#/components/schemas/CustomizablePage' - type: object properties: contentSecurityPolicySetting: $ref: '#/components/schemas/ContentSecurityPolicySetting' widgetCustomizations: type: object properties: signInLabel: type: string description: The label for the sign in widget usernameLabel: type: string description: The label for the username field usernameInfoTip: type: string description: The label for the username information tip passwordLabel: type: string description: The label for the password field passwordInfoTip: type: string description: The label for the password information tip showPasswordVisibilityToggle: type: boolean description: Allows users to see their passwords as they type showUserIdentifier: type: boolean description: Allows the user's identifier to appear on authentication and enrollment pages forgotPasswordLabel: type: string description: The label for the forgot password page forgotPasswordUrl: type: string description: The forgot password URL unlockAccountLabel: type: string description: The label for the unlock account link unlockAccountUrl: type: string description: The unlock account URL helpLabel: type: string description: The label for the help link helpUrl: type: string description: The help link URL customLink1Label: type: string description: The label for the first custom link 
customLink1Url: type: string description: The URL for the first custom link customLink2Label: type: string description: The label for the second custom link customLink2Url: type: string description: The URL for the second custom link authenticatorPageCustomLinkLabel: type: string description: The label for the authenticator page custom link authenticatorPageCustomLinkUrl: type: string description: The URL for the authenticator page custom link classicRecoveryFlowEmailOrUsernameLabel: type: string description: The label for the username field in the classic recovery flow widgetGeneration: $ref: '#/components/schemas/WidgetGeneration' postAuthKeepMeSignedInPrompt: $ref: '#/components/schemas/PostAuthKeepMeSignedInPrompt' classicFooterHelpTitle: type: string description: The title of the footer link on the sign-in page. Only applicable for Classic Engine orgs. widgetVersion: $ref: '#/components/schemas/Version' SignInPageTouchPointVariant: description: | Variant for the Okta sign-in page. You can publish a theme for sign-in page with different combinations of assets. Variants are preset combinations of those assets. > **Note:** For a non-`OKTA_DEFAULT` variant, `primaryColorHex` is used for button background color and `primaryColorContrastHex` is used to optimize the opacity for button text. type: string enum: - BACKGROUND_IMAGE - BACKGROUND_SECONDARY_COLOR - OKTA_DEFAULT x-enumDescriptions: BACKGROUND_IMAGE: Uses the logo, favicon, and background image from the theme BACKGROUND_SECONDARY_COLOR: Uses the logo and favicon from the theme. Uses `secondaryColorHex` as the background color for the Okta sign-in page. OKTA_DEFAULT: Uses the Okta logo and favicon with no background image. Uses the Okta colors on the Okta sign-in page. 
SignOnInlineHook: properties: id: type: string readOnly: false SigningAlgorithm: type: string enum: - ES256 - ES384 - ES512 - HS256 - HS384 - HS512 - RS256 - RS384 - RS512 SimulatePolicyBody: description: The request body required for a simulate policy operation type: object properties: appInstance: type: string description: The application instance ID for a simulate operation policyContext: $ref: '#/components/schemas/PolicyContext' policyTypes: type: array description: Supported policy types for a simulate operation. The default value, `null`, returns all types. items: $ref: '#/components/schemas/PolicyTypeSimulation' required: - appInstance SimulatePolicyEvaluations: type: object properties: evaluated: type: object description: A list of evaluated but not matched policies and rules properties: policies: $ref: '#/components/schemas/SimulateResultPolicies' policyType: type: array description: The policy type of the simulate operation items: $ref: '#/components/schemas/PolicyTypeSimulation' result: $ref: '#/components/schemas/SimulatePolicyResult' status: $ref: '#/components/schemas/SimulateResultStatus' undefined: type: object description: A list of undefined but not matched policies and rules properties: policies: $ref: '#/components/schemas/SimulateResultPolicies' SimulatePolicyResponse: description: The response body returned for a simulate policy operation. An array of `evaluations`. 
items: $ref: '#/components/schemas/SimulatePolicyEvaluations' type: array SimulatePolicyResult: description: The result of the policy evaluation type: object properties: policies: $ref: '#/components/schemas/SimulateResultPolicies' SimulateResultConditions: type: object properties: status: $ref: '#/components/schemas/SimulateResultStatus' type: type: string description: The type of condition SimulateResultPolicies: items: $ref: '#/components/schemas/SimulateResultPoliciesItems' type: array SimulateResultPoliciesItems: type: object properties: conditions: type: array description: List of all conditions involved for this policy evaluation items: $ref: '#/components/schemas/SimulateResultConditions' id: type: string description: ID of the specified policy type name: type: string description: Policy name rules: type: array items: $ref: '#/components/schemas/SimulateResultRules' status: $ref: '#/components/schemas/SimulateResultStatus' SimulateResultRules: type: object properties: conditions: type: array description: List of all conditions involved for this rule evaluation items: $ref: '#/components/schemas/SimulateResultConditions' id: type: string description: The unique ID number of the policy rule name: type: string description: The name of the policy rule status: $ref: '#/components/schemas/SimulateResultStatus' SimulateResultStatus: description: The result of this entity evaluation type: string enum: - MATCH - NOT_MATCH - UNDEFINED SingleLogout: description: Determines if the app supports Single Logout (SLO) type: object properties: enabled: type: boolean description: Whether the application supports SLO issuer: type: string description: The issuer of the Service Provider that generates the SLO request logoutUrl: type: string description: The location where the logout response is sent SlackApplication: title: Slack x-tags: - Application x-okta-defined-as: name: slack example: name: slack label: Sample Slack App signOnMode: SAML_2_0 settings: app: domain: 
my-company-domain description: | Schema for the Slack app (key name: `slack`) To create a Slack app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. > **Note:** The Slack app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. allOf: - $ref: '#/components/schemas/OINApplication' - type: object - required: - name - label - settings properties: name: type: string enum: - slack example: slack signOnMode: type: string enum: - BROWSER_PLUGIN - SAML_2_0 settings: $ref: '#/components/schemas/SlackApplicationSettings' SlackApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object - required: - app properties: app: $ref: '#/components/schemas/SlackApplicationSettingsApplication' signOn: $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' SlackApplicationSettingsApplication: description: Slack app instance properties type: object properties: domain: type: string description: The Slack app domain name userEmailValue: type: string description: The `User.Email` attribute value required: - domain SloParticipate: description: Determines if the app participates in Single Logout (SLO) type: object properties: bindingType: type: string description: Request binding type enum: - POST - REDIRECT enabled: type: boolean description: Indicates whether the app is allowed to participate in front-channel SLO logoutRequestUrl: type: string description: URL where Okta sends the logout request sessionIndexRequired: type: boolean description: Determines whether Okta sends the `SessionIndex` elements in the logout request SmsTemplate: type: object properties: created: type: string format: date-time readOnly: true id: type: string readOnly: true lastUpdated: type: string format: date-time readOnly: true name: type: string description: Human-readable name of the Template maxLength: 50 minLength: 1 
template: type: string description: Text of the Template, including any [macros](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Template/) maxLength: 161 minLength: 1 translations: $ref: '#/components/schemas/SmsTemplateTranslations' type: $ref: '#/components/schemas/SmsTemplateType' SmsTemplateTranslations: description: | - Template translations are optionally provided when you want to localize the SMS messages. Translations are provided as an object that contains `key:value` pairs: the language and the translated Template text. The key portion is a two-letter country code that conforms to [ISO 639-1](https://www.loc.gov/standards/iso639-2/php/code_list.php). The value is the translated SMS Template. - Just like with regular SMS Templates, the length of the SMS message can't exceed 160 characters. type: object x-okta-extensible: true SmsTemplateType: description: Type of the Template maxLength: 50 minLength: 1 type: string enum: - SMS_VERIFY_CODE SocialAuthToken: description: The social authentication token object provides the tokens and associated metadata provided by social providers during social authentication. 
type: object properties: expiresAt: $ref: '#/components/schemas/ExpiresAt' id: type: string description: Unique identifier for the token readOnly: true example: NXp9GaX1eOA-XVF_H9fn2Q scopes: type: array description: The scopes that the token is good for readOnly: true items: type: string example: - openid - foo token: type: string description: The raw token readOnly: true example: JBTWGV22G4ZGKV3N tokenAuthScheme: type: string readOnly: true description: The token authentication scheme as defined by the social provider example: Bearer tokenType: type: string readOnly: true description: The type of token defined by the [OAuth Token Exchange Spec](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07#section-3) example: urn:ietf:params:oauth:token-type:access_token SourceLinks: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: schema: allOf: - $ref: '#/components/schemas/HrefObject' - description: The associated schema SplunkEdition: description: Edition of the Splunk Cloud instance example: aws type: string enum: - aws - aws_govcloud - gcp SplunkHost: description: 'The domain name for your Splunk Cloud instance. Don''t include `http` or `https` in the string. For example: `acme.splunkcloud.com`' minLength: 17 maxLength: 116 example: acme.splunkcloud.com type: string SplunkToken: description: The HEC token for your Splunk Cloud HTTP Event Collector. The token value is set at object creation, but isn't returned. 
example: 11111111-1111-2222-2222-222222222222 writeOnly: true type: string pattern: (?i)^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$ SsfTransmitterCaepSessionRevokedEvent: description: The session of the subject was revoked type: object properties: event_timestamp: type: integer format: int64 description: The time of the event (UNIX timestamp) example: 1702448550 reason_admin: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized administrative message intended for logging and auditing reason_user: allOf: - $ref: '#/components/schemas/SecurityEventReason' - type: object description: A localized message intended for the end user subject: $ref: '#/components/schemas/SsfTransmitterSecurityEventSubject' SsfTransmitterSecurityEventSubject: description: The event subject properties: format: type: string description: The format of the subject example: iss_sub iss: type: string description: An identifier of the actor example: https://transmitter.okta.com sub: type: string description: An identifier for the subject that was acted on example: okta-user-id1 Sso: description: 'Supported SSO protocol configurations. You must configure at least one protocol: `oidc` or `saml`' type: object properties: oidc: $ref: '#/components/schemas/Oidc' saml: $ref: '#/components/schemas/Saml' SsprPrimaryRequirement: description: Defines the authenticators permitted for the initial authentication step of password recovery type: object properties: methodConstraints: description: Constraints on the values specified in the `methods` array. Specifying a constraint limits methods to specific authenticator(s). Currently, Google OTP is the only accepted constraint. x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: true type: array items: $ref: '#/components/schemas/AuthenticatorMethodConstraint' methods: type: array description: Authenticator methods allowed for the initial authentication step of password recovery. 
Method `otp` requires a constraint limiting it to a Google authenticator. items: type: string enum: - push - sms - voice - email - otp SsprRequirement: description: <x-lifecycle class="oie"></x-lifecycle> Describes the initial and secondary authenticator requirements a user needs to reset their password type: object properties: accessControl: description: Determines which authentication requirements a user needs to perform self-service operations. `AUTH_POLICY` defers conditions and authentication requirements to the [Okta account management policy](https://developer.okta.com/docs/guides/okta-account-management-policy/main/). `LEGACY` refers to the requirements described by this rule. type: string enum: - AUTH_POLICY - LEGACY primary: $ref: '#/components/schemas/SsprPrimaryRequirement' stepUp: $ref: '#/components/schemas/SsprStepUpRequirement' SsprStepUpRequirement: description: |- Defines the secondary authenticators needed for password reset if `required` is true. The following are three valid configurations: * `required`=false * `required`=true with no methods to use any SSO authenticator * `required`=true with `security_question` as the method type: object properties: methods: description: Authenticator methods required for secondary authentication step of password recovery. Specify this value only when `required` is true and `security_question` is permitted for the secondary authentication. 
type: array items: type: string enum: - security_question required: type: boolean StandardRole: title: Standard role assignment type: object properties: assignmentType: $ref: '#/components/schemas/RoleAssignmentType' created: type: string description: Timestamp when the object was created format: date-time readOnly: true id: type: string description: Role assignment ID readOnly: true label: type: string description: Label for the role assignment readOnly: true lastUpdated: type: string description: Timestamp when the object was last updated format: date-time readOnly: true status: allOf: - $ref: '#/components/schemas/LifecycleStatus' - description: Status of the role assignment type: $ref: '#/components/schemas/RoleType' _embedded: type: object description: Optional embedded resources for the role assignment properties: targets: type: object description: Targets configured for the role assignment properties: groups: type: array description: Group targets items: $ref: '#/components/schemas/Group' catalog: description: App targets properties: apps: type: array items: $ref: '#/components/schemas/CatalogApplication' _links: $ref: '#/components/schemas/LinksAssignee' required: - type StandardRoleAssignmentSchema: title: Standard role type: object properties: type: type: string description: 'Specify a [standard admin role](/openapi/okta-management/guides/roles/#standard-roles), an [IAM-based standard role](/openapi/okta-management/guides/roles/#iam-based-standard-roles), or `CUSTOM` for a custom role type:' enum: - ACCESS_CERTIFICATIONS_ADMIN - ACCESS_REQUESTS_ADMIN - API_ACCESS_MANAGEMENT_ADMIN - APP_ADMIN - GROUP_MEMBERSHIP_ADMIN - HELP_DESK_ADMIN - ORG_ADMIN - READ_ONLY_ADMIN - REPORT_ADMIN - SUPER_ADMIN - USER_ADMIN - WORKFLOWS_ADMIN required: - type StreamConfiguration: title: Stream Configuration type: object properties: aud: oneOf: - type: string format: uri example: https://example.com - type: array items: type: string format: uri example: https://example.com 
description: |- The audience used in the SET. This value is set as `aud` in the claim. A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. example: https://example.com delivery: $ref: '#/components/schemas/StreamConfigurationDelivery' events_delivered: type: array items: type: string format: uri description: |- The events (mapped by the array of event type URIs) that the transmitter actually delivers to the SSF Stream. A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. example: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change events_requested: type: array maxItems: 50 items: type: string format: uri maxLength: 256 description: The events (mapped by the array of event type URIs) that the receiver wants to receive example: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change events_supported: type: array items: type: string format: uri description: |- An array of event type URIs that the transmitter supports. A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. example: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change format: type: string description: The Subject Identifier format expected for any SET transmitted. enum: - iss_sub iss: type: string description: |- The issuer used in Security Event Tokens (SETs). This value is set as `iss` in the claim. A read-only parameter that is set by the transmitter. 
If this parameter is included in the request, the value must match the expected value from the transmitter. example: https://{yourOktaDomain} min_verification_interval: type: integer nullable: true example: 60 description: |- The minimum amount of time, in seconds, between two verification requests. A read-only parameter that is set by the transmitter. If this parameter is included in the request, the value must match the expected value from the transmitter. stream_id: type: string description: The ID of the SSF Stream configuration example: esc1k235GIIztAuGK0g5 required: - events_requested - delivery StreamConfigurationCreateRequest: title: Stream Configuration Create Request type: object properties: delivery: $ref: '#/components/schemas/StreamConfigurationDelivery' events_requested: type: array maxItems: 50 items: type: string format: uri maxLength: 256 description: The events (mapped by the array of event type URIs) that the receiver wants to receive example: - https://schemas.openid.net/secevent/caep/event-type/session-revoked - https://schemas.openid.net/secevent/caep/event-type/credential-change format: type: string description: The Subject Identifier format expected for any SET transmitted. 
enum: - iss_sub required: - events_requested - delivery StreamConfigurationDelivery: title: Stream Configuration Delivery description: Contains information about the intended SET delivery method by the receiver type: object properties: authorization_header: type: string description: The HTTP Authorization header that is included for each HTTP POST request example: '{authorizationHeaderValue}' nullable: true maxLength: 8192 endpoint_url: type: string format: uri description: The target endpoint URL where the transmitter delivers the SET using HTTP POST requests example: https://example.com/ maxLength: 2048 method: type: string description: The delivery method that the transmitter uses for delivering a SET enum: - https://schemas.openid.net/secevent/risc/delivery-method/push - urn:ietf:rfc:8935 required: - method - endpoint_url StreamStatus: title: Stream Status description: Status corresponding to the `stream_id` of the SSF Stream type: object properties: status: type: string description: The status of the SSF Stream configuration enum: - enabled - disabled x-enumDescriptions: enabled: The transmitter MUST transmit events over the stream according to the stream’s configured delivery method. disabled: The transmitter MUST NOT transmit events over the stream and doesn't hold any events for later transmission. stream_id: type: string description: The ID of the SSF Stream configuration. This corresponds to the value in the query parameter of the request. 
example: esc1k235GIIztAuGK0g5 StreamVerificationRequest: title: Stream Verification Request type: object properties: state: type: string description: An arbitrary string that Okta as a transmitter must echo back to the Event Receiver in the Verification Event's payload example: VGhpcyBpcyBhbiBleGFtcGxlIHN0YXRlIHZhbHVlLgo= stream_id: type: string description: The ID of the SSF Stream Configuration example: esc1k235GIIztAuGK0g5 required: - stream_id SubjectType: type: string enum: - pairwise - public SubmissionAction: type: object properties: id: type: string description: Action identifier example: okta:action1 provider: $ref: '#/components/schemas/WorkflowActionProvider' required: - id - provider SubmissionActions: type: object properties: actions: type: array items: $ref: '#/components/schemas/SubmissionAction' SubmissionCapabilities: type: object properties: capabilities: type: array items: $ref: '#/components/schemas/SubmissionCapability' required: - capabilities SubmissionCapability: type: object properties: capability: $ref: '#/components/schemas/Capability' supportedProtocols: type: array items: $ref: '#/components/schemas/Protocol' required: - capability - supportedProtocols SubmissionRequest: allOf: - $ref: '#/components/schemas/SubmissionResponse' required: - name - description - logo SubmissionResponse: type: object properties: actions: type: array description: List of actions supported by this integration items: $ref: '#/components/schemas/SubmissionAction' appContactDetails: type: array description: List of contact details for the app integration items: type: object properties: contactType: type: string enum: - CUSTOMER_SUPPORT - ESCALATION_SUPPORT description: | Type of contact * `CUSTOMER_SUPPORT` - Public support contact details visible on your OIN catalog page for end users needing assistance with your integration. 
