{"Scopes define permissions and access levels for API requests and authentication tokens."}
140)
maxLength: 140
client_secret:
type: string
description: The secret used to sign tokens for the client
minLength: 1
logo_uri:
type: string
description: 'The URL of the client logo (recommended size: 150x150)'
format: absolute-uri-or-empty
callbacks:
type: array
description: >-
A set of URLs that are valid to call back from Auth0 when
authenticating users
items:
type: string
format: callback-url
oidc_logout:
$ref: '#/components/schemas/ClientOIDCBackchannelLogoutSettings'
oidc_backchannel_logout:
$ref: '#/components/schemas/ClientOIDCBackchannelLogoutSettings'
x-release-lifecycle: deprecated
description: >-
Configuration for OIDC backchannel logout (deprecated, in favor of
oidc_logout)
session_transfer:
$ref: '#/components/schemas/ClientSessionTransferConfiguration'
allowed_origins:
type: array
description: A set of URLs that represents valid origins for CORS
items:
type: string
format: url-with-placeholders
web_origins:
type: array
description: >-
A set of URLs that represents valid web origins for use with web
message response mode
items:
type: string
format: url-with-placeholders
grant_types:
type: array
description: >-
A set of grant types that the client is authorized to use. Can
include `authorization_code`, `implicit`, `refresh_token`,
`client_credentials`, `password`,
`http://auth0.com/oauth/grant-type/password-realm`,
`http://auth0.com/oauth/grant-type/mfa-oob`,
`http://auth0.com/oauth/grant-type/mfa-otp`,
`http://auth0.com/oauth/grant-type/mfa-recovery-code`,
`urn:openid:params:grant-type:ciba`,
`urn:ietf:params:oauth:grant-type:device_code`, and
`urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token`.
items:
type: string
minLength: 1
client_aliases:
type: array
description: List of audiences for SAML protocol
items:
type: string
minLength: 1
allowed_clients:
type: array
description: >-
Ids of clients that will be allowed to perform delegation requests.
Clients that will be allowed to make delegation request. By default,
all your clients will be allowed. This field allows you to specify
specific clients
items:
type: string
minLength: 1
allowed_logout_urls:
type: array
description: URLs that are valid to redirect to after logout from Auth0
items:
type: string
format: url-with-placeholders
jwt_configuration:
$ref: '#/components/schemas/ClientJwtConfiguration'
description: An object that holds settings related to how JWTs are created
encryption_key:
$ref: '#/components/schemas/ClientEncryptionKey'
description: The client's encryption key
sso:
type: boolean
description: >-
true to use Auth0 instead of the IdP to do Single Sign
On, false otherwise (default: false)
cross_origin_authentication:
type: boolean
description: >-
true if this client can be used to make cross-origin
authentication requests, false otherwise if cross
origin is disabled
cross_origin_loc:
type:
- string
- 'null'
description: >-
URL for the location in your site where the cross origin
verification takes place for the cross-origin auth flow when
performing Auth in your own domain instead of Auth0 hosted login
page.
format: url-or-null
sso_disabled:
type: boolean
description: >-
true to disable Single Sign On, false
otherwise (default: false)
custom_login_page_on:
type: boolean
description: >-
true if the custom login page is to be used,
false otherwise.
token_endpoint_auth_method:
$ref: '#/components/schemas/ClientTokenEndpointAuthMethodOrNullEnum'
is_token_endpoint_ip_header_trusted:
type: boolean
description: >-
If true, trust that the IP specified in the `auth0-forwarded-for`
header is the end-user's IP for brute-force-protection on token
endpoint.
default: false
app_type:
$ref: '#/components/schemas/ClientAppTypeEnum'
is_first_party:
type: boolean
description: Whether this client a first party client or not
default: true
oidc_conformant:
type: boolean
description: Whether this client will conform to strict OIDC specifications
default: false
custom_login_page:
type: string
description: The content (HTML, CSS, JS) of the custom login page
custom_login_page_preview:
type: string
token_quota:
$ref: '#/components/schemas/UpdateTokenQuota'
x-release-lifecycle: EA
form_template:
type: string
description: Form template for WS-Federation protocol
addons:
$ref: '#/components/schemas/ClientAddons'
client_metadata:
$ref: '#/components/schemas/ClientMetadata'
mobile:
$ref: '#/components/schemas/ClientMobile'
description: Configuration related to native mobile apps
initiate_login_uri:
type: string
description: Initiate login uri, must be https
format: absolute-https-uri-with-placeholders-or-empty
native_social_login:
$ref: '#/components/schemas/NativeSocialLoginPatch'
fedcm_login:
$ref: '#/components/schemas/FedCMLoginPatch'
x-release-lifecycle: EA
refresh_token:
$ref: '#/components/schemas/ClientRefreshTokenConfiguration'
default_organization:
$ref: '#/components/schemas/ClientDefaultOrganization'
organization_usage:
$ref: '#/components/schemas/ClientOrganizationUsagePatchEnum'
organization_require_behavior:
$ref: '#/components/schemas/ClientOrganizationRequireBehaviorPatchEnum'
organization_discovery_methods:
type:
- array
- 'null'
description: >-
Defines the available methods for organization discovery during the
`pre_login_prompt`. Users can discover their organization either by
`email`, `organization_name` or both.
minItems: 1
x-release-lifecycle: EA
items:
$ref: '#/components/schemas/ClientOrganizationDiscoveryEnum'
client_authentication_methods:
$ref: '#/components/schemas/ClientAuthenticationMethod'
require_pushed_authorization_requests:
type: boolean
description: >-
Makes the use of Pushed Authorization Requests mandatory for this
client
default: false
require_proof_of_possession:
type: boolean
description: Makes the use of Proof-of-Possession mandatory for this client
default: false
signed_request_object:
$ref: '#/components/schemas/ClientSignedRequestObjectWithCredentialId'
token_vault_privileged_access:
$ref: >-
#/components/schemas/ClientTokenVaultPrivilegedAccessWithCredentialId
x-release-lifecycle: EA
compliance_level:
$ref: '#/components/schemas/ClientComplianceLevelEnum'
skip_non_verifiable_callback_uri_confirmation_prompt:
type:
- boolean
- 'null'
description: >-
Controls whether a confirmation prompt is shown during login flows
when the redirect URI uses non-verifiable callback URIs (for
example, a custom URI schema such as `myapp://`, or `localhost`).
If set to true, a confirmation prompt will not be shown. We
recommend that this is set to false for improved protection from
malicious apps.
See
https://auth0.com/docs/secure/security-guidance/measures-against-app-impersonation
for more information.
token_exchange:
$ref: '#/components/schemas/ClientTokenExchangeConfigurationOrNull'
x-release-lifecycle: GA
par_request_expiry:
type:
- integer
- 'null'
description: >-
Specifies how long, in seconds, a Pushed Authorization Request URI
remains valid
minimum: 10
maximum: 600
express_configuration:
$ref: '#/components/schemas/ExpressConfigurationOrNull'
my_organization_configuration:
$ref: '#/components/schemas/ClientMyOrganizationPatchConfiguration'
x-release-lifecycle: EA
async_approval_notification_channels:
$ref: >-
#/components/schemas/ClientAsyncApprovalNotificationsChannelsAPIPatchConfiguration
third_party_security_mode:
$ref: '#/components/schemas/ClientThirdPartySecurityModeEnum'
x-release-lifecycle: GA
redirection_policy:
$ref: '#/components/schemas/ClientRedirectionPolicyEnum'
x-release-lifecycle: GA
UpdateClientResponseContent:
type: object
additionalProperties: true
properties:
client_id:
type: string
description: ID of this client.
default: AaiyAPdpYdesoKnqjj8HJqRn4T5titww
tenant:
type: string
description: Name of the tenant this client belongs to.
default: ''
name:
type: string
description: >-
Name of this client (min length: 1 character, does not allow `<` or
`>`).
default: My application
description:
type: string
description: 'Free text description of this client (max length: 140 characters).'
default: ''
global:
type: boolean
description: >-
Whether this is your global 'All Applications' client representing
legacy tenant settings (true) or a regular client (false).
default: false
client_secret:
type: string
description: Client secret (which you must not make public).
default: MG_TNT2ver-SylNat-_VeMmd-4m0Waba0jr1troztBniSChEw0glxEmgEi2Kw40H
app_type:
$ref: '#/components/schemas/ClientAppTypeEnum'
logo_uri:
type: string
description: >-
URL of the logo to display for this client. Recommended size is
150x150 pixels.
is_first_party:
type: boolean
description: Whether this client a first party client (true) or not (false).
default: false
oidc_conformant:
type: boolean
description: >-
Whether this client conforms to strict
OIDC specifications (true) or uses legacy features (false).
default: false
callbacks:
type: array
description: >-
Comma-separated list of URLs whitelisted for Auth0 to use as a
callback to the client after authentication.
items:
type: string
allowed_origins:
type: array
description: >-
Comma-separated list of URLs allowed to make requests from
JavaScript to Auth0 API (typically used with CORS). By default, all
your callback URLs will be allowed. This field allows you to enter
other origins if necessary. You can also use wildcards at the
subdomain level (e.g., https://*.contoso.com). Query strings and
hash information are not taken into account when validating these
URLs.
