identity

POST /identity/alias

Operation ID: alias-create

Create a new alias.

Request body parameters

Parameter | Type | Required | Description
canonical_id | string | no | Entity ID to which this alias belongs
entity_id | string | no | Entity ID to which this alias belongs. Deprecated in favor of canonical_id.
id | string | no | ID of the alias
mount_accessor | string | no | Mount accessor to which this alias belongs
name | string | no | Name of the alias

Responses

200: OK

GET /identity/alias/id

Operation ID: alias-list-by-id

List all the alias IDs.

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/alias/id/{id}

Operation ID: alias-read-by-id

Read an alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the alias

Responses

200: OK

POST /identity/alias/id/{id}

Operation ID: alias-update-by-id

Update an alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the alias

Request body parameters

Parameter | Type | Required | Description
canonical_id | string | no | Entity ID to which this alias should be tied
entity_id | string | no | Entity ID to which this alias should be tied. Deprecated in favor of canonical_id.
mount_accessor | string | no | Mount accessor to which this alias belongs
name | string | no | Name of the alias

Responses

200: OK

DELETE /identity/alias/id/{id}

Operation ID: alias-delete-by-id

Delete an alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the alias

Responses

204: empty body

POST /identity/entity

Operation ID: entity-create

Create a new entity

Request body parameters

Parameter | Type | Required | Description
disabled | boolean | no | If true, tokens tied to this entity cannot be used (but are not revoked).
id | string | no | ID of the entity. If set, updates the corresponding existing entity.
metadata | object | no | Metadata to be associated with the entity. In the CLI this parameter can be repeated and the values are merged, for example: stronghold metadata=key1=value1 metadata=key2=value2
name | string | no | Name of the entity
policies | array | no | Policies to be tied to the entity.

Responses

200: OK

POST /identity/entity-alias

Operation ID: entity-create-alias

Create a new alias.

Request body parameters

Parameter | Type | Required | Description
canonical_id | string | no | Entity ID to which this alias belongs
custom_metadata | object | no | User-provided key-value pairs
entity_id | string | no | Entity ID to which this alias belongs. Deprecated; use canonical_id.
id | string | no | ID of the entity alias. If set, updates the corresponding entity alias.
mount_accessor | string | no | Mount accessor to which this alias belongs; unused when modifying an existing alias
name | string | no | Name of the alias; unused when modifying an existing alias

Responses

200: OK

GET /identity/entity-alias/id

Operation ID: entity-list-aliases-by-id

List all the alias IDs.

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/entity-alias/id/{id}

Operation ID: entity-read-alias-by-id

Read an entity alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the entity alias

Responses

200: OK

POST /identity/entity-alias/id/{id}

Operation ID: entity-update-alias-by-id

Update an entity alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the entity alias

Request body parameters

Parameter | Type | Required | Description
canonical_id | string | no | Entity ID to which this alias should be tied
custom_metadata | object | no | User-provided key-value pairs
entity_id | string | no | Entity ID to which this alias belongs. Deprecated; use canonical_id.
mount_accessor | string | no | (Unused)
name | string | no | (Unused)

Responses

200: OK

DELETE /identity/entity-alias/id/{id}

Operation ID: entity-delete-alias-by-id

Delete an entity alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the entity alias

Responses

204: empty body

POST /identity/entity/batch-delete

Operation ID: entity-batch-delete

Delete all of the entities provided

Request body parameters

Parameter | Type | Required | Description
entity_ids | array | no | Entity IDs to delete

Responses

200: OK

GET /identity/entity/id

Operation ID: entity-list-by-id

List all the entity IDs

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/entity/id/{id}

Operation ID: entity-read-by-id

Read an entity by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the entity

Responses

200: OK

POST /identity/entity/id/{id}

Operation ID: entity-update-by-id

Update an entity by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the entity

Request body parameters

Parameter | Type | Required | Description
disabled | boolean | no | If true, tokens tied to this entity cannot be used (but are not revoked).
metadata | object | no | Metadata to be associated with the entity. In the CLI this parameter can be repeated and the values are merged, for example: stronghold metadata=key1=value1 metadata=key2=value2
name | string | no | Name of the entity
policies | array | no | Policies to be tied to the entity.

Responses

200: OK

DELETE /identity/entity/id/{id}

Operation ID: entity-delete-by-id

Delete an entity by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the entity

Responses

204: empty body

POST /identity/entity/merge

Operation ID: entity-merge

Merge two or more entities together

Request body parameters

Parameter | Type | Required | Description
conflicting_alias_ids_to_keep | array | no | Alias IDs to keep when the merged entities have conflicting aliases. Ignored if no conflicting aliases are found.
force | boolean | no | Follow the 'mine' strategy for merging MFA secrets: if secrets of the same type exist both in the entities being merged from and in the entity they are merged into, the destination's secrets are left unaltered. If not set, the request fails with an error listing all the conflicts.
from_entity_ids | array | no | Entity IDs to be merged
to_entity_id | string | no | Entity ID into which all the other entities are merged

Responses

200: OK
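The merge rules above (conflicting aliases, the 'mine' strategy for MFA secrets) as an in-memory model, added here as an example; this is not Stronghold's own code. It assumes, as the upstream Vault identity store does, that an entity may hold only one alias per mount accessor, which is what makes two aliases on the same mount_accessor a conflict. The Entity and Alias classes, the MergeConflict error and the sample entities are constructed for the example. The model validates every conflict before it mutates anything, so a rejected merge leaves both entities untouched, which is the property a caller relies on when it retries with conflicting_alias_ids_to_keep.

```python
"""Added example (not Stronghold's own code): in-memory model of
POST /identity/entity/merge conflict handling.

Assumption: an entity holds at most one alias per mount accessor (as in
upstream Vault), so aliases on the same mount_accessor conflict.
"""
from dataclasses import dataclass, field


@dataclass
class Alias:
    id: str
    mount_accessor: str
    name: str


@dataclass
class Entity:
    id: str
    name: str
    policies: set = field(default_factory=set)
    aliases: list = field(default_factory=list)
    mfa_secrets: dict = field(default_factory=dict)   # method type -> secret


class MergeConflict(Exception):
    """Raised with every conflict listed, mirroring the API's all-at-once error."""


def merge_entities(store, to_entity_id, from_entity_ids,
                   conflicting_alias_ids_to_keep=(), force=False):
    target = store[to_entity_id]
    sources = [store[i] for i in from_entity_ids]
    keep = set(conflicting_alias_ids_to_keep)

    # Pass 1: resolve aliases and MFA secrets on copies, collecting conflicts.
    final_aliases = {a.mount_accessor: a for a in target.aliases}
    final_secrets = dict(target.mfa_secrets)
    errors = []
    for src in sources:
        for alias in src.aliases:
            other = final_aliases.get(alias.mount_accessor)
            if other is None or alias.id in keep:
                final_aliases[alias.mount_accessor] = alias   # no clash, or source wins
            elif other.id not in keep:
                errors.append(
                    f"alias conflict on mount accessor {alias.mount_accessor}: "
                    f"{other.id} (destination) vs {alias.id} (source); list one of "
                    f"them in conflicting_alias_ids_to_keep")
            # other.id in keep: destination alias stays, source alias is dropped
        for method_type, secret in src.mfa_secrets.items():
            if method_type not in final_secrets:
                final_secrets[method_type] = secret
            elif not force:
                errors.append(
                    f"MFA secret conflict for method type {method_type}; "
                    f"set force to keep the destination's secret")
            # force set: 'mine' strategy, destination secret left unaltered
    if errors:
        raise MergeConflict("; ".join(errors))

    # Pass 2: nothing can fail now, so commit the merge.
    target.aliases = list(final_aliases.values())
    target.mfa_secrets = final_secrets
    for src in sources:
        target.policies |= src.policies
        del store[src.id]
    return target


def demo():
    """Constructed sample data: two entities for the same person, a userpass
    alias on both sides and a TOTP secret on both sides."""
    store = {
        "e-alice": Entity("e-alice", "alice", {"dev"},
                          [Alias("a1", "auth_userpass_1", "alice")],
                          {"totp": "secret-A"}),
        "e-alice-ldap": Entity("e-alice-ldap", "alice@corp", {"ldap-users"},
                               [Alias("a2", "auth_ldap_1", "alice"),
                                Alias("a3", "auth_userpass_1", "alice-old")],
                               {"totp": "secret-B"}),
    }
    try:
        merge_entities(store, "e-alice", ["e-alice-ldap"])
        rejected = None
    except MergeConflict as exc:
        rejected = str(exc)          # both conflicts reported, store unchanged
    merged = merge_entities(store, "e-alice", ["e-alice-ldap"],
                            conflicting_alias_ids_to_keep=("a1",), force=True)
    return {"rejected": rejected, "merged": merged, "remaining": sorted(store)}
```

Running demo() first shows the request being rejected with both conflicts in one error, then the retry that keeps alias a1 and, via force, the destination's TOTP secret; the source entity disappears from the store only on the successful attempt.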

GET /identity/entity/name

Operation ID: entity-list-by-name

List all the entity names

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/entity/name/{name}

Operation ID: entity-read-by-name

Read an entity by its name.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the entity

Responses

200: OK

POST /identity/entity/name/{name}

Operation ID: entity-update-by-name

Update an entity by its name.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the entity

Request body parameters

Parameter | Type | Required | Description
disabled | boolean | no | If true, tokens tied to this entity cannot be used (but are not revoked).
id | string | no | ID of the entity. If set, updates the corresponding existing entity.
metadata | object | no | Metadata to be associated with the entity. In the CLI this parameter can be repeated and the values are merged, for example: stronghold metadata=key1=value1 metadata=key2=value2
policies | array | no | Policies to be tied to the entity.

Responses

200: OK

DELETE /identity/entity/name/{name}

Operation ID: entity-delete-by-name

Delete an entity by its name.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the entity

Responses

204: empty body

POST /identity/group

Operation ID: group-create

Create a new group.

Request body parameters

Parameter | Type | Required | Description
id | string | no | ID of the group. If set, updates the corresponding existing group.
member_entity_ids | array | no | Entity IDs to be assigned as group members.
member_group_ids | array | no | Group IDs to be assigned as group members.
metadata | object | no | Metadata to be associated with the group. In the CLI this parameter can be repeated and the values are merged, for example: stronghold metadata=key1=value1 metadata=key2=value2
name | string | no | Name of the group.
policies | array | no | Policies to be tied to the group.
type | string | no | Type of the group, 'internal' or 'external'. Defaults to 'internal'.

Responses

200: OK

POST /identity/group-alias

Operation ID: group-create-alias

Creates a new group alias, or updates an existing one.

Request body parameters

Parameter | Type | Required | Description
canonical_id | string | no | ID of the group to which this is an alias.
id | string | no | ID of the group alias.
mount_accessor | string | no | Mount accessor to which this alias belongs.
name | string | no | Alias of the group.

Responses

200: OK

GET /identity/group-alias/id

Operation ID: group-list-aliases-by-id

List all the group alias IDs.

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/group-alias/id/{id}

Operation ID: group-read-alias-by-id

Read a group alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the group alias.

Responses

200: OK

POST /identity/group-alias/id/{id}

Operation ID: group-update-alias-by-id

Update a group alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the group alias.

Request body parameters

Parameter | Type | Required | Description
canonical_id | string | no | ID of the group to which this is an alias.
mount_accessor | string | no | Mount accessor to which this alias belongs.
name | string | no | Alias of the group.

Responses

200: OK

DELETE /identity/group-alias/id/{id}

Operation ID: group-delete-alias-by-id

Delete a group alias by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the group alias.

Responses

204: empty body

GET /identity/group/id

Operation ID: group-list-by-id

List all the group IDs.

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/group/id/{id}

Operation ID: group-read-by-id

Read a group by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the group.

Responses

200: OK

POST /identity/group/id/{id}

Operation ID: group-update-by-id

Update an existing group by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the group.

Request body parameters

Parameter | Type | Required | Description
member_entity_ids | array | no | Entity IDs to be assigned as group members.
member_group_ids | array | no | Group IDs to be assigned as group members.
metadata | object | no | Metadata to be associated with the group. In the CLI this parameter can be repeated and the values are merged, for example: stronghold metadata=key1=value1 metadata=key2=value2
name | string | no | Name of the group.
policies | array | no | Policies to be tied to the group.
type | string | no | Type of the group, 'internal' or 'external'. Defaults to 'internal'.

Responses

200: OK

DELETE /identity/group/id/{id}

Operation ID: group-delete-by-id

Delete a group by its ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the group.

Responses

204: empty body

GET /identity/group/name

Operation ID: group-list-by-name

List all the group names.

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/group/name/{name}

Operation ID: group-read-by-name

Read a group by its name.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the group.

Responses

200: OK

POST /identity/group/name/{name}

Operation ID: group-update-by-name

Update a group by its name.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the group.

Request body parameters

Parameter | Type | Required | Description
id | string | no | ID of the group. If set, updates the corresponding existing group.
member_entity_ids | array | no | Entity IDs to be assigned as group members.
member_group_ids | array | no | Group IDs to be assigned as group members.
metadata | object | no | Metadata to be associated with the group. In the CLI this parameter can be repeated and the values are merged, for example: stronghold metadata=key1=value1 metadata=key2=value2
policies | array | no | Policies to be tied to the group.
type | string | no | Type of the group, 'internal' or 'external'. Defaults to 'internal'.

Responses

200: OK

DELETE /identity/group/name/{name}

Operation ID: group-delete-by-name

Delete a group by its name.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the group.

Responses

204: empty body
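How the entity and group parameters above compose into the policies a login actually receives, as an added example rather than Stronghold's own code. It assumes the upstream Vault identity semantics: a group's policies are granted to its member entities and, through member_group_ids, to the members of nested groups transitively (a group that lists another group as a member passes its policies down to that group's members), and a disabled entity receives nothing. The IdentityStore class and the sample entities and groups are constructed for the example.

```python
"""Added example (not Stronghold's own code): effective-policy resolution
over entities and (nested) groups as modelled from the parameters above.

Assumption: group policies flow to member entities and, via member_group_ids,
transitively to members of nested groups; a disabled entity gets none.
"""
from dataclasses import dataclass, field


@dataclass
class Entity:
    id: str
    name: str
    policies: set = field(default_factory=set)
    disabled: bool = False


@dataclass
class Group:
    id: str
    name: str
    policies: set = field(default_factory=set)
    member_entity_ids: set = field(default_factory=set)
    member_group_ids: set = field(default_factory=set)
    type: str = "internal"   # 'external' groups get members from a group alias


class IdentityStore:
    def __init__(self):
        self.entities = {}
        self.groups = {}

    def add(self, obj):
        table = self.entities if isinstance(obj, Entity) else self.groups
        table[obj.id] = obj
        return obj

    def direct_groups(self, entity_id):
        return [g for g in self.groups.values() if entity_id in g.member_entity_ids]

    def parent_groups(self, group_id):
        # groups that list group_id in member_group_ids, i.e. one level up
        return [g for g in self.groups.values() if group_id in g.member_group_ids]

    def groups_of_entity(self, entity_id):
        """Every group whose policies reach the entity: direct groups plus all
        ancestors reached through member_group_ids. Cycle-safe via `seen`."""
        seen = set()
        stack = [g.id for g in self.direct_groups(entity_id)]
        while stack:
            gid = stack.pop()
            if gid in seen:
                continue
            seen.add(gid)
            stack.extend(p.id for p in self.parent_groups(gid))
        return seen

    def effective_policies(self, entity_id):
        entity = self.entities[entity_id]
        if entity.disabled:
            return set()          # tokens of a disabled entity are unusable
        policies = set(entity.policies)
        for gid in self.groups_of_entity(entity_id):
            policies |= self.groups[gid].policies
        return policies


def demo():
    """Constructed sample: alice is a member of dev-team, which is a member
    group of engineering, which is a member group of all-staff."""
    s = IdentityStore()
    alice = s.add(Entity("e-alice", "alice", {"alice-personal"}))
    s.add(Entity("e-bob", "bob"))
    s.add(Group("g-dev", "dev-team", {"dev-secrets"}, {"e-alice"}))
    s.add(Group("g-eng", "engineering", {"eng-wiki"}, {"e-bob"}, {"g-dev"}))
    s.add(Group("g-all", "all-staff", {"staff-kv"}, member_group_ids={"g-eng"}))
    result = {"alice": s.effective_policies("e-alice"),
              "bob": s.effective_policies("e-bob")}
    alice.disabled = True     # what POST /identity/entity/id/{id} disabled=true does
    result["alice_disabled"] = s.effective_policies("e-alice")
    return result
```

The walk goes upward from the entity's direct groups to every group that contains them, which is why alice ends up with the all-staff policy even though all-staff never lists her entity ID. Reviewing the group tree from the top down, as most admins do, hides that; resolving per entity, as here, is how to audit what a login actually gets.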

POST /identity/lookup/entity

Operation ID: entity-look-up

Query entities based on various properties.

Request body parameters

Parameter | Type | Required | Description
alias_id | string | no | ID of the alias.
alias_mount_accessor | string | no | Accessor of the mount to which the alias belongs. Must be supplied together with alias_name.
alias_name | string | no | Name of the alias. Must be supplied together with alias_mount_accessor.
id | string | no | ID of the entity.
name | string | no | Name of the entity.

Responses

200: OK

POST /identity/lookup/group

Operation ID: group-look-up

Query groups based on various properties.

Request body parameters

Parameter | Type | Required | Description
alias_id | string | no | ID of the alias.
alias_mount_accessor | string | no | Accessor of the mount to which the alias belongs. Must be supplied together with alias_name.
alias_name | string | no | Name of the alias. Must be supplied together with alias_mount_accessor.
id | string | no | ID of the group.
name | string | no | Name of the group.

Responses

200: OK

GET /identity/mfa/login-enforcement

Operation ID: mfa-list-login-enforcements

List login enforcements

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/mfa/login-enforcement/{name}

Operation ID: mfa-read-login-enforcement

Read the current login enforcement

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name for this login enforcement configuration

Responses

200: OK

POST /identity/mfa/login-enforcement/{name}

Operation ID: mfa-write-login-enforcement

Create or update a login enforcement

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name for this login enforcement configuration

Request body parameters

Parameter | Type | Required | Description
auth_method_accessors | array | no | Array of auth mount accessor IDs
auth_method_types | array | no | Array of auth mount types
identity_entity_ids | array | no | Array of identity entity IDs
identity_group_ids | array | no | Array of identity group IDs
mfa_method_ids | array | yes | Array of method IDs that determine which methods will be enforced

Responses

200: OK

DELETE /identity/mfa/login-enforcement/{name}

Operation ID: mfa-delete-login-enforcement

Delete a login enforcement

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name for this login enforcement configuration

Responses

204: empty body

GET /identity/mfa/method

Operation ID: mfa-list-methods

List MFA method configurations for all MFA methods

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/mfa/method/duo

Operation ID: mfa-list-duo-methods

List MFA method configurations for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

POST /identity/mfa/method/duo

Operation ID: mfa-create-duo-method

Create the given MFA method

Request body parameters

Parameter | Type | Required | Description
api_hostname | string | no | API hostname for Duo.
integration_key | string | no | Integration key for Duo.
method_name | string | no | The unique name identifier for this MFA method.
push_info | string | no | Push information for Duo.
secret_key | string | no | Secret key for Duo.
use_passcode | boolean | no | If true, the user is reminded to use the passcode upon MFA validation. This option does not enforce use of the passcode. Defaults to false.
username_format | string | no | A template string for mapping identity names to MFA method names. Values to substitute are placed in {{}}, for example "{{alias.name}}@example.com". Currently supported mapping: alias.name, the name returned by the mount configured via the mount_accessor parameter. If blank, the alias's name field is used as-is.

Responses

200: OK

GET /identity/mfa/method/duo/{method_id}

Operation ID: mfa-read-duo-method-configuration

Read the current configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

200: OK

POST /identity/mfa/method/duo/{method_id}

Operation ID: mfa-configure-duo-method

Update the configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Request body parameters

Parameter | Type | Required | Description
api_hostname | string | no | API hostname for Duo.
integration_key | string | no | Integration key for Duo.
method_name | string | no | The unique name identifier for this MFA method.
push_info | string | no | Push information for Duo.
secret_key | string | no | Secret key for Duo.
use_passcode | boolean | no | If true, the user is reminded to use the passcode upon MFA validation. This option does not enforce use of the passcode. Defaults to false.
username_format | string | no | A template string for mapping identity names to MFA method names. Values to substitute are placed in {{}}, for example "{{alias.name}}@example.com". Currently supported mapping: alias.name, the name returned by the mount configured via the mount_accessor parameter. If blank, the alias's name field is used as-is.

Responses

200: OK

DELETE /identity/mfa/method/duo/{method_id}

Operation ID: mfa-delete-duo-method

Delete a configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

204: empty body

GET /identity/mfa/method/okta

Operation ID: mfa-list-okta-methods

List MFA method configurations for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

POST /identity/mfa/method/okta

Operation ID: mfa-create-okta-method

Create the given MFA method

Request body parameters

Parameter | Type | Required | Description
api_token | string | no | Okta API key.
base_url | string | no | The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.
method_name | string | no | The unique name identifier for this MFA method.
org_name | string | no | Name of the organization to be used in the Okta API.
primary_email | boolean | no | If true, the username will only match the primary email for the account. Defaults to false.
production | boolean | no | (DEPRECATED) Use base_url instead.
username_format | string | no | A template string for mapping identity names to MFA method names. Values to substitute are placed in {{}}, for example "{{entity.name}}@example.com". If blank, the entity's name field is used as-is.

Responses

200: OK

GET /identity/mfa/method/okta/{method_id}

Operation ID: mfa-read-okta-method-configuration

Read the current configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

200: OK

POST /identity/mfa/method/okta/{method_id}

Operation ID: mfa-configure-okta-method

Update the configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Request body parameters

Parameter | Type | Required | Description
api_token | string | no | Okta API key.
base_url | string | no | The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.
method_name | string | no | The unique name identifier for this MFA method.
org_name | string | no | Name of the organization to be used in the Okta API.
primary_email | boolean | no | If true, the username will only match the primary email for the account. Defaults to false.
production | boolean | no | (DEPRECATED) Use base_url instead.
username_format | string | no | A template string for mapping identity names to MFA method names. Values to substitute are placed in {{}}, for example "{{entity.name}}@example.com". If blank, the entity's name field is used as-is.

Responses

200: OK

DELETE /identity/mfa/method/okta/{method_id}

Operation ID: mfa-delete-okta-method

Delete a configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

204: empty body

GET /identity/mfa/method/pingid

Operation ID: mfa-list-ping-id-methods

List MFA method configurations for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

POST /identity/mfa/method/pingid

Operation ID: mfa-create-ping-id-method

Create the given MFA method

Request body parameters

Parameter | Type | Required | Description
method_name | string | no | The unique name identifier for this MFA method.
settings_file_base64 | string | no | The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not one for the PingID SDK or PingFederate.
username_format | string | no | A template string for mapping identity names to MFA method names. Values to substitute are placed in {{}}, for example "{{alias.name}}@example.com". Currently supported mapping: alias.name, the name returned by the mount configured via the mount_accessor parameter. If blank, the alias's name field is used as-is.

Responses

200: OK

GET /identity/mfa/method/pingid/{method_id}

Operation ID: mfa-read-ping-id-method-configuration

Read the current configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

200: OK

POST /identity/mfa/method/pingid/{method_id}

Operation ID: mfa-configure-ping-id-method

Update the configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Request body parameters

Parameter | Type | Required | Description
method_name | string | no | The unique name identifier for this MFA method.
settings_file_base64 | string | no | The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not one for the PingID SDK or PingFederate.
username_format | string | no | A template string for mapping identity names to MFA method names. Values to substitute are placed in {{}}, for example "{{alias.name}}@example.com". Currently supported mapping: alias.name, the name returned by the mount configured via the mount_accessor parameter. If blank, the alias's name field is used as-is.

Responses

200: OK

DELETE /identity/mfa/method/pingid/{method_id}

Operation ID: mfa-delete-ping-id-method

Delete a configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

204: empty body

GET /identity/mfa/method/totp

Operation ID: mfa-list-totp-methods

List MFA method configurations for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

POST /identity/mfa/method/totp

Operation ID: mfa-create-totp-method

Create the given MFA method

Request body parameters

Parameter | Type | Required | Description
algorithm | string (default: SHA1) | no | The hashing algorithm used to generate the TOTP code. Options are SHA1, SHA256 and SHA512.
digits | integer (default: 6) | no | The number of digits in the generated TOTP code. Either 6 or 8.
issuer | string | no | The name of the key's issuing organization.
key_size | integer (default: 20) | no | The size in bytes of the generated key.
max_validation_attempts | integer | no | Maximum number of allowed validation attempts.
method_name | string | no | The unique name identifier for this MFA method.
period | integer (default: 30) | no | The length of time used to generate a counter for the TOTP calculation.
qr_size | integer (default: 200) | no | The pixel size of the generated square QR code.
skew | integer (default: 1) | no | The number of delay periods allowed when validating a TOTP code. Either 0 or 1.

Responses

200: OK

POST /identity/mfa/method/totp/admin-destroy

Operation ID: mfa-admin-destroy-totp-secret

Destroys a TOTP secret for the given MFA method ID on the given entity

Request body parameters

Parameter | Type | Required | Description
entity_id | string | yes | Identifier of the entity from which the MFA method secret needs to be removed.
method_id | string | yes | The unique identifier for this MFA method.

Responses

200: OK

POST /identity/mfa/method/totp/admin-generate

Operation ID: mfa-admin-generate-totp-secret

Create or update the TOTP secret for the given method ID on the given entity.

Request body parameters

Parameter | Type | Required | Description
entity_id | string | yes | Entity ID on which the generated secret is stored.
method_id | string | yes | The unique identifier for this MFA method.

Responses

200: OK

POST /identity/mfa/method/totp/generate

Operation ID: mfa-generate-totp-secret

Create or update the TOTP secret for the given method ID on the entity associated with the calling token.

Request body parameters

Parameter | Type | Required | Description
method_id | string | yes | The unique identifier for this MFA method.

Responses

200: OK

GET /identity/mfa/method/totp/{method_id}

Operation ID: mfa-read-totp-method-configuration

Read the current configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

200: OK

POST /identity/mfa/method/totp/{method_id}

Operation ID: mfa-configure-totp-method

Update the configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Request body parameters

Parameter | Type | Required | Description
algorithm | string (default: SHA1) | no | The hashing algorithm used to generate the TOTP code. Options are SHA1, SHA256 and SHA512.
digits | integer (default: 6) | no | The number of digits in the generated TOTP code. Either 6 or 8.
issuer | string | no | The name of the key's issuing organization.
key_size | integer (default: 20) | no | The size in bytes of the generated key.
max_validation_attempts | integer | no | Maximum number of allowed validation attempts.
method_name | string | no | The unique name identifier for this MFA method.
period | integer (default: 30) | no | The length of time used to generate a counter for the TOTP calculation.
qr_size | integer (default: 200) | no | The pixel size of the generated square QR code.
skew | integer (default: 1) | no | The number of delay periods allowed when validating a TOTP code. Either 0 or 1.

Responses

200: OK
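What the TOTP method parameters above (algorithm, digits, period, skew, key_size, issuer) control, shown by implementing the RFC 6238 computation they feed. This is an added example, not Stronghold's code; it checks itself against the RFC 6238 Appendix B reference vectors (20-, 32- and 64-byte ASCII seeds), which come from that RFC and not from this page. One reading is an assumption: skew is treated here as the number of previous periods still accepted, which is how the table's "delay periods" is read; the provision() helper and its otpauth:// URI are the example's own.

```python
"""Added example (not Stronghold's own code): RFC 6238 TOTP generation and
validation parameterised the way the totp MFA method above is.

Assumption: skew counts how many *previous* periods are still accepted.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret, counter, algorithm="SHA1", digits=6):
    """RFC 4226: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, algorithm="SHA1", digits=6, period=30):
    """RFC 6238: the counter is the number of whole `period`s since the epoch."""
    return hotp(secret, unix_time // period, algorithm, digits)


def verify_totp(secret, code, unix_time, algorithm="SHA1", digits=6, period=30, skew=1):
    """Accept the code for the current period and for `skew` earlier periods
    (clock drift and the user's typing delay). Constant-time comparison."""
    if len(code) != digits or not code.isdigit():
        return False
    counter = unix_time // period
    for delay in range(skew + 1):
        expected = hotp(secret, counter - delay, algorithm, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def provision(issuer, account_name, key_size=20, algorithm="SHA1", digits=6, period=30):
    """Generate a key_size-byte seed and the otpauth:// URI that an enrolment
    QR code (qr_size pixels square) would encode. Example helper, not an API."""
    seed = secrets.token_bytes(key_size)
    b32 = base64.b32encode(seed).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account_name}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer,
                                    "algorithm": algorithm, "digits": digits,
                                    "period": period})
    return seed, f"otpauth://totp/{label}?{query}"


# RFC 6238 Appendix B seeds (constructed test data from the RFC, not from this page)
RFC_SEED_SHA1 = b"12345678901234567890"
RFC_SEED_SHA256 = b"12345678901234567890123456789012"
RFC_SEED_SHA512 = b"1234567890123456789012345678901234567890123456789012345678901234"


def reference_vectors_hold():
    """True when this implementation reproduces the RFC 6238 table at T=59."""
    return (totp(RFC_SEED_SHA1, 59, "SHA1", 8) == "94287082"
            and totp(RFC_SEED_SHA256, 59, "SHA256", 8) == "46119246"
            and totp(RFC_SEED_SHA512, 59, "SHA512", 8) == "90693936")
```

Two things the table alone does not show: a 6-digit method is simply the last six digits of the 8-digit code for the same seed and time, so digits=8 adds exactly two decimal digits of brute-force resistance; and skew=1 keeps a code valid for up to two periods, which is why max_validation_attempts matters, since the attacker's window is twice what period suggests.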

DELETE /identity/mfa/method/totp/{method_id}

Operation ID: mfa-delete-totp-method

Delete a configuration for the given MFA method

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

204: empty body

GET /identity/mfa/method/{method_id}

Operation ID: mfa-read-method-configuration

Read the current configuration for the given ID regardless of the MFA method type

Parameters

Parameter | Type | Location | Required | Description
method_id | string | path | yes | The unique identifier for this MFA method.

Responses

200: OK

GET /identity/oidc/.well-known/keys

Operation ID: oidc-read-public-keys

Retrieve public keys

Available without authentication: yes

Responses

200: OK

GET /identity/oidc/.well-known/openid-configuration

Operation ID: oidc-read-open-id-configuration

Query OIDC configurations

Available without authentication: yes

Responses

200: OK

GET /identity/oidc/assignment

Operation ID: oidc-list-assignments

List OIDC assignments

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/oidc/assignment/{name}

Operation ID: oidc-read-assignment

Read an OIDC assignment by name.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the assignment

Responses

200: OK

POST /identity/oidc/assignment/{name}

Operation ID: oidc-write-assignment

Create or update an OIDC assignment.

Creation supported: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the assignment

Request body parameters

Parameter | Type | Required | Description
entity_ids | array | no | Comma-separated string or array of identity entity IDs
group_ids | array | no | Comma-separated string or array of identity group IDs

Responses

200: OK

DELETE /identity/oidc/assignment/{name}

Operation ID: oidc-delete-assignment

Delete an OIDC assignment.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the assignment

Responses

204: empty body

GET /identity/oidc/client

Operation ID: oidc-list-clients

List OIDC clients

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/oidc/client/{name}

Operation ID: oidc-read-client

Read an OIDC client by name.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the client.

Responses

200: OK

POST /identity/oidc/client/{name}

Operation ID: oidc-write-client

Create or update an OIDC client.

Creation supported: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the client.

Request body parameters

Parameter | Type | Required | Description
access_token_ttl | integer (default: 24h) | no | The time-to-live for access tokens obtained by the client.
assignments | array | no | Comma-separated string or array of assignment resources.
client_type | string (default: confidential) | no | The client type, based on its ability to keep its credentials confidential. Supported types: 'confidential', 'public'. Defaults to 'confidential'.
id_token_ttl | integer (default: 24h) | no | The time-to-live for ID tokens obtained by the client.
key | string (default: default) | no | A reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.
redirect_uris | array | no | Comma-separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter used in each authentication request.

Responses

200: OK

DELETE /identity/oidc/client/{name}

Operation ID: oidc-delete-client

Delete an OIDC client.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the client.

Responses

204: empty body

GET /identity/oidc/config

Operation ID: oidc-read-configuration

OIDC configuration

Responses

200: OK

POST /identity/oidc/config

Operation ID: oidc-configure

OIDC configuration

Request body parameters

Parameter | Type | Required | Description
issuer | string | no | Issuer URL to be used in the iss claim of the token. If not set, app_addr will be used.

Responses

200: OK

POST /identity/oidc/introspect

Operation ID: oidc-introspect

Verify the authenticity of an OIDC token

Request body parameters

Parameter | Type | Required | Description
client_id | string | no | Optional client_id to verify
token | string | no | Token to verify

Responses

200: OK

GET /identity/oidc/key

Operation ID: oidc-list-keys

List OIDC keys

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/oidc/key/{name}

Operation ID: oidc-read-key

CRUD operations for OIDC keys.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the key

Responses

200: OK

POST /identity/oidc/key/{name}

Operation ID: oidc-write-key

CRUD operations for OIDC keys.

Creation supported: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the key

Request body parameters

Parameter | Type | Required | Description
algorithm | string (default: RS256) | no | Signing algorithm to use. This will default to RS256.
allowed_client_ids | array | no | Comma separated string or array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If “*”, all roles are allowed.
rotation_period | integer (default: 24h) | no | How often to generate a new keypair.
verification_ttl | integer (default: 24h) | no | Controls how long the public portion of a key will be available for verification after being rotated.

Responses

200: OK

DELETE /identity/oidc/key/{name}

Operation ID: oidc-delete-key

CRUD operations for OIDC keys.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the key

Responses

204: empty body

POST /identity/oidc/key/{name}/rotate

Operation ID: oidc-rotate-key

Rotate a named OIDC key.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the key

Request body parameters

Parameter | Type | Required | Description
verification_ttl | integer | no | Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.

Responses

200: OK

GET /identity/oidc/provider

Operation ID: oidc-list-providers

List OIDC providers

Parameters

Parameter | Type | Location | Required | Description
allowed_client_id | string | query | no | Filters the list of OIDC providers to those that allow the given client ID in their set of allowed_client_ids.
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/oidc/provider/{name}

Operation ID: oidc-read-provider

CRUD operations for OIDC providers.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Responses

200: OK

POST /identity/oidc/provider/{name}

Operation ID: oidc-write-provider

CRUD operations for OIDC providers.

Creation supported: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Request body parameters

Parameter | Type | Required | Description
allowed_client_ids | array | no | The client IDs that are permitted to use the provider
issuer | string | no | Specifies what will be used for the iss claim of ID tokens.
scopes_supported | array | no | The scopes supported for requesting on the provider

Responses

200: OK

DELETE /identity/oidc/provider/{name}

Operation ID: oidc-delete-provider

CRUD operations for OIDC providers.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Responses

204: empty body

GET /identity/oidc/provider/{name}/.well-known/keys

Operation ID: oidc-read-provider-public-keys

Retrieve public keys

Available without authentication: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Responses

200: OK

GET /identity/oidc/provider/{name}/.well-known/openid-configuration

Operation ID: oidc-read-provider-open-id-configuration

Query OIDC configurations

Available without authentication: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Responses

200: OK

GET /identity/oidc/provider/{name}/authorize

Operation ID: oidc-provider-authorize

Provides the OIDC Authorization Endpoint.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Responses

200: OK

POST /identity/oidc/provider/{name}/authorize

Operation ID: oidc-provider-authorize-with-parameters

Provides the OIDC Authorization Endpoint.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Request body parameters

Parameter | Type | Required | Description
client_id | string | yes | The ID of the requesting client.
code_challenge | string | no | The code challenge derived from the code verifier.
code_challenge_method | string (default: plain) | no | The method that was used to derive the code challenge. The following methods are supported: ‘S256’, ‘plain’. Defaults to ‘plain’.
max_age | integer | no | The allowable elapsed time in seconds since the last time the end-user was actively authenticated.
nonce | string | no | The value that will be returned in the ID token nonce claim after a token exchange.
redirect_uri | string | yes | The redirection URI to which the response will be sent.
response_type | string | yes | The OIDC authentication flow to be used. The following response types are supported: ‘code’.
scope | string | yes | A space-delimited, case-sensitive list of scopes to be requested. The ‘openid’ scope is required.
state | string | no | The value used to maintain state between the authentication request and client.

Responses

200: OK

POST /identity/oidc/provider/{name}/token

Operation ID: oidc-provider-token

Provides the OIDC Token Endpoint.

Available without authentication: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Request body parameters

Parameter | Type | Required | Description
client_id | string | no | The ID of the requesting client.
client_secret | string | no | The secret of the requesting client.
code | string | yes | The authorization code received from the provider’s authorization endpoint.
code_verifier | string | no | The code verifier associated with the authorization code.
grant_type | string | yes | The authorization grant type. The following grant types are supported: ‘authorization_code’.
redirect_uri | string | yes | The callback location where the authentication response was sent.

Responses

200: OK
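The authorize and token endpoints above are the two halves of one PKCE exchange: the client sends code_challenge and code_challenge_method to the authorization endpoint, then presents the original code_verifier at the token endpoint. The following is an added example, not code from the product or this reference, showing how a client derives the challenge (RFC 7636) and how the token endpoint can recompute and compare it; the provider, client and redirect values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier(nbytes: int = 32) -> str:
    """Random code_verifier: 32 random bytes as unpadded base64url (43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def derive_challenge(verifier: str, method: str = "S256") -> str:
    """code_challenge for the given code_challenge_method (‘S256’ or ‘plain’).

    S256 sends only a hash, so an observer of the authorize request cannot
    replay the verifier; the ‘plain’ default sends the verifier itself.
    """
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def authorize_params(client_id: str, redirect_uri: str, verifier: str, method: str = "S256") -> dict:
    """Parameters for GET/POST /identity/oidc/provider/{name}/authorize."""
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,       # must exactly match a registered redirect_uris entry
        "response_type": "code",            # the only supported response type
        "scope": "openid",                  # ‘openid’ is required
        "state": secrets.token_urlsafe(16),  # bind the callback to this request
        "nonce": secrets.token_urlsafe(16),  # echoed in the ID token nonce claim
        "code_challenge": derive_challenge(verifier, method),
        "code_challenge_method": method,
    }


def token_body(client_id: str, code: str, redirect_uri: str, verifier: str) -> dict:
    """Body for POST /identity/oidc/provider/{name}/token (authorization_code grant)."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri, "code_verifier": verifier}


def verifier_matches(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token-endpoint side: recompute the challenge from the presented verifier
    and compare in constant time against what was stored with the code."""
    expected = derive_challenge(presented_verifier, stored_method)
    return hmac.compare_digest(expected, stored_challenge)
```

The S256 check in the test uses the RFC 7636 Appendix B vector, so it can be run against any conforming client.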

GET /identity/oidc/provider/{name}/userinfo

Operation ID: oidc-provider-user-info

Provides the OIDC UserInfo Endpoint.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Responses

200: OK

POST /identity/oidc/provider/{name}/userinfo

Operation ID: oidc-provider-user-info2

Provides the OIDC UserInfo Endpoint.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the provider

Responses

200: OK

GET /identity/oidc/role

Operation ID: oidc-list-roles

List configured OIDC roles

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/oidc/role/{name}

Operation ID: oidc-read-role

CRUD operations on OIDC Roles

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the role

Responses

200: OK

POST /identity/oidc/role/{name}

Operation ID: oidc-write-role

CRUD operations on OIDC Roles

Creation supported: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the role

Request body parameters

Parameter | Type | Required | Description
client_id | string | no | Optional client_id
key | string | yes | The OIDC key to use for generating tokens. The specified key must already exist.
template | string | no | The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
ttl | integer (default: 24h) | no | TTL of the tokens generated against the role.

Responses

200: OK

DELETE /identity/oidc/role/{name}

Operation ID: oidc-delete-role

CRUD operations on OIDC Roles

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the role

Responses

204: empty body

GET /identity/oidc/scope

Operation ID: oidc-list-scopes

List OIDC scopes

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/oidc/scope/{name}

Operation ID: oidc-read-scope

CRUD operations for OIDC scopes.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the scope

Responses

200: OK

POST /identity/oidc/scope/{name}

Operation ID: oidc-write-scope

CRUD operations for OIDC scopes.

Creation supported: yes

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the scope

Request body parameters

Parameter | Type | Required | Description
description | string | no | The description of the scope
template | string | no | The template string to use for the scope. This may be in string-ified JSON or base64 format.

Responses

200: OK

DELETE /identity/oidc/scope/{name}

Operation ID: oidc-delete-scope

CRUD operations for OIDC scopes.

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the scope

Responses

204: empty body

GET /identity/oidc/token/{name}

Operation ID: oidc-generate-token

Generate an OIDC token

Parameters

Parameter | Type | Location | Required | Description
name | string | path | yes | Name of the role

Responses

200: OK

POST /identity/persona

Operation ID: persona-create

Create a new alias.

Request body parameters

Parameter | Type | Required | Description
entity_id | string | no | Entity ID to which this persona belongs
id | string | no | ID of the persona
metadata | object | no | Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: stronghold metadata=key1=value1 metadata=key2=value2
mount_accessor | string | no | Mount accessor to which this persona belongs
name | string | no | Name of the persona

Responses

200: OK

GET /identity/persona/id

Operation ID: persona-list-by-id

List all the alias IDs.

Parameters

Parameter | Type | Location | Required | Description
list | string (true) | query | yes | Must be set to true

Responses

200: OK

GET /identity/persona/id/{id}

Operation ID: persona-read-by-id

Update, read or delete an alias ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the persona

Responses

200: OK

POST /identity/persona/id/{id}

Operation ID: persona-update-by-id

Update, read or delete an alias ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the persona

Request body parameters

Parameter | Type | Required | Description
entity_id | string | no | Entity ID to which this persona should be tied
metadata | object | no | Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: stronghold metadata=key1=value1 metadata=key2=value2
mount_accessor | string | no | Mount accessor to which this persona belongs
name | string | no | Name of the persona

Responses

200: OK

DELETE /identity/persona/id/{id}

Operation ID: persona-delete-by-id

Update, read or delete an alias ID.

Parameters

Parameter | Type | Location | Required | Description
id | string | path | yes | ID of the persona

Responses

204: empty body