* `ESCALATION_SUPPORT` - Private support contact used by Okta to reach your organization during emergencies or escalations post-publication of the app (not shared with customers). example: CUSTOMER_SUPPORT contactValueType: type: string enum: - URL - EMAIL - PHONE description: Format of the contact value example: EMAIL contact: type: string description: The contact value (email, phone, or URL) example: support@example.com required: - contactType - contactValueType - contact authSettings: $ref: '#/components/schemas/AuthSettings' capabilities: type: array description: List of capabilities supported by this integration items: $ref: '#/components/schemas/SubmissionCapability' config: type: array description: 'List of org-level variables for the customer per-tenant configuration. For example, a `subdomain` variable can be used in the ACS URL: `https://${org.subdomain}.example.com/saml/login`' items: type: object properties: label: type: string description: Display name of the variable in the Admin Console example: Subdomain name: type: string maxLength: 1024 minLength: 1 description: Name of the variable example: subdomain description: type: string maxLength: 1024 minLength: 1 description: A general description of your application and the benefits provided to your customers example: Your one source for in-season strawberry deals. Okta's Strawberry Central integration allow users to securely access those sweet deals. globalTokenRevocation: type: object properties: endpoint: type: string format: uri description: URL of the authorization server's global token revocation endpoint subjectFormat: type: string description: The format of the subject enum: - EMAIL - ISS_SUB authMethod: type: string description: Authentication method <br> **Note:** Currently, only the `SIGNED_JWT` method is supported. 
enum: - SIGNED_JWT partialLogout: type: boolean description: Allow partial support for Universal Logout default: false required: - endpoint - subjectFormat - authMethod id: type: string description: OIN Integration ID readOnly: true example: acme_submissionapp_1 lastPublished: type: string description: Timestamp when the OIN Integration was last published readOnly: true example: '2023-08-24T14:15:22.000Z' lastUpdated: type: string description: Timestamp when the OIN Integration instance was last updated readOnly: true example: '2023-08-24T14:15:22.000Z' lastUpdatedBy: type: string description: ID of the user who made the last update readOnly: true example: 00ub0oNGTSWTBKOLGLNR logo: type: string format: uri description: URL to an uploaded application logo. This logo appears next to your app integration name in the OIN catalog. You must first [Upload an OIN Integration logo](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/uploadSubmissionLogo) to obtain the logo URL before you can specify this value. example: https://acme.okta.com/bc/image/fileStoreRecord?id=fs03xxd3KmkDBwJU80g4 name: type: string maxLength: 64 minLength: 1 description: The app integration name. This is the main title used for your integration in the OIN catalog. example: Strawberry Central provisioning: $ref: '#/components/schemas/ProvisioningDetails' sso: $ref: '#/components/schemas/Sso' status: type: string description: Status of the OIN Integration submission readOnly: true example: New Subscription: type: object properties: channels: description: |- An array of sources that send notifications to users. > **Note**: Currently, Okta only allows `email` channels.
items: type: string type: array notificationType: $ref: '#/components/schemas/NotificationType' status: $ref: '#/components/schemas/SubscriptionStatus' _links: type: object description: Discoverable resources related to the subscription properties: self: $ref: '#/components/schemas/HrefObject' readOnly: true SubscriptionStatus: description: The status of the subscription type: string enum: - subscribed - unsubscribed SupportedMethods: description: The supported methods of an authenticator type: object properties: settings: type: object properties: keyProtection: $ref: '#/components/schemas/PushMethodKeyProtection' algorithms: description: The encryption algorithm for this authenticator method type: array items: $ref: '#/components/schemas/AuthenticatorMethodAlgorithm' transactionTypes: type: array description: The transaction type for this authenticator method items: $ref: '#/components/schemas/AuthenticatorMethodTransactionType' status: description: The status of the authenticator method $ref: '#/components/schemas/LifecycleStatus' type: type: string description: The type of authenticator method enum: - push SwaApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: app: $ref: '#/components/schemas/SwaApplicationSettingsApplication' SwaApplicationSettingsApplication: type: object properties: buttonField: type: string description: CSS selector for the **Sign-In** button in the sign-in form (for SWA apps with the `template_swa` app name definition) buttonSelector: type: string description: CSS selector for the **Sign-In** button in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) extraFieldSelector: type: string description: Enter the CSS selector for the extra field (for three-field SWA apps with the `template_swa3field` app name definition). 
extraFieldValue: type: string description: Enter the value for the extra field in the form (for three-field SWA apps with the `template_swa3field` app name definition). loginUrlRegex: type: string description: A regular expression that further restricts targetURL to the specified regular expression passwordField: type: string description: CSS selector for the **Password** field in the sign-in form (for SWA apps with the `template_swa` app name definition) passwordSelector: type: string description: CSS selector for the **Password** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) targetURL: type: string description: The URL of the sign-in page for this app (for three-field SWA apps with the `template_swa3field` app name definition) url: type: string description: The URL of the sign-in page for this app (for SWA apps with the `template_swa` app name definition) usernameField: type: string description: CSS selector for the **Username** field in the sign-in form (for SWA apps with the `template_swa` app name definition) userNameSelector: type: string description: CSS selector for the **Username** field in the sign-in form (for three-field SWA apps with the `template_swa3field` app name definition) required: - buttonField - passwordField - usernameField - url TacAuthenticatorEnrollment: type: object properties: created: type: string description: Timestamp when the authenticator enrollment was created format: date-time id: description: A unique identifier of the authenticator enrollment type: string key: description: A human-readable string that identifies the authenticator type: string lastUpdated: type: string description: Timestamp when the authenticator enrollment was last updated format: date-time name: description: The authenticator display name type: string nickname: type: string description: A user-friendly name for the authenticator enrollment profile: $ref: 
'#/components/schemas/AuthenticatorProfileTacResponsePost' status: type: string description: Status of the enrollment type: $ref: '#/components/schemas/AuthenticatorType' _links: $ref: '#/components/schemas/AuthenticatorEnrollmentLinks' TelephonyRequest: type: object properties: data: $ref: '#/components/schemas/TelephonyRequestData' eventType: type: string description: The type of inline hook. The telephony inline hook type is `com.okta.telephony.provider`. requestType: type: string description: The type of inline hook request. For example, `com.okta.user.telephony.pre-enrollment`. source: description: The ID and URL of the telephony inline hook type: string TelephonyRequestData: type: object properties: context: type: object properties: request: $ref: '#/components/schemas/InlineHookRequestObject' messageProfile: type: object description: Message profile specifies information about the telephony (sms/voice) message to be sent to the Okta user properties: msgTemplate: description: Default or Okta org configured sms or voice message template type: string phoneNumber: description: The Okta user's phone number type: string otpExpires: description: The time when OTP expires type: string deliveryChannel: description: The channel for OTP delivery - SMS or voice type: string otpCode: description: The OTP code requested by the Okta user type: string locale: description: The locale associated with the Okta user type: string userProfile: type: object description: User profile specifies information about the Okta user properties: firstName: description: The user's first name type: string lastName: description: The user's last name type: string login: description: The user's Okta login type: string userId: description: The user's Okta user ID type: string TelephonyRequestExecute: description: Telephony inline hook request body allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/TelephonyRequest' TelephonyResponse: description: Telephony 
inline hook response type: object properties: commands: description: The `commands` object specifies whether Okta accepts the end user's sign-in credentials as valid or not. For the telephony inline hook, you typically only return one `commands` object with one array element in it. type: array items: type: object properties: type: description: The location where you specify the command. For the telephony inline hook, there's only one command, `com.okta.telephony.action`. type: string value: description: The status of the telephony operation along with optional additional information about the provider, transaction ID and any other transaction metadata. type: array items: type: object properties: status: type: string description: Status of telephony callout enum: - SUCCESSFUL - PENDING - FAILED x-enumDescriptions: SUCCESSFUL: External web service was able to deliver the OTP to the Requester. PENDING: External web service wasn't able to confirm delivery of the OTP to the Requester. FAILED: External web service was unable to deliver the OTP to the Requester. provider: type: string description: Telephony provider for sms/voice transactionId: type: string description: Transaction ID for sms/voice transactionMetadata: type: string description: Any relevant metadata for the telephony transaction TempPassword: type: object properties: tempPassword: type: string readOnly: true TenantSettings: type: object properties: appInstanceProperties: type: array items: $ref: '#/components/schemas/AppInstanceProperty' TestInfo: description: Integration Testing Information type: object properties: escalationSupportContact: type: string maxLength: 255 description: An email for Okta to contact your company about your integration. This email isn't shared with customers. 
example: strawberry.support@example.com oidcTestConfiguration: type: object description: OIDC test details properties: idp: type: boolean description: Read only.<br>Indicates if your integration supports IdP-initiated sign-in flows. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) is specified, this property is set to `true`. If [`sso.oidc.initiateLoginUri`](/openapi/okta-management/management/tag/YourOinIntegrations/#tag/YourOinIntegrations/operation/createSubmission!path=sso/oidc/initiateLoginUri&t=request) isn't set for the integration submission, this property is set to `false` readOnly: true sp: type: boolean description: Read only.<br>Indicates if your integration supports SP-initiated sign-in flows and is always set to `true` for OIDC SSO readOnly: true jit: type: boolean description: Indicates if your integration supports Just-In-Time (JIT) provisioning spInitiateUrl: type: string format: uri maxLength: 512 description: URL for SP-initiated sign-in flows (required if `sp = true`) example: https://test.example.com/strawberry/oidc/sp-init required: - spInitiateUrl samlTestConfiguration: type: object description: SAML test details properties: idp: type: boolean description: Indicates if your integration supports IdP-initiated sign-in sp: type: boolean description: Indicates if your integration supports SP-initiated sign-in jit: type: boolean description: Indicates if your integration supports Just-In-Time (JIT) provisioning spInitiateUrl: type: string format: uri maxLength: 512 description: URL for SP-initiated sign-in flows (required if `sp = true`) example: https://test.example.com/strawberry/saml/sp-init spInitiateDescription: type: string maxLength: 2048 description: Instructions on how to sign in to your app using the SP-initiated flow (required if `sp = true`) example: Go to the app URL from a browser and enter your 
username required: - spInitiateUrl scimTestConfiguration: type: object description: SCIM test details properties: specTestResults: type: string format: uri maxLength: 512 description: The Runscope URL to your SCIM server specification test results. See [Test your SCIM API](https://developer.okta.com/docs/guides/build-provisioning-integration/test-scim-api/). example: https://www.runscope.com/radar/abcdefghijkl/m01nopq2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-3m4n5o678901 crudTestResults: type: string format: uri maxLength: 512 description: The Runscope URL to your Okta SCIM CRUD test results. See [Test your Okta SCIM integration](https://developer.okta.com/docs/guides/scim-provisioning-integration-test/main/). example: https://www.runscope.com/radar/radfebnsefbd/msdfsvx2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-cdgj455hw45u entitlementsTestResults: type: string format: uri maxLength: 512 description: The Runscope URL to your entitlements test results example: https://www.runscope.com/radar/fgdffghfghfg/m01nopq2-3456-7r8s-9012-t34567uvw890/history/123ef4gh-i567-89j0-1k2l-r434565g5451 required: - specTestResults - crudTestResults testAccount: type: object description: An account on a test instance of your app with admin privileges. A test admin account is required by Okta for integration testing. During OIN QA testing, an Okta analyst uses this admin account to configure your app for the various test case flows. 
properties: url: type: string format: uri maxLength: 512 description: The sign-in URL to a test instance of your app example: https://example.com/strawberry/login username: type: string maxLength: 255 description: The username for your app admin account example: test@example.com password: type: string maxLength: 255 description: The password for your app admin account example: sUperP@ssw0rd instructions: type: string maxLength: 2048 description: Additional instructions to test the app integration, including instructions for obtaining test accounts example: Go to your app URL from a browser and enter your credentials required: - url - username - password required: - escalationSupportContact ThemeResponse: type: object properties: backgroundImage: readOnly: true type: string emailTemplateTouchPointVariant: $ref: '#/components/schemas/EmailTemplateTouchPointVariant' endUserDashboardTouchPointVariant: $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' errorPageTouchPointVariant: $ref: '#/components/schemas/ErrorPageTouchPointVariant' favicon: readOnly: true type: string id: readOnly: true type: string loadingPageTouchPointVariant: $ref: '#/components/schemas/LoadingPageTouchPointVariant' logo: readOnly: true type: string primaryColorContrastHex: type: string description: Primary color contrast hex code primaryColorHex: type: string description: Primary color hex code secondaryColorContrastHex: type: string description: Secondary color contrast hex code secondaryColorHex: type: string description: Secondary color hex code signInPageTouchPointVariant: $ref: '#/components/schemas/SignInPageTouchPointVariant' _links: $ref: '#/components/schemas/LinksSelf' ThirdPartyAdminSetting: description: The third-party admin setting type: object properties: thirdPartyAdmin: type: boolean description: Indicates if the third-party admin functionality is enabled example: false ThreatInsightConfiguration: type: object properties: action: type: string description: Specifies how 
Okta responds to authentication requests from suspicious IP addresses enum: - none - audit - block x-enumDescriptions: none: Indicates that ThreatInsight is disabled audit: Indicates that Okta logs suspicious requests to the System Log block: Indicates that Okta logs suspicious requests to the System Log and blocks the requests example: none created: type: string format: date-time description: Timestamp when the ThreatInsight Configuration object was created example: '2020-08-05T22:18:30.629Z' readOnly: true excludeZones: type: array description: |- Accepts a list of [Network Zone](/openapi/okta-management/management/tag/NetworkZone/) IDs. IPs in the excluded network zones aren't logged or blocked. This ensures that traffic from known, trusted IPs isn't accidentally logged or blocked. items: type: string example: [] lastUpdated: type: string format: date-time description: Timestamp when the ThreatInsight Configuration object was last updated readOnly: true example: '2020-09-08T20:53:20.882Z' _links: $ref: '#/components/schemas/LinksSelf' required: - action TimeDuration: description: A time duration specified as an [ISO 8601 duration](https://en.wikipedia.org/wiki/ISO_8601#Durations). type: string pattern: ^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$ TokenAuthorizationServerPolicyRuleAction: type: object properties: accessTokenLifetimeMinutes: type: integer description: Lifetime of the access token in minutes. The minimum is five minutes. The maximum is one day. inlineHook: $ref: '#/components/schemas/TokenAuthorizationServerPolicyRuleActionInlineHook' refreshTokenLifetimeMinutes: type: integer description: Lifetime of the refresh token is the minimum access token lifetime. refreshTokenWindowMinutes: type: integer description: Timeframe when the refresh token is valid. The minimum is 10 minutes. The maximum is five years (2,628,000 minutes). 
TokenAuthorizationServerPolicyRuleActionInlineHook: type: object properties: id: type: string readOnly: false TokenDeliveryMode: type: string enum: - poll TokenHookResponse: description: |- For the token inline hook, the `commands` and `error` objects that you can return in the JSON payload of your response are defined in the following sections. > **Note:** The size of your response payload must be less than 256 KB. type: object properties: commands: description: |- You can use the `commands` object to provide commands to Okta. It's where you can tell Okta to add more claims to the token. The `commands` object is an array, allowing you to send multiple commands. In each array element, there needs to be a `type` property and `value` property. The `type` property is where you specify which of the supported commands you want to execute, and `value` is where you supply an operand for that command. In the case of the token hook type, the `value` property is itself a nested object in which you specify a particular operation, a path to act on, and a value. type: array items: type: object properties: type: description: |- One of the supported commands: `com.okta.identity.patch`: Modify an ID token `com.okta.access.patch`: Modify an access token > **Note:** The `commands` array should only contain commands that can be applied to the requested tokens. For example, if only an ID token is requested, the `commands` array shouldn't contain commands of the type `com.okta.access.patch`. type: string value: description: The `value` object is where you specify the operation to perform. It's an array, which allows you to request more than one operation. type: array items: type: object properties: op: description: |- The name of one of the supported ops: `add`: Add a claim. `replace`: Modify an existing claim and update the token lifetime. `remove`: Remove an existing claim. 
#### `op: add` notes <details> <summary>Add a claim</summary> Add a claim **Existing JSON** ``` { "employeeId": "00u12345678" } ``` **Operation** ``` { "commands": [ { "type": "com.okta.assertion.patch", "value": [ { "op": "add", "path": "/claims/extPatientId", "value": "1234" } ] }, { "type": "com.okta.assertion.patch", "value": [ { "op": "add", "path": "/claims/external_guid", "value": "F0384685-F87D-474B-848D-2058AC5655A7" } ] } ] } ``` **Updated JSON** ``` { "employeeId": "00u12345678", "extPatientId": 1234, "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" } ``` > **Note:** If you use the `add` operation and include an existing claim in your response with a different value, that value is replaced. Use the `replace` operation instead. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. See `op: replace` notes. </details> <details> <summary>Add new members to existing JSON objects</summary> If you have a JSON object in a claim called `employee_profile`, and you want to add the `department_id` member to the claim, the existing JSON is updated by specifying the claim in the path, followed by the name of the object member. **Existing JSON** ``` { "employee_profile": { "employee_id": "1234", "name": "Anna" } } ``` **Operation** ``` { "commands": [ { "type": "com.okta.identity.patch", "value": [ { "op": "add", "path": "/claims/employee_profile/department_id", "value": "4947" } ] } ] } ``` **Updated JSON** ``` { "employee_profile": { "employee_id": "1234", "name": "Anna", "department_id": "4947" } } ``` > **Note:** If you attempt to add a member within a JSON object that doesn't exist or using an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. 