items:
type: string
web_origins:
type: array
description: >-
Comma-separated list of allowed origins for use with Cross-Origin
Authentication, Device
Flow, and web
message response mode.
items:
type: string
client_aliases:
type: array
description: List of audiences/realms for SAML protocol. Used by the wsfed addon.
items:
type: string
allowed_clients:
type: array
description: >-
List of allow clients and API ids that are allowed to make
delegation requests. Empty means all all your clients are allowed.
items:
type: string
allowed_logout_urls:
type: array
description: >-
Comma-separated list of URLs that are valid to redirect to after
logout from Auth0. Wildcards are allowed for subdomains.
items:
type: string
session_transfer:
$ref: '#/components/schemas/ClientSessionTransferConfiguration'
oidc_logout:
$ref: '#/components/schemas/ClientOIDCBackchannelLogoutSettings'
grant_types:
type: array
description: >-
List of grant types supported for this application. Can include
`authorization_code`, `implicit`, `refresh_token`,
`client_credentials`, `password`,
`http://auth0.com/oauth/grant-type/password-realm`,
`http://auth0.com/oauth/grant-type/mfa-oob`,
`http://auth0.com/oauth/grant-type/mfa-otp`,
`http://auth0.com/oauth/grant-type/mfa-recovery-code`,
`urn:openid:params:grant-type:ciba`,
`urn:ietf:params:oauth:grant-type:device_code`, and
`urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token`.
items:
type: string
jwt_configuration:
$ref: '#/components/schemas/ClientJwtConfiguration'
signing_keys:
$ref: '#/components/schemas/ClientSigningKeys'
encryption_key:
$ref: '#/components/schemas/ClientEncryptionKey'
sso:
type: boolean
description: >-
Applies only to SSO clients and determines whether Auth0 will handle
Single Sign On (true) or whether the Identity Provider will (false).
default: false
sso_disabled:
type: boolean
description: >-
Whether Single Sign On is disabled (true) or enabled (true).
Defaults to true.
default: false
cross_origin_authentication:
type: boolean
description: >-
Whether this client can be used to make cross-origin authentication
requests (true) or it is not allowed to make such requests (false).
cross_origin_loc:
type: string
description: >-
URL of the location in your site where the cross origin verification
takes place for the cross-origin auth flow when performing Auth in
your own domain instead of Auth0 hosted login page.
format: url
custom_login_page_on:
type: boolean
description: >-
Whether a custom login page is to be used (true) or the default
provided login page (false).
default: true
custom_login_page:
type: string
description: The content (HTML, CSS, JS) of the custom login page.
default: ''
custom_login_page_preview:
type: string
description: >-
The content (HTML, CSS, JS) of the custom login page. (Used on
Previews)
default: ''
form_template:
type: string
description: HTML form template to be used for WS-Federation.
default: ''
addons:
$ref: '#/components/schemas/ClientAddons'
token_endpoint_auth_method:
$ref: '#/components/schemas/ClientTokenEndpointAuthMethodEnum'
is_token_endpoint_ip_header_trusted:
type: boolean
description: >-
If true, trust that the IP specified in the `auth0-forwarded-for`
header is the end-user's IP for brute-force-protection on token
endpoint.
default: false
client_metadata:
$ref: '#/components/schemas/ClientMetadata'
mobile:
$ref: '#/components/schemas/ClientMobile'
initiate_login_uri:
type: string
description: Initiate login uri, must be https
format: absolute-https-uri-with-placeholders-or-empty
native_social_login:
$ref: '#/components/schemas/NativeSocialLogin'
fedcm_login:
$ref: '#/components/schemas/FedCMLogin'
x-release-lifecycle: EA
refresh_token:
$ref: '#/components/schemas/ClientRefreshTokenConfiguration'
default_organization:
$ref: '#/components/schemas/ClientDefaultOrganization'
organization_usage:
$ref: '#/components/schemas/ClientOrganizationUsageEnum'
organization_require_behavior:
$ref: '#/components/schemas/ClientOrganizationRequireBehaviorEnum'
organization_discovery_methods:
type: array
description: >-
Defines the available methods for organization discovery during the
`pre_login_prompt`. Users can discover their organization either by
`email`, `organization_name` or both.
minItems: 1
x-release-lifecycle: EA
items:
$ref: '#/components/schemas/ClientOrganizationDiscoveryEnum'
client_authentication_methods:
$ref: '#/components/schemas/ClientAuthenticationMethod'
require_pushed_authorization_requests:
type: boolean
description: >-
Makes the use of Pushed Authorization Requests mandatory for this
client
default: false
require_proof_of_possession:
type: boolean
description: Makes the use of Proof-of-Possession mandatory for this client
default: false
signed_request_object:
$ref: '#/components/schemas/ClientSignedRequestObjectWithCredentialId'
token_vault_privileged_access:
$ref: >-
#/components/schemas/ClientTokenVaultPrivilegedAccessWithCredentialId
x-release-lifecycle: EA
compliance_level:
$ref: '#/components/schemas/ClientComplianceLevelEnum'
skip_non_verifiable_callback_uri_confirmation_prompt:
type: boolean
description: >-
Controls whether a confirmation prompt is shown during login flows
when the redirect URI uses non-verifiable callback URIs (for
example, a custom URI schema such as `myapp://`, or `localhost`).
If set to true, a confirmation prompt will not be shown. We
recommend that this is set to false for improved protection from
malicious apps.
See
https://auth0.com/docs/secure/security-guidance/measures-against-app-impersonation
for more information.
token_exchange:
$ref: '#/components/schemas/ClientTokenExchangeConfiguration'
x-release-lifecycle: GA
par_request_expiry:
type:
- integer
- 'null'
description: >-
Specifies how long, in seconds, a Pushed Authorization Request URI
remains valid
minimum: 10
maximum: 600
token_quota:
$ref: '#/components/schemas/TokenQuota'
x-release-lifecycle: EA
express_configuration:
$ref: '#/components/schemas/ExpressConfiguration'
my_organization_configuration:
$ref: '#/components/schemas/ClientMyOrganizationResponseConfiguration'
x-release-lifecycle: EA
third_party_security_mode:
$ref: '#/components/schemas/ClientThirdPartySecurityModeEnum'
x-release-lifecycle: GA
redirection_policy:
$ref: '#/components/schemas/ClientRedirectionPolicyEnum'
x-release-lifecycle: GA
resource_server_identifier:
type: string
description: The identifier of the resource server that this client is linked to.
async_approval_notification_channels:
$ref: >-
#/components/schemas/ClientAsyncApprovalNotificationsChannelsAPIPostConfiguration
external_metadata_type:
$ref: '#/components/schemas/ClientExternalMetadataTypeEnum'
external_metadata_created_by:
$ref: '#/components/schemas/ClientExternalMetadataCreatedByEnum'
external_client_id:
type: string
description: >-
An alternate client identifier to be used during authorization
flows. Only supports CIMD-based client identifiers.
format: absolute-https-uri-or-empty
jwks_uri:
type: string
description: >-
URL for the JSON Web Key Set (JWKS) containing the public keys used
for private_key_jwt authentication. Only present for CIMD clients
using private_key_jwt authentication.
format: absolute-https-uri-or-empty
ClientOIDCBackchannelLogoutSettings:
type: object
description: Configuration for OIDC backchannel logout
additionalProperties: true
properties:
backchannel_logout_urls:
type: array
description: >-
Comma-separated list of URLs that are valid to call back from Auth0
for OIDC backchannel logout. Currently only one URL is allowed.
items:
type: string
format: absolute-https-uri-with-placeholders-or-empty
backchannel_logout_initiators:
$ref: '#/components/schemas/ClientOIDCBackchannelLogoutInitiators'
backchannel_logout_session_metadata:
$ref: '#/components/schemas/ClientOIDCBackchannelLogoutSessionMetadata'
ClientSessionTransferConfiguration:
type:
- object
- 'null'
description: Native to Web SSO Configuration
additionalProperties: false
properties:
can_create_session_transfer_token:
type: boolean
description: >-
Indicates whether an app can issue a Session Transfer Token through
Token Exchange. If set to 'false', the app will not be able to issue
a Session Transfer Token. Usually configured in the native
application. Default value is `false`.
default: false
enforce_cascade_revocation:
type: boolean
description: >-
Indicates whether revoking the parent Refresh Token that initiated a
Native to Web flow and was used to issue a Session Transfer Token
should trigger a cascade revocation affecting its dependent child
entities. Usually configured in the native application. Default
value is `true`, applicable only in Native to Web SSO context.
default: true
allowed_authentication_methods:
type:
- array
- 'null'
description: >-
Indicates whether an app can create a session from a Session
Transfer Token received via indicated methods. Can include `cookie`
and/or `query`. Usually configured in the web application. Default
value is an empty array [].
items:
$ref: >-
#/components/schemas/ClientSessionTransferAllowedAuthenticationMethodsEnum
enforce_device_binding:
$ref: '#/components/schemas/ClientSessionTransferDeviceBindingEnum'
allow_refresh_token:
type: boolean
description: >-
Indicates whether Refresh Tokens are allowed to be issued when
authenticating with a Session Transfer Token. Usually configured in
the web application. Default value is `false`.
