openapi: 3.0.3 info: title: Descope API description: Descope API contact: name: Descope url: https://descope.com email: support@descope.com version: 0.0.1 servers: - url: https://api.descope.com description: Descope Production - url: '{customUrl}' description: Custom server URL variables: customUrl: default: https://api.descope.com description: Your Descope API base URL paths: /oauth2/v1/apps/agentic/{project_id}/{mcp_server_id}/authorize: get: tags: [] description: Third Party application authorization GET endpoint by MCP server ID operationId: ThirdPartyApplicationAuthorizeGetByMcpServerID parameters: - name: project_id in: path required: true schema: type: string - name: mcp_server_id in: path required: true schema: type: string - name: response_type in: query schema: type: string - name: scope in: query schema: type: string - name: client_id in: query schema: type: string - name: state in: query schema: type: string - name: redirect_uri in: query schema: type: string - name: code_challenge_method in: query description: PKCE schema: type: string - name: code_challenge in: query schema: type: string - name: nonce in: query schema: type: string - name: loginHint in: query schema: type: string - name: prompt in: query schema: type: string - name: flow in: query schema: type: string - name: flow_token in: query schema: type: string - name: resource in: query description: RFC 8707 - OAuth 2.0 Resource Indicators schema: type: array items: type: string - name: tenant in: query schema: type: string - name: style in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application authorization GET endpoint by MCP server ID keywords: api, third party apps post: tags: [] description: Third Party application authorization POST endpoint by MCP server ID operationId: ThirdPartyApplicationAuthorizePOSTByMcpServerID parameters: - name: project_id in: path required: true schema: type: string - name: mcp_server_id in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/ThirdPartyApplicationAuthZEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application authorization POST endpoint by MCP server ID keywords: api, third party apps /oauth2/v1/apps/agentic/{project_id}/{mcp_server_id}/token: post: tags: [] description: Third Party application token endpoint by MCP server ID operationId: ThirdPartyApplicationTokenEndpointByMcpServerID parameters: - name: project_id in: path required: true schema: type: string - name: mcp_server_id in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/ThirdPartyApplicationTokenEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OIDCTokenEndpointResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application token endpoint by MCP server ID keywords: api, third party apps /oauth2/v1/apps/authorize: get: tags: [] description: Third Party application authorization GET endpoint operationId: ThirdPartyApplicationAuthorizeGet parameters: - name: response_type in: query schema: type: string - name: scope in: query schema: type: string - name: client_id in: query schema: type: string - name: state in: query schema: type: string - name: redirect_uri in: query schema: type: string - name: code_challenge_method in: query description: PKCE schema: type: string - name: code_challenge in: query schema: type: string - name: nonce in: query schema: type: string - name: loginHint in: query schema: type: string - name: prompt in: query schema: type: string - name: flow in: query schema: type: string - name: flow_token in: query schema: type: string - name: resource in: query description: RFC 8707 - OAuth 2.0 Resource Indicators schema: type: array items: type: string - name: project_id in: query schema: type: string - name: tenant in: query schema: type: string - name: mcp_server_id in: query schema: type: string - name: style in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] title: Get Authorization summary: Get Authorization Endpoint x-meta: title: Get Authorization Endpoint | Third Party Apps description: Third Party application authorization GET endpoint keywords: api, third party apps post: tags: [] description: Third Party application authorization POST endpoint operationId: ThirdPartyApplicationAuthorize requestBody: content: application/json: schema: $ref: '#/components/schemas/ThirdPartyApplicationAuthZEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] title: Post Authorization summary: Post Authorization Endpoint x-meta: title: Post Authorization Endpoint | Third Party Apps description: Third Party application authorization POST endpoint keywords: api, third party apps /oauth2/v1/apps/bc-authorize: post: tags: [] description: Third Party application CIBA backchannel authentication endpoint operationId: ThirdPartyApplicationCIBAEndpoint requestBody: content: application/json: schema: $ref: '#/components/schemas/CIBAAuthRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CIBAAuthResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application CIBA backchannel authentication endpoint keywords: api, third party apps /oauth2/v1/apps/device: post: tags: [] description: Third Party application device endpoint operationId: ThirdPartyApplicationDeviceEndpoint requestBody: content: application/json: schema: $ref: '#/components/schemas/OIDCDeviceEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OIDCDeviceEndpointResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application device endpoint keywords: api, third party apps /oauth2/v1/apps/finish-authorize: post: tags: [] description: Third Party application authorization finish endpoint operationId: ThirdPartyApplicationFinish requestBody: content: application/json: schema: $ref: '#/components/schemas/ThirdPartyApplicationFinishEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] title: Finish Authorization