</details> <details> <summary>Add new elements to existing arrays</summary> Append an element to an array by specifying the name of the array, followed by the index where you want to insert the element in the path. Alternatively, you can specify the array name followed by a hyphen (-) in the path to append an element at the end of the array. For example, you have an array that contains the user's preferred airports, and you want to add a new airport to the array. The existing target JSON object is updated by specifying the claim in the path, followed by the index of where to insert the claim. **Existing JSON** ``` { "preferred_airports":[ "sjc", "sfo", "oak" ] } ``` **Operation** ``` { "commands": [ { "type": "com.okta.identity.patch", "value": [ { "op": "add", "path": "/claims/preferred_airports/3", "value": "lax" } ] } ] } ``` **Updated JSON** ``` { "preferred_airports":[ "sjc", "sfo", "oak", "lax" ] } ``` > **Note:** If you attempt to add an element within an array that doesn't exist or specify an invalid index, the entire PATCH fails and errors are logged in the token hooks events. </details> #### `op: replace` notes <details> <summary>Modify an existing claim</summary> You can modify (`replace`) existing custom claims or OIDC standard profile claims, such as `birthdate` and `locale`. You can't, however, modify any system-specific claims, such as `iss` or `ver`. Also, you can't modify a claim that isn't currently part of the token in the request payload. Attempting to modify a system-specific claim or using an invalid operation results in the entire PATCH failing and errors logged in the token hooks events. See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. > **Note:** Although the `aud` and `sub` claims are listed as reserved claims, you can modify those claims in access tokens. You can't modify these claims in ID tokens. 
See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. **Existing target JSON object** ``` { "employeeId": "00u12345678", "extPatientId": 1234, "external_guid": "F0384685-F87D-474B-848D-2058AC5655A7" } ``` **Operation** ``` { "commands": [ { "type": "com.okta.identity.patch", "value": [ { "op": "replace", "path": "/claims/extPatientId", "value": "12345" }, { "op": "replace", "path": "/claims/external_guid", "value": "D1495796-G98E-585C-959E-1269CD6766B8" } ] } ] } ``` **Updated JSON** ``` { "employeeId": "00u12345678", "extPatientId": 12345, "external_guid": "D1495796-G98E-585C-959E-1269CD6766B8" } ``` </details> <details> <summary>Modify members within existing JSON objects and arrays</summary> Use the `replace` operation to modify members within JSON objects and elements within arrays. For example, you have a JSON object in a claim called `employee_profile`, and you want to update the email address of the employee. The existing target JSON object is updated by specifying the claim in the path, followed by the name of the object member that you want to modify. **Existing target JSON object** ``` { "employee_profile": { "employee_id":"1234", "name":"Anna", "email":"anna.v@company.com" } } ``` **Operation** ``` { "commands": [ { "type": "com.okta.identity.patch", "value": [ { "op": "replace", "path": "/claims/employee_profile/email", "value": "anna@company.com" } ] } ] } ``` **Updated JSON** ``` { "employee_profile": { "employee_id":"1234", "name":"Anna", "email":"anna@company.com" } } ``` > **Note:** If you attempt to modify a member within a JSON object that doesn't exist or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. Similarly, you can replace elements in an array by specifying the array name and the valid index of the element that you want to replace in the path. 
</details> <details> <summary>Modify token lifetimes</summary> You can modify how long the access and ID tokens are valid by specifying the `lifetime` in seconds. The `lifetime` value must be a minimum of five minutes (300 seconds) and a maximum of 24 hours (86,400 seconds). **Operation** ``` { "commands": [ { "type": "com.okta.identity.patch", "value": [ { "op": "replace", "path": "/token/lifetime/expiration", "value": 36000 } ] }, { "type": "com.okta.access.patch", "value": [ { "op": "replace", "path": "/token/lifetime/expiration", "value": 36000 } ] } ] } ``` </details> #### `op: remove` notes <details> <summary>Remove a claim</summary> You can remove existing custom claims or OIDC standard profile claims, such as `birthdate` or `locale`. You can't, however, remove any system-specific claims, such as `iss` or `ver`. You also can't remove a claim that isn't currently part of the token in the request payload. If you attempt to remove a system-specific claim or use an invalid operation, the entire PATCH fails and errors are logged in the token hooks events. See [Access Tokens Scopes and Claims](/openapi/okta-oauth/guides/overview/#access-token-scopes-and-claims) for the list of access token-reserved claims that you can't modify. See [ID Token Claims](/openapi/okta-oauth/guides/overview/#id-token-claims) for a list of ID token-reserved claims that you can't modify. **Operation** ``` { "commands": [ { "type": "com.okta.identity.patch", "value": [ { "op": "remove", "path": "/claims/birthdate", "value": null } ] }, { "type": "com.okta.access.patch", "value": [ { "op": "remove", "path": "/claims/external_guid" } ] } ] } ``` > **Note:** The `value` property for the `remove` operation isn't required. If you provide it in the response, it should be set to `null`. Providing any other value fails the entire PATCH response. </details> <details> <summary>Remove members from existing arrays</summary> Use the `remove` operation to remove members from existing arrays. 
For example, you have an array that contains the user's preferred airports, and you want to remove an airport from the array. The existing target JSON object is updated by specifying the array name followed by the index of the element that you want to remove. You don't need to specify a value for the remove operation, but you can specify `null` as the value if you want. **Existing target JSON object** ``` { "preferred_airports": [ "sjc", "lax", "sfo", "oak" ] } ``` **Operation** ``` { "commands": [ { "type": "com.okta.identity.patch", "value": [ { "op": "remove", "path": "/claims/preferred_airports/1" } ] } ] } ``` **Updated JSON** ``` { "preferred_airports": [ "sjc", "sfo", "oak" ] } ``` </details> <details> <summary>Remove members from existing JSON objects</summary> Use the `remove` operation to remove members from existing JSON objects. Do this by specifying the JSON object in the path, followed by the claim member that you would like to remove. For example, you have an `employee_profile` claim, and you want to remove `email` from it. **Existing target JSON object** ``` { "employee_profile": { "employee_id":"1234", "name":"Anna", "email":"anna.v@company.com" } } ``` **Operation** ``` { "commands": [ { "type": "com.okta.identity.patch", "value": [ { "op": "remove", "path": "/claims/employee_profile/email" } ] } ] } ``` **Updated JSON** ``` { "employee_profile": { "employee_id":"1234", "name":"Anna" } } ``` </details> type: string path: description: Location within the token to apply the operation, specified as a slash-delimited path. When you add, replace, or remove a claim, this path always begins with `/claims/` and is followed by the name of the new claim that you're adding. When you replace a token lifetime, the path should always be `/token/lifetime/expiration`. type: string value: description: Value to set the claim to. 
oneOf: - type: string - type: integer - type: object error: description: When an error object is returned, it causes Okta to return an OAuth 2.0 error to the requester of the token. In the error response, the value of `error` is `server_error`, and the value of `error_description` is the string that you supplied in the `errorSummary` property of the `error` object that you returned. type: object properties: errorSummary: description: 'Human-readable summary of the error. If the error object doesn''t include the `errorSummary` property defined, the following common default message is returned to the end user: `The callback service returned an error`.' type: string TokenPayLoad: type: object properties: data: type: object properties: context: allOf: - $ref: '#/components/schemas/BaseContext' - type: object properties: protocol: description: Details of the authentication protocol type: object properties: type: description: The type of authentication protocol used type: string example: OAUTH2.0 request: $ref: '#/components/schemas/TokenProtocolRequest' OriginalGrant: description: Information about the original token request used to get the refresh token being used, when in a refresh token request type: object properties: authorization: $ref: '#/components/schemas/TokenProtocolRequest' refresh_token: $ref: '#/components/schemas/RefreshToken' issuer: description: The authorization server's issuer identifier type: object properties: uri: description: The authorization server's issuer identifier type: string format: uri client: description: The client making the token request type: object properties: id: description: The unique identifier of the client type: string name: description: The name of the client type: string type: description: The type of client type: string example: PUBLIC policy: description: The authorization server policy used to mint the token type: object properties: id: description: The unique identifier for the policy type: string example: 
00p4ktaq2ryOYtsHC0g7 rule: description: The authorization server policy rule used to mint the token type: object properties: id: description: The unique identifier for the policy rule type: string example: 0pr4ktb7elD3ZvrMy0g7 identity: allOf: - description: Provides information on the properties of the ID token that Okta has generated, including the existing claims that it contains - $ref: '#/components/schemas/BaseToken' access: allOf: - description: Provides information on the properties of the access token that Okta has generated, including the existing claims that it contains - $ref: '#/components/schemas/BaseToken' - type: object properties: scopes: description: The scopes contained in the token. For descriptions of the scopes that you can include, see the Okta [OpenID Connect and OAuth 2.0 API reference](/openapi/okta-oauth/guides/overview/#scopes). type: object refresh_token: $ref: '#/components/schemas/RefreshToken' eventType: type: string description: The type of inline hook. The token inline hook type is `com.okta.oauth2.tokens.transform`. 
source: description: The URL of the token inline hook type: string TokenProtocolRequest: description: Details of the token request type: object properties: client_id: description: The ID of the client associated with the token type: string grant_type: $ref: '#/components/schemas/GrantType' redirect_uri: description: Specifies the callback location where the authorization was sent type: string format: uri response_mode: description: The authorization response mode type: string enum: - form_post - fragment - okta_post_message - query response_type: description: The authorization response type type: string enum: - code - id_token - token - none scope: description: The scopes requested type: string state: type: string TokenRequest: description: Token inline hook request allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/TokenPayLoad' TokenResourcesHrefObject: type: object properties: href: type: string description: Link URI example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7/clients/0oabskvc6442nkvQO0h7/tokens TokenResponse: type: object properties: access_token: type: string description: An access token. device_secret: type: string description: An opaque device secret. This is returned if the `device_sso` scope is granted. expires_in: type: integer description: The expiration time of the access token in seconds. id_token: type: string description: An ID token. This is returned if the `openid` scope is granted. issued_token_type: $ref: '#/components/schemas/TokenType' refresh_token: type: string description: An opaque refresh token. This is returned if the `offline_access` scope is granted. scope: type: string description: The scopes contained in the access token. token_type: $ref: '#/components/schemas/TokenResponseTokenType' TokenResponseTokenType: description: The token type in a `/token` response. The value is generally `Bearer` except for a few instances of token exchange. 
type: string enum: - Bearer - N_A TokenType: description: The type of token for token exchange. `urn:okta:params:oauth:token-type:interclient_token` is EA. type: string enum: - urn:ietf:params:oauth:token-type:access_token - urn:ietf:params:oauth:token-type:id_token - urn:ietf:params:oauth:token-type:jwt - urn:ietf:params:oauth:token-type:refresh_token - urn:ietf:params:oauth:token-type:saml1 - urn:ietf:params:oauth:token-type:saml2 - urn:okta:oauth:token-type:web_sso_token - urn:okta:params:oauth:token-type:interclient_token - urn:x-oath:params:oauth:token-type:device-secret TrendMicroApexOneServiceApplication: title: Trend Micro Apex One Service x-tags: - Application x-okta-defined-as: name: trendmicroapexoneservice example: name: trendmicroapexoneservice label: Sample Trend Micro Apex One as a Service App signOnMode: SAML_2_0 settings: app: baseURL: https://acme.trendmicro.com description: | Schema for Trend Micro Apex One as a Service app (key name: `trendmicroapexoneservice`) To create a Trend Micro Apex One as a Service app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. > **Note:** The Trend Micro Apex One as a Service app only supports `SAML_2_0` sign-on mode. 
allOf: - $ref: '#/components/schemas/OINApplication' - type: object - required: - name - label - settings properties: name: type: string enum: - trendmicroapexoneservice example: trendmicroapexoneservice signOnMode: type: string enum: - SAML_2_0 settings: $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettings' TrendMicroApexOneServiceApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object - required: - app properties: app: $ref: '#/components/schemas/TrendMicroApexOneServiceApplicationSettingsApplication' signOn: $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' TrendMicroApexOneServiceApplicationSettingsApplication: description: Trend Micro Apex One as a Service app instance properties type: object properties: baseURL: type: string description: Base Trend Micro Apex One Service URL required: - baseURL TrustedOrigin: type: object properties: created: description: Timestamp when the trusted origin was created type: string format: date-time readOnly: true createdBy: description: The ID of the user who created the trusted origin type: string id: description: Unique identifier for the trusted origin type: string readOnly: true lastUpdated: description: Timestamp when the trusted origin was last updated type: string format: date-time readOnly: true lastUpdatedBy: description: The ID of the user who last updated the trusted origin type: string name: $ref: '#/components/schemas/TrustedOriginName' origin: $ref: '#/components/schemas/TrustedOriginOrigin' scopes: $ref: '#/components/schemas/TrustedOriginScopes' status: $ref: '#/components/schemas/LifecycleStatus' _links: $ref: '#/components/schemas/LinksSelfAndLifecycle' TrustedOriginName: maximum: 255 description: Unique name for the trusted origin type: string TrustedOriginOrigin: maximum: 255 description: Unique origin URL for the trusted origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor. 
type: string TrustedOriginScope: type: object properties: allowedOktaApps: type: array description: The allowed Okta apps for the trusted origin scope items: $ref: '#/components/schemas/IframeEmbedScopeAllowedApps' type: $ref: '#/components/schemas/TrustedOriginScopeType' TrustedOriginScopeType: description: | The scope type. Supported values: When you use `IFRAME_EMBED` as the scope type, leave the `allowedOktaApps` property empty to allow iFrame embedding of only Okta sign-in pages. Include `OKTA_ENDUSER` as a value for the `allowedOktaApps` property to allow iFrame embedding of both Okta sign-in pages and the Okta End-User Dashboard. type: string enum: - CORS - IFRAME_EMBED - REDIRECT TrustedOriginScopes: maximum: 3 description: Array of scope types that this trusted origin is used for items: $ref: '#/components/schemas/TrustedOriginScope' type: array TrustedOriginWrite: type: object properties: name: $ref: '#/components/schemas/TrustedOriginName' origin: $ref: '#/components/schemas/TrustedOriginOrigin' scopes: $ref: '#/components/schemas/TrustedOriginScopes' UIElement: description: Specifies the configuration of an input field on an enrollment form type: object properties: label: type: string description: Label name for the UI element options: type: object description: UI Schema element options object properties: format: type: string description: Specifies how the input appears enum: - text - radio - select - checkbox - radio_yes_no - radio_true_false x-enumDescriptions: text: The default format for the majority of property types radio: Radio button options. This option is only available for `string` data types with an `enum` or `one of` constraint. select: Displays input as a dropdown list. This option is only available for the `country-code` data type or a string data type with an enum or one of constraint. checkbox: Displays input as a checkbox. This option is only available for Boolean data types. 
radio_yes_no: Displays input as two radio buttons, one with the option `yes` and the other `no`. This option is only available for Boolean data types. radio_true_false: Displays input as two radio buttons, one with the option `true` and the other `false`. This option is only available for Boolean data types. scope: type: string description: Specifies the property bound to the input field. It must follow the format `#/properties/PROPERTY_NAME` where `PROPERTY_NAME` is a variable name for an attribute in `profile editor`. type: type: string description: Specifies the relationship between this input element and `scope`. The `Control` value specifies that this input controls the value represented by `scope`. UISchemaObject: description: Properties of the UI schema type: object properties: buttonLabel: type: string description: Specifies the button label for the `Submit` button at the bottom of the enrollment form default: Submit elements: type: array items: $ref: '#/components/schemas/UIElement' label: type: string description: Specifies the label at the top of the enrollment form under the logo default: Sign in type: type: string description: Specifies the type of layout UISchemasResponseObject: type: object properties: created: type: string format: date-time description: Timestamp when the UI Schema was created (ISO 8601) readOnly: true id: type: string description: Unique identifier for the UI Schema readOnly: true lastUpdated: type: string format: date-time description: Timestamp when the UI Schema was last modified (ISO 8601) readOnly: true uiSchema: $ref: '#/components/schemas/UISchemaObject' _links: $ref: '#/components/schemas/LinksSelf' required: - id - uiSchema - created - lastUpdated - _links UpdateAIAgentRequest: type: object properties: appId: type: string description: The ID of the connected app for the AI agent readOnly: false profile: $ref: '#/components/schemas/AIAgentProfile' UpdateDomain: type: object properties: brandId: description: The `id` of 
the brand used to replace the existing brand. type: string example: bndul904tTZ6kWVhP0g3 required: - brandId UpdateEmailDomain: allOf: - $ref: '#/components/schemas/BaseEmailDomain' UpdateGroupPushMappingRequest: type: object properties: status: description: |- The status of the group push mapping. If changing the group push mapping status to `ACTIVE`, Okta performs an initial push to the target group, and then begins pushing membership changes. If changing the group push mapping status to `INACTIVE`, Okta stops pushing membership changes to the target group. type: string $ref: '#/components/schemas/GroupPushMappingStatusUpsert' required: - status UpdateIamRoleRequest: type: object properties: description: type: string description: Description of the role label: type: string description: Unique label for the role required: - label - description UpdateRealmAssignmentRequest: type: object properties: actions: $ref: '#/components/schemas/Actions' conditions: $ref: '#/components/schemas/Conditions' name: type: string priority: type: integer description: |- The priority of the realm assignment. The lower the number, the higher the priority. This helps resolve conflicts between realm assignments. > **Note:** When you create realm assignments in bulk, realm assignment priorities must be unique. 
UpdateRealmRequest: type: object properties: profile: $ref: '#/components/schemas/RealmProfile' UpdateThemeRequest: type: object properties: emailTemplateTouchPointVariant: $ref: '#/components/schemas/EmailTemplateTouchPointVariant' endUserDashboardTouchPointVariant: $ref: '#/components/schemas/EndUserDashboardTouchPointVariant' errorPageTouchPointVariant: $ref: '#/components/schemas/ErrorPageTouchPointVariant' loadingPageTouchPointVariant: $ref: '#/components/schemas/LoadingPageTouchPointVariant' primaryColorContrastHex: type: string description: Primary color contrast hex code default: null primaryColorHex: type: string description: Primary color hex code default: null secondaryColorContrastHex: type: string description: Secondary color contrast hex code default: null secondaryColorHex: type: string description: Secondary color hex code default: null signInPageTouchPointVariant: $ref: '#/components/schemas/SignInPageTouchPointVariant' _links: $ref: '#/components/schemas/LinksSelf' required: - primaryColorHex - secondaryColorHex - signInPageTouchPointVariant - endUserDashboardTouchPointVariant - errorPageTouchPointVariant - emailTemplateTouchPointVariant UpdateUISchema: description: The updated request body properties type: object properties: uiSchema: $ref: '#/components/schemas/UISchemaObject' UpdateUserRequest: type: object properties: credentials: $ref: '#/components/schemas/UserCredentials' profile: $ref: '#/components/schemas/UserProfile' realmId: type: string description: The ID of the realm in which the user is residing. See [Realms](/openapi/okta-management/management/tag/Realm/). example: guo1bfiNtSnZYILxO0g4 type: type: object description: |- The ID of the user type. Add this value if you want to create a user with a non-default [User Type](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/). 