default: false
enforce_online_refresh_tokens:
type: boolean
description: >-
Indicates whether Refresh Tokens created during a Native to Web
session are tied to that session's lifetime. This determines if such
refresh tokens should be automatically revoked when their
corresponding sessions are. Usually configured in the web
application. Default value is `true`, applicable only in Native to
Web SSO context.
default: true
delegation:
$ref: '#/components/schemas/ClientSessionTransferDelegationConfiguration'
x-release-lifecycle: EA
ClientJwtConfiguration:
type: object
description: Configuration related to JWTs for the client.
additionalProperties: true
properties:
lifetime_in_seconds:
type: integer
description: Number of seconds the JWT will be valid for (affects `exp` claim).
default: 36000
secret_encoded:
type: boolean
description: >-
Whether the client secret is base64 encoded (true) or unencoded
(false).
default: true
scopes:
$ref: '#/components/schemas/ClientJwtConfigurationScopes'
alg:
$ref: '#/components/schemas/SigningAlgorithmEnum'
ClientEncryptionKey:
type:
- object
- 'null'
description: Encryption used for WsFed responses with this client.
additionalProperties: true
properties:
pub:
type: string
description: Encryption Public RSA Key.
cert:
type: string
description: Encryption certificate for public key in X.509 (.CER) format.
subject:
type: string
description: >-
Encryption certificate name for this certificate in the format
`/CN={domain}`.
ClientTokenEndpointAuthMethodOrNullEnum:
type:
- string
- 'null'
description: >-
Defines the requested authentication method for the token endpoint. Can
be `none` (public client without a client secret), `client_secret_post`
(client uses HTTP POST parameters), or `client_secret_basic` (client
uses HTTP Basic).
default: none
enum:
- none
- client_secret_post
- client_secret_basic
- null
ClientAppTypeEnum:
type: string
description: The type of application this client represents
enum:
- native
- spa
- regular_web
- non_interactive
- resource_server
- express_configuration
- rms
- box
- cloudbees
- concur
- dropbox
- mscrm
- echosign
- egnyte
- newrelic
- office365
- salesforce
- sentry
- sharepoint
- slack
- springcm
- zendesk
- zoom
- sso_integration
- oag
UpdateTokenQuota:
type:
- object
- 'null'
additionalProperties: false
required:
- client_credentials
x-release-lifecycle: EA
properties:
client_credentials:
$ref: '#/components/schemas/TokenQuotaClientCredentials'
ClientAddons:
type: object
description: Addons enabled for this client and their associated configurations.
additionalProperties: false
properties:
aws:
$ref: '#/components/schemas/ClientAddonAWS'
azure_blob:
$ref: '#/components/schemas/ClientAddonAzureBlob'
azure_sb:
$ref: '#/components/schemas/ClientAddonAzureSB'
rms:
$ref: '#/components/schemas/ClientAddonRMS'
mscrm:
$ref: '#/components/schemas/ClientAddonMSCRM'
slack:
$ref: '#/components/schemas/ClientAddonSlack'
sentry:
$ref: '#/components/schemas/ClientAddonSentry'
box:
$ref: '#/components/schemas/ClientAddonBox'
cloudbees:
$ref: '#/components/schemas/ClientAddonCloudBees'
concur:
$ref: '#/components/schemas/ClientAddonConcur'
dropbox:
$ref: '#/components/schemas/ClientAddonDropbox'
echosign:
$ref: '#/components/schemas/ClientAddonEchoSign'
egnyte:
$ref: '#/components/schemas/ClientAddonEgnyte'
firebase:
$ref: '#/components/schemas/ClientAddonFirebase'
newrelic:
$ref: '#/components/schemas/ClientAddonNewRelic'
office365:
$ref: '#/components/schemas/ClientAddonOffice365'
salesforce:
$ref: '#/components/schemas/ClientAddonSalesforce'
salesforce_api:
$ref: '#/components/schemas/ClientAddonSalesforceAPI'
salesforce_sandbox_api:
$ref: '#/components/schemas/ClientAddonSalesforceSandboxAPI'
samlp:
$ref: '#/components/schemas/ClientAddonSAML'
layer:
$ref: '#/components/schemas/ClientAddonLayer'
sap_api:
$ref: '#/components/schemas/ClientAddonSAPAPI'
sharepoint:
$ref: '#/components/schemas/ClientAddonSharePoint'
springcm:
$ref: '#/components/schemas/ClientAddonSpringCM'
wams:
$ref: '#/components/schemas/ClientAddonWAMS'
wsfed:
$ref: '#/components/schemas/ClientAddonWSFed'
zendesk:
$ref: '#/components/schemas/ClientAddonZendesk'
zoom:
$ref: '#/components/schemas/ClientAddonZoom'
sso_integration:
$ref: '#/components/schemas/ClientAddonSSOIntegration'
oag:
$ref: '#/components/schemas/ClientAddonOAG'
ClientMetadata:
type: object
description: "Metadata associated with the client, in the form of an object with string values (max 255 chars). Maximum of 10 metadata properties allowed. Field names (max 255 chars) are alphanumeric and may only include the following special characters: :,-+=_*?\"/\\()<>@\t[Tab] [Space]"
additionalProperties: true
maxProperties: 10
ClientMobile:
type: object
description: Additional configuration for native mobile apps.
additionalProperties: true
properties:
android:
$ref: '#/components/schemas/ClientMobileAndroid'
ios:
$ref: '#/components/schemas/ClientMobileiOS'
NativeSocialLoginPatch:
type:
- object
- 'null'
description: Configure native social settings
additionalProperties: false
minProperties: 1
properties:
apple:
$ref: '#/components/schemas/NativeSocialLoginApplePatch'
facebook:
$ref: '#/components/schemas/NativeSocialLoginFacebookPatch'
google:
$ref: '#/components/schemas/NativeSocialLoginGooglePatch'
FedCMLoginPatch:
type:
- object
- 'null'
description: Configure FedCM login settings for New Universal Login
additionalProperties: false
minProperties: 1
x-release-lifecycle: EA
properties:
google:
$ref: '#/components/schemas/FedCMLoginGooglePatch'
ClientRefreshTokenConfiguration:
type:
- object
- 'null'
description: Refresh token configuration
additionalProperties: false
required:
- rotation_type
- expiration_type
properties:
rotation_type:
$ref: '#/components/schemas/RefreshTokenRotationTypeEnum'
expiration_type:
$ref: '#/components/schemas/RefreshTokenExpirationTypeEnum'
leeway:
type: integer
description: >-
Period in seconds where the previous refresh token can be exchanged
without triggering breach detection
default: 0
minimum: 0
token_lifetime:
type: integer
description: Period (in seconds) for which refresh tokens will remain valid
minimum: 1
maximum: 157788000
infinite_token_lifetime:
type: boolean
description: >-
Prevents tokens from having a set lifetime when `true` (takes
precedence over `token_lifetime` values)
idle_token_lifetime:
type: integer
description: >-
Period (in seconds) for which refresh tokens will remain valid
without use
minimum: 1
infinite_idle_token_lifetime:
type: boolean
description: >-
Prevents tokens from expiring without use when `true` (takes
precedence over `idle_token_lifetime` values)
default: false
policies:
type:
- array
- 'null'
description: >-
A collection of policies governing multi-resource refresh token
exchange (MRRT), defining how refresh tokens can be used across
different resource servers
minItems: 1
items:
$ref: '#/components/schemas/ClientRefreshTokenPolicy'
ClientDefaultOrganization:
type:
- object
- 'null'
description: Defines the default Organization ID and flows
additionalProperties: false
required:
- organization_id
- flows
properties:
organization_id:
type: string
description: The default Organization ID to be used
format: organization-id
flows:
type: array
description: The default Organization usage
items:
$ref: '#/components/schemas/ClientDefaultOrganizationFlowsEnum'
ClientOrganizationUsagePatchEnum:
type:
- string
- 'null'
description: >-
Defines how to proceed during an authentication transaction with regards
an organization. Can be `deny` (default), `allow` or `require`.
default: deny
enum:
- deny
- allow
- require
- null
ClientOrganizationRequireBehaviorPatchEnum:
type:
- string
- 'null'
description: >-
Defines how to proceed during an authentication transaction when
`client.organization_usage: 'require'`. Can be `no_prompt` (default),
`pre_login_prompt` or `post_login_prompt`. `post_login_prompt` requires
`oidc_conformant: true`.
default: no_prompt
enum:
- no_prompt
- pre_login_prompt
- post_login_prompt
- null
ClientOrganizationDiscoveryEnum:
type: string
description: >-
Method for discovering organizations during the `pre_login_prompt`.