summary: Finish Authorization Endpoint x-meta: title: Finish Authorization Endpoint | Third Party Apps description: Third Party application authorization finish endpoint keywords: api, third party apps /oauth2/v1/apps/revoke: post: tags: [] description: OIDC revoke endpoint operationId: ThirdPartyApplicationRevocationEndpoint requestBody: content: application/json: schema: $ref: >- #/components/schemas/ThirdPartyApplicationRevocationEndpointRequest required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] title: OIDC revoke endpoint summary: OIDC revoke endpoint x-meta: title: OIDC revoke endpoint | Third Party Apps description: OIDC revoke endpoint keywords: api, third party apps /oauth2/v1/apps/token: post: tags: [] description: Third Party application token endpoint operationId: ThirdPartyApplicationTokenEndpoint requestBody: content: application/json: schema: $ref: '#/components/schemas/ThirdPartyApplicationTokenEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OIDCTokenEndpointResponse' x-publishYaml: thirdPartyApps security: [] title: Third Party application token endpoint summary: Third Party application token endpoint x-meta: title: Third Party application token endpoint | Third Party Apps description: Third Party application token endpoint keywords: api, third party apps /oauth2/v1/apps/userinfo: get: tags: [] description: Third Party application Get UserInfo endpoint operationId: ThirdPartyApplicationUserInfoEndpointGet parameters: - name: project_id in: query description: Can be empty as data arrived on the Authorization header token schema: type: string responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/ThirdPartyApplicationUserInfoEndpointResponse x-publishYaml: thirdPartyApps security: [] title: Get UserInfo summary: Third Party application Get UserInfo endpoint x-meta: title: Third Party application Get UserInfo endpoint | Third Party Apps description: Third Party application Get UserInfo endpoint keywords: api, third party apps post: tags: [] description: Third Party application Post UserInfo endpoint operationId: ThirdPartyApplicationUserInfoEndpointPost requestBody: content: application/json: schema: $ref: >- #/components/schemas/ThirdPartyApplicationUserInfoEndpointRequest required: true responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/ThirdPartyApplicationUserInfoEndpointResponse x-publishYaml: thirdPartyApps security: [] title: Post UserInfo summary: Third Party application Post UserInfo endpoint x-meta: title: Third Party application Post UserInfo endpoint | Third Party Apps description: Third Party application Post UserInfo endpoint keywords: api, third party apps /oauth2/v1/apps/{project_id}/authorize: get: tags: [] description: Third Party application authorization GET endpoint operationId: ThirdPartyApplicationAuthorizeGetByProjectID parameters: - name: project_id in: path required: true schema: type: string - name: response_type in: query schema: type: string - name: scope in: query schema: type: string - name: client_id in: query schema: type: string - name: state in: query schema: type: string - name: redirect_uri in: query schema: type: string - name: code_challenge_method in: query description: PKCE schema: type: string - name: code_challenge in: query schema: type: string - name: nonce in: query schema: type: string - name: loginHint in: query schema: type: string - name: prompt in: query schema: type: string - name: flow in: query schema: type: string - name: flow_token in: query schema: type: string - name: resource in: query description: RFC 8707 - OAuth 2.0 Resource Indicators schema: type: array items: type: string - name: tenant in: query schema: type: string - name: mcp_server_id in: query schema: type: string - name: style in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application authorization GET endpoint keywords: api, third party apps post: tags: [] description: Third Party application authorization POST endpoint operationId: ThirdPartyApplicationAuthorizePostByProjectID parameters: - name: project_id in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/ThirdPartyApplicationAuthZEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application authorization POST endpoint keywords: api, third party apps /oauth2/v1/apps/{project_id}/bc-authorize: post: tags: [] description: Third Party application CIBA backchannel authentication endpoint operationId: ThirdPartyApplicationCIBAEndpoint parameters: - name: project_id in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/CIBAAuthRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CIBAAuthResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application CIBA backchannel authentication endpoint keywords: api, third party apps /oauth2/v1/apps/{project_id}/device: post: tags: [] description: Third Party application device endpoint operationId: ThirdPartyApplicationDeviceEndpoint parameters: - name: project_id in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/OIDCDeviceEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OIDCDeviceEndpointResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application device endpoint keywords: api, third party apps /oauth2/v1/apps/{project_id}/revoke: post: tags: [] description: Third Party application revoke endpoint by project ID operationId: ThirdPartyApplicationRevocationEndpointByProjectID parameters: - name: project_id in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: >- #/components/schemas/ThirdPartyApplicationRevocationEndpointRequest required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OperationResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application revoke endpoint by project ID keywords: api, third party apps /oauth2/v1/apps/{project_id}/token: post: tags: [] description: Third Party