The user type determines which [schema](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/) applies to that user. After a user has been created, the user can only be assigned a different user type by an admin through a full replacement (`PUT`) operation. properties: id: type: string description: The ID of the user type User: type: object properties: activated: type: string description: The timestamp when the user status transitioned to `ACTIVE` format: date-time readOnly: true nullable: true created: type: string description: The timestamp when the user was created format: date-time readOnly: true credentials: $ref: '#/components/schemas/UserCredentials' id: type: string description: The unique key for the user readOnly: true lastLogin: type: string description: The timestamp of the last login format: date-time readOnly: true nullable: true lastUpdated: type: string description: The timestamp when the user was last updated format: date-time readOnly: true passwordChanged: type: string description: The timestamp when the user's password was last updated format: date-time readOnly: true nullable: true profile: $ref: '#/components/schemas/UserProfile' realmId: type: string description: The ID of the realm in which the user is residing. See [Realms](/openapi/okta-management/management/tag/Realm/). example: guo1bfiNtSnZYILxO0g4 readOnly: true status: $ref: '#/components/schemas/UserStatus' statusChanged: type: string description: The timestamp when the status of the user last changed format: date-time readOnly: true nullable: true transitioningToStatus: type: string description: The target status of an in-progress asynchronous status transition. This property is only returned if the user's state is transitioning. readOnly: true nullable: true enum: - ACTIVE - DEPROVISIONED - PROVISIONED type: type: object description: |- The user type that determines the schema for the user's profile. 
The `type` property is a map that identifies the [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/#tag/UserType). Currently it contains a single element, `id`. It can be specified when creating a new user, and can be updated by an admin on a full replace of an existing user (but not a partial update). properties: id: type: string description: The ID of the user type _embedded: type: object description: Embedded resources related to the user using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification additionalProperties: type: object properties: {} readOnly: true _links: description: |- Specifies link relations (see [Web Linking](https://datatracker.ietf.org/doc/html/rfc8288)) available for the current status of a user. The links object is used for dynamic discovery of related resources, lifecycle operations, and credential operations. The links object is read-only. For an individual user result, the links object contains a full set of link relations available for that user as determined by your policies. For a collection of users, the links object contains only the `self` link. Operations that return a collection of users include [List all users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/User/#tag/User/operation/listUsers) and [List all group member users](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/listGroupUsers). 
allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: self: description: URL to the individual user allOf: - $ref: '#/components/schemas/HrefObject' activate: description: URL to activate the user allOf: - $ref: '#/components/schemas/HrefObject' resetPassword: description: URL to reset the user's password allOf: - $ref: '#/components/schemas/HrefObject' resetFactors: description: URL to reset the user's factors allOf: - $ref: '#/components/schemas/HrefObject' expirePassword: description: URL to expire the user's password allOf: - $ref: '#/components/schemas/HrefObject' forgotPassword: description: URL to initiate a forgot password operation allOf: - $ref: '#/components/schemas/HrefObject' changeRecoveryQuestion: description: URL to change the user's recovery question allOf: - $ref: '#/components/schemas/HrefObject' deactivate: description: URL to deactivate a user allOf: - $ref: '#/components/schemas/HrefObject' reactivate: description: URL to reactivate the user allOf: - $ref: '#/components/schemas/HrefObject' changePassword: description: URL to change the user's password allOf: - $ref: '#/components/schemas/HrefObject' schema: description: URL to the user's profile schema allOf: - $ref: '#/components/schemas/HrefObject' suspend: description: URL to suspend the user allOf: - $ref: '#/components/schemas/HrefObject' unsuspend: description: URL to unsuspend the user allOf: - $ref: '#/components/schemas/HrefObject' unlock: description: URL to unlock the locked-out user allOf: - $ref: '#/components/schemas/HrefObject' type: description: URL to the user type allOf: - $ref: '#/components/schemas/HrefObject' - readOnly: true UserActivationToken: type: object properties: activationToken: type: string readOnly: true example: XE6wE17zmphl3KqAPFxO description: |- Token received as part of an activation user request. 
If a password was set before the user was activated, then the user must sign in with their password or the `activationToken` and not the activation link. More information about using the `activationToken` to log in can be found in the [Authentication API](https://developer.okta.com/docs/reference/api/authn/#primary-authentication-with-activation-token). activationUrl: type: string readOnly: true example: https://{yourOktaDomain}/welcome/XE6wE17zmphl3KqAPFxO description: If `sendEmail` is `false`, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link. UserBlock: description: Describes how the account is blocked from access. If `appliesTo` is `ANY_DEVICES`, then the account is blocked for all devices. If `appliesTo` is `UNKNOWN_DEVICES`, then the account is only blocked for unknown devices. type: object properties: appliesTo: type: string readOnly: true description: The devices that the block applies to enum: - ANY_DEVICES - UNKNOWN_DEVICES x-enumDescriptions: ANY_DEVICES: The account is blocked for all devices UNKNOWN_DEVICES: The account is only blocked for unknown devices type: type: string readOnly: true description: Type of access block enum: - DEVICE_BASED UserClassification: type: object properties: lastUpdated: type: string description: The timestamp when the user classification was last updated format: date-time readOnly: true type: $ref: '#/components/schemas/ClassificationType' UserCondition: description: Specifies a set of users to be included or excluded type: object properties: exclude: description: Users to be excluded type: array items: type: string include: description: Users to be included type: array items: type: string required: - exclude - include UserCredentials: description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. 
type: object properties: password: $ref: '#/components/schemas/PasswordCredential' provider: $ref: '#/components/schemas/AuthenticationProvider' recovery_question: $ref: '#/components/schemas/RecoveryQuestionCredential' UserCredentialsWritable: description: Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. type: object properties: password: $ref: '#/components/schemas/PasswordCredential' provider: $ref: '#/components/schemas/AuthenticationProviderWritable' recovery_question: $ref: '#/components/schemas/RecoveryQuestionCredential' UserDevice: type: object properties: created: type: string format: date-time description: Timestamp when the device was created readOnly: true device: type: object $ref: '#/components/schemas/Device' deviceUserId: type: string description: Unique key for the user device link UserFactor: type: object properties: created: description: Timestamp when the factor was enrolled type: string format: date-time example: '2022-08-25T00:31:00.000Z' readOnly: true factorType: $ref: '#/components/schemas/UserFactorType' id: description: ID of the factor type: string example: caf8m6jbcvUH8mAep1d7 readOnly: true lastUpdated: description: Timestamp when the factor was last updated type: string format: date-time example: '2022-08-25T00:31:00.000Z' readOnly: true profile: type: object description: Specific attributes related to the factor provider: description: Provider for the factor. Each provider can support a subset of factor types. type: string status: $ref: '#/components/schemas/UserFactorStatus' vendorName: description: Name of the factor vendor. This is usually the same as the provider except for On-Prem MFA, which depends on admin settings. 
type: string example: OKTA readOnly: true _embedded: type: object additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/UserFactorLinks' discriminator: propertyName: factorType mapping: call: '#/components/schemas/UserFactorCall' email: '#/components/schemas/UserFactorEmail' push: '#/components/schemas/UserFactorPush' question: '#/components/schemas/UserFactorSecurityQuestion' sms: '#/components/schemas/UserFactorSMS' token: '#/components/schemas/UserFactorToken' token:hardware: '#/components/schemas/UserFactorTokenHardware' token:hotp: '#/components/schemas/UserFactorTokenHOTP' token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' u2f: '#/components/schemas/UserFactorU2F' web: '#/components/schemas/UserFactorWeb' webauthn: '#/components/schemas/UserFactorWebAuthn' UserFactorActivatePush: description: Activation requests have a short lifetime and expire if the activation isn't completed before the indicated timestamp. If the activation expires, use the returned `activate` link to restart the process. type: object properties: expiresAt: description: Timestamp when the factor verification attempt expires type: string format: date-time example: '2022-08-25T00:31:00.000Z' readOnly: true factorResult: $ref: '#/components/schemas/UserFactorActivatePushResult' readOnly: true UserFactorActivatePushResult: description: Result of a factor activation type: string enum: - CANCELLED - ERROR - TIMEOUT - WAITING UserFactorActivateRequest: oneOf: - title: call description: Attempts to activate a `call` factor with the specified passcode properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: email description: Attempts to activate an `email` factor with the specified passcode properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: push type: object nullable: true description: |- Sends an asynchronous push notification to the device for approval by the user. 
You must poll the transaction to determine the state of the verification. See [Retrieve a factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus). Activations have a short lifetime of several minutes and return a `TIMEOUT` if not completed before the timestamp specified in the `expiresAt` param. Use the published activate link to restart the activation process if the activation expires. properties: useNumberMatchingChallenge: $ref: '#/components/schemas/useNumberMatchingChallenge' - title: sms description: Attempts to activate an `sms` factor with the specified passcode properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: token:software:totp description: Attempts to activate a `token:software:totp` factor with the specified passcode properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: u2f description: Activates a `u2f` factor with the specified client and registration information from the U2F token properties: clientData: type: string description: Base64-encoded client data from the U2F token example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ registrationData: type: string description: Base64-encoded registration data from the U2F token example: 
BQTEMUyOM8h1TiZG4DL-RdMr-tYgTYSf62Y52AmwEFTiSYWIRVO5L-MwWdRJOthmV3J3JrqpmGfmFb820-awx1YIQFlTvkMhxItHlpkzahEqicpw7SIH9yMfTn2kaDcC6JaLKPfV5ds0vzuxF1JJj3gCM01bRC-HWI4nCVgc-zaaoRgwggEcMIHDoAMCAQICCwD52fCSMoNczORdMAoGCCqGSM49BAMCMBUxEzARBgNVBAMTClUyRiBJc3N1ZXIwGhcLMDAwMTAxMDAwMFoXCzAwMDEwMTAwMDBaMBUxEzARBgNVBAMTClUyRiBEZXZpY2UwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFKJupuUgPQcRHUphaW5JPfLvkkwlEwlHKk_ntSp7MS4aTHJyGnpziqncrjiTC_oUVtb-wN-y_t_IMIjueGkhxMAoGCCqGSM49BAMCA0gAMEUCIQDBo6aOLxanIUYnBX9iu3KMngPnobpi0EZSTkVtLC8_cwIgC1945RGqGBKfbyNtkhMifZK05n7fU-gW37Bdnci5D94wRQIhAJv3VvclbRkHAQhaUR8rr8qFTg9iF-GtHoXU95vWaQdyAiAbEr-440U4dQAZF-Sj8G2fxgh5DkgkkWpyUHZhz7N9ew - title: webauthn description: Activates a `webauthn` factor with the specified attestation and registration information from the WebAuthn authenticator properties: attestation: type: string description: Base64-encoded attestation from the WebAuthn authenticator example: o2NmbXRmcGFja2VkZ2F0dFN0bXSiY2FsZyZjc2lnWEgwRgIhAMvf2+dzXlHZN1um38Y8aFzrKvX0k5dt/hnDu9lahbR4AiEAuwtMg3IoaElWMp00QrP/+3Po/6LwXfmYQVfsnsQ+da1oYXV0aERhdGFYxkgb9OHGifjS2dG03qLRqvXrDIRyfGAuc+GzF1z20/eVRV2wvl6tzgACNbzGCmSLCyXx8FUDAEIBvWNHOcE3QDUkDP/HB1kRbrIOoZ1dR874ZaGbMuvaSVHVWN2kfNiO4D+HlAzUEFaqlNi5FPqKw+mF8f0XwdpEBlClAQIDJiABIVgg0a6oo3W0JdYPu6+eBrbr0WyB3uJLI3ODVgDfQnpgafgiWCB4fFo/5iiVrFhB8pNH2tbBtKewyAHuDkRolcCnVaCcmQ== clientData: type: string description: Base64-encoded client data from the WebAuthn authenticator example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0 type: object UserFactorActivateResponse: type: object properties: factorType: description: Type of the factor type: string enum: - call - email - sms - push - token:software:totp - u2f - webauthn _links: allOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksUserFactors' - $ref: '#/components/schemas/LinksVerify' discriminator: propertyName: factorType mapping: call: 
'#/components/schemas/UserFactorCall' email: '#/components/schemas/UserFactorEmail' sms: '#/components/schemas/UserFactorSMS' push: '#/components/schemas/UserFactorPush' token:software:totp: '#/components/schemas/UserFactorTokenSoftwareTOTP' u2f: '#/components/schemas/UserFactorU2F' webauthn: '#/components/schemas/UserFactorWebAuthn' UserFactorCall: title: call allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorCallProfile' UserFactorCallProfile: type: object properties: phoneExtension: description: Extension of the associated `phoneNumber` type: string example: 1234 nullable: true maxLength: 15 phoneNumber: description: Phone number of the factor. Format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). example: '+15554151337' type: string pattern: ^\+[1-9]\d{1,14}$ maxLength: 15 UserFactorEmail: title: email allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorEmailProfile' UserFactorEmailProfile: type: object properties: email: description: |- Email address of the user. This must be either the primary or secondary email address associated with the Okta user account. > **Note:** For Identity Engine orgs, you can only enroll the primary email address of the user. 
maxLength: 100 example: z.cool@example.com type: string UserFactorLinks: allOf: - $ref: '#/components/schemas/LinksActivate' - $ref: '#/components/schemas/LinksCancel' - $ref: '#/components/schemas/LinksDeactivate' - $ref: '#/components/schemas/LinksEnroll' - $ref: '#/components/schemas/LinksFactor' - $ref: '#/components/schemas/LinksPoll' - $ref: '#/components/schemas/LinksQrcode' - $ref: '#/components/schemas/LinksQuestions' - $ref: '#/components/schemas/LinksResend' - $ref: '#/components/schemas/LinksSend' - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksUserFactors' - $ref: '#/components/schemas/LinksVerify' readOnly: true UserFactorPassCode: description: OTP for the current time window example: 1234567890 type: string UserFactorProvider: type: string enum: - CUSTOM - DUO - FIDO - GOOGLE - OKTA - RSA - SYMANTEC - YUBICO UserFactorPush: title: push allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorPushProfile' UserFactorPushProfile: type: object properties: credentialId: description: ID for the factor credential example: dade.murphy@example.com type: string deviceToken: description: Token used to identify the device example: fwf7ku6bsiSCieh6y1d7 type: string deviceType: description: Type of device example: SmartPhone_IPhone type: string name: description: Name of the device example: My Phone type: string platform: description: OS version of the associated device example: IOS type: string version: description: Installed version of Okta Verify example: '9.0' type: string UserFactorPushTransaction: type: object properties: factorResult: description: Result of the verification transaction type: string enum: - WAITING (with number matching challenge) - WAITING - SUCCESS - REJECTED - TIMEOUT discriminator: propertyName: factorResult mapping: WAITING: '#/components/schemas/UserFactorPushTransactionWaitingNoNMC' WAITING (with number matching challenge): 
'#/components/schemas/UserFactorPushTransactionWaitingNMC' SUCCESS: '#/components/schemas/UserFactorPushTransaction' REJECTED: '#/components/schemas/UserFactorPushTransactionRejected' TIMEOUT: '#/components/schemas/UserFactorPushTransactionTimeout' UserFactorPushTransactionRejected: allOf: - $ref: '#/components/schemas/UserFactorPushTransaction' - type: object properties: profile: type: object properties: credentialId: description: ID for the factor credential example: dade.murphy@example.com type: string _links: allOf: - $ref: '#/components/schemas/LinksVerify' - type: object properties: factor: $ref: '#/components/schemas/UserFactor' UserFactorPushTransactionSuccess: $ref: '#/components/schemas/UserFactorPushTransaction' UserFactorPushTransactionTimeout: allOf: - $ref: '#/components/schemas/UserFactorPushTransaction' - type: object properties: profile: type: object properties: credentialId: description: ID for the factor credential example: dade.murphy@example.com type: string _links: allOf: - $ref: '#/components/schemas/LinksVerify' - type: object properties: factor: $ref: '#/components/schemas/UserFactor' UserFactorPushTransactionWaitingNMC: allOf: - $ref: '#/components/schemas/UserFactorPushTransaction' - type: object properties: profile: type: object properties: credentialId: description: ID for the factor credential example: dade.murphy@example.com type: string _embedded: $ref: '#/components/schemas/NumberFactorChallengeEmbeddedLinks' _links: allOf: - $ref: '#/components/schemas/LinksPoll' - $ref: '#/components/schemas/LinksCancel' UserFactorPushTransactionWaitingNoNMC: allOf: - $ref: '#/components/schemas/UserFactorPushTransaction' - type: object properties: profile: type: object properties: credentialId: description: ID for the factor credential example: dade.murphy@example.com type: string _links: allOf: - $ref: '#/components/schemas/LinksPoll' - $ref: '#/components/schemas/LinksCancel' UserFactorResultType: description: Result of a factor verification 
attempt type: string enum: - CANCELLED - CHALLENGE - ERROR - FAILED - PASSCODE_REPLAYED - REJECTED - SUCCESS - TIMEOUT - TIME_WINDOW_EXCEEDED - WAITING readOnly: true UserFactorSMS: title: sms allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorSMSProfile' UserFactorSMSProfile: type: object properties: phoneNumber: description: Phone number of the factor. You should format phone numbers to use the [E.164 standard](https://www.itu.int/rec/T-REC-E.164/). example: '+15554151337' type: string pattern: ^\+[1-9]\d{1,14}$ maxLength: 15 UserFactorSecurityQuestion: title: question allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorSecurityQuestionProfile' UserFactorSecurityQuestionProfile: type: object properties: answer: description: Answer to the question minLength: 4 type: string writeOnly: true question: description: Unique key for the question example: disliked_food enum: - disliked_food - name_of_first_plush_toy - first_award - favorite_security_question - favorite_toy - first_computer_game - favorite_movie_quote - first_sports_team_mascot - first_music_purchase - favorite_art_piece - grandmother_favorite_desert - first_thing_cooked - childhood_dream_job - first_kiss_location - place_where_significant_other_was_met - favorite_vacation_location - new_years_two_thousand - favorite_speaker_actor - favorite_book_movie_character - favorite_sports_player type: string questionText: description: Human-readable text that's displayed to the user example: What is the food you least liked as a child? 