`email` allows users to find their organization by entering their email
address and performing domain matching, while `organization_name`
requires users to enter the organization name directly. These methods
can be combined.
enum:
- email
- organization_name
ClientAuthenticationMethod:
type:
- object
- 'null'
description: Defines client authentication methods.
additionalProperties: false
minProperties: 1
maxProperties: 1
properties:
private_key_jwt:
$ref: '#/components/schemas/ClientAuthenticationMethodPrivateKeyJWT'
tls_client_auth:
$ref: '#/components/schemas/ClientAuthenticationMethodTLSClientAuth'
self_signed_tls_client_auth:
$ref: >-
#/components/schemas/ClientAuthenticationMethodSelfSignedTLSClientAuth
ClientSignedRequestObjectWithCredentialId:
type: object
description: JWT-secured Authorization Requests (JAR) settings.
additionalProperties: false
properties:
required:
type: boolean
description: Indicates whether the JAR requests are mandatory
default: false
credentials:
type: array
minItems: 0
items:
$ref: '#/components/schemas/CredentialId'
ClientTokenVaultPrivilegedAccessWithCredentialId:
type: object
description: Settings for Token Vault Privileged Access.
additionalProperties: false
required:
- credentials
x-release-lifecycle: EA
properties:
credentials:
type: array
minItems: 0
items:
$ref: '#/components/schemas/CredentialId'
ip_allowlist:
type: array
minItems: 0
items:
$ref: '#/components/schemas/TokenVaultPrivilegedAccessIpAllowlistEntry'
ClientComplianceLevelEnum:
type:
- string
- 'null'
description: >-
Defines the compliance level for this client, which may restrict it's
capabilities
enum:
- none
- fapi1_adv_pkj_par
- fapi1_adv_mtls_par
- fapi2_sp_pkj_mtls
- fapi2_sp_mtls_mtls
- null
ClientTokenExchangeConfigurationOrNull:
type:
- object
- 'null'
description: Configuration for token exchange.
additionalProperties: false
x-release-lifecycle: GA
properties:
allow_any_profile_of_type:
type: array
description: List the enabled token exchange types for this client.
minItems: 0
items:
$ref: '#/components/schemas/ClientTokenExchangeTypeEnum'
ExpressConfigurationOrNull:
type:
- object
- 'null'
description: >-
Application specific configuration for use with the OIN Express
Configuration feature.
additionalProperties: false
required:
- initiate_login_uri_template
- user_attribute_profile_id
- connection_profile_id
- enable_client
- enable_organization
- okta_oin_client_id
- admin_login_domain
properties:
initiate_login_uri_template:
type: string
description: >-
The URI users should bookmark to log in to this application.
Variable substitution is permitted for the following properties:
organization_name, organization_id, and connection_name.
format: ec-initiate-login-uri-template-url
user_attribute_profile_id:
type: string
description: The ID of the user attribute profile to use for this application.
format: user-attribute-profile-id
connection_profile_id:
type: string
description: The ID of the connection profile to use for this application.
format: connection-profile-id
enable_client:
type: boolean
description: >-
When true, all connections made via express configuration will be
enabled for this application.
enable_organization:
type: boolean
description: >-
When true, all connections made via express configuration will have
the associated organization enabled.
linked_clients:
type: array
description: >-
List of client IDs that are linked to this express configuration
(e.g. web or mobile clients).
items:
$ref: '#/components/schemas/LinkedClientConfiguration'
okta_oin_client_id:
type: string
description: >-
This is the unique identifier for the Okta OIN Express Configuration
Client, which Okta will use for this application.
format: client-id
admin_login_domain:
type: string
description: >-
This is the domain that admins are expected to log in via for
authenticating for express configuration. It can be either the
canonical domain or a registered custom domain.
minLength: 1
oin_submission_id:
type: string
description: The identifier of the published application in the OKTA OIN.
minLength: 1
maxLength: 200
ClientMyOrganizationPatchConfiguration:
type:
- object
- 'null'
description: >-
Configuration related to the My Organization Configuration for the
client.
additionalProperties: false
required:
- allowed_strategies
- connection_deletion_behavior
x-release-lifecycle: EA
properties:
connection_profile_id:
type: string
description: The connection profile ID that this client should validate against.
format: connection-profile-id
user_attribute_profile_id:
type: string
description: >-
The user attribute profile ID that this client should validate
against.
format: user-attribute-profile-id
allowed_strategies:
type: array
description: >-
The allowed connection strategies for the My Organization
Configuration.
items:
$ref: >-
#/components/schemas/ClientMyOrganizationConfigurationAllowedStrategiesEnum
connection_deletion_behavior:
$ref: '#/components/schemas/ClientMyOrganizationDeletionBehaviorEnum'
invitation_landing_client_id:
type: string
description: >-
The client ID this client uses while creating invitations through My
Organization API.
format: client-id
ClientAsyncApprovalNotificationsChannelsAPIPatchConfiguration:
type:
- array
- 'null'
description: >-
Array of notification channels for contacting the user when their
approval is required. Valid values are `guardian-push`, `email`.
minItems: 1
items:
$ref: '#/components/schemas/AsyncApprovalNotificationsChannelsEnum'
ClientThirdPartySecurityModeEnum:
type: string
description: >-
Security mode for third-party clients. `strict` enforces enhanced
security controls: OAuth 2.1 alignment, explicit API authorization,
and a curated set of supported features. `permissive` preserves pre-existing
behavior and is only available to tenants with prior third-party
client usage. Set on creation and cannot be modified.
enum:
- strict
- permissive
x-release-lifecycle: GA
ClientRedirectionPolicyEnum:
type: string
description: >-
Controls whether Auth0 redirects users to the application's callback URL
on authentication errors or in email verification flows.
`open_redirect_protection` shows an error page instead of redirecting,
and hides the callback domain from email templates. `allow_always`
enables standard redirect behavior. Defaults to
`open_redirect_protection` for third-party clients. Only applies when
`is_first_party` is `false` and `third_party_security_mode` is `strict`.
To learn more, read Redirect
protection.
enum:
- allow_always
- open_redirect_protection
x-release-lifecycle: GA
ClientSigningKeys:
type:
- array
- 'null'
description: Signing certificates associated with this client.
items:
$ref: '#/components/schemas/ClientSigningKey'
ClientTokenEndpointAuthMethodEnum:
type: string
description: >-
Defines the requested authentication method for the token endpoint. Can
be `none` (public client without a client secret), `client_secret_post`
(client uses HTTP POST parameters), or `client_secret_basic` (client
uses HTTP Basic).
default: none
enum:
- none
- client_secret_post
- client_secret_basic
NativeSocialLogin:
type: object
description: Configure native social settings
additionalProperties: false
minProperties: 1
properties:
apple:
$ref: '#/components/schemas/NativeSocialLoginApple'
facebook:
$ref: '#/components/schemas/NativeSocialLoginFacebook'
google:
$ref: '#/components/schemas/NativeSocialLoginGoogle'
FedCMLogin:
type: object
description: Configure FedCM login settings for New Universal Login
additionalProperties: false
minProperties: 1
x-release-lifecycle: EA
properties:
google:
$ref: '#/components/schemas/FedCMLoginGoogle'
ClientOrganizationUsageEnum:
type: string
description: >-
Defines how to proceed during an authentication transaction with regards
an organization. Can be `deny` (default), `allow` or `require`.
default: deny
enum:
- deny
- allow
- require
ClientOrganizationRequireBehaviorEnum:
type: string
description: >-
Defines how to proceed during an authentication transaction when
`client.organization_usage: 'require'`. Can be `no_prompt` (default),
`pre_login_prompt` or `post_login_prompt`. `post_login_prompt` requires
`oidc_conformant: true`.
default: no_prompt
enum:
- no_prompt
- pre_login_prompt
- post_login_prompt
ClientTokenExchangeConfiguration:
type: object
description: Configuration for token exchange.
additionalProperties: false
x-release-lifecycle: GA
properties:
allow_any_profile_of_type:
type: array
description: List the enabled token exchange types for this client.
minItems: 0
items:
$ref: '#/components/schemas/ClientTokenExchangeTypeEnum'
TokenQuota:
type: object
additionalProperties: false
required:
- client_credentials
x-release-lifecycle: EA
properties:
client_credentials:
$ref: '#/components/schemas/TokenQuotaClientCredentials'
ExpressConfiguration:
type: object
description: >-
Application specific configuration for use with the OIN Express
Configuration feature.
additionalProperties: false
required:
- initiate_login_uri_template
- user_attribute_profile_id
- connection_profile_id
- enable_client
- enable_organization
- okta_oin_client_id
- admin_login_domain
properties:
initiate_login_uri_template:
type: string
description: >-
The URI users should bookmark to log in to this application.