application token endpoint by project ID operationId: ThirdPartyApplicationTokenEndpointByProjectID parameters: - name: project_id in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/ThirdPartyApplicationTokenEndpointRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OIDCTokenEndpointResponse' x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application token endpoint by project ID keywords: api, third party apps /oauth2/v1/apps/{project_id}/userinfo: get: tags: [] description: Third Party application Get UserInfo endpoint by project ID operationId: ThirdPartyApplicationUserInfoEndpointGetByProjectID parameters: - name: project_id in: path description: Can be empty as data arrived on the Authorization header token required: true schema: type: string responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/ThirdPartyApplicationUserInfoEndpointResponse x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application Get UserInfo endpoint by project ID keywords: api, third party apps post: tags: [] description: Third Party application POST UserInfo endpoint by project ID operationId: ThirdPartyApplicationUserInfoEndpointPostByProjectID parameters: - name: project_id in: path description: Can be empty as data arrived on the Authorization header token required: true schema: type: string requestBody: content: application/json: schema: $ref: >- #/components/schemas/ThirdPartyApplicationUserInfoEndpointRequest required: true responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/ThirdPartyApplicationUserInfoEndpointResponse x-publishYaml: thirdPartyApps security: [] x-meta: title: undefined | Third Party Apps description: Third Party application POST UserInfo endpoint by project ID keywords: api, third party apps /v1/auth/accesskey/exchange: post: tags: [] summary: Exchange Key description: >- ### Exchange API key for access token This API Endpoint will take an API key for the project and provide an access token to be used for accessing the application. The session token JWT token will be valid for the configured [Session Token Timeout](/project-settings#session-token-timeout), and its expiration time will be provided in the `expiration` field of the response object. operationId: ExchangeAccessKey requestBody: content: application/json: schema: $ref: '#/components/schemas/ExchangeAccessKeyRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ExchangeAccessKeyResponse' security: - Descope Project ID:Access Key: [] x-order: 3 x-publishYaml: AccessKeys x-meta: title: Exchange Key | Access Keys description: Exchange API key for access token keywords: api, access keys /v1/auth/enchantedlink/signup/email: post: tags: - '' summary: Sign-Up description: >- ### Sign-up new end user by sending an enchanted link via email Initiate a sign-up process by sending an enchanted link to a new end user. Descope will generate and deliver 3 clickable links to the email address specified, each is numbered with random 2 digit number. When you initiate the enchanted link, the `linkId` will be returned. This `linkId` needs to be displayed to the user to indicate which link for the user to click once they receive the email. Only when the correct link is clicked will the user be successfully verified and logged in. Each clickable link is made up of two parts - the URI you provide in the `URI` field and the enchanted link token generated by Descope. For example, if `URI=https://app.mycompany.com/enchantedlink/verify`, the clickable enchanted link will be `https://app.mycompany.com/enchantedlink/verify?t=enchanted-link-token.` Enchanted links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/enchantedlink), so sending multiple enchanted links (for example, when an end user tries to sign-up a second or third time) does not invalidate links that have already been sent. The return body will include `linkId` and `pendigRef`. The `linkId` (a 2 digit number) should be presented to the user, so they will know which link to click in the delivered email. The endpoint will return a failure code if the email address is already registered. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps 1. Verify the enchanted link token using the [Verify Token](/api/enchanted-link/verify-token) endpoint. 2. Poll for the successful completion of the token verification using the [Poll Session](/api/enchanted-link/poll-session) endpoint, providing the `pendingRef` returned by the this endpoint. ### See Also - See [Enchanted link Authentication](/api/enchantedlink/) for details about implementing enchanted links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - Use the [Sign-In](/api/enchanted-link/sign-in) endpoint to sign-in an existing end user. - Use the [Sign-In with Auto Sign-up](/api/enchanted-link/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignUpEnchantedLink requestBody: content: application/json: schema: $ref: '#/components/schemas/EnchantedLinkSignUpEmailRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EnchantedLinkResponse' security: - Descope Project ID: [] x-publishYaml: EnchantedLink x-order: 1 x-meta: title: Sign-Up | Enchanted Link description: Sign-up new end user by sending an enchanted link via email keywords: api, enchanted link /v1/auth/enchantedlink/signin/email: post: tags: - '' summary: Sign-In description: >- ### Sign-in existing user by sending an enchanted link via email Initiate a sign-in process by sending an enchanted link to a new end user. Descope will generate and deliver 3 clickable links to the email address specified, each is numbered with random 2 digit number. When you initiate the enchanted link, the `linkId` will be returned. This `linkId` needs to be displayed to the user to indicate which link for the user to click once they receive the email. Only when the correct link is clicked will the user be successfully verified and logged in. Each clickable link is made up of two parts - the URI you provide in the `URI` field and the enchanted link token generated by Descope. For example, if `URI=https://app.mycompany.com/enchantedlink/verify`, the clickable enchanted link will be `https://app.mycompany.com/enchantedlink/verify?t=enchanted-link-token.