type: string readOnly: true UserFactorSignatureData: description: Base64-encoded signature data from the WebAuthn authenticator type: string UserFactorStatus: example: ACTIVE description: Status of the factor type: string enum: - ACTIVE - DISABLED - ENROLLED - EXPIRED - INACTIVE - NOT_SETUP - PENDING_ACTIVATION readOnly: true UserFactorSupported: type: object properties: enrollment: type: string description: Indicates if the factor is required for the specified user example: OPTIONAL enum: - OPTIONAL - REQUIRED factorType: $ref: '#/components/schemas/UserFactorType' provider: $ref: '#/components/schemas/UserFactorProvider' status: $ref: '#/components/schemas/UserFactorStatus' vendorName: description: Name of the factor vendor. This is usually the same as the provider except for On-Prem MFA, which depends on admin settings. type: string example: OKTA readOnly: true _embedded: type: object description: Embedded resources related to the factor additionalProperties: type: object properties: {} readOnly: true _links: $ref: '#/components/schemas/UserFactorLinks' UserFactorToken: title: token allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorTokenProfile' verify: oneOf: - $ref: '#/components/schemas/UserFactorTokenVerifyRSA' - $ref: '#/components/schemas/UserFactorTokenVerifySymantec' UserFactorTokenFactorVerificationObject: type: object properties: nextPassCode: description: OTP for the next time window type: string example: 678195 passCode: description: OTP for the current time window type: string example: 875498 UserFactorTokenHOTP: title: token:hotp allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: factorProfileId: description: ID of an existing Custom TOTP factor profile. To create this, see [Custom TOTP factor](https://help.okta.com/okta_help.htm?id=ext-mfa-totp). 
type: string profile: $ref: '#/components/schemas/UserFactorTokenHOTPProfile' UserFactorTokenHOTPProfile: type: object properties: sharedSecret: description: Unique secret key used to generate the OTP type: string example: 484f97be3213b117e3a20438e291540a UserFactorTokenHardware: title: token:hardware allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorTokenProfile' verify: type: object properties: passCode: description: OTP for the current time window type: string example: cccccceukngdfgkukfctkcvfidnetljjiknckkcjulji UserFactorTokenProfile: type: object properties: credentialId: description: ID for the factor credential example: dade.murphy@example.com type: string UserFactorTokenSoftwareTOTP: title: token:software:totp allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorTokenProfile' UserFactorTokenVerifyRSA: title: RSA SecurID type: object properties: passCode: description: OTP for the current time window type: string example: 5275875498 UserFactorTokenVerifySymantec: title: Symantec VIP type: object properties: nextPassCode: description: OTP for the next time window type: integer example: 3956685498 passCode: description: OTP for the current time window type: string example: 5275875498 UserFactorType: description: Type of factor type: string enum: - call - email - push - question - signed_nonce - sms - token - token:hardware - token:hotp - token:software:totp - u2f - web - webauthn UserFactorU2F: title: u2f allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorU2FProfile' UserFactorU2FProfile: type: object properties: credentialId: description: ID for the factor credential example: dade.murphy@example.com type: string UserFactorVerifyRequest: oneOf: - title: call description: Verifies an OTP sent by a `call` factor challenge. 
If you omit `passCode` in the request, a new OTP is sent to the phone. properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: sms description: Verifies an OTP sent by an `sms` factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone. properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: push type: object nullable: true description: Sends an asynchronous push notification to the device for approval by the user. A successful request returns an HTTP 201 response, unlike other factors. You must poll the transaction to determine the state of the verification. See [Retrieve a factor transaction status](./#tag/UserFactor/operation/getFactorTransactionStatus). properties: useNumberMatchingChallenge: $ref: '#/components/schemas/useNumberMatchingChallenge' - title: email description: Verifies an OTP sent by an `email` factor challenge. If you omit `passCode` in the request, a new OTP is sent to the phone. properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: question description: Verifies an answer to a `question` factor properties: answer: description: Answer to the question minLength: 4 type: string writeOnly: true - title: token:software:totp description: Verifies an OTP for a `token:software:totp` factor properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: token:hotp description: Verifies an OTP for a `token:hotp` factor properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: token:hardware description: Verifies an OTP for a `token:hardware` factor properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: token description: Verifies an OTP for a `token` factor properties: passCode: $ref: '#/components/schemas/UserFactorPassCode' - title: u2f description: Verifies a `u2f` factor challenge by posting a signed assertion using the challenge `nonce` properties: clientData: type: string description: 
Base64-encoded client data from the U2F token example: eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IlhxR0h0RTBoUkxuVEoxYUF5U1oyIiwib3JpZ2luIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MzAwMCIsImNpZF9wdWJrZXkiOiJ1bnVzZWQifQ signatureData: description: Base64-encoded signature data from the U2F token - title: webauthn description: Verifies a `webauthn` factor challenge by posting a signed assertion using the challenge `nonce` properties: authenticatorData: description: Base64-encoded authenticator data from the WebAuthn authenticator type: string clientData: type: string description: Base64-encoded client data from the WebAuthn authenticator example: eyJjaGFsbGVuZ2UiOiJVSk5wYW9sVWt0dF9vcEZPNXJMYyIsIm9yaWdpbiI6Imh0dHBzOi8vcmFpbi5va3RhMS5jb20iLCJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIn0 signatureData: type: string description: Base64-encoded signature data from the WebAuthn authenticator UserFactorVerifyResponse: type: object properties: expiresAt: description: Timestamp when the verification expires type: string format: date-time example: '2022-08-25T00:31:00.000Z' readOnly: true factorMessage: description: Optional display message for factor verification type: string readOnly: true nullable: true factorResult: $ref: '#/components/schemas/UserFactorVerifyResult' readOnly: true profile: type: object additionalProperties: type: object properties: {} readOnly: true _embedded: type: object additionalProperties: type: object nullable: true readOnly: true _links: $ref: '#/components/schemas/UserFactorLinks' UserFactorVerifyResponseWaiting: type: object properties: expiresAt: description: Timestamp when the verification expires type: string format: date-time example: '2022-08-25T00:31:00.000Z' readOnly: true factorMessage: description: Optional display message for factor verification type: string readOnly: true nullable: true factorResult: $ref: '#/components/schemas/UserFactorVerifyResultWaiting' readOnly: true profile: type: object additionalProperties: type: object 
properties: {} readOnly: true _embedded: allOf: - $ref: '#/components/schemas/NumberFactorChallengeEmbeddedLinks' - additionalProperties: type: object nullable: true readOnly: true _links: $ref: '#/components/schemas/UserFactorLinks' UserFactorVerifyResult: description: Result of a factor verification type: string enum: - CHALLENGE - ERROR - EXPIRED - FAILED - PASSCODE_REPLAYED - REJECTED - SUCCESS - TIMEOUT - TIME_WINDOW_EXCEEDED x-enumDescriptions: CANCELED: User cancelled the verification CHALLENGE: Okta issued a verification challenge ERROR: Verification encountered an unexpected server error EXPIRED: User didn't complete the verification within the allowed time window FAILED: Verification failed PASSCODE_REPLAYED: User previously verified the factor within the same time window. Another verification is required during another time window. REJECTED: User rejected the verification SUCCESS: User completed the verification TIMEOUT: Okta didn't complete the verification within the allowed time window TIME_WINDOW_EXCEEDED: User completed the verification outside of the allowed time window. Another verification is required. UserFactorVerifyResultWaiting: description: Result of a factor verification type: string enum: - WAITING x-enumDescriptions: WAITING: Verification is in progress UserFactorWeb: title: web allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorWebProfile' UserFactorWebAuthn: title: webauthn allOf: - $ref: '#/components/schemas/UserFactor' - type: object properties: profile: $ref: '#/components/schemas/UserFactorWebAuthnProfile' UserFactorWebAuthnProfile: type: object properties: authenticatorName: description: |- Human-readable name of the authenticator > **Note:** This name is set from the AAGUID metadata during enrollment. It can't be changed in the Admin Console or by using any Okta APIs. 
example: MacBook Touch ID type: string credentialId: description: ID for the factor credential example: AHoOEhwvYiMv6SSwLp7KYRNttXtg_kYgQoQiEIWPFH_T3Ztp5Vj3bQ5H0LypIFR8ka8kfiCJ3I5qVpxrsd6JTMWKcE3xNh_U2QVF0Kwlan8Fiw type: string readOnly: true UserFactorWebProfile: type: object properties: credentialId: description: ID for the factor credential example: dade.murphy@example.com type: string UserFactorYubikeyOtpToken: type: object properties: created: description: Timestamp when the token was created type: string format: date-time example: '2022-08-25T00:31:00.000Z' readOnly: true id: description: ID of the token type: string example: ykkwcx13nrDq8g4oy0g3 readOnly: true lastUpdated: description: Timestamp when the token was last updated type: string format: date-time example: '2022-08-25T00:31:00.000Z' readOnly: true lastVerified: description: Timestamp when the token was last verified type: string format: date-time example: '2022-08-25T00:31:00.000Z' readOnly: true profile: type: object description: Specified profile information for token additionalProperties: type: object properties: {} status: description: Token status type: string enum: - BLOCKED - UNASSIGNED - ACTIVE - REVOKED - DELETED - INACTIVE _embedded: type: object additionalProperties: type: object properties: {} _links: $ref: '#/components/schemas/UserFactorLinks' UserGetSingleton: allOf: - $ref: '#/components/schemas/User' - type: object properties: _embedded: type: object description: The embedded resources related to the object if the `expand` query parameter is specified properties: blocks: type: array description: A list of access block details for the user account items: $ref: '#/components/schemas/UserBlock' UserIdentifierConditionEvaluatorPattern: description: Specifies the details of the patterns to match against type: object properties: matchType: $ref: '#/components/schemas/UserIdentifierMatchType' value: type: string description: The regular expression or simple match string required: - 
matchType - value UserIdentifierMatchType: description: The type of pattern. For regex, use `EXPRESSION`. type: string enum: - CONTAINS - EQUALS - EXPRESSION - STARTS_WITH - SUFFIX UserIdentifierPolicyRuleCondition: description: Specifies a user identifier condition to match on type: object properties: attribute: type: string description: The name of the profile attribute to match against. Only used when type is `ATTRIBUTE`. patterns: type: array items: $ref: '#/components/schemas/UserIdentifierConditionEvaluatorPattern' type: $ref: '#/components/schemas/UserIdentifierType' required: - patterns - type UserIdentifierType: description: What to match against, either user ID or an attribute in the user's Okta profile. type: string enum: - ATTRIBUTE - IDENTIFIER UserIdentityProviderLinkRequest: type: object properties: externalId: type: string description: Unique IdP-specific identifier for a user example: '121749775026145' UserImportRequest: type: object properties: data: $ref: '#/components/schemas/UserImportRequestData' eventType: type: string description: The type of inline hook. The user import inline hook type is `com.okta.import.transform`. source: description: The ID of the user import inline hook type: string UserImportRequestData: type: object properties: action: type: object description: The object that specifies the default action Okta is set to take properties: result: description: |- The current default action that results when Okta imports a user. The two possible values are `CREATE_USER` and `LINK_USER`. You can change the action that is taken by means of the commands object you return. 
type: string enum: - CREATE_USER - LINK_USER x-enumDescriptions: CREATE_USER: A new Okta user profile is created for the user LINK_USER: The user is treated as a match for the existing Okta user identified by the value of `data.user.id` appUser: type: object description: The app user profile being imported properties: profile: type: object description: |- Provides the name-value pairs of the attributes contained in the app user profile of the user who is being imported. You can change the values of attributes in the user's app profile by means of the `commands` object you return. If you change attributes in the app profile, they then flow through to the Okta user profile, based on matching and mapping rules. additionalProperties: type: string context: type: object properties: conflicts: description: An array of user profile attributes that are in conflict type: array items: additionalProperties: true type: string application: type: object description: Details of the app from which the user is being imported properties: name: type: string description: The app name id: type: string description: The app ID label: type: string description: The user-defined display name for the app status: type: string description: The status of the app enum: - ACTIVE - INACTIVE job: type: object description: The details of the running import job properties: id: type: string description: The ID number of the import job type: type: string description: The type of import job matches: type: array description: The list of Okta users currently matched to the app user based on import matching. There can be more than one match. 
items: additionalProperties: true type: string policy: type: array description: The list of any policies that apply to the import matching items: additionalProperties: true type: string user: type: object description: |- Provides information on the Okta user profile currently set to be used for the user who is being imported, based on the matching rules and attribute mappings that were applied. properties: profile: description: |- The `data.user.profile` contains the name-value pairs of the attributes in the user profile. If the user has been matched to an existing Okta user, a `data.user.id` object is included, containing the unique identifier of the Okta user profile. You can change the values of the attributes by means of the `commands` object you return. type: object additionalProperties: type: string UserImportRequestExecute: description: User import inline hook request allOf: - $ref: '#/components/schemas/InlineHookBasePayload' - $ref: '#/components/schemas/UserImportRequest' UserImportResponse: type: object properties: commands: description: |- The `commands` object is where you can provide commands to Okta. It is an array that allows you to send multiple commands. Each array element needs to consist of a type-value pair. type: array items: type: object properties: type: description: |- The command types supported for the import inline hook. When using the `com.okta.action.update` command to specify that the user should be treated as a match, you need to also provide a `com.okta.user.update` command that sets the ID of the Okta user. 
type: string enum: - com.okta.appUser.profile.update - com.okta.user.profile.update - com.okta.action.update - com.okta.user.update x-enumDescriptions: com.okta.appUser.profile.update: Change values of attributes in the user's app user profile com.okta.user.profile.update: Change values of attributes in the user's Okta user profile com.okta.action.update: Specify whether to create a new Okta user for the user being imported or treat them as a match of an existing Okta user com.okta.user.update: Specify the existing Okta user that the imported user should be treated as a match of. value: description: |- The `value` object is the parameter to pass to the command. In the case of the `com.okta.appUser.profile.update` and `com.okta.user.profile.update` commands, the parameter should be a list of one or more profile attributes and the values you wish to set them to. In the case of the `com.okta.action.update` command, the parameter should be a `result` property set to either `CREATE_USER` or `LINK_USER`. type: object additionalProperties: type: string error: description: |- An object to return an error. Returning an error causes Okta to record a failure event in the Okta System Log. The string supplied in the `errorSummary` property is recorded in the System Log event. >**Note:** If a response to an import inline hook request is not received from your external service within three seconds, a timeout occurs. In this scenario, the Okta import process continues and the user is created. type: object properties: errorSummary: description: A human-readable summary of the error type: string UserLifecycleAttributePolicyRuleCondition: type: object properties: attributeName: type: string matchingValue: type: string UserLockoutSettings: type: object properties: preventBruteForceLockoutFromUnknownDevices: type: boolean description: Prevents brute-force lockout from unknown devices for the password authenticator. 
default: false UserNextLogin: type: string enum: - changePassword UserPolicyRuleCondition: description: Specifies a set of Users to be included or excluded type: object properties: exclude: type: array description: Users to be excluded items: type: string inactivity: $ref: '#/components/schemas/InactivityPolicyRuleCondition' include: type: array description: Users to be included items: type: string lifecycleExpiration: $ref: '#/components/schemas/LifecycleExpirationPolicyRuleCondition' passwordExpiration: $ref: '#/components/schemas/PasswordExpirationPolicyRuleCondition' userLifecycleAttribute: $ref: '#/components/schemas/UserLifecycleAttributePolicyRuleCondition' UserProfile: additionalProperties: true description: |- Specifies the default and custom profile properties for a user. The default user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://datatracker.ietf.org/doc/html/rfc7643). The only permitted customizations of the default profile are to update permissions, change whether the `firstName` and `lastName` properties are nullable, and specify a [pattern](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation) for `login`. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UISchema/#tag/UISchema) to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. 
Use [best-practices](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to prevent cross-site scripting. type: object properties: city: type: string description: The city or locality of the user's address (`locality`) maxLength: 128 nullable: true costCenter: type: string description: Name of the cost center assigned to a user nullable: true countryCode: description: The country name component of the user's address (`country`). For validation, see [ISO 3166-1 alpha 2 "short" code format](https://datatracker.ietf.org/doc/html/draft-ietf-scim-core-schema-22#ref-ISO3166). type: string maxLength: 2 nullable: true department: type: string description: Name of the user's department displayName: type: string description: Name of the user suitable for display to end users nullable: true division: type: string description: Name of the user's division nullable: true email: type: string description: The primary email address of the user. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). format: email minLength: 5 maxLength: 100 employeeNumber: description: The organization or company assigned unique identifier for the user type: string firstName: type: string description: Given name of the user (`givenName`) minLength: 1 maxLength: 50 nullable: true honorificPrefix: type: string description: Honorific prefix(es) of the user, or title in most Western languages nullable: true honorificSuffix: type: string description: Honorific suffix(es) of the user nullable: true lastName: type: string description: The family name of the user (`familyName`) minLength: 1 maxLength: 50 nullable: true locale: type: string description: |- The user's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. 
