Protocol Agnostic Zero Trust Identity Broker
Handles the initial step of the OAuth 2.1 authorization code flow. Enforces PKCE and tenant boundaries, and redirects the user agent to the login or consent UI.

| Parameter | Required | Type | Description |
|---|---|---|---|
| client_id | yes | string | OAuth2 Client ID |
| response_type | yes | string | Must be 'code' |
| redirect_uri | yes | string | Registered redirect URI |
| scope | no | string | Requested space-separated scopes |
| state | no | string | Opaque value used to maintain state between the request and the callback |
| code_challenge | no | string | PKCE code challenge (required if the client enforces PKCE) |
| code_challenge_method | no | string | PKCE method, e.g. 'S256' |
| prompt | no | string | Forces login or consent (e.g. 'login', 'consent', 'none') |
Allows a protected resource (e.g. an API gateway) to query the active state and metadata of a given token.

| Parameter | Required | Type | Description |
|---|---|---|---|
| token | yes | string | The token to introspect |
| client_id | no | string | OAuth2 Client ID |
| client_secret | no | string | OAuth2 Client Secret |
Terminates the user's session. Supports id_token_hint for validation and post_logout_redirect_uri for safe redirection. Also propagates logout to federated IdPs if applicable.

| Parameter | Required | Type | Description |
|---|---|---|---|
| id_token_hint | no | string | Previously issued ID Token used to validate the logout request |
| post_logout_redirect_uri | no | string | Registered URI to redirect to after successful logout |
| state | no | string | Opaque value to maintain state |
Allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed.

| Parameter | Required | Type | Description |
|---|---|---|---|
| token | yes | string | The token to revoke |
| token_type_hint | no | string | Hint about the token type (e.g. 'refresh_token' or 'access_token') |
Issues access tokens, ID tokens, and refresh tokens based on the provided grant type (e.g. authorization_code, client_credentials, refresh_token). Enforces tenant isolation.

| Parameter | Required | Type | Description |
|---|---|---|---|
| grant_type | yes | string | Grant type (e.g. 'authorization_code', 'client_credentials') |
| client_id | no | string | OAuth2 Client ID |
| client_secret | no | string | OAuth2 Client Secret (for basic/post auth) |
| code | no | string | Authorization code (if grant_type=authorization_code) |
| redirect_uri | no | string | Registered redirect URI (must match the one in the auth request) |
| code_verifier | no | string | PKCE code verifier (if PKCE was used) |
| refresh_token | no | string | Refresh token (if grant_type=refresh_token) |
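The authorization and token endpoints above fit together as one PKCE round trip: the client commits to a code_challenge at /authorize and proves possession of the matching code_verifier at /token, while the broker checks that the code, client, redirect_uri and tenant still line up. The following is an added example, not the broker project's own code; the base URL, the /oauth2/authorize and /oauth2/token paths, the client registry and the tenant passed to exchange_code are assumptions.

```python
"""PKCE-protected authorization code exchange against the broker (added example, not project code).
Assumed, not on the page: the base URL and the /oauth2/authorize and /oauth2/token paths."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BROKER = "https://broker.example.test"  # assumed base URL

# Constructed client registry in the shape of the page's client object.
CLIENTS = {
    "my-web-app": {
        "tenant_id": "default",
        "enforce_pkce": True,
        "redirect_uris": ["https://app.example.test/callback"],
    },
}

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """32 random bytes encode to 43 characters, inside the 43..128 range."""
    return b64url(secrets.token_bytes(32))

def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(client_id, redirect_uri, scope, state, verifier) -> str:
    """Client side: query string for the authorization endpoint described on the page."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{BROKER}/oauth2/authorize?{urlencode(params)}"

def handle_callback(callback_url: str, expected_state: str) -> str:
    """Client side: reject the callback unless state matches the value we sent."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not for this session")
    return q["code"][0]

def build_token_request(client_id, code, redirect_uri, verifier) -> dict:
    """Client side: form fields for the token endpoint (authorization_code grant)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,  # must match the authorize request
        "code_verifier": verifier,
    }

def issue_code(client_id, redirect_uri, code_challenge, method) -> dict:
    """Broker side at /authorize: bind the code to client, tenant, redirect_uri and challenge."""
    client = CLIENTS[client_id]
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client")
    return {
        "code": secrets.token_urlsafe(32),
        "client_id": client_id,
        "tenant_id": client["tenant_id"],
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
        "code_challenge_method": method,
    }

def verify_pkce(stored_challenge, stored_method, verifier) -> bool:
    """Broker side: OAuth 2.1 keeps only S256; compare in constant time."""
    if stored_method != "S256" or not stored_challenge:
        return False
    return secrets.compare_digest(challenge_s256(verifier), stored_challenge)

def exchange_code(record, req, tenant_id) -> tuple:
    """Broker side at /token: every binding made at /authorize must still hold."""
    client = CLIENTS.get(req.get("client_id"))
    if client is None:
        return False, "unknown client"
    if client["tenant_id"] != tenant_id or record["tenant_id"] != tenant_id:
        return False, "tenant boundary violation"
    if record["client_id"] != req["client_id"]:
        return False, "code was issued to another client"
    if req.get("redirect_uri") != record["redirect_uri"]:
        return False, "redirect_uri does not match the authorize request"
    if client["enforce_pkce"] or record["code_challenge"]:
        if not verify_pkce(record["code_challenge"], record["code_challenge_method"],
                           req.get("code_verifier", "")):
            return False, "PKCE verification failed"
    return True, "ok"
```

An authorization code must also be single-use and short-lived; that bookkeeping is left to the code store and is not shown here.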
Accepts a consent request, granting the requested scopes and audiences to the OAuth2 client.

| Parameter | Required | Type | Description |
|---|---|---|---|
| consent_challenge | yes | string | The cryptographic consent challenge ID |

Consent acceptance payload with granted scopes/audiences:

| Field | Required | Type |
|---|---|---|
| grant_audience | no | Array of strings |
| grant_scope | no | Array of strings |
| remember | no | boolean |
| remember_for | no | integer |
| session | no | object |

Request example:

```json
{
  "grant_audience": ["api.shyntr.internal"],
  "grant_scope": ["openid", "profile", "email"],
  "remember": true,
  "remember_for": 3600,
  "session": {}
}
```

Response example:

```json
{
  "property1": "string",
  "property2": "string"
}
```
Rejects a consent request (e.g. the user denied access to the scopes) and aborts the OAuth2 flow.

| Parameter | Required | Type | Description |
|---|---|---|---|
| consent_challenge | yes | string | The cryptographic consent challenge ID |

Rejection payload containing error code and description:

| Field | Required | Type |
|---|---|---|
| error | yes | string |
| error_description | no | string |

Request example:

```json
{
  "error": "access_denied",
  "error_description": "The resource owner or authorization server denied the request."
}
```

Response example:

```json
{
  "property1": "string",
  "property2": "string"
}
```
Accepts a login request and confirms the user's identity. Returns a redirection URL to continue the OAuth2 flow.

| Parameter | Required | Type | Description |
|---|---|---|---|
| login_challenge | yes | string | The cryptographic login challenge ID |

Login acceptance payload containing subject and session preferences:

| Field | Required | Type |
|---|---|---|
| context | no | object |
| remember | no | boolean |
| remember_for | no | integer |
| subject | yes | string |

Request example:

```json
{
  "context": {},
  "remember": false,
  "remember_for": 0,
  "subject": "usr_9f8b7c6d5e4a3b2c1"
}
```

Response example:

```json
{
  "property1": "string",
  "property2": "string"
}
```
Rejects a login request (e.g. due to invalid credentials or user denial) and aborts the OAuth2 flow.

| Parameter | Required | Type | Description |
|---|---|---|---|
| login_challenge | yes | string | The cryptographic login challenge ID |

Rejection payload containing error code and description:

| Field | Required | Type |
|---|---|---|
| error | yes | string |
| error_description | no | string |

Request example:

```json
{
  "error": "access_denied",
  "error_description": "The resource owner or authorization server denied the request."
}
```

Response example:

```json
{
  "property1": "string",
  "property2": "string"
}
```
Lists all OAuth2/OIDC clients across the system. Secrets are masked.

Response example:

```json
[
  {
    "access_token_lifespan": "string",
    "allowed_cors_origins": ["string"],
    "app_id": "string",
    "audience": ["string"],
    "backchannel_logout_uri": "string",
    "client_id": "string",
    "client_secret": "string",
    "created_at": "string",
    "enforce_pkce": true,
    "grant_types": ["string"],
    "id_token_encrypted_response_alg": "string",
    "id_token_encrypted_response_enc": "string",
    "id_token_lifespan": "string",
    "jwks_uri": "string",
    "name": "string",
    "post_logout_redirect_uris": ["string"],
    "public": true,
    "redirect_uris": ["string"],
    "refresh_token_lifespan": "string",
    "response_modes": ["string"],
    "response_types": ["string"],
    "scopes": ["string"],
    "skip_consent": true,
    "subject_type": "string",
    "tenant_id": "string",
    "token_endpoint_auth_method": "string",
    "updated_at": "string"
  }
]
```
Registers a new OAuth2/OIDC client under the specified tenant, enforcing OAuth 2.1 requirements.

Client Configuration:

| Field | Required | Type |
|---|---|---|
| allowed_cors_origins | no | Array of strings |
| audience | no | Array of strings |
| backchannel_logout_uri | no | string |
| client_id | no | string |
| client_secret | no | string |
| enforce_pkce | no | boolean |
| grant_types | yes | Array of strings |
| id_token_encrypted_response_alg | no | string |
| id_token_encrypted_response_enc | no | string |
| jwks | no | object |
| jwks_uri | no | string |
| name | yes | string |
| post_logout_redirect_uris | no | Array of strings |
| public | no | boolean |
| redirect_uris | yes | Array of strings |
| response_modes | no | Array of strings |
| response_types | no | Array of strings |
| scopes | no | Array of strings |
| subject_type | no | string |
| tenant_id | yes | string |
| token_endpoint_auth_method | no | string |

Request example:

```json
{
  "audience": ["api-service"],
  "client_id": "my-web-app",
  "client_secret": "super-secure-secret-key",
  "enforce_pkce": true,
  "grant_types": ["authorization_code", "refresh_token"],
  "id_token_encrypted_response_alg": "RSA-OAEP-256",
  "id_token_encrypted_response_enc": "A256GCM",
  "jwks": {},
  "name": "My Frontend Application",
  "public": false,
  "response_modes": ["query", "form_post"],
  "response_types": ["code"],
  "scopes": ["openid", "profile", "email", "offline_access"],
  "subject_type": "public",
  "tenant_id": "default",
  "token_endpoint_auth_method": "client_secret_basic"
}
```

Response example:

```json
{
  "audience": ["api-service"],
  "client_id": "my-web-app",
  "client_secret": "super-secure-secret-key",
  "enforce_pkce": true,
  "grant_types": ["authorization_code", "refresh_token"],
  "id_token_encrypted_response_alg": "RSA-OAEP-256",
  "id_token_encrypted_response_enc": "A256GCM",
  "jwks": {},
  "name": "My Frontend Application",
  "public": false,
  "response_modes": ["query", "form_post"],
  "response_types": ["code"],
  "scopes": ["openid", "profile", "email", "offline_access"],
  "subject_type": "public",
  "tenant_id": "default",
  "token_endpoint_auth_method": "client_secret_basic"
}
```
Retrieves details of a specific OAuth2/OIDC client. Secrets are masked.

| Parameter | Required | Type | Description |
|---|---|---|---|
| id | yes | string | Client ID |

Response example:

```json
{
  "access_token_lifespan": "string",
  "allowed_cors_origins": ["string"],
  "app_id": "string",
  "audience": ["string"],
  "backchannel_logout_uri": "string",
  "client_id": "string",
  "client_secret": "string",
  "created_at": "string",
  "enforce_pkce": true,
  "grant_types": ["string"],
  "id_token_encrypted_response_alg": "string",
  "id_token_encrypted_response_enc": "string",
  "id_token_lifespan": "string",
  "jwks_uri": "string",
  "name": "string",
  "post_logout_redirect_uris": ["string"],
  "public": true,
  "redirect_uris": ["string"],
  "refresh_token_lifespan": "string",
  "response_modes": ["string"],
  "response_types": ["string"],
  "scopes": ["string"],
  "skip_consent": true,
  "subject_type": "string",
  "tenant_id": "string",
  "token_endpoint_auth_method": "string",
  "updated_at": "string"
}
```
Updates an existing OAuth2/OIDC client. Pass "*****" or an empty string as client_secret to keep the existing secret.

| Parameter | Required | Type | Description |
|---|---|---|---|
| id | yes | string | Client ID |

Client Update Configuration:

| Field | Required | Type |
|---|---|---|
| allowed_cors_origins | no | Array of strings |
| audience | no | Array of strings |
| backchannel_logout_uri | no | string |
| client_id | no | string |
| client_secret | no | string |
| enforce_pkce | no | boolean |
| grant_types | yes | Array of strings |
| id_token_encrypted_response_alg | no | string |
| id_token_encrypted_response_enc | no | string |
| jwks | no | object |
| jwks_uri | no | string |
| name | yes | string |
| post_logout_redirect_uris | no | Array of strings |
| public | no | boolean |
| redirect_uris | yes | Array of strings |
| response_modes | no | Array of strings |
| response_types | no | Array of strings |
| scopes | no | Array of strings |
| subject_type | no | string |
| tenant_id | yes | string |
| token_endpoint_auth_method | no | string |

Request example:

```json
{
  "audience": ["api-service"],
  "client_id": "my-web-app",
  "client_secret": "super-secure-secret-key",
  "enforce_pkce": true,
  "grant_types": ["authorization_code", "refresh_token"],
  "id_token_encrypted_response_alg": "RSA-OAEP-256",
  "id_token_encrypted_response_enc": "A256GCM",
  "jwks": {},
  "name": "My Frontend Application",
  "public": false,
  "response_modes": ["query", "form_post"],
  "response_types": ["code"],
  "scopes": ["openid", "profile", "email", "offline_access"],
  "subject_type": "public",
  "tenant_id": "default",
  "token_endpoint_auth_method": "client_secret_basic"
}
```

Response example:

```json
{
  "property1": "string",
  "property2": "string"
}
```
Deletes an OAuth2/OIDC client from a specific tenant.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |
| id | yes | string | Client ID |

Error response example:

```json
{
  "status_code": 400,
  "user_message": "Invalid input provided"
}
```
Lists all OAuth2/OIDC clients for a specific tenant. Secrets are masked.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |

Response example:

```json
[
  {
    "access_token_lifespan": "string",
    "allowed_cors_origins": ["string"],
    "app_id": "string",
    "audience": ["string"],
    "backchannel_logout_uri": "string",
    "client_id": "string",
    "client_secret": "string",
    "created_at": "string",
    "enforce_pkce": true,
    "grant_types": ["string"],
    "id_token_encrypted_response_alg": "string",
    "id_token_encrypted_response_enc": "string",
    "id_token_lifespan": "string",
    "jwks_uri": "string",
    "name": "string",
    "post_logout_redirect_uris": ["string"],
    "public": true,
    "redirect_uris": ["string"],
    "refresh_token_lifespan": "string",
    "response_modes": ["string"],
    "response_types": ["string"],
    "scopes": ["string"],
    "skip_consent": true,
    "subject_type": "string",
    "tenant_id": "string",
    "token_endpoint_auth_method": "string",
    "updated_at": "string"
  }
]
```
Lists all federated OIDC Identity Providers.

Response example:

```json
[
  {
    "active": true,
    "attribute_mapping": {
      "property1": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"},
      "property2": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"}
    },
    "authorization_endpoint": "string",
    "client_id": "string",
    "client_secret": "string",
    "created_at": "string",
    "end_session_endpoint": "string",
    "id": "string",
    "issuer_url": "string",
    "jwks_uri": "string",
    "name": "string",
    "scopes": ["string"],
    "tenant_id": "string",
    "token_endpoint": "string",
    "updated_at": "string",
    "userinfo_endpoint": "string"
  }
]
```
Registers an external OpenID Connect Identity Provider for federated authentication.

OIDC Connection Configuration:

| Field | Required | Type |
|---|---|---|
| attribute_mapping | no | object |
| authorization_endpoint | no | string |
| client_id | yes | string |
| client_secret | no | string |
| end_session_endpoint | no | string |
| id | no | string |
| issuer_url | yes | string |
| jwks_uri | no | string |
| name | yes | string |
| scopes | yes | Array of strings |
| tenant_id | yes | string |
| token_endpoint | no | string |
| user_info_endpoint | no | string |

Request example:

```json
{
  "attribute_mapping": {},
  "client_id": "google-client-id.apps.googleusercontent.com",
  "client_secret": "YOUR_SECURE_CLIENT_SECRET",
  "id": "conn_oidc_123",
  "name": "Google Workspace SSO",
  "scopes": ["openid", "profile", "email"],
  "tenant_id": "tnt_alpha01"
}
```

Response example:

```json
{
  "attribute_mapping": {},
  "client_id": "google-client-id.apps.googleusercontent.com",
  "client_secret": "YOUR_SECURE_CLIENT_SECRET",
  "id": "conn_oidc_123",
  "name": "Google Workspace SSO",
  "scopes": ["openid", "profile", "email"],
  "tenant_id": "tnt_alpha01"
}
```
Updates an existing OIDC Identity Provider.

| Parameter | Required | Type | Description |
|---|---|---|---|
| id | yes | string | Connection ID |

OIDC Connection Update Configuration:

| Field | Required | Type |
|---|---|---|
| attribute_mapping | no | object |
| authorization_endpoint | no | string |
| client_id | yes | string |
| client_secret | no | string |
| end_session_endpoint | no | string |
| id | no | string |
| issuer_url | yes | string |
| jwks_uri | no | string |
| name | yes | string |
| scopes | yes | Array of strings |
| tenant_id | yes | string |
| token_endpoint | no | string |
| user_info_endpoint | no | string |

Request example:

```json
{
  "attribute_mapping": {},
  "client_id": "google-client-id.apps.googleusercontent.com",
  "client_secret": "YOUR_SECURE_CLIENT_SECRET",
  "id": "conn_oidc_123",
  "name": "Google Workspace SSO",
  "scopes": ["openid", "profile", "email"],
  "tenant_id": "tnt_alpha01"
}
```

Response example:

```json
{
  "property1": "string",
  "property2": "string"
}
```
Deletes a federated OIDC Identity Provider from a tenant.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |
| id | yes | string | Connection ID |

Error response example:

```json
{
  "status_code": 400,
  "user_message": "Invalid input provided"
}
```
Retrieves details of a specific OIDC Identity Provider.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |
| id | yes | string | Connection ID |

Response example:

```json
{
  "active": true,
  "attribute_mapping": {
    "property1": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"},
    "property2": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"}
  },
  "authorization_endpoint": "string",
  "client_id": "string",
  "client_secret": "string",
  "created_at": "string",
  "end_session_endpoint": "string",
  "id": "string",
  "issuer_url": "string",
  "jwks_uri": "string",
  "name": "string",
  "scopes": ["string"],
  "tenant_id": "string",
  "token_endpoint": "string",
  "updated_at": "string",
  "userinfo_endpoint": "string"
}
```
Lists all federated OIDC Identity Providers for a specific tenant.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |

Response example:

```json
[
  {
    "active": true,
    "attribute_mapping": {
      "property1": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"},
      "property2": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"}
    },
    "authorization_endpoint": "string",
    "client_id": "string",
    "client_secret": "string",
    "created_at": "string",
    "end_session_endpoint": "string",
    "id": "string",
    "issuer_url": "string",
    "jwks_uri": "string",
    "name": "string",
    "scopes": ["string"],
    "tenant_id": "string",
    "token_endpoint": "string",
    "updated_at": "string",
    "userinfo_endpoint": "string"
  }
]
```
Lists outbound policies. If tenant_id is provided, returns both tenant and global policies.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | no | string | Tenant ID |

Response example:

```json
[
  {
    "allowed_host_patterns": ["*.example.com"],
    "allowed_path_patterns": ["/api/*"],
    "allowed_ports": [443],
    "allowed_schemes": ["https"],
    "block_link_local_ips": true,
    "block_localhost_names": true,
    "block_loopback_ips": true,
    "block_multicast_ips": true,
    "block_private_ips": true,
    "created_at": "2026-01-01T12:00:00Z",
    "disable_redirects": true,
    "enabled": true,
    "id": "policy-123",
    "max_response_bytes": 2097152,
    "name": "Default Webhook Policy",
    "request_timeout_seconds": 5,
    "require_dns_resolve": true,
    "target": "webhook_delivery",
    "tenant_id": "tenant-abc",
    "updated_at": "2026-01-01T12:00:00Z"
  }
]
```
Creates a new outbound security policy for global or tenant-specific outbound HTTP controls.

Create outbound policy request:

| Field | Required | Type |
|---|---|---|
| allowed_host_patterns | no | Array of strings |
| allowed_path_patterns | no | Array of strings |
| allowed_ports | no | Array of integers |
| allowed_schemes | no | Array of strings |
| block_link_local_ips | no | boolean |
| block_localhost_names | no | boolean |
| block_loopback_ips | no | boolean |
| block_multicast_ips | no | boolean |
| block_private_ips | no | boolean |
| disable_redirects | no | boolean |
| enabled | no | boolean |
| id | no | string |
| max_response_bytes | no | integer (1024 to 10485760) |
| name | yes | string |
| request_timeout_seconds | no | integer (1 to 30) |
| require_dns_resolve | no | boolean |
| target | yes | string, one of "webhook_delivery", "jwks_fetch", "oidc_discovery" |
| tenant_id | no | string |
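The policy fields above describe a pre-flight check the broker can run before any server-initiated request (webhook delivery, JWKS fetch, OIDC discovery) leaves the box, which is what keeps an attacker-supplied webhook or jwks_uri from reaching loopback, private or cloud-metadata addresses. The following evaluator is an added example, not the broker's own code: it takes the "Default Webhook Policy" sample from this page, assumes the caller has already resolved the hostname and passes the address in (so the check runs offline), and the LOCALHOST_NAMES set is constructed.

```python
"""Evaluate an outbound HTTP request against an outbound policy object using the page's
field names (added example, not the broker's own evaluator). Assumption: DNS resolution
happens before the call and the resolved address is passed in."""
import fnmatch
import ipaddress
from urllib.parse import urlsplit

# The "Default Webhook Policy" sample from the page (timestamps omitted).
POLICY = {
    "allowed_host_patterns": ["*.example.com"],
    "allowed_path_patterns": ["/api/*"],
    "allowed_ports": [443],
    "allowed_schemes": ["https"],
    "block_link_local_ips": True,
    "block_localhost_names": True,
    "block_loopback_ips": True,
    "block_multicast_ips": True,
    "block_private_ips": True,
    "disable_redirects": True,
    "enabled": True,
    "id": "policy-123",
    "max_response_bytes": 2097152,
    "name": "Default Webhook Policy",
    "request_timeout_seconds": 5,
    "require_dns_resolve": True,
    "target": "webhook_delivery",
    "tenant_id": "tenant-abc",
}

LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}  # constructed list

def _ip_blocked(policy, ip):
    """Return a reason if the address falls in a blocked range, else None.
    Order matters: loopback and link-local addresses also count as private in the stdlib."""
    if policy["block_loopback_ips"] and ip.is_loopback:
        return f"{ip} is a loopback address"
    if policy["block_link_local_ips"] and ip.is_link_local:
        return f"{ip} is link-local (cloud metadata range)"
    if policy["block_multicast_ips"] and ip.is_multicast:
        return f"{ip} is a multicast address"
    if policy["block_private_ips"] and ip.is_private:
        return f"{ip} is a private address"
    return None

def evaluate(policy, url, resolved_ip=None):
    """Return (allowed, reason) for one outbound request before it is sent."""
    if not policy.get("enabled", True):
        return True, "policy disabled"
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in policy["allowed_schemes"]:
        return False, f"scheme {scheme!r} not allowed"
    port = u.port or {"https": 443, "http": 80}.get(scheme)
    if port not in policy["allowed_ports"]:
        return False, f"port {port} not allowed"
    host = (u.hostname or "").lower().rstrip(".")
    if policy["block_localhost_names"] and (host in LOCALHOST_NAMES or host.endswith(".localhost")):
        return False, f"localhost name {host!r} blocked"
    if not any(fnmatch.fnmatchcase(host, p) for p in policy["allowed_host_patterns"]):
        return False, f"host {host!r} matches no allowed pattern"
    path = u.path or "/"
    if not any(fnmatch.fnmatchcase(path, p) for p in policy["allowed_path_patterns"]):
        return False, f"path {path!r} matches no allowed pattern"
    # The host may itself be an IP literal; otherwise fall back to the pre-resolved address.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if resolved_ip is None:
            if policy["require_dns_resolve"]:
                return False, "host must be resolved and its address checked before sending"
            return True, "ok (address not checked)"
        ip = ipaddress.ip_address(resolved_ip)
    reason = _ip_blocked(policy, ip)
    if reason:
        return False, reason
    return True, "ok"

def client_settings(policy):
    """Fields that the HTTP client enforces rather than URL inspection."""
    return {
        "allow_redirects": not policy["disable_redirects"],
        "timeout_seconds": policy["request_timeout_seconds"],
        "max_response_bytes": policy["max_response_bytes"],
    }
```

If a policy leaves disable_redirects false, every redirect target has to go back through evaluate() before it is followed, and the connection should be pinned to the address that was checked so a second DNS lookup cannot answer differently.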
Request example:

```json
{
  "allowed_host_patterns": ["*.example.com"],
  "allowed_path_patterns": ["/api/*"],
  "allowed_ports": [443],
  "allowed_schemes": ["https"],
  "block_link_local_ips": true,
  "block_localhost_names": true,
  "block_loopback_ips": true,
  "block_multicast_ips": true,
  "block_private_ips": true,
  "disable_redirects": true,
  "enabled": true,
  "id": "policy-123",
  "max_response_bytes": 2097152,
  "name": "Default Webhook Policy",
  "request_timeout_seconds": 5,
  "require_dns_resolve": true,
  "target": "webhook_delivery",
  "tenant_id": "tenant-abc"
}
```

Response example:

```json
{
  "allowed_host_patterns": ["*.example.com"],
  "allowed_path_patterns": ["/api/*"],
  "allowed_ports": [443],
  "allowed_schemes": ["https"],
  "block_link_local_ips": true,
  "block_localhost_names": true,
  "block_loopback_ips": true,
  "block_multicast_ips": true,
  "block_private_ips": true,
  "created_at": "2026-01-01T12:00:00Z",
  "disable_redirects": true,
  "enabled": true,
  "id": "policy-123",
  "max_response_bytes": 2097152,
  "name": "Default Webhook Policy",
  "request_timeout_seconds": 5,
  "require_dns_resolve": true,
  "target": "webhook_delivery",
  "tenant_id": "tenant-abc",
  "updated_at": "2026-01-01T12:00:00Z"
}
```
Returns a single outbound policy by id.

| Parameter | Required | Type | Description |
|---|---|---|---|
| id | yes | string | Policy ID |

Response example:

```json
{
  "allowed_host_patterns": ["*.example.com"],
  "allowed_path_patterns": ["/api/*"],
  "allowed_ports": [443],
  "allowed_schemes": ["https"],
  "block_link_local_ips": true,
  "block_localhost_names": true,
  "block_loopback_ips": true,
  "block_multicast_ips": true,
  "block_private_ips": true,
  "created_at": "2026-01-01T12:00:00Z",
  "disable_redirects": true,
  "enabled": true,
  "id": "policy-123",
  "max_response_bytes": 2097152,
  "name": "Default Webhook Policy",
  "request_timeout_seconds": 5,
  "require_dns_resolve": true,
  "target": "webhook_delivery",
  "tenant_id": "tenant-abc",
  "updated_at": "2026-01-01T12:00:00Z"
}
```
Updates an existing outbound policy by id.

| Parameter | Required | Type | Description |
|---|---|---|---|
| id | yes | string | Policy ID |

Update outbound policy request:

| Field | Required | Type |
|---|---|---|
| allowed_host_patterns | no | Array of strings |
| allowed_path_patterns | no | Array of strings |
| allowed_ports | no | Array of integers |
| allowed_schemes | no | Array of strings |
| block_link_local_ips | no | boolean |
| block_localhost_names | no | boolean |
| block_loopback_ips | no | boolean |
| block_multicast_ips | no | boolean |
| block_private_ips | no | boolean |
| disable_redirects | no | boolean |
| enabled | no | boolean |
| max_response_bytes | no | integer (1024 to 10485760) |
| name | yes | string |
| request_timeout_seconds | no | integer (1 to 30) |
| require_dns_resolve | no | boolean |

Request example:

```json
{
  "allowed_host_patterns": ["api.example.com"],
  "allowed_path_patterns": ["/v1/*"],
  "allowed_ports": [443],
  "allowed_schemes": ["https"],
  "block_link_local_ips": true,
  "block_localhost_names": true,
  "block_loopback_ips": true,
  "block_multicast_ips": true,
  "block_private_ips": true,
  "disable_redirects": true,
  "enabled": true,
  "max_response_bytes": 2097152,
  "name": "Updated Policy Name",
  "request_timeout_seconds": 5,
  "require_dns_resolve": true
}
```

Response example:

```json
{
  "allowed_host_patterns": ["*.example.com"],
  "allowed_path_patterns": ["/api/*"],
  "allowed_ports": [443],
  "allowed_schemes": ["https"],
  "block_link_local_ips": true,
  "block_localhost_names": true,
  "block_loopback_ips": true,
  "block_multicast_ips": true,
  "block_private_ips": true,
  "created_at": "2026-01-01T12:00:00Z",
  "disable_redirects": true,
  "enabled": true,
  "id": "policy-123",
  "max_response_bytes": 2097152,
  "name": "Default Webhook Policy",
  "request_timeout_seconds": 5,
  "require_dns_resolve": true,
  "target": "webhook_delivery",
  "tenant_id": "tenant-abc",
  "updated_at": "2026-01-01T12:00:00Z"
}
```
Lists all SAML Service Providers globally across the hub.

Response example:

```json
[
  {
    "acs_url": "string",
    "active": true,
    "allowed_scopes": ["string"],
    "attribute_mapping": {
      "property1": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"},
      "property2": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"}
    },
    "created_at": "string",
    "encrypt_assertion": true,
    "entity_id": "string",
    "force_authn": true,
    "id": "string",
    "metadata_url": "string",
    "name": "string",
    "sign_assertion": true,
    "sign_response": true,
    "slo_url": "string",
    "tenant_id": "string",
    "updated_at": "string"
  }
]
```
Registers a legacy SAML Service Provider in the system for federation.

SAML Client Configuration:

| Field | Required | Type |
|---|---|---|
| acs_url | no | string |
| allowed_scopes | no | Array of strings |
| attribute_mapping | no | object |
| encrypt_assertion | no | boolean |
| entity_id | no | string |
| force_authn | no | boolean |
| metadata_url | no | string |
| name | no | string |
| sign_assertion | no | boolean |
| sign_response | no | boolean |
| slo_url | no | string |
| sp_certificate | no | string |
| sp_encryption_certificate | no | string |
| tenant_id | no | string |

Request example:

```json
{
  "allowed_scopes": ["email", "profile", "groups"],
  "attribute_mapping": {},
  "encrypt_assertion": false,
  "force_authn": true,
  "name": "Acme Corp Finance App",
  "sign_assertion": true,
  "sign_response": true,
  "sp_certificate": "MIID...[Base64_Cert]...==",
  "sp_encryption_certificate": "MIID...[Base64_Cert]...==",
  "tenant_id": "tnt_alpha01"
}
```

Response example:

```json
{
  "allowed_scopes": ["email", "profile", "groups"],
  "attribute_mapping": {},
  "encrypt_assertion": false,
  "force_authn": true,
  "name": "Acme Corp Finance App",
  "sign_assertion": true,
  "sign_response": true,
  "sp_certificate": "MIID...[Base64_Cert]...==",
  "sp_encryption_certificate": "MIID...[Base64_Cert]...==",
  "tenant_id": "tnt_alpha01"
}
```
Updates an existing SAML Service Provider. Automatically pulls metadata if metadata_url is provided.

| Parameter | Required | Type | Description |
|---|---|---|---|
| id | yes | string | Client ID |

SAML Client Update Configuration:

| Field | Required | Type |
|---|---|---|
| acs_url | no | string |
| allowed_scopes | no | Array of strings |
| attribute_mapping | no | object |
| encrypt_assertion | no | boolean |
| entity_id | no | string |
| force_authn | no | boolean |
| metadata_url | no | string |
| name | no | string |
| sign_assertion | no | boolean |
| sign_response | no | boolean |
| slo_url | no | string |
| sp_certificate | no | string |
| sp_encryption_certificate | no | string |
| tenant_id | no | string |

Request example:

```json
{
  "allowed_scopes": ["email", "profile", "groups"],
  "attribute_mapping": {},
  "encrypt_assertion": false,
  "force_authn": true,
  "name": "Acme Corp Finance App",
  "sign_assertion": true,
  "sign_response": true,
  "sp_certificate": "MIID...[Base64_Cert]...==",
  "sp_encryption_certificate": "MIID...[Base64_Cert]...==",
  "tenant_id": "tnt_alpha01"
}
```

Response example:

```json
{
  "property1": "string",
  "property2": "string"
}
```
Removes a SAML Service Provider from a specific tenant.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |
| id | yes | string | Client ID |

Error response example:

```json
{
  "status_code": 400,
  "user_message": "Invalid input provided"
}
```
Retrieves details of a specific SAML Service Provider.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |
| id | yes | string | Client ID |

Response example:

```json
{
  "acs_url": "string",
  "active": true,
  "allowed_scopes": ["string"],
  "attribute_mapping": {
    "property1": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"},
    "property2": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"}
  },
  "created_at": "string",
  "encrypt_assertion": true,
  "entity_id": "string",
  "force_authn": true,
  "id": "string",
  "metadata_url": "string",
  "name": "string",
  "sign_assertion": true,
  "sign_response": true,
  "slo_url": "string",
  "tenant_id": "string",
  "updated_at": "string"
}
```
Lists all SAML Service Providers for a specific tenant.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |

Response example:

```json
[
  {
    "acs_url": "string",
    "active": true,
    "allowed_scopes": ["string"],
    "attribute_mapping": {
      "property1": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"},
      "property2": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"}
    },
    "created_at": "string",
    "encrypt_assertion": true,
    "entity_id": "string",
    "force_authn": true,
    "id": "string",
    "metadata_url": "string",
    "name": "string",
    "sign_assertion": true,
    "sign_response": true,
    "slo_url": "string",
    "tenant_id": "string",
    "updated_at": "string"
  }
]
```
Lists all federated SAML Identity Providers.

Response example:

```json
[
  {
    "active": true,
    "attribute_mapping": {
      "property1": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"},
      "property2": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"}
    },
    "created_at": "string",
    "force_authn": true,
    "id": "string",
    "idp_certificate": "string",
    "idp_encryption_certificate": "string",
    "idp_entity_id": "string",
    "idp_metadata_xml": "string",
    "idp_single_sign_on": "string",
    "idp_slo_url": "string",
    "metadata_url": "string",
    "name": "string",
    "sign_request": true,
    "sp_private_key": "string",
    "tenant_id": "string",
    "updated_at": "string"
  }
]
```
Registers an external SAML Identity Provider for federated authentication.

SAML Connection Configuration:

| Field | Required | Type |
|---|---|---|
| attribute_mapping | no | object |
| force_authn | no | boolean |
| id | no | string |
| idp_certificate | no | string |
| idp_encryption_certificate | no | string |
| idp_entity_id | no | string |
| idp_metadata_xml | no | string |
| idp_single_sign_on | no | string |
| idp_slo_url | no | string |
| metadata_url | no | string |
| name | yes | string |
| sign_request | no | boolean |
| sp_private_key | no | string |
| tenant_id | yes | string |

Request example:

```json
{
  "attribute_mapping": {},
  "force_authn": false,
  "id": "conn_saml_123",
  "idp_certificate": "MIID...[Base64_Cert]...==",
  "idp_encryption_certificate": "string",
  "idp_metadata_xml": "<md:EntityDescriptor>...</md:EntityDescriptor>",
  "name": "Corporate Okta SSO",
  "sign_request": true,
  "sp_private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
  "tenant_id": "tnt_alpha01"
}
```

Response example:

```json
{
  "attribute_mapping": {},
  "force_authn": false,
  "id": "conn_saml_123",
  "idp_certificate": "MIID...[Base64_Cert]...==",
  "idp_encryption_certificate": "string",
  "idp_metadata_xml": "<md:EntityDescriptor>...</md:EntityDescriptor>",
  "name": "Corporate Okta SSO",
  "sign_request": true,
  "sp_private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
  "tenant_id": "tnt_alpha01"
}
```
Updates an existing SAML Identity Provider.

| Parameter | Required | Type | Description |
|---|---|---|---|
| id | yes | string | Connection ID |

SAML Connection Update Configuration:

| Field | Required | Type |
|---|---|---|
| attribute_mapping | no | object |
| force_authn | no | boolean |
| id | no | string |
| idp_certificate | no | string |
| idp_encryption_certificate | no | string |
| idp_entity_id | no | string |
| idp_metadata_xml | no | string |
| idp_single_sign_on | no | string |
| idp_slo_url | no | string |
| metadata_url | no | string |
| name | yes | string |
| sign_request | no | boolean |
| sp_private_key | no | string |
| tenant_id | yes | string |

Request example:

```json
{
  "attribute_mapping": {},
  "force_authn": false,
  "id": "conn_saml_123",
  "idp_certificate": "MIID...[Base64_Cert]...==",
  "idp_encryption_certificate": "string",
  "idp_metadata_xml": "<md:EntityDescriptor>...</md:EntityDescriptor>",
  "name": "Corporate Okta SSO",
  "sign_request": true,
  "sp_private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----",
  "tenant_id": "tnt_alpha01"
}
```

Response example:

```json
{
  "property1": "string",
  "property2": "string"
}
```
Deletes a federated SAML Identity Provider from a tenant.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |
| id | yes | string | Connection ID |

Error response example:

```json
{
  "status_code": 400,
  "user_message": "Invalid input provided"
}
```
Retrieves details of a specific SAML Identity Provider.

| Parameter | Required | Type | Description |
|---|---|---|---|
| tenant_id | yes | string | Tenant ID |
| id | yes | string | Connection ID |

Response example:

```json
{
  "active": true,
  "attribute_mapping": {
    "property1": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"},
    "property2": {"fallback": "string", "source": "string", "target": "string", "target_scopes": ["string"], "type": "string", "value": "string"}
  },
  "created_at": "string",
  "force_authn": true,
  "id": "string",
  "idp_certificate": "string",
  "idp_encryption_certificate": "string",
  "idp_entity_id": "string",
  "idp_metadata_xml": "string",
  "idp_single_sign_on": "string",
  "idp_slo_url": "string",
  "metadata_url": "string",
  "name": "string",
  "sign_request": true,
  "sp_private_key": "string",
  "tenant_id": "string",
  "updated_at": "string"
}
```
}Lists all federated SAML Identity Providers for a specific tenant.
| tenant_id required | string Tenant ID |
[
  {
    "active": true,
    "attribute_mapping": {
      "property1": {
        "fallback": "string",
        "source": "string",
        "target": "string",
        "target_scopes": [
          "string"
        ],
        "type": "string",
        "value": "string"
      },
      "property2": {
        "fallback": "string",
        "source": "string",
        "target": "string",
        "target_scopes": [
          "string"
        ],
        "type": "string",
        "value": "string"
      }
    },
    "created_at": "string",
    "force_authn": true,
    "id": "string",
    "idp_certificate": "string",
    "idp_encryption_certificate": "string",
    "idp_entity_id": "string",
    "idp_metadata_xml": "string",
    "idp_single_sign_on": "string",
    "idp_slo_url": "string",
    "metadata_url": "string",
    "name": "string",
    "sign_request": true,
    "sp_private_key": "string",
    "tenant_id": "string",
    "updated_at": "string"
  }
]

Lists all tenants configured within the identity hub.
[
  {
    "description": "Main production environment for Alpha Corp",
    "display_name": "Alpha Corp Production",
    "id": "tnt_alpha01",
    "name": "alpha-production"
  }
]

Creates a new isolated tenant environment with strict data boundaries.
Tenant Information
| description | string |
| display_name | string |
| id | string |
| name required | string |
{
  "description": "Main production environment for Alpha Corp",
  "display_name": "Alpha Corp Production",
  "id": "tnt_alpha01",
  "name": "alpha-production"
}

{
  "created_at": "string",
  "description": "string",
  "display_name": "string",
  "id": "string",
  "issuer_url": "string",
  "name": "string",
  "updated_at": "string"
}

Performs a cascade delete of a tenant and all its associated resources. The default tenant cannot be deleted.
| id required | string Tenant ID |
{
  "property1": "string",
  "property2": "string"
}

Retrieves a specific tenant by its ID.
| id required | string Tenant ID |
{
  "created_at": "string",
  "description": "string",
  "display_name": "string",
  "id": "string",
  "issuer_url": "string",
  "name": "string",
  "updated_at": "string"
}

Updates an existing tenant's details.
| id required | string Tenant ID |
Tenant Update Information
| description | string |
| display_name | string |
| id | string |
| name required | string |
{
  "description": "Main production environment for Alpha Corp",
  "display_name": "Alpha Corp Production",
  "id": "tnt_alpha01",
  "name": "alpha-production"
}

{
  "property1": "string",
  "property2": "string"
}

Retrieves all authorization scopes associated with a specific tenant.
| id required | string Tenant ID |
[
  {
    "active": true,
    "claims": [
      "string"
    ],
    "created_at": "string",
    "description": "string",
    "id": "string",
    "is_system": true,
    "name": "string",
    "tenant_id": "string",
    "updated_at": "string"
  }
]

Creates a new authorization scope for a specific tenant.
| id required | string Tenant ID |
Scope configuration payload
| active | boolean |
| claims | Array of strings |
| created_at | string |
| description | string |
| id | string |
| is_system | boolean |
| name | string |
| tenant_id | string |
| updated_at | string |
{
  "active": true,
  "claims": [
    "string"
  ],
  "created_at": "string",
  "description": "string",
  "id": "string",
  "is_system": true,
  "name": "string",
  "tenant_id": "string",
  "updated_at": "string"
}

{
  "active": true,
  "claims": [
    "string"
  ],
  "created_at": "string",
  "description": "string",
  "id": "string",
  "is_system": true,
  "name": "string",
  "tenant_id": "string",
  "updated_at": "string"
}

Retrieves the details of a specific authorization scope within a tenant boundary.
| id required | string Tenant ID |
| scope_id required | string Scope ID |
{
  "active": true,
  "claims": [
    "string"
  ],
  "created_at": "string",
  "description": "string",
  "id": "string",
  "is_system": true,
  "name": "string",
  "tenant_id": "string",
  "updated_at": "string"
}

Updates an existing authorization scope configuration.
| id required | string Tenant ID |
| scope_id required | string Scope ID |
Scope update payload
| active | boolean |
| claims | Array of strings |
| created_at | string |
| description | string |
| id | string |
| is_system | boolean |
| name | string |
| tenant_id | string |
| updated_at | string |
{
  "active": true,
  "claims": [
    "string"
  ],
  "created_at": "string",
  "description": "string",
  "id": "string",
  "is_system": true,
  "name": "string",
  "tenant_id": "string",
  "updated_at": "string"
}

{
  "property1": "string",
  "property2": "string"
}

Retrieves paginated audit logs for a specific tenant.
| tenant_id required | string Tenant ID for isolation boundary |
| limit | integer Default: 100 Number of records to return |
| offset | integer Default: 0 Number of records to skip |
[
  {}
]

Retrieves available identity providers and authentication methods for a given cryptographic login challenge. This discovery endpoint establishes the initial context for the user authentication journey.
| login_challenge required | string The cryptographic login challenge ID |
{}

Handles the callback from an external OIDC Identity Provider. Validates state and CSRF, exchanges the authorization code for tokens, fetches UserInfo, maps attributes, and resumes the original login flow.
| tenant_id required | string Tenant ID |
| code required | string Authorization code returned by the external IdP |
| state required | string State parameter to mitigate CSRF and restore context |
Starts the login flow with an external OIDC Identity Provider (e.g., Google, Okta) for a specific tenant and connection. Generates CSRF tokens and redirects the user.
| tenant_id required | string Tenant ID |
| connection_id required | string OIDC Connection ID |
| login_challenge required | string The active cryptographic login challenge ID |
Handles IdP-initiated or SP-initiated Single Logout requests. Clears the local session and potentially notifies other connected applications.
| tenant_id required | string Tenant ID |
| SAMLRequest | string SAML LogoutRequest (SP-initiated) |
| SAMLResponse | string SAML LogoutResponse |
| RelayState | string Relay state |
Handles IdP-initiated or SP-initiated Single Logout requests. Clears the local session and potentially notifies other connected applications.
| tenant_id required | string Tenant ID |
| SAMLRequest | string SAML LogoutRequest (SP-initiated) |
| SAMLResponse | string SAML LogoutResponse |
| RelayState | string Relay state |
Receives an AuthnRequest from a Service Provider. Challenges the user for authentication and issues a SAMLResponse containing assertions.
| tenant_id required | string Tenant ID |
| SAMLRequest | string Deflated and Base64 encoded AuthnRequest (HTTP-Redirect) |
| RelayState | string Opaque state passed back to the SP |
| login_verifier | string Internal verifier after a successful login challenge |
| SAMLRequest | string Base64 encoded AuthnRequest (HTTP-POST) |
Receives an AuthnRequest from a Service Provider. Challenges the user for authentication and issues a SAMLResponse containing assertions.
| tenant_id required | string Tenant ID |
| SAMLRequest | string Deflated and Base64 encoded AuthnRequest (HTTP-Redirect) |
| RelayState | string Opaque state passed back to the SP |
| login_verifier | string Internal verifier after a successful login challenge |
| SAMLRequest | string Base64 encoded AuthnRequest (HTTP-POST) |
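The two SAMLRequest encodings listed above, deflated-then-Base64 for HTTP-Redirect and plain Base64 for HTTP-POST, decoded on the IdP side before the user is challenged. This is an added illustration, not code from this API or its project; the 64 KiB size cap and the field names returned are assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # prefer defusedxml in production code

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_REQUEST_BYTES = 64 * 1024  # assumed cap; bounds inflate output


def decode_authn_request(saml_request: str, binding: str) -> bytes:
    """Return the raw AuthnRequest XML for 'redirect' or 'post' binding."""
    raw = base64.b64decode(saml_request, validate=True)
    if binding == "redirect":
        # HTTP-Redirect uses raw DEFLATE (no zlib header): negative wbits.
        d = zlib.decompressobj(-15)
        xml = d.decompress(raw, MAX_REQUEST_BYTES)
        if d.unconsumed_tail:  # input left over once the cap was hit
            raise ValueError("AuthnRequest exceeds size limit")
        xml += d.flush()
    elif binding == "post":
        xml = raw  # HTTP-POST carries the XML Base64-encoded only
    else:
        raise ValueError(f"unknown binding {binding!r}")
    if len(xml) > MAX_REQUEST_BYTES:
        raise ValueError("AuthnRequest exceeds size limit")
    return xml


def parse_authn_request(xml: bytes) -> dict:
    """Extract the fields an IdP needs before issuing a login challenge."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest lacks saml:Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip(),
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def encode_authn_request(xml: bytes, binding: str) -> str:
    """SP side: build the SAMLRequest parameter value for either binding."""
    if binding == "redirect":
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        return base64.b64encode(c.compress(xml) + c.flush()).decode()
    return base64.b64encode(xml).decode()
```

The Issuer extracted here is what the IdP must look up against its registered Service Providers before trusting anything else in the request.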
Starts the SAML SSO flow as a Service Provider against an external Identity Provider. Generates an AuthnRequest and redirects the user.
| tenant_id required | string Tenant ID |
| connection_id required | string SAML Connection ID (IdP Reference) |
| login_challenge required | string Active login challenge |
Receives and validates the SAMLResponse from an external Identity Provider. Prevents XML Signature Wrapping (XSW) and CSRF attacks.
| tenant_id required | string Tenant ID |
| SAMLResponse required | string Base64 encoded SAML Response |
| RelayState required | string Relay state containing the login challenge |
Handles logout requests acting as a Service Provider against an external IdP.
| tenant_id required | string Tenant ID |
| SAMLRequest | string SAML LogoutRequest |
| SAMLResponse | string SAML LogoutResponse |
| connection_id | string IdP Connection ID for SP-initiated SLO |
| RelayState | string Relay state |
{
  "property1": "string",
  "property2": "string"
}

Registers a new webhook endpoint for event dispatching. Includes strict SSRF protection to prevent internal network scanning.
Webhook configuration payload including target URL, events, and bound tenants
| events required | Array of strings |
| name required | string |
| tenant_ids required | Array of strings |
| url required | string |
{
  "events": [
    "string"
  ],
  "name": "string",
  "tenant_ids": [
    "string"
  ],
  "url": "string"
}

{
  "active": true,
  "created_at": "string",
  "events": [
    "string"
  ],
  "failure_count": 0,
  "id": "string",
  "name": "string",
  "tenant_ids": [
    "string"
  ],
  "updated_at": "string",
  "url": "string"
}