` Enchanted links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/enchantedlink), so sending multiple enchanted links (for example, when an end user tries to sign-up a second or third time) does not invalidate links that have already been sent. The return body will include `linkId` and `pendigRef`. The `linkId` (a 2 digit number) should be presented to the user, so they will know which link to click in the delivered email. The endpoint will return a failure code if the email address is already registered. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps 1. Verify the enchanted link token using the [Verify Token](/api/enchanted-link/verify-token) endpoint. 2. Poll for the successful completion of the token verification using the [Poll Session](/api/enchanted-link/poll-session) endpoint, providing the `pendingRef` returned by the this endpoint. ### See Also - See [Enchanted link Authentication](/api/enchantedlink/) for details about implementing enchanted links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/enchanted-link/sign-up) endpoint to sign-up a new end user. - Use the [Sign-In with Auto Sign-up](/api/enchanted-link/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignInEnchantedLinkEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/EnchantedLinkSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EnchantedLinkResponse' security: - Descope Project ID: [] x-publishYaml: EnchantedLink x-order: 2 x-meta: title: Sign-In | Enchanted Link Email description: Sign-in existing user by sending an enchanted link via email Email keywords: api, enchanted link, email /v1/auth/enchantedlink/signup-in/email: post: tags: - '' summary: Sign-In with Auto Sign-Up description: >- ### Sign-in end user (with automatic sign-up) by sending an enchanted link via email Initiate a process that implements both sign-in and sign-up using a single endpoint. If the email address is already registered (the end user has already registered) the user will be signed in. If the email address is not registered (the end user is not yet registered) the user will be signed up. Descope will generate and deliver 3 clickable links to the email address specified, each is numbered with random 2 digit number. When you initiate the enchanted link, the `linkId` will be returned. This `linkId` needs to be displayed to the user to indicate which link for the user to click once they receive the email. Only when the correct link is clicked will the user be successfully verified and logged in. Each clickable link is made up of two parts - the URI you provide in the `URI` field and the enchanted link token generated by Descope. For example, if `URI=https://app.mycompany.com/enchantedlink/verify`, the clickable enchanted link will be `https://app.mycompany.com/enchantedlink/verify?t=enchanted-link-token.` Enchanted links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/enchantedlink), so sending multiple enchanted links (for example, when an end user tries to sign-up a second or third time) does not invalidate links that have already been sent. The return body will include `linkId` and `pendigRef`. The `linkId` (a 2 digit number) should be presented to the user, so they will know which link to click in the delivered email. The endpoint will return a failure code if the email address is already registered. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps 1. Verify the enchanted link token using the [Verify Token](/api/enchanted-link/verify-token) endpoint. 2. Poll for the successful completion of the token verification using the [Poll Session](/api/enchanted-link/poll-session) endpoint, providing the `pendingRef` returned by the this endpoint. ### See Also - See [Enchanted link Authentication](/api/enchantedlink/) for details about implementing enchanted links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/enchanted-link/sign-up) endpoint to sign-up a new end user. - Use the [Sign-In with Auto Sign-up](/api/enchanted-link/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignUpOrInEnchantedLinkEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/EnchantedLinkSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EnchantedLinkResponse' security: - Descope Project ID: [] x-publishYaml: EnchantedLink x-order: 3 x-meta: title: Sign-In with Auto Sign-Up | Enchanted Link Email description: >- Sign-in end user (with automatic sign-up) by sending an enchanted link via email Email keywords: api, enchanted link, email /v1/auth/enchantedlink/verify: post: tags: - '' summary: Verify Token description: >- ### Verify Enchanted Link token from user Verify that the enchanted link token in the URL clicked by the end user matches and has not expired. This endpoint completes the enchanted link flow for: * sign up * [Sign-Up via email](/api/enchanted-link/sign-up) * sign-in * [Sign-In via email](/api/enchanted-link/sign-in) * sign-in with auto sign-up * [Sign-In with Auto Sign-up via email](/api/enchanted-link/sign-in-auto-sign-up) * Update data * [update email](/api/enchanted-link/update-email) ### Next Steps Poll for the successful completion of the token verification using the [Poll Session](/api/enchanted-link/poll-session) endpoint, providing the `pendingRef` returned by the this endpoint. The response object will be empty when this endpoint completes successfully. The session information will be returned by the the [Poll