Variable substitution is permitted for the following properties:
organization_name, organization_id, and connection_name.
format: ec-initiate-login-uri-template-url
user_attribute_profile_id:
type: string
description: The ID of the user attribute profile to use for this application.
format: user-attribute-profile-id
connection_profile_id:
type: string
description: The ID of the connection profile to use for this application.
format: connection-profile-id
enable_client:
type: boolean
description: >-
When true, all connections made via express configuration will be
enabled for this application.
enable_organization:
type: boolean
description: >-
When true, all connections made via express configuration will have
the associated organization enabled.
linked_clients:
type: array
description: >-
List of client IDs that are linked to this express configuration
(e.g. web or mobile clients).
items:
$ref: '#/components/schemas/LinkedClientConfiguration'
okta_oin_client_id:
type: string
description: >-
This is the unique identifier for the Okta OIN Express Configuration
Client, which Okta will use for this application.
format: client-id
admin_login_domain:
type: string
description: >-
This is the domain that admins are expected to log in via for
authenticating for express configuration. It can be either the
canonical domain or a registered custom domain.
minLength: 1
oin_submission_id:
type: string
description: The identifier of the published application in the OKTA OIN.
minLength: 1
maxLength: 200
ClientMyOrganizationResponseConfiguration:
type: object
description: >-
Configuration related to the My Organization Configuration for the
client.
additionalProperties: false
required:
- allowed_strategies
- connection_deletion_behavior
x-release-lifecycle: EA
properties:
connection_profile_id:
type: string
description: The connection profile ID that this client should validate against.
format: connection-profile-id
user_attribute_profile_id:
type: string
description: >-
The user attribute profile ID that this client should validate
against.
format: user-attribute-profile-id
allowed_strategies:
type: array
description: >-
The allowed connection strategies for the My Organization
Configuration.
items:
$ref: >-
#/components/schemas/ClientMyOrganizationConfigurationAllowedStrategiesEnum
connection_deletion_behavior:
$ref: '#/components/schemas/ClientMyOrganizationDeletionBehaviorEnum'
invitation_landing_client_id:
type: string
description: >-
The client ID this client uses while creating invitations through My
Organization API.
format: client-id
ClientAsyncApprovalNotificationsChannelsAPIPostConfiguration:
type: array
description: >-
Array of notification channels for contacting the user when their
approval is required. Valid values are `guardian-push`, `email`.
minItems: 1
items:
$ref: '#/components/schemas/AsyncApprovalNotificationsChannelsEnum'
ClientExternalMetadataTypeEnum:
type: string
description: >-
Indicates the type of external metadata used to register the client.
This field is omitted for regular clients. The value cimd
identifies clients registered via a Client ID Metadata Document. The
value dcr identifies clients registered via Dynamic Client
Registration.
enum:
- cimd
- dcr
ClientExternalMetadataCreatedByEnum:
type: string
description: >-
Indicates who created the external metadata client. The value
admin indicates the client was registered via the
Management API. The value client indicates the client was
registered dynamically. This field is only present when
external_metadata_type is set.
enum:
- admin
- client
ClientOIDCBackchannelLogoutInitiators:
type: object
description: Configuration for OIDC backchannel logout initiators
additionalProperties: true
properties:
mode:
$ref: '#/components/schemas/ClientOIDCBackchannelLogoutInitiatorsModeEnum'
selected_initiators:
type: array
items:
$ref: '#/components/schemas/ClientOIDCBackchannelLogoutInitiatorsEnum'
ClientOIDCBackchannelLogoutSessionMetadata:
type:
- object
- 'null'
description: >-
Controls whether session metadata is included in the logout token.
Default value is null.
additionalProperties: true
properties:
include:
type: boolean
description: >-
The `include` property determines whether session metadata is
included in the logout token.
ClientSessionTransferAllowedAuthenticationMethodsEnum:
type: string
enum:
- cookie
- query
ClientSessionTransferDeviceBindingEnum:
type: string
description: >-
Indicates whether device binding security should be enforced for the
app. If set to 'ip', the app will enforce device binding by IP, meaning
that consumption of Session Transfer Token must be done from the same IP
of the issuer. Likewise, if set to 'asn', device binding is enforced by
ASN, meaning consumption of Session Transfer Token must be done from the
same ASN as the issuer. If set to 'none', device binding is not
enforced. Usually configured in the web application. Default value is
`ip`.
default: ip
enum:
- ip
- asn
- none
ClientSessionTransferDelegationConfiguration:
type:
- object
- 'null'
description: >-
Configuration for delegation (impersonation) access using Session
Transfer Tokens
additionalProperties: false
x-release-lifecycle: EA
properties:
allow_delegated_access:
type: boolean
description: >-
Indicates whether delegation (impersonation) access is allowed using
Session Transfer Tokens. Default value is `false`.
default: false
enforce_device_binding:
$ref: >-
#/components/schemas/ClientSessionTransferDelegationDeviceBindingEnum
ClientJwtConfigurationScopes:
type: object
description: Configuration related to id token claims for the client.
additionalProperties: true
SigningAlgorithmEnum:
type: string
description: >-
Algorithm used to sign JWTs. Can be `HS256` (default) or `RS256`.
`PS256` available via addon.
default: HS256
enum:
- HS256
- RS256
- RS512
- PS256
TokenQuotaClientCredentials:
type: object
description: The token quota configuration
additionalProperties: false
minProperties: 1
properties:
enforce:
type: boolean
description: >-
If enabled, the quota will be enforced and requests in excess of the
quota will fail. If disabled, the quota will not be enforced, but
notifications for requests exceeding the quota will be available in
logs.
per_day:
type: integer
description: Maximum number of issued tokens per day
minimum: 1
maximum: 2147483647
per_hour:
type: integer
description: Maximum number of issued tokens per hour
minimum: 1
maximum: 2147483647
ClientAddonAWS:
type: object
description: AWS addon configuration.
additionalProperties: true
properties:
principal:
type: string
description: >-
AWS principal ARN, e.g.
`arn:aws:iam::010616021751:saml-provider/idpname`
role:
type: string
description: AWS role ARN, e.g. `arn:aws:iam::010616021751:role/foo`
lifetime_in_seconds:
type: integer
description: AWS token lifetime in seconds
minimum: 900
maximum: 43200
ClientAddonAzureBlob:
type: object
description: Azure Blob Storage addon configuration.
additionalProperties: true
properties:
accountName:
type: string
description: >-
Your Azure storage account name. Usually first segment in your Azure
storage URL. e.g. `https://acme-org.blob.core.windows.net` would be
the account name `acme-org`.
pattern: ^([a-z0-9]){3,24}$
storageAccessKey:
type: string
description: Access key associated with this storage account.
pattern: ^([A-Za-z0-9+/]){86}==$
containerName:
type: string
description: Container to request a token for. e.g. `my-container`.
pattern: ^([a-z0-9]){1}([a-z0-9-]){2,62}$
blobName:
type: string
description: >-
Entity to request a token for. e.g. `my-blob`. If blank the computed
SAS will apply to the entire storage container.
pattern: ^(.){1,1024}$
expiration:
type: integer
description: >-
Expiration in minutes for the generated token (default of 5
minutes).
minimum: 0
signedIdentifier:
type: string
description: >-
Shared access policy identifier defined in your storage account
resource.
blob_read:
type: boolean
description: >-
Indicates if the issued token has permission to read the content,
properties, metadata and block list. Use the blob as the source of a
copy operation.
blob_write:
type: boolean
description: >-
Indicates if the issued token has permission to create or write
content, properties, metadata, or block list. Snapshot or lease the
blob. Resize the blob (page blob only). Use the blob as the
destination of a copy operation within the same account.
blob_delete:
type: boolean
description: Indicates if the issued token has permission to delete the blob.
container_read:
type: boolean
description: >-
Indicates if the issued token has permission to read the content,
properties, metadata or block list of any blob in the container. Use
any blob in the container as the source of a copy operation
container_write:
type: boolean
description: >-
Indicates that for any blob in the container if the issued token has
permission to create or write content, properties, metadata, or
block list. Snapshot or lease the blob. Resize the blob (page blob
only). Use the blob as the destination of a copy operation within
the same account.
container_delete:
type: boolean
description: >-
Indicates if issued token has permission to delete any blob in the
container.
container_list:
type: boolean
description: >-
Indicates if the issued token has permission to list blobs in the
container.
ClientAddonAzureSB:
type: object
description: Azure Storage Bus addon configuration.
additionalProperties: true
properties:
namespace:
type: string
description: >-
Your Azure Service Bus namespace. Usually the first segment of your
Service Bus URL (e.g. `https://acme-org.servicebus.windows.net`
would be `acme-org`).
sasKeyName:
type: string
description: Your shared access policy name defined in your Service Bus entity.
sasKey:
type: string
description: Primary Key associated with your shared access policy.
entityPath:
type: string
description: Entity you want to request a token for. e.g. `my-queue`.'
expiration:
type: integer
description: >-
Optional expiration in minutes for the generated token. Defaults to
5 minutes.
ClientAddonRMS:
type: object
description: Active Directory Rights Management Service SSO configuration.
additionalProperties: true
required:
- url
properties:
url:
type: string
description: >-
URL of your Rights Management Server. It can be internal or
external, but users will have to be able to reach it.
format: url
ClientAddonMSCRM:
type: object
description: Microsoft Dynamics CRM SSO configuration.
additionalProperties: true
required:
- url
properties:
url:
type: string
description: Microsoft Dynamics CRM application URL.
format: url
ClientAddonSlack:
type: object
description: >-
Slack team or workspace name usually first segment in your Slack URL.
e.g. `https://acme-org.slack.com` would be `acme-org`.
additionalProperties: true
required:
- team
properties:
team:
type: string
description: Slack team name.