A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example, en_US specifies the language English and country US. This value is `en_US` by default. login: type: string description: |- The unique identifier for the user (`username`). For validation, see [Login pattern validation](https://developer.okta.com/docs/reference/api/schemas/#login-pattern-validation). Every user within your Okta org must have a unique identifier for a login. This constraint applies to all users you import from other systems or applications such as Active Directory. Your organization is the top-level namespace to mix and match logins from all your connected applications or directories. Careful consideration of naming conventions for your login identifier will make it easier to onboard new applications in the future. Logins are not considered unique if they differ only in case and/or diacritical marks. If one of your users has a login of Isaac.Brock@example.com, there cannot be another user whose login is isaac.brock@example.com, nor isáàc.bröck@example.com. Okta has a default ambiguous name resolution policy for usernames that include @-signs. (By default, usernames must be formatted as email addresses and thus always include @-signs. You can remove that restriction using either the Admin Console or the [Schemas API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Schema/).) Users can sign in with their non-qualified short name (for example: isaac.brock with username isaac.brock@example.com) as long as the short name is still unique within the organization. 
maxLength: 100 minLength: 5 manager: type: string description: The `displayName` of the user's manager nullable: true managerId: type: string description: The `id` of the user's manager nullable: true middleName: type: string description: The middle name of the user nullable: true mobilePhone: type: string description: The mobile phone number of the user maxLength: 100 minLength: 0 nullable: true nickName: type: string description: The casual way to address the user in real life nullable: true organization: type: string description: Name of the user's organization nullable: true postalAddress: type: string description: Mailing address component of the user's address maxLength: 4096 nullable: true preferredLanguage: type: string description: The user's preferred written or spoken language. For validation, see [RFC 7231 Section 5.3.5](https://datatracker.ietf.org/doc/html/rfc7231#section-5.3.5). nullable: true primaryPhone: type: string description: The primary phone number of the user such as a home number maxLength: 100 minLength: 0 nullable: true profileUrl: type: string description: The URL of the user's online profile. For example, a web page. See [URL](https://datatracker.ietf.org/doc/html/rfc1808). nullable: true secondEmail: type: string format: email description: The secondary email address of the user typically used for account recovery. For validation, see [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
minLength: 5 maxLength: 100 nullable: true state: type: string description: The state or region component of the user's address (`region`) maxLength: 128 nullable: true streetAddress: type: string description: The full street address component of the user's address maxLength: 1024 nullable: true timezone: type: string description: The user's time zone nullable: true title: type: string description: The user's title, such as Vice President nullable: true userType: type: string description: The property used to describe the organization-to-user relationship, such as employee or contractor nullable: true zipCode: type: string description: The ZIP code or postal code component of the user's address (`postalCode`) maxLength: 50 nullable: true UserProvisioningApplicationFeature: allOf: - $ref: '#/components/schemas/ApplicationFeature' - type: object - properties: capabilities: $ref: '#/components/schemas/CapabilitiesObject' UserRequestSchema: type: object properties: externalId: type: string description: The external ID of the user in the identity source maxLength: 512 profile: $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert' UserResourceHrefObject: type: object properties: href: type: string description: Link URI example: https://{yourOktaDomain}/api/v1/users/00u5t60iloOHN9pBi0h7 title: type: string description: Link name example: SAML Jackson UserResponseSchema: type: object properties: created: type: string description: The timestamp when the user was created in the identity source format: date-time readOnly: true externalId: type: string description: The external ID of the user in the identity source readOnly: true maxLength: 255 id: type: string description: The ID of the user in the identity source readOnly: true lastUpdated: type: string description: The timestamp when the user was last updated in the identity source format: date-time readOnly: true profile: $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert' UserRiskGetResponse: type: 
object properties: riskLevel: $ref: '#/components/schemas/UserRiskLevelAll' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksUserRef' discriminator: propertyName: riskLevel mapping: HIGH: '#/components/schemas/UserRiskLevelExists' MEDIUM: '#/components/schemas/UserRiskLevelExists' LOW: '#/components/schemas/UserRiskLevelExists' NONE: '#/components/schemas/UserRiskLevelNone' UserRiskLevelAll: description: The risk level associated with the user type: string enum: - HIGH - LOW - MEDIUM - NONE UserRiskLevelExists: allOf: - $ref: '#/components/schemas/UserRiskGetResponse' - type: object properties: reason: $ref: '#/components/schemas/UserRiskReason' UserRiskLevelNone: allOf: - $ref: '#/components/schemas/UserRiskGetResponse' UserRiskLevelPut: description: The risk level associated with the user type: string enum: - HIGH - LOW UserRiskPutResponse: type: object properties: reason: $ref: '#/components/schemas/UserRiskReason' riskLevel: $ref: '#/components/schemas/UserRiskLevelPut' _links: allOf: - $ref: '#/components/schemas/LinksSelf' - $ref: '#/components/schemas/LinksUserRef' UserRiskReason: description: Describes the risk level for the user example: Admin override risk type: string UserRiskRequest: type: object properties: riskLevel: type: string description: The risk level associated with the user enum: - HIGH - LOW UserSchema: type: object properties: $schema: type: string readOnly: true description: JSON schema version identifier created: type: string readOnly: true description: Timestamp when the schema was created definitions: allOf: - $ref: '#/components/schemas/UserSchemaDefinitions' description: |- User profile subschemas The profile object for a user is defined by a composite schema of base and custom properties using a JSON path to reference subschemas. The `#base` properties are defined and versioned by Okta, while `#custom` properties are extensible. 
Custom property names for the profile object must be unique and can't conflict with a property name defined in the `#base` subschema. id: type: string readOnly: true description: URI of user schema lastUpdated: type: string readOnly: true description: Timestamp when the schema was last updated name: type: string readOnly: true description: Name of the schema properties: allOf: - $ref: '#/components/schemas/UserSchemaProperties' description: User Object Properties title: type: string description: User-defined display name for the schema type: type: string readOnly: true description: Type of [root schema](https://tools.ietf.org/html/draft-zyp-json-schema-04#section-3.4) _links: $ref: '#/components/schemas/LinksSelf' UserSchemaAttribute: type: object properties: default: oneOf: - type: string - type: boolean - type: integer - type: array - type: object - type: number description: If specified, assigns the value as the default value for the custom attribute. This is a nullable property. If you don't specify a value for this custom attribute during user creation or update, the `default` is used instead of setting the value to `null` or empty. description: type: string description: Description of the property enum: type: array nullable: true description: |- Enumerated value of the property. The value of the property is limited to one of the values specified in the enum definition. The list of values for the enum must consist of unique elements. items: anyOf: - type: string - type: integer externalName: type: string description: |- Name of the property as it exists in an external application **NOTE**: When you add a custom property, only Identity Provider app user schemas require `externalName` to be included in the request body. If an existing custom Identity Provider app user schema property has an empty `externalName`, requests aren't allowed to update other properties until the `externalName` is defined. 
externalNamespace: type: string description: Namespace from the external application format: description: Identifies the type of data represented by the string allOf: - $ref: '#/components/schemas/UserSchemaAttributeFormat' master: allOf: - $ref: '#/components/schemas/UserSchemaAttributeMaster' description: Identifies where the property is mastered maxLength: type: integer description: Maximum character length of a string property nullable: true minLength: type: integer description: Minimum character length of a string property nullable: true mutability: allOf: - $ref: '#/components/schemas/UserSchemaAttributeMutabilityString' description: Defines the mutability of the property oneOf: type: array nullable: true description: |- Non-empty array of valid JSON schemas. The `oneOf` key is only supported in conjunction with `enum` and provides a mechanism to return a display name for the `enum` value.<br> Each schema has the following format: ``` { "const": "enumValue", "title": "display name" } ``` When `enum` is used in conjunction with `oneOf`, you must keep the set of enumerated values and their order.<br> For example: ``` "enum": ["S","M","L","XL"], "oneOf": [ {"const": "S", "title": "Small"}, {"const": "M", "title": "Medium"}, {"const": "L", "title": "Large"}, {"const": "XL", "title": "Extra Large"} ] ``` items: $ref: '#/components/schemas/UserSchemaAttributeEnum' pattern: type: string description: For `string` property types, specifies the regular expression used to validate the property permissions: type: array nullable: true description: Access control permissions for the property items: $ref: '#/components/schemas/UserSchemaAttributePermission' required: type: boolean nullable: true description: Determines whether the property is required scope: $ref: '#/components/schemas/UserSchemaAttributeScope' title: type: string minLength: 1 description: User-defined display name for the property type: description: Type of property allOf: - $ref: 
'#/components/schemas/UserSchemaAttributeType' unique: description: Determines whether property values must be unique type: string nullable: true x-okta-allow-null-property-value-for-updates: true UserSchemaAttributeEnum: type: object properties: const: type: string description: The enumerated value title: type: string description: The display label for the enumerated value UserSchemaAttributeFormat: type: string enum: - country-code - date-time - email - encrypted - hashed - language-code - locale - ref-id - timezone - uri UserSchemaAttributeItems: type: object properties: enum: type: array items: type: string oneOf: type: array items: $ref: '#/components/schemas/UserSchemaAttributeEnum' type: type: string UserSchemaAttributeMaster: nullable: true type: object properties: priority: type: array items: $ref: '#/components/schemas/UserSchemaAttributeMasterPriority' type: $ref: '#/components/schemas/UserSchemaAttributeMasterType' UserSchemaAttributeMasterPriority: type: object properties: type: type: string value: type: string UserSchemaAttributeMasterType: type: string enum: - OKTA - OVERRIDE - PROFILE_MASTER UserSchemaAttributeMutabilityString: type: string enum: - IMMUTABLE - READ_ONLY - READ_WRITE - WRITE_ONLY UserSchemaAttributePermission: type: object properties: action: type: string description: Determines whether the principal can view or modify the property principal: type: string description: Security principal UserSchemaAttributeScope: type: string enum: - NONE - SELF UserSchemaAttributeType: type: string enum: - array - boolean - integer - number - string UserSchemaBase: description: |- All Okta-defined profile properties are defined in a profile subschema with the resolution scope `#base`. You can't modify these properties, except to update permissions, to change the nullability of `firstName` and `lastName`, or to specify a pattern for `login`. They can't be removed. 
The base user profile is based on the [System for Cross-domain Identity Management: Core Schema](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#section-4.1.1) and has the standard properties detailed below. type: object properties: id: type: string description: The subschema name readOnly: true properties: description: The `#base` object properties allOf: - $ref: '#/components/schemas/UserSchemaBaseProperties' required: type: array description: A collection indicating required property names readOnly: true items: type: string type: type: string description: The object type readOnly: true UserSchemaBaseProperties: type: object properties: city: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: City or locality component of the user's address (`locality`) costCenter: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Name of a cost center assigned to the user countryCode: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Country name component of the user's address (`country`.) This property uses [ISO 3166-1 alpha 2 "short" code format](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). department: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Name of the user's department displayName: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Name of the user, suitable for display to end users division: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Name of the user's division email: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Primary email address of the user. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). 
employeeNumber: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Organization or company assigned unique identifier for the user firstName: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Given name of the user (`givenName`) honorificPrefix: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Honorific prefix(es) of the user or title in most Western languages honorificSuffix: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Honorific suffix(es) of the user lastName: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Family name of the user (`familyName`) locale: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: |- User's default location for purposes of localizing items such as currency, date time format, numerical representations, and so on. A locale value is a concatenation of the ISO 639-1 two-letter language code, an underscore, and the ISO 3166-1 two-letter country code. For example: `en_US` specifies the language English and country US. This value is `en_US` by default. login: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: |- Unique identifier for the user (`userName`) The login property is validated according to its pattern attribute, which is a string. By default, the attribute is null. When the attribute is null, the username is required to be formatted as an email address as defined by [RFC 6531 Section 3.3](http://tools.ietf.org/html/rfc6531#section-3.3). The pattern can be set through the API to one of the following forms. (The Admin Console provides access to the same forms.) * A login pattern of `".+"` indicates that there is no restriction on usernames. Any non-empty, unique value is permitted, and the minimum length of five isn't enforced. In this case, usernames don't need to include the `@` character. 
If a name does include `@`, the portion ahead of the `@` can be used for logging in, provided it identifies a unique user within the org. * A login pattern of the form `"[...]+"` indicates that usernames must only contain characters from the set given between the brackets. The enclosing brackets and final `+` are required for this form. Character ranges can be indicated using hyphens. To include the hyphen itself in the allowed set, the hyphen must appear first. Any characters in the set except the hyphen, a-z, A-Z, and 0-9 must be preceded by a backslash (`\`). For example, `"[a-z13579\.]+"` would restrict usernames to lowercase letters, odd digits, and periods, while `"[-a-zA-Z0-9]+"` would allow basic alphanumeric characters and hyphens. manager: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: The `displayName` of the user's manager managerId: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: The `id` of the user's manager middleName: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Middle name(s) of the user mobilePhone: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Mobile phone number of the user nickName: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Casual way to address the user in real life organization: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Name of the user's organization postalAddress: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Mailing address component of the user's address preferredLanguage: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: User's preferred written or spoken languages. This property is formatted according to [RFC 7231 Section 5.3.5](https://tools.ietf.org/html/rfc7231#section-5.3.5). 
primaryPhone: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Primary phone number of the user, such as home number profileUrl: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: URL of the user's online profile (for example, a web page). This property is formatted according to the [Relative Uniform Resource Locators specification](https://tools.ietf.org/html/draft-ietf-scim-core-schema-22#ref-ISO3166). secondEmail: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Secondary email address of the user typically used for account recovery. This property is formatted according to [RFC 5322 Section 3.2.3](https://datatracker.ietf.org/doc/html/rfc5322#section-3.2.3). state: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: State or region component of the user's address (`region`) streetAddress: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: Full street address component of the user's address timezone: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: User's time zone. This property is formatted according to the [IANA Time Zone database format](https://tools.ietf.org/html/rfc6557). title: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: User's title, such as "Vice President" userType: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: |- Used to describe the organization-to-user relationship, such as "Employee" or "Contractor". **Note:** The `userType` field is an arbitrary string value and isn't related to the newer [User Types](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserType/) feature. 
zipCode: allOf: - $ref: '#/components/schemas/UserSchemaAttribute' description: ZIP code or postal code component of the user's address (`postalCode`) UserSchemaDefinitions: type: object properties: base: $ref: '#/components/schemas/UserSchemaBase' custom: $ref: '#/components/schemas/UserSchemaPublic' UserSchemaProperties: type: object properties: profile: $ref: '#/components/schemas/UserSchemaPropertiesProfile' UserSchemaPropertiesProfile: type: object properties: allOf: type: array items: $ref: '#/components/schemas/UserSchemaPropertiesProfileItem' UserSchemaPropertiesProfileItem: type: object properties: $ref: type: string UserSchemaPublic: description: |- All custom profile properties are defined in a profile subschema with the resolution scope `#custom`. > **Notes:** > * When you refer to custom profile attributes that differ only by case, name collisions occur. This includes naming custom profile attributes the same as base profile attributes, for example, `firstName` and `FirstName`. > * Certain attributes are reserved and can't be used for custom user profiles. See [Review reserved attributes](https://help.okta.com/okta_help.htm?type=oie&id=reserved-attributes). type: object properties: id: type: string description: The subschema name readOnly: true properties: type: object description: The `#custom` object properties additionalProperties: $ref: '#/components/schemas/UserSchemaAttribute' required: type: array description: A collection indicating required property names readOnly: true items: type: string type: type: string description: The object type readOnly: true UserStatus: description: |- The current status of the user. The status of a user changes in response to explicit events, such as admin-driven lifecycle changes, user login, or self-service password recovery. Okta doesn't asynchronously sweep through users and update their password expiry state, for example. 
Instead, Okta evaluates password policy at login time, notices the password has expired, and moves the user to the expired state. When running reports, remember that the data is valid as of the last login or lifecycle event for that user. type: string enum: - ACTIVE - DEPROVISIONED - LOCKED_OUT - PASSWORD_EXPIRED - PROVISIONED - RECOVERY - STAGED - SUSPENDED readOnly: true UserStatusPolicyRuleCondition: type: object properties: value: $ref: '#/components/schemas/PolicyUserStatus' UserType: type: object properties: created: type: string format: date-time description: A timestamp from when the user type was created readOnly: true createdBy: type: string description: The user ID of the account that created the user type readOnly: true default: type: boolean description: A boolean value to indicate if this is the default user type readOnly: true description: type: string description: The human-readable description of the user type displayName: type: string description: The human-readable name of the user type id: type: string description: The unique key for the user type readOnly: true lastUpdated: type: string format: date-time description: A timestamp from when the user type was most recently updated readOnly: true lastUpdatedBy: type: string description: The user ID of the most recent account to edit the user type readOnly: true name: type: string description: The name of the user type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. This value becomes read-only after creation and can't be updated. 
_links: $ref: '#/components/schemas/UserTypeLinks' required: - name - displayName UserTypeCondition: description: <x-lifecycle class="oie"></x-lifecycle> Specifies which user types to include and/or exclude properties: exclude: items: type: string type: array description: The user types to exclude include: items: type: string type: array description: The user types to include required: - exclude - include UserTypeLinks: allOf: - $ref: '#/components/schemas/LinksSelf' - type: object properties: schema: allOf: - $ref: '#/components/schemas/HrefObject' - description: The associated schema UserTypePostRequest: type: object properties: description: type: string description: The updated human-readable description of the user type displayName: type: string description: The updated human-readable display name for the user type UserTypePutRequest: type: object properties: description: type: string description: The human-readable description of the user type displayName: type: string description: The human-readable name of the user type name: type: string description: The name of the existing type required: - name - displayName - description UserVerificationEnum: description: User verification setting. 
Possible values: `DISCOURAGED` (the authenticator isn't asked to perform user verification, but may do so at its discretion), `PREFERRED` (the client uses an authenticator capable of user verification if possible), or `REQUIRED` (the client uses only an authenticator capable of user verification) type: string enum: - DISCOURAGED - PREFERRED - REQUIRED UsersLink: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the [Application Users](/openapi/okta-management/management/tag/ApplicationUsers/#tag/ApplicationUsers/operation/listApplicationUsers) resource UsersUpdateRequestSchema: type: object properties: profile: $ref: '#/components/schemas/IdentitySourceUserProfileForUpsert' ValidationDetail: description: Validation detail type: object properties: id: type: string description: Action identifier example: okta:action1 provider: $ref: '#/components/schemas/WorkflowsValidationDetailProvider' required: - id - provider ValidationDetailProvider: description: Action provider validation details type: object properties: externalId: type: string description: The unique identifier of the action flow in the provider system type: $ref: '#/components/schemas/ActionProviderPayloadType' required: - type - externalId discriminator: propertyName: type mapping: WORKFLOWS: '#/components/schemas/WorkflowsValidationDetailProvider' VaultedSecretOrn: description: The [ORN](https://developer.okta.com/docs/api/openapi/okta-management/guides/roles/#okta-resource-name-orn) of the vaulted secret type: string VerificationMethod: description: The method used to verify a user type: object properties: type: $ref: '#/components/schemas/PolicyRuleVerificationMethodType' discriminator: propertyName: type mapping: ASSURANCE: '#/components/schemas/AssuranceMethod' AUTH_METHOD_CHAIN: '#/components/schemas/AuthenticationMethodChainMethod' ID_PROOFING: '#/components/schemas/IdProofingMethod' Version: description: The version specified as a [Semantic Version](https://semver.org/). 