Session](/api/enchanted-link/poll-session) endpoint. ### See Also - See [Enchanted link Authentication](/api/enchantedlink/) for details about implementing enchanted links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: VerifyEnchantedLink requestBody: content: application/json: schema: $ref: '#/components/schemas/VerifyEnchantedLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/VerifyEnchantedLinkResponse' security: - Descope Project ID: [] x-publishYaml: EnchantedLink x-order: 4 x-meta: title: Verify Token | Enchanted Link description: Verify Enchanted Link token from user keywords: api, enchanted link /v1/auth/enchantedlink/pending-session: post: tags: - '' summary: Poll Session description: >- ### Poll user session for successful completion of token verification This endpoint is used to wait for the enchanted link verification by the end user. Use this endpoint in a poling way, until it returns a successful JWT, or timeout error. The response object includes the session JWT `sessionJwt` and refresh JWT `refreshJwt` when this endpoint completes successfully. ### See Also - See [Enchanted link Authentication](/api/enchantedlink/) for details about implementing enchanted links. operationId: GetEnchantedLinkSession requestBody: content: application/json: schema: $ref: '#/components/schemas/GetEnchantedLinkSessionRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: EnchantedLink x-order: 5 x-meta: title: Poll Session | Enchanted Link description: Poll user session for successful completion of token verification keywords: api, enchanted link /v1/auth/enchantedlink/update/email: post: tags: - '' summary: Update Email description: >- ### Update email of end user by sending enchanted link via email Update the email address of an existing end user by sending an enchanted link to the new email address. Descope will generate and deliver 3 clickable links to the email address specified, each is numbered with random 2 digit number. Only the right link (based on the number returned will be successfully verified when clicked) Each clickable link is made up of two parts - the URI you provide in the `URI` field and the enchanted link token generated by Descope. For example, if `URI=https://app.mycompany.com/enchantedlink/verify`, the clickable enchanted link will be `https://app.mycompany.com/enchantedlink/verify?t=enchanted-link-token.` Enchanted links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/enchantedlink), so sending multiple enchanted links (for example, when an end user tries to sign-up a second or third time) does not invalidate links that have already been sent. The bearer token requires both the ProjectId and refresh JWT in the format `:`, and can therefore only be run for end users who are currently signed-in. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. Once the token is successfully verified - the email address will be updated. Descope allows you to associating multiple login IDs for a user during API update calls. For details on how this feature works, please review the details [here](/manage/users#associating-multiple-login-ids-for-a-user). ### Next Steps 1. Verify the enchanted link token using the [Verify Token](/api/enchanted-link/verify-token) endpoint. 2. Poll for the successful completion of the token verification using the [Poll Session](/api/enchanted-link/poll-session) endpoint, providing the `pendingRef` returned by the this endpoint. ### See Also - See [Enchanted link Authentication](/api/enchantedlink/) for details about implementing enchanted links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: UpdateUserEmailEnchantedLink requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserEmailEnchantedLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EnchantedLinkResponse' security: - Descope Project ID:Refresh JWT: [] x-publishYaml: EnchantedLink x-order: 5 x-meta: title: Update Email | Enchanted Link Email description: Update email of end user by sending enchanted link via email Email keywords: api, enchanted link, email /v1/auth/refresh: post: tags: [] summary: Refresh Session description: >- ### Refresh the session token, using a valid fresh token This API endpoint will provide a new valid session token for an existing signed-in user, by validating the provided refresh token. The refresh token is provided as part of the HTTP Authorization Bearer. operationId: RefreshSession requestBody: content: application/json: schema: $ref: '#/components/schemas/RefreshSessionRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID:Refresh JWT: [] x-order: 2 x-publishYaml: session x-meta: title: Refresh Session | Session description: Refresh the session token, using a valid fresh token keywords: api, session /v1/auth/me: get: tags: [] summary: My Details description: >- ### Get current signed-in user details This API Endpoint will return the current user's details. This endpoint requires the user to be signed in and have a valid `refreshJwt`. The `refreshJwt` is then used as part of the Authorization Bearer to perform this task. operationId: Me responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResponseUser' security: - Descope Project ID:Refresh JWT: [] x-order: 3 x-publishYaml: session x-meta: title: My Details | Session description: Get current signed-in user details keywords: api, session /v1/auth/me/history: get: tags: [] summary: Get Session History description: >- ### Get user's session history This API Endpoint will return the current user's session history including geo-location and IP address. This endpoint requires the user to be signed in and have a valid `refreshJwt`. The `refreshJwt` is then used as part of the Authorization Bearer to perform this task. operationId: MeAuthHistory responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/MeAuthHistoryResponse' security: - Descope Project ID:Refresh JWT: [] x-order: 3 x-publishYaml: session x-meta: title: Get Session History | Session description: Get user's session history keywords: api, session /v1/auth/tenant/select: post: tags: [] summary: Select an active tenant description: >- ### Set the active tenant for the user's current session This endpoint allows you to get a new session token and refresh token with the `dct` claim on the JWT which shows the active selected tenant for the user. See [Tenant Selection Article](/knowledgebase/descopeflows/tenantselectcomponent/) for more details of the usage. operationId: SelectTenant requestBody: content: application/json: schema: $ref: '#/components/schemas/SelectTenantRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID:Refresh JWT: [] x-order: 3 x-publishYaml: session x-meta: title: Select an active tenant | Session description: Set the active tenant for the user's current session keywords: api, session /v1/auth/logout: post: tags: [] summary: Sign-Out description: >- ### Log the user out from the provided session This API endpoint will sign the user out of the provided session using the `refreshToken`. Successfully executing this endpoint will invalidate the provided refresh tokens. Response will also include all user tokens and fields empty, so the executing client will remove cookies as well. operationId: Logout requestBody: content: application/json: schema: $ref: '#/components/schemas/LogoutRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID:Refresh JWT: [] x-order: 4 x-publishYaml: session x-meta: title: Sign-Out | Session description: Log the user out from the provided session keywords: api, session /v1/auth/logoutall: post: tags: [] summary: Sign-Out All Active Sessions description: >- ### Log the user out from all signed-in sessions This API endpoint will sign the user out of all the devices they are currently signed-in with. Successfully executing this endpoint will invalidate all user's refresh tokens. Response will include all user tokens and fields empty, so client will remove cookies as well. operationId: LogoutAllDevices requestBody: content: application/json: schema: $ref: '#/components/schemas/LogoutRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID:Refresh JWT: [] x-order: 4 x-publishYaml: session x-meta: title: Sign-Out All Active Sessions | Session description: Log the user out from all signed-in sessions keywords: api, session /v1/auth/validate: post: tags: [] operationId: ValidateSession requestBody: content: application/json: schema: $ref: '#/components/schemas/ValidateSessionRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ValidateSessionResponse' security: - Descope Project ID:Session JWT: [] summary: Validate Session description: >- ### Validate and parse a user's session JWT. This endpoint is used to validate a users session using the Project ID and the user's session JWT. Upon successful validate of the user, you will receive the parsed JWT. When posting to this endpoint from an application, you get the JWT from local or cookie storage, and prepend it with project ID and use that as the bearer. x-publishYaml: session x-meta: title: Validate Session | Session description: Validate and parse a user's session JWT. keywords: api, session /v1/auth/magiclink/signup/email: post: tags: - Email summary: Sign-Up description: >- ### Sign-up new end user by sending a magic link via email Initiate a sign-up process by sending a magic link to a new end user. Descope will generate and deliver a clickable magic link to the email address specified. The clickable magic link is made up of two parts - the URI you provide in the `URI` field and the magic link token generated by Descope. For example, if `URI=https://app.mycompany.com/magiclink/verify`, the clickable magic link will be `https://app.mycompany.com/magiclink/verify?t=magic-link-token.` Magic links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/magiclink), so sending multiple magic links (for example, when an end user tries to sign-up a second or third time) does not invalidate magic links that have already been sent. The endpoint will return a failure code if the email address is already registered. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps Verify the magic link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Magic link Authentication](/auth-methods/magic-link/with-sdks/client#introduction) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - Use the [Sign-In](/api/magic-link/email/sign-in) endpoint to sign-in an existing end user. - Use the [Sign-In with Auto Sign-up](/api/magic-link/email/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignUpMagicLinkEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/MagicLinkSignUpEmailRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailMagicLinkResponse' security: - Descope Project ID: [] x-publishYaml: MagicLink x-order: 1 x-meta: title: Sign-Up | Magic Link Email description: Sign-up new end user by sending a magic link via email Email keywords: api, magic link, email /v1/auth/magiclink/signup/sms: post: tags: - Text Message (SMS) summary: Sign-Up description: >- ### Sign-up new end user by sending a magic link via SMS Initiate a sign-up process by sending a magic link to a new end user. Descope will generate and deliver a clickable magic link to the phone number specified. The clickable magic link is made up of two parts - the URI you provide in the `URI` field and the magic link token generated by Descope. For example, if `URI=https://app.mycompany.com/magiclink/verify`, the clickable magic link will be `https://app.mycompany.com/magiclink/verify?t=magic-link-token.