ClientAddonSentry:
type: object
description: Sentry SSO configuration.
additionalProperties: true
properties:
org_slug:
type: string
description: >-
Generated slug for your Sentry organization. Found in your Sentry
URL. e.g. `https://sentry.acme.com/acme-org/` would be `acme-org`.
base_url:
type: string
description: >-
URL prefix only if running Sentry Community Edition, otherwise leave
should be blank.
ClientAddonBox:
type: object
description: Box SSO indicator (no configuration settings needed for Box SSO).
additionalProperties: true
ClientAddonCloudBees:
type: object
description: >-
CloudBees SSO indicator (no configuration settings needed for CloudBees
SSO).
additionalProperties: true
ClientAddonConcur:
type: object
description: Concur SSO indicator (no configuration settings needed for Concur SSO).
additionalProperties: true
ClientAddonDropbox:
type: object
description: >-
Dropbox SSO indicator (no configuration settings needed for Dropbox
SSO).
additionalProperties: true
ClientAddonEchoSign:
type: object
description: Adobe EchoSign SSO configuration.
additionalProperties: true
properties:
domain:
type: string
description: >-
Your custom domain found in your EchoSign URL. e.g.
`https://acme-org.echosign.com` would be `acme-org`.
ClientAddonEgnyte:
type: object
description: Egnyte SSO configuration.
additionalProperties: true
properties:
domain:
type: string
description: >-
Your custom domain found in your Egnyte URL. e.g.
`https://acme-org.egnyte.com` would be `acme-org`.
ClientAddonFirebase:
type: object
description: Google Firebase addon configuration.
additionalProperties: true
properties:
secret:
type: string
description: Google Firebase Secret. (SDK 2 only).
private_key_id:
type: string
description: >-
Optional ID of the private key to obtain kid header in the issued
token (SDK v3+ tokens only).
private_key:
type: string
description: Private Key for signing the token (SDK v3+ tokens only).
client_email:
type: string
description: >-
ID of the Service Account you have created (shown as `client_email`
in the generated JSON file, SDK v3+ tokens only).
lifetime_in_seconds:
type: integer
description: >-
Optional expiration in seconds for the generated token. Defaults to
3600 seconds (SDK v3+ tokens only).
ClientAddonNewRelic:
type: object
description: New Relic SSO configuration.
additionalProperties: true
properties:
account:
type: string
description: >-
Your New Relic Account ID found in your New Relic URL after the
`/accounts/` path. e.g.
`https://rpm.newrelic.com/accounts/123456/query` would be `123456`.
ClientAddonOffice365:
type: object
description: Microsoft Office 365 SSO configuration.
additionalProperties: true
properties:
domain:
type: string
description: Your Office 365 domain name. e.g. `acme-org.com`.
connection:
type: string
description: >-
Optional Auth0 database connection for testing an already-configured
Office 365 tenant.
ClientAddonSalesforce:
type: object
description: Salesforce SSO configuration.
additionalProperties: true
properties:
entity_id:
type: string
description: >-
Arbitrary logical URL that identifies the Saleforce resource. e.g.
`https://acme-org.com`.
format: url
ClientAddonSalesforceAPI:
type: object
description: Salesforce API addon configuration.
additionalProperties: true
properties:
clientid:
type: string
description: Consumer Key assigned by Salesforce to the Connected App.
principal:
type: string
description: >-
Name of the property in the user object that maps to a Salesforce
username. e.g. `email`.
communityName:
type: string
description: Community name.
community_url_section:
type: string
description: Community url section.
ClientAddonSalesforceSandboxAPI:
type: object
description: Salesforce Sandbox addon configuration.
additionalProperties: true
properties:
clientid:
type: string
description: Consumer Key assigned by Salesforce to the Connected App.
principal:
type: string
description: >-
Name of the property in the user object that maps to a Salesforce
username. e.g. `email`.
communityName:
type: string
description: Community name.
community_url_section:
type: string
description: Community url section.
ClientAddonSAML:
type: object
description: >-
SAML2 addon indicator (no configuration settings needed for SAML2
addon).
additionalProperties: true
properties:
mappings:
$ref: '#/components/schemas/ClientAddonSAMLMapping'
audience:
type: string
recipient:
type: string
createUpnClaim:
type: boolean
mapUnknownClaimsAsIs:
type: boolean
passthroughClaimsWithNoMapping:
type: boolean
mapIdentities:
type: boolean
signatureAlgorithm:
type: string
digestAlgorithm:
type: string
issuer:
type: string
destination:
type: string
lifetimeInSeconds:
type: integer
signResponse:
type: boolean
nameIdentifierFormat:
type: string
nameIdentifierProbes:
type: array
items:
type: string
minLength: 1
authnContextClassRef:
type: string
ClientAddonLayer:
type: object
description: Layer addon configuration.
additionalProperties: true
required:
- providerId
- keyId
- privateKey
properties:
providerId:
type: string
description: Provider ID of your Layer account
keyId:
type: string
description: Authentication Key identifier used to sign the Layer token.
privateKey:
type: string
description: Private key for signing the Layer token.
principal:
type: string
description: >-
Name of the property used as the unique user id in Layer. If not
specified `user_id` is used.
expiration:
type: integer
description: >-
Optional expiration in minutes for the generated token. Defaults to
5 minutes.
minimum: 0
ClientAddonSAPAPI:
type: object
description: SAP API addon configuration.
additionalProperties: true
properties:
clientid:
type: string
description: >-
If activated in the OAuth 2.0 client configuration (transaction
SOAUTH2) the SAML attribute client_id must be set and equal the
client_id form parameter of the access token request.
usernameAttribute:
type: string
description: >-
Name of the property in the user object that maps to a SAP username.
e.g. `email`.
tokenEndpointUrl:
type: string
description: Your SAP OData server OAuth2 token endpoint URL.
format: url
scope:
type: string
description: Requested scope for SAP APIs.
servicePassword:
type: string
description: >-
Service account password to use to authenticate API calls to the
token endpoint.
nameIdentifierFormat:
type: string
description: >-
NameID element of the Subject which can be used to express the
user's identity. Defaults to
`urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.
ClientAddonSharePoint:
type: object
description: SharePoint SSO configuration.
additionalProperties: true
properties:
url:
type: string
description: Internal SharePoint application URL.
external_url:
$ref: '#/components/schemas/ClientAddonSharePointExternalURL'
ClientAddonSpringCM:
type: object
description: SpringCM SSO configuration.
additionalProperties: true
properties:
acsurl:
type: string
description: >-
SpringCM ACS URL, e.g.
`https://na11.springcm.com/atlas/sso/SSOEndpoint.ashx`.
ClientAddonWAMS:
type: object
description: Windows Azure Mobile Services addon configuration.
additionalProperties: true
properties:
masterkey:
type: string
description: Your master key for Windows Azure Mobile Services.
ClientAddonWSFed:
type: object
description: >-
WS-Fed (WIF) addon indicator. Actual configuration is stored in
`callback` and `client_aliases` properties on the client.
additionalProperties: true
ClientAddonZendesk:
type: object
description: Zendesk SSO configuration.
additionalProperties: true
properties:
accountName:
type: string
description: >-
Zendesk account name usually first segment in your Zendesk URL. e.g.
`https://acme-org.zendesk.com` would be `acme-org`.
ClientAddonZoom:
type: object
description: Zoom SSO configuration.
additionalProperties: true
properties:
account:
type: string
description: >-
Zoom account name usually first segment of your Zoom URL, e.g.
`https://acme-org.zoom.us` would be `acme-org`.
ClientAddonSSOIntegration:
type: object
additionalProperties: true
properties:
name:
type: string
description: SSO integration name
version:
type: string
description: SSO integration version installed
ClientAddonOAG:
type:
- object
- 'null'
description: Okta Access Gateway SSO configuration
additionalProperties: false
properties: {}
ClientMobileAndroid:
type: object
description: Android native app configuration.
additionalProperties: true
properties:
app_package_name:
type: string
description: App package name found in AndroidManifest.xml.
default: ''
sha256_cert_fingerprints:
type: array
description: >-
SHA256 fingerprints of the app's signing certificate. Multiple
fingerprints can be used to support different versions of your app,
such as debug and production builds.
minItems: 1
items:
type: string
minLength: 1
ClientMobileiOS:
type: object
description: iOS native app configuration.
additionalProperties: true
properties:
team_id:
type: string
description: >-
Identifier assigned to the Apple account that signs and uploads the
app to the store.
default: ''
app_bundle_identifier:
type: string
description: >-
Assigned by developer to the app as its unique identifier inside the
store. Usually this is a reverse domain plus the app name, e.g.