This value can be a wildcard (`*`), a major version range (for example, `^2`), a major-only version (for example, `7`), or a specific `Major.Minor` version (for example, `5.15`). type: string pattern: ^(?:\*|\^?\d+(?:\.\d+){0,2})$ WebAuthnAttachmentEnum: description: Method attachment type: string enum: - ANY - BUILT_IN - ROAMING WebAuthnCredRequest: description: Credential request object for the initialized credential, along with the enrollment and key identifiers to associate with the credential type: object properties: authenticatorEnrollmentId: description: ID for a WebAuthn preregistration factor in Okta type: string credRequestJwe: description: Encrypted JWE of credential request for the fulfillment provider type: string keyId: description: ID for the Okta response key-pair used to encrypt and decrypt credential requests and responses type: string WebAuthnCredResponse: description: Credential response object for enrolled credential details, along with enrollment and key identifiers to associate the credential type: object properties: authenticatorEnrollmentId: description: ID for a WebAuthn preregistration factor in Okta type: string credResponseJwe: description: Encrypted JSON Web Encryption (JWE) of the credential response from the fulfillment provider type: string WebAuthnPreregistrationFactor: description: User factor variant used for WebAuthn preregistration factors type: object properties: created: description: Timestamp indicating when the factor was enrolled type: string format: date-time readOnly: true factorType: $ref: '#/components/schemas/UserFactorType' id: description: ID of the factor type: string readOnly: true lastUpdated: description: Timestamp indicating when the factor was last updated type: string format: date-time readOnly: true profile: type: object description: Specific attributes related to the factor provider: $ref: '#/components/schemas/UserFactorProvider' status: $ref: '#/components/schemas/UserFactorStatus' vendorName: 
description: Name of the factor vendor. This is usually the same as the provider. type: string example: OKTA readOnly: true _links: $ref: '#/components/schemas/LinksSelf' WebAuthnRpId: description: The [RP ID](https://www.w3.org/TR/webauthn/#relying-party-identifier) object for WebAuthn configuration x-okta-lifecycle: lifecycle: GA isGenerallyAvailable: false SKUs: [] type: object properties: domain: $ref: '#/components/schemas/WebAuthnRpIdDomain' enabled: type: boolean description: Indicates whether the RP ID is active and is used for WebAuthn operations. It can only be set to `true` once the `validationStatus` of the `domain` object is `VERIFIED`. `enabled` can only be `true` for this same `domain`. Its value must be `false` to be able to configure the `domain`. default: false WebAuthnRpIdDomain: description: The RP domain object for the WebAuthn configuration type: object properties: dnsRecord: allOf: - readOnly: true - $ref: '#/components/schemas/DNSRecordAuthenticators' name: type: string description: |- The [RP ID](https://www.w3.org/TR/webauthn/#relying-party-identifier) domain value to be used for all WebAuthn operations. If it isn't specified, the `domain` object isn't included in the request, and the domain value defaults to the domain of the current page (the domain of your org or a custom domain, for example). > **Note:** If you don't use a custom RP ID (the default behavior), the domain value defaults to the end user's current page. The domain value defaults to the full domain name of the page that the end user is on when they're attempting the WebAuthn credential operation (enrollment or verification). example: mycustomdomain.com validationStatus: type: string readOnly: true enum: - NOT_STARTED - IN_PROGRESS - VERIFIED - ERROR x-enumDescriptions: NOT_STARTED: The domain hasn't been verified yet. When configuring a registrable domain name of an existing brand custom domain, the `validationStatus` is initially returned as `NOT_STARTED`. 
This indicates that verification is required. IN_PROGRESS: The verification process is ongoing. This is a transient state that occurs only when the domain name is actively being checked by the server. VERIFIED: The domain has been successfully verified. When configuring the domain name to the default Okta org domain or the fully qualified domain name of an existing custom brand domain, the `validationStatus` is immediately returned as `VERIFIED`. No additional verification is required. ERROR: There was an error during the verification process. This isn't a terminal state and can be resolved by correcting the DNS record and retrying the verification. description: Indicates the validation status of the domain WellKnownAppAuthenticatorConfiguration: type: object properties: appAuthenticatorEnrollEndpoint: type: string description: The authenticator enrollment endpoint authenticatorId: type: string description: The unique identifier of the app authenticator createdDate: type: string description: Timestamp when the authenticator was created format: date-time key: $ref: '#/components/schemas/AuthenticatorKeyEnum' lastUpdated: type: string description: Timestamp when the authenticator was last modified format: date-time name: type: string description: The authenticator display name orgId: type: string description: The `id` of the Okta Org settings: type: object properties: userVerification: $ref: '#/components/schemas/CustomAppUserVerificationEnum' supportedMethods: type: array items: $ref: '#/components/schemas/SupportedMethods' type: type: string description: The type of authenticator enum: - app WellKnownOrgMetadata: type: object properties: id: type: string description: Org unique identifier pipeline: $ref: '#/components/schemas/PipelineType' _links: type: object description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for this object using the [JSON Hypertext Application 
Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification readOnly: true properties: alternate: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the custom domain org URL organization: allOf: - $ref: '#/components/schemas/HrefObject' - description: Link to the org URL WellKnownSSFMetadata: title: Shared Signals Framework Metadata description: Metadata about Okta as a transmitter and relevant information for configuration. type: object properties: authorization_schemes: type: array description: An array of JSON objects that specify the authorization scheme properties supported by the transmitter items: $ref: '#/components/schemas/WellKnownSSFMetadataSpecUrn' configuration_endpoint: type: string format: uri description: The URL of the SSF Stream configuration endpoint example: https://{yourOktaDomain}/api/v1/ssf/stream default_subjects: type: string description: A string that indicates the default behavior of newly created streams enum: - ALL - NONE x-enumDescriptions: ALL: Indicates that any subjects that are appropriate for the stream are added to the stream by default. NONE: Indicates that no subjects are added by default delivery_methods_supported: type: array items: type: string format: uri description: An array of supported SET delivery methods example: - https://schemas.openid.net/secevent/risc/delivery-method/push - urn:ietf:rfc:8935 issuer: type: string description: The issuer used in Security Event Tokens. This value is set as `iss` in the claim. 
example: https://{yourOktaDomain} jwks_uri: type: string description: The URL of the JSON Web Key Set (JWKS) that contains the signing keys for validating the signatures of Security Event Tokens (SETs) format: uri example: https://{yourOktaDomain}/oauth2/v1/keys spec_version: type: string description: The version identifying the implementer's draft or final specification implemented by the transmitter example: 1_0-ID3 verification_endpoint: type: string format: uri description: The URL of the SSF Stream verification endpoint example: https://{yourOktaDomain}/api/v1/ssf/stream/verification WellKnownSSFMetadataSpecUrn: type: object properties: spec_urn: type: string format: uri description: The URN that describes the specification of the protocol being used example: urn:ietf:rfc:6749 WellKnownURIArrayResponse: type: object properties: representation: type: array description: The well-known URI content in a JSON array of objects format _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: self: $ref: '#/components/schemas/HrefObject' WellKnownURIObjectResponse: type: object properties: representation: type: object description: The well-known URI content in JSON format _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: self: $ref: '#/components/schemas/HrefObject' WellKnownURIRequest: type: object properties: representation: type: object description: The well-known URI content in JSON object format required: - representation WellKnownURIsRoot: type: object properties: _embedded: type: object properties: apple-app-site-association: type: object description: Contains the customized well-known URI content and links properties: customized: $ref: '#/components/schemas/WellKnownURIObjectResponse' assetlinks.json: type: object description: Contains the customized well-known URI content and links properties: customized: $ref: '#/components/schemas/WellKnownURIArrayResponse' webauthn: type: object description: Contains the customized 
well-known URI content and links properties: customized: $ref: '#/components/schemas/WellKnownURIObjectResponse' readOnly: true _links: allOf: - $ref: '#/components/schemas/LinksSelf' - properties: apple-app-site-association: $ref: '#/components/schemas/HrefObject' assetlinks.json: $ref: '#/components/schemas/HrefObject' webauthn: $ref: '#/components/schemas/HrefObject' WidgetGeneration: description: The generation of the Sign-in Widget type: string enum: - G2 - G3 WorkflowActionProvider: allOf: - $ref: '#/components/schemas/ActionProvider' WorkflowAvailableActionProvider: allOf: - $ref: '#/components/schemas/AvailableActionProvider' WorkflowsValidationDetailProvider: allOf: - $ref: '#/components/schemas/ValidationDetailProvider' properties: result: $ref: '#/components/schemas/WorkflowsValidationErrorType' required: - result WorkflowsValidationErrorType: description: Validation error type type: string enum: - DUPLICATE_FLOW_NAME - INVALID_CHAR_IN_AUTH_PARAM_LABEL - INVALID_DEPENDENT_OPTIONS - INVALID_DYNAMIC_INPUT_FLOW - INVALID_DYNAMIC_OUTPUT_FLOW - INVALID_EVENT_CARD - INVALID_FLOW_NAME - INVALID_FLOW_REFERENCE - MISSING_FIELDS - NO_CHILD_FLOW_FOR_AUTH_PARAM_LABEL - PROHIBITED_CHAR_IN_OPTION_LABEL WsFederationApplication: x-okta-defined-as: name: template_wsfed allOf: - $ref: '#/components/schemas/Application' - type: object properties: credentials: $ref: '#/components/schemas/ApplicationCredentials' name: type: string description: '`template_wsfed` is the key name for a WS-Federated app instance with a SAML 2.0 token' enum: - template_wsfed settings: $ref: '#/components/schemas/WsFederationApplicationSettings' required: - name - settings WsFederationApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object properties: app: $ref: '#/components/schemas/WsFederationApplicationSettingsApplication' WsFederationApplicationSettingsApplication: type: object properties: attributeStatements: type: string description: You can federate 
user attributes such as Okta profile fields, LDAP, Active Directory, and Workday values. The SP uses the federated WS-Fed attribute values accordingly. audienceRestriction: type: string description: The entity ID of the SP. Use the entity ID value exactly as provided by the SP. authnContextClassRef: type: string description: Identifies the SAML authentication context class for the assertion's authentication statement groupFilter: type: string description: A regular expression that filters for the User Groups you want included with the `groupName` attribute. If the matching User Group has a corresponding AD group, then the attribute statement includes the value of the attribute specified by `groupValueFormat`. If the matching User Group doesn't contain a corresponding AD group, then the `groupName` is used in the attribute statement. groupName: type: string description: The group name to include in the WS-Fed response attribute statement. This property is used in conjunction with the `groupFilter` property. Groups that are filtered through the `groupFilter` expression are included with the `groupName` in the attribute statement. Any users that belong to the group you've filtered are included in the WS-Fed response attribute statement. groupValueFormat: type: string description: Specifies the WS-Fed assertion attribute value for filtered groups. This attribute is only applied to Active Directory groups. enum: - windowsDomainQualifiedName - samAccountName - dn nameIDFormat: type: string description: The username format that you send in the WS-Fed response realm: type: string description: The uniform resource identifier (URI) of the WS-Fed app that's used to share resources securely within a domain. It's the identity that's sent to the Okta IdP when signing in. See [Realm name](https://help.okta.com/okta_help.htm?type=oie&id=ext_Apps_Configure_Okta_Template_WS_Federation#Realm). 
siteURL: type: string description: Launch URL for the web app usernameAttribute: type: string description: Specifies additional username attribute statements to include in the WS-Fed assertion enum: - username - upn - upnAndUsername - none wReplyOverride: type: boolean description: Enables a web app to override the `wReplyURL` URL with a reply parameter. wReplyURL: type: string description: The WS-Fed SP endpoint where your users sign in example: http://test.acme.com/example-post-sign/ required: - audienceRestriction - groupValueFormat - wReplyURL - nameIDFormat - authnContextClassRef - siteURL - usernameAttribute X5c: description: Base64-encoded X.509 certificate chain with DER encoding items: type: string example: MIIDnjCCAoagAwIBAgIGAVG3MN+PMA0GCSqGSIb3DQEBBQUAMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxEDAOBgNVBAMMB2V4YW1wbGUxHDAaBgkqhkiG9w0BCQEWDWluZm9Ab2t0YS5jb20wHhcNMTUxMjE4MjIyMjMyWhcNMjUxMjE4MjIyMzMyWjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRAwDgYDVQQDDAdleGFtcGxlMRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcnyvuVCrsFEKCwHDenS3Ocjed8eWDv3zLtD2K/iZfE8BMj2wpTfn6Ry8zCYey3mWlKdxIybnV9amrujGRnE0ab6Q16v9D6RlFQLOG6dwqoRKuZy33Uyg8PGdEudZjGbWuKCqqXEp+UKALJHV+k4wWeVH8g5d1n3KyR2TVajVJpCrPhLFmq1Il4G/IUnPe4MvjXqB6CpKkog1+ThWsItPRJPAM+RweFHXq7KfChXsYE7Mmfuly8sDQlvBmQyxZnFHVuiPfCvGHJjpvHy11YlHdOjfgqHRvZbmo30+y0X/oY/yV4YEJ00LL6eJWU4wi7ViY3HP6/VCdRjHoRdr5L/DwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCzzhOFkvyYLNFj2WDcq1YqD4sBy1iCia9QpRH3rjQvMKDwQDYWbi6EdOX0TQ/IYR7UWGj+2pXd6v0t33lYtoKocp/4lUvT3tfBnWZ5KnObi+J2uY2teUqoYkASN7F+GRPVOuMVoVgm05ss8tuMb2dLc9vsx93sDt+XlMTv/2qi5VPwaDtqduKkzwW9lUfn4xIMkTiVvCpe0X2HneD2Bpuao3/U8Rk0uiPfq6TooWaoW3kjsmErhEAs9bA7xuqo1KKY9CdHcFhkSsMhoeaZylZHtzbnoipUlQKSLMdJQiiYZQ0bYL83/Ta9fulr1EERICMFt3GUmtYaZZKHpWSfdJp9 type: array ZoomUsApplication: 
title: Zoom x-tags: - Application x-okta-defined-as: name: zoomus example: name: zoomus label: Sample Zoom App signOnMode: SAML_2_0 settings: app: subDomain: my-zoom-subdomain description: | Schema for the Zoom app (key name: `zoomus`) To create a Zoom app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. > **Note:** The Zoom app only supports `SAML_2_0` sign-on mode. allOf: - $ref: '#/components/schemas/OINApplication' - type: object - required: - name - label - settings properties: name: type: string enum: - zoomus example: zoomus signOnMode: type: string enum: - SAML_2_0 settings: $ref: '#/components/schemas/ZoomUsApplicationSettings' ZoomUsApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object - required: - app properties: app: $ref: '#/components/schemas/ZoomUsApplicationSettingsApplication' signOn: $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' ZoomUsApplicationSettingsApplication: description: Zoom app instance properties type: object properties: subDomain: type: string description: Your Zoom subdomain required: - subDomain ZscalerbyzApplication: title: Zscaler 2.0 x-tags: - Application x-okta-defined-as: name: zscalerbyz example: name: zscalerbyz label: Sample Zscaler 2.0 App signOnMode: SAML_2_0 description: | Schema for the Zscaler 2.0 app (key name: `zscalerbyz`) To create a Zscaler 2.0 app, use the [Create an Application](/openapi/okta-management/management/tag/Application/#tag/Application/operation/createApplication) request with the following parameters in the request body. > **Note:** The Zscaler 2.0 app only supports `BROWSER_PLUGIN` and `SAML_2_0` sign-on modes. 