`com.you.MyApp`.
default: ''
NativeSocialLoginApplePatch:
type:
- object
- 'null'
description: Native Social Login support for the Apple connection
additionalProperties: false
minProperties: 1
properties:
enabled:
type: boolean
description: >-
Determine whether or not to allow signing in natively using an Apple
authorization code
default: false
NativeSocialLoginFacebookPatch:
type:
- object
- 'null'
description: Native Social Login support for the Facebook connection
additionalProperties: false
minProperties: 1
properties:
enabled:
type: boolean
description: Determine whether or not to allow signing in natively using Facebook
default: false
NativeSocialLoginGooglePatch:
type:
- object
- 'null'
description: Native Social Login support for the google-oauth2 connection
additionalProperties: false
minProperties: 1
properties:
enabled:
type: boolean
description: >-
Determine whether or not to allow signing in natively using a Google
ID token
default: false
FedCMLoginGooglePatch:
type:
- object
- 'null'
description: Google FedCM configuration for this client
additionalProperties: false
minProperties: 1
properties:
is_enabled:
type: boolean
description: >-
When true, shows the Google FedCM prompt on New Universal Login for
this client
default: false
RefreshTokenRotationTypeEnum:
type: string
description: 'Refresh token rotation types, one of: rotating, non-rotating'
default: non-rotating
enum:
- rotating
- non-rotating
RefreshTokenExpirationTypeEnum:
type: string
description: 'Refresh token expiration types, one of: expiring, non-expiring'
default: non-expiring
enum:
- expiring
- non-expiring
ClientRefreshTokenPolicy:
type: object
additionalProperties: false
required:
- audience
- scope
properties:
audience:
type: string
description: >-
The identifier of the resource server to which the Multi Resource
Refresh Token Policy applies
minLength: 1
maxLength: 600
scope:
type: array
description: >-
The resource server permissions granted under the Multi Resource
Refresh Token Policy, defining the context in which an access token
can be used
items:
type: string
description: >-
A resource server permission granted under the Multi Resource
Refresh Token Policy
minLength: 1
maxLength: 280
ClientDefaultOrganizationFlowsEnum:
type: string
enum:
- client_credentials
ClientAuthenticationMethodPrivateKeyJWT:
type: object
description: >-
Defines `private_key_jwt` client authentication method. If this property
is defined, the client is enabled to use the Private Key JWT
authentication method.
additionalProperties: false
required:
- credentials
properties:
credentials:
$ref: >-
#/components/schemas/ClientAuthenticationMethodPrivateKeyJWTCredentials
ClientAuthenticationMethodTLSClientAuth:
type: object
description: >-
Defines `tls_client_auth` client authentication method. If the property
is defined, the client is configured to use CA-based mTLS authentication
method.
additionalProperties: false
required:
- credentials
properties:
credentials:
$ref: >-
#/components/schemas/ClientAuthenticationMethodTLSClientAuthCredentials
ClientAuthenticationMethodSelfSignedTLSClientAuth:
type: object
description: >-
Defines `self_signed_tls_client_auth` client authentication method. If
the property is defined, the client is configured to use mTLS
authentication method utilizing self-signed certificate.
additionalProperties: false
required:
- credentials
properties:
credentials:
$ref: >-
#/components/schemas/ClientAuthenticationMethodSelfSignedTLSClientAuthCredentials
CredentialId:
type: object
additionalProperties: false
required:
- id
properties:
id:
type: string
description: Credential ID
format: credential-id
TokenVaultPrivilegedAccessIpAllowlistEntry:
type: string
oneOf:
- type: string
format: ipv4
- type: string
format: ipv6
- type: string
format: cidr
- type: string
format: ipv6_cidr
ClientTokenExchangeTypeEnum:
type: string
description: >-
Token exchange type. `on_behalf_of_token_exchange`: enables On-Behalf-Of
token exchange (Generally Available). `custom_authentication`: enables
custom token exchange profiles (Early Access, requires entitlement).
minLength: 1
enum:
- custom_authentication
- on_behalf_of_token_exchange
LinkedClientConfiguration:
type: object
description: >-
Configuration for linked clients in the OIN Express Configuration
feature.
additionalProperties: false
required:
- client_id
properties:
client_id:
type: string
description: The ID of the linked client.
format: client-id
ClientMyOrganizationConfigurationAllowedStrategiesEnum:
type: string
description: >-
The allowed connection strategy values for the My Organization
Configuration.
enum:
- pingfederate
- adfs
- waad
- google-apps
- okta
- oidc
- samlp
ClientMyOrganizationDeletionBehaviorEnum:
type: string
description: The deletion behavior for this client.
default: allow
enum:
- allow
- allow_if_empty
AsyncApprovalNotificationsChannelsEnum:
type: string
enum:
- guardian-push
- email
ClientSigningKey:
type: object
additionalProperties: true
properties:
pkcs7:
type: string
description: Signing certificate public key and chain in PKCS#7 (.P7B) format.
default: ''
cert:
type: string
description: Signing certificate public key in X.509 (.CER) format.
default: ''
subject:
type: string
description: Subject name for this certificate in the format `/CN={domain}`.
default: ''
NativeSocialLoginApple:
type: object
description: Native Social Login support for the Apple connection
additionalProperties: false
minProperties: 1
properties:
enabled:
type: boolean
description: >-
Determine whether or not to allow signing in natively using an Apple
authorization code
default: false
NativeSocialLoginFacebook:
type: object
description: Native Social Login support for the Facebook connection
additionalProperties: false
minProperties: 1
properties:
enabled:
type: boolean
description: Determine whether or not to allow signing in natively using Facebook
default: false
NativeSocialLoginGoogle:
type: object
description: Native Social Login support for the google-oauth2 connection
additionalProperties: false
minProperties: 1
properties:
enabled:
type: boolean
description: >-
Determine whether or not to allow signing in natively using a Google
ID token
default: false
FedCMLoginGoogle:
type: object
description: Google FedCM configuration for this client
additionalProperties: false
minProperties: 1
properties:
is_enabled:
type: boolean
description: >-
When true, shows the Google FedCM prompt on New Universal Login for
this client
default: false
ClientOIDCBackchannelLogoutInitiatorsModeEnum:
type: string
description: >-
The `mode` property determines the configuration method for enabling
initiators. `custom` enables only the initiators listed in the
selected_initiators array, `all` enables all current and future
initiators.
enum:
- custom
- all
ClientOIDCBackchannelLogoutInitiatorsEnum:
type: string
description: >-
The `selected_initiators` property contains the list of initiators to be
enabled for the given application.
enum:
- rp-logout
- idp-logout
- password-changed
- session-expired
- session-revoked
- account-deleted
- email-identifier-changed
- mfa-phone-unenrolled
- account-deactivated
ClientSessionTransferDelegationDeviceBindingEnum:
type: string
description: >-
Indicates the device binding enforcement for delegation (impersonation)
access. If set to 'ip', device binding is enforced by IP. If set to
'asn', device binding is enforced by ASN. Default value is `ip`.
default: ip
enum:
- ip
- asn
ClientAddonSAMLMapping:
type: object
additionalProperties: true
ClientAddonSharePointExternalURL:
description: External SharePoint application URLs if exposed to the Internet.
oneOf:
- type: array
items:
type: string
- type: string
ClientAuthenticationMethodPrivateKeyJWTCredentials:
type: array
description: >-
A list of unique and previously created credential IDs enabled on the
client for Private Key JWT authentication.
minItems: 0
items:
$ref: '#/components/schemas/CredentialId'
ClientAuthenticationMethodTLSClientAuthCredentials:
type: array
description: >-
A list of unique and previously created credential IDs enabled on the
client for CA-based mTLS authentication.
minItems: 0
items:
$ref: '#/components/schemas/CredentialId'
ClientAuthenticationMethodSelfSignedTLSClientAuthCredentials:
type: array
description: >-
A list of unique and previously created credential IDs enabled on the
client for mTLS authentication utilizing self-signed certificate.
minItems: 0
items:
$ref: '#/components/schemas/CredentialId'
securitySchemes:
bearerAuth:
type: http
scheme: bearer
bearerFormat: jwt
oAuth2ClientCredentials:
type: oauth2
flows:
clientCredentials:
tokenUrl: /oauth/token/
x-form-parameters:
audience: /api/v2/
scopes:
create:actions: Create Actions
read:actions: Read Actions
update:actions: Update Actions
delete:actions: Delete Actions
read:anomaly_blocks: Read Anomaly Blocks
delete:anomaly_blocks: Delete Anomaly Blocks
read:attack_protection: Read Attack Protection
update:attack_protection: Update Attack Protection
create:authentication_methods: Create Authentication Methods
read:authentication_methods: Read Authentication Methods
update:authentication_methods: Update Authentication Methods
delete:authentication_methods: Delete Authentication Methods
read:branding: Read Branding
update:branding: Update Branding
delete:branding: Delete Branding
create:client_credentials: Create Client Credentials
read:client_credentials: Read Client Credentials
update:client_credentials: Update Client Credentials
delete:client_credentials: Delete Client Credentials
create:client_grants: Create Client Grants
read:client_grants: Read Client Grants
update:client_grants: Update Client Grants
delete:client_grants: Delete Client Grants
read:client_keys: Read Client Keys
update:client_keys: Update Client Keys
read:client_summary: Read Client Summary
update:client_token_vault_privileged_access: Update Client Token Vault Privileged Access
create:clients: Create Clients
read:clients: Read Clients
update:clients: Update Clients
delete:clients: Delete Clients
create:connection_profiles: Create Connection Profiles
read:connection_profiles: Read Connection Profiles
update:connection_profiles: Update Connection Profiles
delete:connection_profiles: Delete Connection Profiles
create:connections: Create Connections
read:connections: Read Connections
update:connections: Update Connections
delete:connections: Delete Connections
create:connections_keys: Create Connections Keys
read:connections_keys: Read Connections Keys
update:connections_keys: Update Connections Keys
read:current_user: Read Current User
delete:current_user: Delete Current User
create:current_user_device_credentials: Create Current User Device Credentials
delete:current_user_device_credentials: Delete Current User Device Credentials
update:current_user_identities: Update Current User Identities
update:current_user_metadata: Update Current User Metadata
create:custom_domains: Create Custom Domains
read:custom_domains: Read Custom Domains
update:custom_domains: Update Custom Domains
delete:custom_domains: Delete Custom Domains
create:custom_signing_keys: Create Custom Signing Keys
read:custom_signing_keys: Read Custom Signing Keys
update:custom_signing_keys: Update Custom Signing Keys
delete:custom_signing_keys: Delete Custom Signing Keys
read:device_credentials: Read Device Credentials
delete:device_credentials: Delete Device Credentials
create:directory_provisionings: Create Directory Provisionings
read:directory_provisionings: Read Directory Provisionings
update:directory_provisionings: Update Directory Provisionings
delete:directory_provisionings: Delete Directory Provisionings
create:email_provider: Create Email Provider
read:email_provider: Read Email Provider
update:email_provider: Update Email Provider
delete:email_provider: Delete Email Provider
create:email_templates: Create Email Templates
read:email_templates: Read Email Templates
update:email_templates: Update Email Templates
create:encryption_keys: Create Encryption Keys
read:encryption_keys: Read Encryption Keys
update:encryption_keys: Update Encryption Keys
delete:encryption_keys: Delete Encryption Keys
read:event_deliveries: Read Event Deliveries
update:event_deliveries: Update Event Deliveries
create:event_streams: Create Event Streams
read:event_streams: Read Event Streams
update:event_streams: Update Event Streams
delete:event_streams: Delete Event Streams
read:events: Read Events
create:experimentation: Create Experimentation
read:experimentation: Read Experimentation
update:experimentation: Update Experimentation
delete:experimentation: Delete Experimentation
read:federated_connections_tokens: Read Federated Connections Tokens
delete:federated_connections_tokens: Delete Federated Connections Tokens
create:flows: Create Flows
read:flows: Read Flows
update:flows: Update Flows
delete:flows: Delete Flows
read:flows_executions: Read Flows Executions
delete:flows_executions: Delete Flows Executions
create:flows_vault_connections: Create Flows Vault Connections
read:flows_vault_connections: Read Flows Vault Connections
update:flows_vault_connections: Update Flows Vault Connections
delete:flows_vault_connections: Delete Flows Vault Connections
create:forms: Create Forms
read:forms: Read Forms
update:forms: Update Forms
delete:forms: Delete Forms
read:grants: Read Grants
delete:grants: Delete Grants
read:group_members: Read Group Members
create:group_roles: Create Group Roles
read:group_roles: Read Group Roles
delete:group_roles: Delete Group Roles
read:groups: Read Groups
delete:groups: Delete Groups
create:guardian_enrollment_tickets: Create Guardian Enrollment Tickets
read:guardian_enrollments: Read Guardian Enrollments
delete:guardian_enrollments: Delete Guardian Enrollments
read:guardian_factors: Read Guardian Factors
update:guardian_factors: Update Guardian Factors
create:hooks: Create Hooks
read:hooks: Read Hooks
update:hooks: Update Hooks
delete:hooks: Delete Hooks
create:log_streams: Create Log Streams
read:log_streams: Read Log Streams
update:log_streams: Update Log Streams
delete:log_streams: Delete Log Streams
read:logs: Read Logs
read:logs_users: Read Logs Users
read:mfa_policies: Read Mfa Policies
update:mfa_policies: Update Mfa Policies
create:network_acls: Create Network Acls
read:network_acls: Read Network Acls
update:network_acls: Update Network Acls
delete:network_acls: Delete Network Acls
create:organization_client_grants: Create Organization Client Grants
read:organization_client_grants: Read Organization Client Grants
delete:organization_client_grants: Delete Organization Client Grants
create:organization_connections: Create Organization Connections
read:organization_connections: Read Organization Connections
update:organization_connections: Update Organization Connections
delete:organization_connections: Delete Organization Connections
create:organization_discovery_domains: Create Organization Discovery Domains
read:organization_discovery_domains: Read Organization Discovery Domains
update:organization_discovery_domains: Update Organization Discovery Domains
delete:organization_discovery_domains: Delete Organization Discovery Domains
create:organization_group_roles: Create Organization Group Roles
read:organization_group_roles: Read Organization Group Roles
delete:organization_group_roles: Delete Organization Group Roles
read:organization_groups: Read Organization Groups
create:organization_invitations: Create Organization Invitations
read:organization_invitations: Read Organization Invitations
delete:organization_invitations: Delete Organization Invitations
read:organization_member_effective_roles: Read Organization Member Effective Roles
read:organization_member_role_source_groups: Read Organization Member Role Source Groups
create:organization_member_roles: Create Organization Member Roles
read:organization_member_roles: Read Organization Member Roles
delete:organization_member_roles: Delete Organization Member Roles
create:organization_members: Create Organization Members
read:organization_members: Read Organization Members
delete:organization_members: Delete Organization Members
create:organizations: Create Organizations
read:organizations: Read Organizations
update:organizations: Update Organizations
delete:organizations: Delete Organizations
read:organizations_summary: Read Organizations Summary
create:phone_providers: Create Phone Providers
read:phone_providers: Read Phone Providers
update:phone_providers: Update Phone Providers
delete:phone_providers: Delete Phone Providers
create:phone_templates: Create Phone Templates
read:phone_templates: Read Phone Templates
update:phone_templates: Update Phone Templates
delete:phone_templates: Delete Phone Templates
read:prompts: Read Prompts
update:prompts: Update Prompts
create:rate_limit_policies: Create Rate Limit Policies
read:rate_limit_policies: Read Rate Limit Policies
update:rate_limit_policies: Update Rate Limit Policies
delete:rate_limit_policies: Delete Rate Limit Policies
read:refresh_tokens: Read Refresh Tokens
update:refresh_tokens: Update Refresh Tokens
delete:refresh_tokens: Delete Refresh Tokens
create:resource_servers: Create Resource Servers
read:resource_servers: Read Resource Servers
update:resource_servers: Update Resource Servers
delete:resource_servers: Delete Resource Servers
create:role_members: Create Role Members
read:role_members: Read Role Members
delete:role_members: Delete Role Members
create:roles: Create Roles
read:roles: Read Roles
update:roles: Update Roles
delete:roles: Delete Roles
create:rules: Create Rules
read:rules: Read Rules
update:rules: Update Rules
delete:rules: Delete Rules
read:rules_configs: Read Rules Configs
update:rules_configs: Update Rules Configs
delete:rules_configs: Delete Rules Configs
create:scim_config: Create Scim Config
read:scim_config: Read Scim Config
update:scim_config: Update Scim Config
delete:scim_config: Delete Scim Config
create:scim_token: Create Scim Token
read:scim_token: Read Scim Token
delete:scim_token: Delete Scim Token
read:self_service_profile_custom_texts: Read Self Service Profile Custom Texts
update:self_service_profile_custom_texts: Update Self Service Profile Custom Texts
create:self_service_profiles: Create Self Service Profiles
read:self_service_profiles: Read Self Service Profiles
update:self_service_profiles: Update Self Service Profiles
delete:self_service_profiles: Delete Self Service Profiles
read:sessions: Read Sessions
update:sessions: Update Sessions
delete:sessions: Delete Sessions
create:signing_keys: Create Signing Keys
read:signing_keys: Read Signing Keys
update:signing_keys: Update Signing Keys
create:sso_access_tickets: Create Sso Access Tickets
delete:sso_access_tickets: Delete Sso Access Tickets
read:stats: Read Stats
read:tenant_settings: Read Tenant Settings
update:tenant_settings: Update Tenant Settings
create:token_exchange_profiles: Create Token Exchange Profiles
read:token_exchange_profiles: Read Token Exchange Profiles
update:token_exchange_profiles: Update Token Exchange Profiles
delete:token_exchange_profiles: Delete Token Exchange Profiles
create:user_attribute_profiles: Create User Attribute Profiles
read:user_attribute_profiles: Read User Attribute Profiles
update:user_attribute_profiles: Update User Attribute Profiles
delete:user_attribute_profiles: Delete User Attribute Profiles
read:user_effective_permissions: Read User Effective Permissions
read:user_effective_roles: Read User Effective Roles
read:user_idp_tokens: Read User Idp Tokens
read:user_permission_source_roles: Read User Permission Source Roles
read:user_role_source_groups: Read User Role Source Groups
create:user_tickets: Create User Tickets
create:users: Create Users
read:users: Read Users
update:users: Update Users
delete:users: Delete Users
update:users_app_metadata: Update Users App Metadata
create:vdcs_templates: Create Vdcs Templates
read:vdcs_templates: Read Vdcs Templates
update:vdcs_templates: Update Vdcs Templates
delete:vdcs_templates: Delete Vdcs Templates
````