allOf: - $ref: '#/components/schemas/OINApplication' - type: object - required: - name - label - settings properties: name: type: string enum: - zscalerbyz example: zscalerbyz signOnMode: type: string enum: - BROWSER_PLUGIN - SAML_2_0 settings: $ref: '#/components/schemas/ZscalerbyzApplicationSettings' ZscalerbyzApplicationSettings: allOf: - $ref: '#/components/schemas/ApplicationSettings' - type: object - required: - app properties: app: $ref: '#/components/schemas/ZscalerbyzApplicationSettingsApplication' signOn: $ref: '#/components/schemas/OINSaml20ApplicationSettingsSignOn' ZscalerbyzApplicationSettingsApplication: description: Zscaler app instance properties type: object properties: siteDomain: type: string description: Your Zscaler domain _embedded: description: The Public Key Details are defined in the `_embedded` property of the Key object. type: object properties: alg: description: Algorithm used in the key type: string nullable: false readOnly: true e: description: RSA key value (exponent) for key binding type: string nullable: false readOnly: true kid: description: Unique identifier for the certificate type: string uniqueItems: true nullable: false readOnly: true kty: description: Cryptographic algorithm family for the certificate's keypair type: string nullable: false readOnly: true 'n': description: RSA key value (modulus) for key binding type: string nullable: false readOnly: true use: description: Acceptable use of the certificate type: string nullable: true readOnly: true createdProperty: description: Timestamp when the object was created format: date-time example: '2017-03-28T01:11:10.000Z' type: string readOnly: true enabledPagesType: title: enabledPages type: string enum: - SIGN_IN - SSPR - SSR x-enumDescriptions: SIGN_IN: User sign-in page SSPR: Self-service Password Recovery page SSR: Self-service Registration page entitlementTypes: description: List of supported entitlement types items: type: object properties: name: type: string description: 
              The entitlement type name
          description:
            type: string
            description: Description of the entitlement type
          endpoint:
            type: string
            description: URL of the entitlement type endpoint
          attributes:
            type: object
            description: Attributes for the entitlement type
            properties:
              required:
                type: boolean
                description: A boolean value to indicate if this entitlement type is required for the user
                default: false
              multivalued:
                type: boolean
                description: A boolean value to indicate if a user can have multiple entitlements of this type
                default: false
          mappings:
            type: object
            description: The property mapping between an Okta entitlement and an app entitlement
            properties:
              id:
                type: string
                description: The field that maps to the entitlement ID
              displayName:
                type: string
                description: The field that maps to the entitlement display name
              description:
                type: string
                description: The field that maps to entitlement description
            required:
              - id
              - displayName
        required:
          - name
          - endpoint
          - attributes
          - mappings
      type: array
    lastUpdatedProperty:
      format: date-time
      description: Timestamp when the object was last updated
      type: string
      readOnly: true
    orgBillingContactType:
      description: Org billing contact
      type: object
      properties:
        contactType:
          $ref: '#/components/schemas/OrgContactType'
        _links:
          type: object
          description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org billing contact type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
          readOnly: true
          properties:
            billing:
              allOf:
                - $ref: '#/components/schemas/HrefObject'
                - description: Link to the org billing [contact type user](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource
    orgGeneralSettingLinks:
      description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
      type: object
      properties:
        contacts:
          allOf:
            - $ref: '#/components/schemas/HrefObject'
            - description: Link to the [Org Contacts](/openapi/okta-management/management/tag/OrgSettingContact/) resource
        logo:
          allOf:
            - $ref: '#/components/schemas/HrefObject'
            - description: Link to the org logo
        oktaCommunication:
          allOf:
            - $ref: '#/components/schemas/HrefObject'
            - description: Link to the [Org Communication Settings](/openapi/okta-management/management/tag/OrgSettingCommunication/) resource
        oktaSupport:
          allOf:
            - $ref: '#/components/schemas/HrefObject'
            - description: Link to the [Org Support Settings](/openapi/okta-management/management/tag/OrgSettingSupport/) resource
        preferences:
          allOf:
            - $ref: '#/components/schemas/HrefObject'
            - description: Link to the [Org Preferences](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/getOrgPreferences) resource
        uploadLogo:
          allOf:
            - $ref: '#/components/schemas/HrefObject'
            - description: Link to the [Upload Org Logo](/openapi/okta-management/management/tag/OrgSettingCustomization/#tag/OrgSettingCustomization/operation/uploadOrgLogo) resource
      readOnly: true
    orgTechnicalContactType:
      description: Org technical contact
      type: object
      properties:
        contactType:
          $ref: '#/components/schemas/OrgContactType'
        _links:
          type: object
          description: Specifies link relations (see [Web Linking](https://www.rfc-editor.org/rfc/rfc8288)) available for the org technical Contact Type object using the [JSON Hypertext Application Language](https://datatracker.ietf.org/doc/html/draft-kelly-json-hal-06) specification
          readOnly: true
          properties:
            technical:
              allOf:
                - $ref: '#/components/schemas/HrefObject'
                - description: Link to the org technical [Contact Type User](/openapi/okta-management/management/tag/OrgSettingContact/#tag/OrgSettingContact/operation/getOrgContactUser) resource
    postAPIServiceIntegrationInstance:
      allOf:
        - $ref: '#/components/schemas/APIServiceIntegrationInstance'
        - type: object
          properties:
            clientSecret:
              type: string
              description: The client secret for the API Service Integration instance. This property is only returned in a POST response.
              readOnly: true
    postAPIServiceIntegrationInstanceRequest:
      type: object
      properties:
        grantedScopes:
          type: array
          description: The list of Okta management scopes granted to the API Service Integration instance. See [Okta management OAuth 2.0 scopes](/oauth2/#okta-admin-management).
          items:
            type: string
          example:
            - okta.logs.read
        properties:
          $ref: '#/components/schemas/AppProperties'
        type:
          type: string
          description: The type of the API service integration. This string is an underscore-concatenated, lowercased API service integration name. For example, `my_api_log_integration`.
          example: my_app_cie
      required:
        - type
        - grantedScopes
    profile:
      description: Specific profile properties for the privileged resource
      additionalProperties: true
      type: object
      readOnly: true
    subject:
      nullable: false
      type: object
      properties:
        format:
          type: string
          description: The user identifier
          nullable: false
          writeOnly: true
          enum:
            - opaque
        id:
          type: string
          description: ID of the user
          writeOnly: true
          nullable: false
    useNumberMatchingChallenge:
      description: |-
        Select whether to use a number matching challenge for a `push` factor.

        > **Note:** Sending a request with a body is required when you verify a `push` factor with a number matching challenge.
      example: true
      x-okta-lifecycle:
        lifecycle: GA
        isGenerallyAvailable: false
        SKUs: []
      type: boolean
    userLink:
      type: object
      properties:
        user:
          $ref: '#/components/schemas/HrefObjectUserLink'
  securitySchemes:
    apiToken:
      description: 'Pass the API token as the Authorization header value prefixed with SSWS: `Authorization: SSWS {API Token}`'
      name: Authorization
      type: apiKey
      in: header
    oauth2:
      type: oauth2
      description: 'Pass the access_token as the value of the Authorization header: `Authorization: Bearer {access_token}`'
      flows:
        authorizationCode:
          authorizationUrl: /oauth2/v1/authorize
          tokenUrl: /oauth2/v1/token
          scopes:
            okta.agentPools.manage: Allows the app to create and manage agent pools in your Okta organization
            okta.agentPools.read: Allows the app to read agent pools in your Okta organization
            okta.aiAgents.manage: Allows the app to manage AI agents in your Okta organization.
            okta.aiAgents.read: Allows the app to read information about AI agents in your Okta organization.
            okta.apiTokens.manage: Allows the app to manage API Tokens in your Okta organization
            okta.apiTokens.read: Allows the app to read API Tokens in your Okta organization
            okta.appGrants.manage: Allows the app to create and manage grants in your Okta organization
            okta.appGrants.read: Allows the app to read grants in your Okta organization
            okta.apps.interclientTrust.manage: Allows the app to manage trusted relationship for native to web SSO
            okta.apps.interclientTrust.read: Allows the app to read configured trusted relationship for native to web SSO
            okta.apps.manage: Allows the app to create and manage Apps in your Okta organization
            okta.apps.read: Allows the app to read information about Apps in your Okta organization
            okta.authenticators.manage: Allows the app to manage all authenticators. For example, enrollments or resets.
            okta.authenticators.manage.self: Allows the app to manage a user's own authenticators. For example, enrollments or resets.
            okta.authenticators.read: Allows the app to read org authenticators information
            okta.authorizationServers.manage: Allows the app to create and manage Authorization Servers in your Okta organization
            okta.authorizationServers.read: Allows the app to read information about Authorization Servers in your Okta organization
            okta.behaviors.manage: Allows the app to create and manage behavior detection rules in your Okta organization
            okta.behaviors.read: Allows the app to read behavior detection rules in your Okta organization
            okta.brands.manage: Allows the app to create and manage Brands and Themes in your Okta organization
            okta.brands.read: Allows the app to read information about Brands and Themes in your Okta organization
            okta.captchas.manage: Allows the app to create and manage CAPTCHAs in your Okta organization
            okta.captchas.read: Allows the app to read information about CAPTCHAs in your Okta organization
            okta.deviceAssurance.manage: Allows the app to manage device assurances
            okta.deviceAssurance.read: Allows the app to read device assurances
            okta.deviceIntegrations.manage: Allows the app to manage device integrations
            okta.deviceIntegrations.read: Allows the app to read device integrations
            okta.devicePostureChecks.manage: Allows the app to manage device posture checks
            okta.devicePostureChecks.read: Allows the app to read device posture checks
            okta.devices.manage: Allows the app to manage device status transitions and delete a device
            okta.devices.read: Allows the app to read the existing device's profile and search devices
            okta.directories.groups.manage: Allows the app to manage AD/LDAP groups for your Okta organization
            okta.domains.manage: Allows the app to manage custom Domains for your Okta organization
            okta.domains.read: Allows the app to read information about custom Domains for your Okta organization
            okta.dr.manage: Allows the app to manage disaster recovery
            okta.dr.read: Allows the app to read the disaster recovery status
            okta.emailDomains.manage: Allows the app to manage Email Domains for your Okta organization
            okta.emailDomains.read: Allows the app to read information about Email Domains for your Okta organization
            okta.emailServers.manage: Allows the app to manage Email Servers for your Okta organization
            okta.emailServers.read: Allows the app to read information about Email Servers for your Okta organization
            okta.eventHooks.manage: Allows the app to create and manage Event Hooks in your Okta organization
            okta.eventHooks.read: Allows the app to read information about Event Hooks in your Okta organization
            okta.features.manage: Allows the app to create and manage Features in your Okta organization
            okta.features.read: Allows the app to read information about Features in your Okta organization
            okta.groups.manage: Allows the app to create and manage groups in your Okta organization
            okta.groups.read: Allows the app to read information about groups and their members in your Okta organization
            okta.identitySources.manage: Allows the custom identity sources to manage user entities in your Okta organization
            okta.identitySources.read: Allows to read session information for custom identity sources in your Okta organization
            okta.idps.manage: Allows the app to create and manage Identity Providers in your Okta organization
            okta.idps.read: Allows the app to read information about Identity Providers in your Okta organization
            okta.inlineHooks.manage: Allows the app to create and manage Inline Hooks in your Okta organization
            okta.inlineHooks.read: Allows the app to read information about Inline Hooks in your Okta organization
            okta.linkedObjects.manage: Allows the app to manage linked object definitions in your Okta organization
            okta.linkedObjects.read: Allows the app to read linked object definitions in your Okta organization
            okta.logStreams.manage: Allows the app to create and manage log streams in your Okta organization
            okta.logStreams.read: Allows the app to read information about log streams in your Okta organization
            okta.logs.read: Allows the app to read information about System Log entries in your Okta organization
            okta.manifests.manage: Allows the app to manage OIN submissions in your Okta organization
            okta.manifests.read: Allows the app to read OIN submissions in your Okta organization
            okta.networkZones.manage: Allows the app to create and manage Network Zones in your Okta organization
            okta.networkZones.read: Allows the app to read Network Zones in your Okta organization
            okta.oauthIntegrations.manage: Allows the app to create and manage API service Integration instances in your Okta organization
            okta.oauthIntegrations.read: Allows the app to read API service Integration instances in your Okta organization
            okta.operations.read: Allows the app to read the status of asynchronous operations in your Okta organization
            okta.orgs.manage: Allows the app to manage organization-specific details for your Okta organization
            okta.orgs.read: Allows the app to read organization-specific details about your Okta organization
            okta.personal.adminSettings.manage: Allows the app to manage the personal admin settings for the signed-in user
            okta.personal.adminSettings.read: Allows the app to read the personal admin settings for the signed-in user
            okta.policies.manage: Allows the app to manage policies in your Okta organization
            okta.policies.read: Allows the app to read information about policies in your Okta organization
            okta.principalRateLimits.manage: Allows the app to create and manage Principal Rate Limits in your Okta organization
            okta.principalRateLimits.read: Allows the app to read information about Principal Rate Limits in your Okta organization
            okta.privilegedResources.manage: Allows the app to create privileged resources and manage their details
            okta.privilegedResources.read: Allows the app to read the details of existing privileged resources
            okta.profileMappings.manage: Allows the app to manage user profile mappings in your Okta organization
            okta.profileMappings.read: Allows the app to read user profile mappings in your Okta organization
            okta.pushProviders.manage: Allows the app to create and manage push notification providers such as APNs and FCM
            okta.pushProviders.read: Allows the app to read push notification providers such as APNs and FCM
            okta.rateLimits.manage: Allows the app to create and manage rate limits in your Okta organization
            okta.rateLimits.read: Allows the app to read information about rate limits in your Okta organization
            okta.realmAssignments.manage: Allows a user to manage realm assignments
            okta.realmAssignments.read: Allows a user to read realm assignments
            okta.realms.manage: Allows the app to create new realms and to manage their details
            okta.realms.read: Allows the app to read the existing realms and their details
            okta.riskEvents.manage: (Deprecated) Allows the app to publish risk events to your Okta organization
            okta.riskProviders.manage: (Deprecated) Allows the app to create and manage risk provider integrations in your Okta organization
            okta.riskProviders.read: (Deprecated) Allows the app to read all risk provider integrations in your Okta organization
            okta.roles.manage: Allows the app to manage administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
            okta.roles.read: Allows the app to read administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves.
            okta.schemas.manage: Allows the app to create and manage Schemas in your Okta organization
            okta.schemas.read: Allows the app to read information about Schemas in your Okta organization
            okta.securityEventsProviders.manage: Allows the app to create and manage Security Events Providers in your Okta organization
            okta.securityEventsProviders.read: Allows the app to read information about Security Events Providers in your Okta organization
            okta.serviceAccounts.manage: Allows the app to manage service accounts in your Okta organization
            okta.serviceAccounts.read: Allows the app to read service accounts in your Okta organization
            okta.sessions.manage: Allows the app to manage all sessions in your Okta organization
            okta.sessions.read: Allows the app to read all sessions in your Okta organization
            okta.templates.manage: Allows the app to manage all custom templates in your Okta organization
            okta.templates.read: Allows the app to read all custom templates in your Okta organization
            okta.threatInsights.manage: Allows the app to manage all ThreatInsight configurations in your Okta organization
            okta.threatInsights.read: Allows the app to read all ThreatInsight configurations in your Okta organization
            okta.trustedOrigins.manage: Allows the app to manage all Trusted Origins in your Okta organization
            okta.trustedOrigins.read: Allows the app to read all Trusted Origins in your Okta organization
            okta.uischemas.manage: Allows the app to manage all the UI Schemas in your Okta organization
            okta.uischemas.read: Allows the app to read all the UI Schemas in your Okta organization
            okta.userRisk.manage: Allows the app to manage a user's risk in your Okta org
            okta.userRisk.read: Allows the app to read a user's risk in your Okta org
            okta.userTypes.manage: Allows the app to manage user types in your Okta org
            okta.userTypes.read: Allows the app to read user types in your Okta org
            okta.users.manage: Allows the app to create new users and to manage all users' profile and credentials information
            okta.users.manage.self: Allows the app to manage the signed-in user's profile and credentials
            okta.users.read: Allows the app to read the existing users' profiles and credentials
            okta.users.read.self: Allows the app to read the signed-in user's profile and credentials
            ssf.manage: Allows the app to create and manage Shared Signals Framework (SSF) in your Okta organization
            ssf.read: Allows the app to read information about Shared Signals Framework (SSF) in your Okta organization
x-tagGroups:
  - name: Access Controls
    tags:
      - ApiToken
      - AttackProtection
      - Behavior
      - CAPTCHA
      - NetworkZone
      - Policy
      - Session
      - ThreatInsight
      - TrustedOrigin
  - name: Admin Roles
    tags:
      - RoleAssignmentAUser
      - RoleAssignmentBGroup
      - RoleAssignmentClient
      - RoleBTargetAdmin
      - RoleBTargetBGroup
      - RoleBTargetClient
      - RoleCResourceSet
      - RoleCResourceSetResource
      - RoleDResourceSetBinding
      - RoleDResourceSetBindingMember
      - RoleECustom
      - RoleECustomPermission
      - GovernanceBundle
      - Subscription
  - name: Applications
    tags:
      - Application
      - ApplicationConnections
      - ApplicationCrossAppAccessConnections
      - ApplicationFeatures
      - ApplicationGrants
      - ApplicationGroups
      - ApplicationLogos
      - ApplicationPolicies
      - ApplicationSSO
      - ApplicationSSOCredentialKey
      - ApplicationSSOPublicKeys
      - ApplicationSSOFederatedClaims
      - ApplicationTokens
      - ApplicationUsers
      - ApiServiceIntegrations
      - OktaApplicationSettings
      - GroupPushMapping
  - name: Authenticators
    tags:
      - Authenticator
      - WebAuthnPreregistration
      - PushProvider
  - name: Authorization Servers
    tags:
      - AuthorizationServer
      - AuthorizationServerAssoc
      - AuthorizationServerClaims
      - AuthorizationServerClients
      - AuthorizationServerKeys
      - OAuth2ResourceServerCredentialsKeys
      - AuthorizationServerPolicies
      - AuthorizationServerRules
      - AuthorizationServerScopes
  - name: Customizations
    tags:
      - AssociatedDomainCustomizations
      - Brands
      - CustomDomain
      - CustomPages
      - CustomTemplates
      - EmailDomain
      - EmailServer
      - Template
      - Themes
  - name: Devices
    tags:
      - Device
      - DeviceAssurance
      - DeviceIntegrations
      - DevicePostureCheck
  - name: External Identity Sources
    tags:
      - AgentPools
      - DirectoriesIntegration
      - IdentityProvider
      - IdentityProviderKeys
      - IdentityProviderSigningKeys
      - IdentityProviderUsers
      - IdentitySource
  - name: Groups
    tags:
      - Group
      - GroupOwner
      - GroupRule
  - name: Hooks
    tags:
      - EventHook
      - HookKey
      - InlineHook
  - name: Org Management
    tags:
      - OktaPersonalSettings
      - OrgSettingAdmin
      - OrgSettingCommunication
      - OrgSettingContact
      - OrgSettingCustomization
      - OrgSettingGeneral
      - OrgSettingMetadata
      - OrgSettingSupport
      - Feature
      - EmailCustomization
      - OrgCreator
  - name: Rate Limits
    tags:
      - RateLimitSettings
      - PrincipalRateLimit
  - name: Realms
    tags:
      - Realm
      - RealmAssignment
  - name: Schemas
    tags:
      - Schema
      - LinkedObject
      - UISchema
  - name: Service Accounts
    tags:
      - ServiceAccount
  - name: Signal Sharing
    tags:
      - SSFReceiver
      - SSFSecurityEventToken
      - SSFTransmitter
  - name: System Log
    tags:
      - SystemLog
      - LogStream
  - name: Users
    tags:
      - User
      - UserAuthenticatorEnrollments
      - UserClassification
      - UserCred
      - UserFactor
      - UserGrant
      - UserLifecycle
      - UserLinkedObject
      - UserOAuth
      - UserResources
      - UserRisk
      - UserSessions
      - UserType
      - ProfileMapping