` Magic links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/magiclink), so sending multiple magic links (for example, when an end user tries to sign-up a second or third time) does not invalidate magic links that have already been sent. The endpoint will return a failure code if the email address is already registered. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps Verify the magic link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Magic link Authentication](/auth-methods/magic-link) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - Use the [Sign-In](/api/magic-link/sms/sign-up) endpoint to sign-in an existing end user. - Use the [Sign-In with Auto Sign-up](/api/magic-link/sms/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignUpMagicLinkSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/MagicLinkSignUpPhoneRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneMagicLinkResponse' security: - Descope Project ID: [] x-publishYaml: MagicLink x-order: 1 x-meta: title: Sign-Up | Magic Link SMS description: Sign-up new end user by sending a magic link via SMS SMS keywords: api, magic link, sms /v1/auth/magiclink/verify: post: tags: - Verification summary: Verify Token description: >- ### Verify the magic link token from the end user Verify that the magic link token in the URL clicked by the end user matches and has not expired. This endpoint completes the magic link flow for: * sign up * [Sign-Up via email](/api/magic-link/email/sign-up) * [Sign-Up via SMS](/api/magic-link/sms/sign-up) * sign-in * [Sign-In via email](/api/magic-link/email/sign-in) * [Sign-In via SMS](/api/magic-link/sms/sign-in) * sign-in with auto sign-up * [Sign-In with Auto Sign-up via email](/api/magic-link/email/sign-in-auto-sign-up) * [Sign-In with Auto Sign-up via SMS](/api/magic-link/sms/sign-in-auto-sign-up) * update data * [update email](/api/magic-link/email/sign-up) * [update phone number](/api/magic-link/email/sign-up) ### Next Steps The response object will contain the user's details including the session and refresh JWTs. ### See Also - See [Magic link Authentication](/auth-methods/magic-link/with-sdks/client#introduction) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: VerifyMagicLink requestBody: content: application/json: schema: $ref: '#/components/schemas/VerifyMagicLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: MagicLink x-order: 1 x-meta: title: Verify Token | Magic Link description: Verify the magic link token from the end user keywords: api, magic link /v1/auth/magiclink/signin/email: post: tags: - Email summary: Sign-In description: >- ### Sign-in existing end user by sending a magic link via email Initiate a sign-in process by sending a magic link to an existing end user. Descope will generate and deliver a clickable magic link to the email address specified. The clickable magic link is made up of two parts - the URI you provide in the `URI` field and the magic link token generated by Descope. For example, if `URI=https://app.mycompany.com/magiclink/verify`, the clickable magic link will be `https://app.mycompany.com/magiclink/verify?t=magic-link-token.` Magic links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/magiclink), so sending multiple magic links (for example, when an end user tries to sign-up a second or third time) does not invalidate prior magic links that have already been sent. The endpoint will return a failure code if the email address is not registered. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps Verify the magic link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Magic link Authentication](/auth-methods/magic-link/with-sdks/client#introduction) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/magic-link/email/sign-up) endpoint to sign-up a new end user. - Use the [Sign-In with Auto Sign-up](/api/magic-link/email/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignInMagicLinkEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/MagicLinkSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailMagicLinkResponse' security: - Descope Project ID: [] x-publishYaml: MagicLink x-order: 2 x-meta: title: Sign-In | Magic Link Email description: Sign-in existing end user by sending a magic link via email Email keywords: api, magic link, email /v1/auth/magiclink/signin/sms: post: tags: - Text Message (SMS) summary: Sign-In description: >- ### Sign-in existing end user by sending a magic link via SMS Initiate a sign-in process by sending a magic link to an existing end user. Descope will generate and deliver a clickable magic link as an SMS to the phone number specified. The clickable magic link is made up of two parts - the URI you provide in the `URI` field and the magic link token generated by Descope. For example, if `URI=https://app.mycompany.com/magiclink/verify`, the clickable magic link will be `https://app.mycompany.com/magiclink/verify?t=magic-link-token.` Magic links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/magiclink), so sending multiple magic links (for example, when an end user tries to sign-up a second or third time) does not invalidate prior magic links that have already been sent. The endpoint will return a failure code if the email address is not registered. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps Verify the magic link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Magic link Authentication](/auth-methods/magic-link) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/magic-link/sms/sign-up) endpoint to sign-up a new end user. - Use the [Sign-In with Auto Sign-up](/api/magic-link/sms/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignInMagicLinkSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/MagicLinkSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneMagicLinkResponse' security: - Descope Project ID: [] x-publishYaml: MagicLink x-order: 2 x-meta: title: Sign-In | Magic Link SMS description: Sign-in existing end user by sending a magic link via SMS SMS keywords: api, magic link, sms /v1/auth/magiclink/signup-in/email: post: tags: - Email summary: Sign-In with Auto Sign-up description: >- ### Sign-in end user (with automatic sign-up) by sending a magic link via email Initiate a process that implements both sign-in and sign-up using a single endpoint. Descope will generate and deliver a clickable magic link to the email address specified. If the email address is already registered (the end user has already registered) the user will be signed in. If the email address is not registered (the end user is not yet registered) the user will be signed up. The clickable magic link is made up of two parts - the URI you provide in the `URI` field and the magic link token generated by Descope. For example, if `URI=https://app.mycompany.com/magiclink/verify`, the clickable magic link will be `https://app.mycompany.com/magiclink/verify?t=magic-link-token.` Magic links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/magiclink), so sending multiple magic links (for example, when an end user tries to sign-up a second or third time) does not invalidate prior magic links that have already been sent. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps Verify the magic link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Magic link Authentication](/auth-methods/magic-link/with-sdks/client#introduction) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/magic-link/email/sign-up) endpoint if you want a sign-up flow that will fail if the end user is already registered. - Use the [Sign-In](/api/magic-link/email/sign-in) endpoint if you want a sign-in flow that will fail if the end user isn't yet registered. operationId: SignUpOrInMagicLinkEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/MagicLinkSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailMagicLinkResponse' security: - Descope Project ID: [] x-publishYaml: MagicLink x-order: 3 x-meta: title: Sign-In with Auto Sign-up | Magic Link Email description: >- Sign-in end user (with automatic sign-up) by sending a magic link via email Email keywords: api, magic link, email /v1/auth/magiclink/signup-in/sms: post: tags: - Text Message (SMS) summary: Sign-In with Auto Sign-up description: >- ### Sign-in end user (with automatic sign-up) by sending a magic link via SMS Initiate a process that implements both sign-in and sign-up using a single endpoint. Descope will generate and deliver a clickable magic link as an SMS to the phone number specified. If the phone number is already registered (the end user has already registered) the user will be signed in. If the email address is not registered (the end user is not yet registered) the user will be signed up. The clickable magic link is made up of two parts - the URI you provide in the `URI` field and the magic link token generated by Descope. For example, if `URI=https://app.mycompany.com/magiclink/verify`, the clickable magic link will be `https://app.mycompany.com/magiclink/verify?t=magic-link-token.` Magic links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/magiclink), so sending multiple magic links (for example, when an end user tries to sign-up a second or third time) does not invalidate prior magic links that have already been sent. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. ### Next Steps Verify the magic link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Magic link Authentication](/auth-methods/magic-link) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/magic-link/sms/sign-up) endpoint if you want a sign-up flow that will fail if the end user is already registered. - Use the [Sign-In](/api/magic-link/sms/sign-in) endpoint if you want a sign-in flow that will fail if the end user isn't yet registered. operationId: SignUpOrInMagicLinkSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/MagicLinkSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneMagicLinkResponse' security: - Descope Project ID: [] x-publishYaml: MagicLink x-order: 3 x-meta: title: Sign-In with Auto Sign-up | Magic Link SMS description: >- Sign-in end user (with automatic sign-up) by sending a magic link via SMS SMS keywords: api, magic link, sms /v1/auth/magiclink/update/email: post: tags: - Email summary: Update Email description: >- ### Update email of end user by sending magic link via email Update the email address of an existing end user by sending a magic link to the new email address. Descope will generate and deliver a clickable magic link to the new email address specified. After successfully verifying the magic link token the new email address will be used to deliver new magic links via email. The clickable magic link is made up of two parts - the URI you provide in the `URI` field and the magic link token generated by Descope. For example, if `URI=https://app.mycompany.com/magiclink/verify`, the clickable magic link will be `https://app.mycompany.com/magiclink/verify?t=magic-link-token.` Magic links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/magiclink), so sending multiple magic links (for example, when an end user tries to sign-up a second or third time) does not invalidate prior magic links that have already been sent. The bearer token requires both the ProjectId and refresh JWT in the format `:`, and can therefore only be run for end users who are currently signed-in. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. Descope allows you to associating multiple login IDs for a user during API update calls. For details on how this feature works, please review the details [here](/manage/users#associating-multiple-login-ids-for-a-user). ### Next Steps Verify the magic link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Magic link Authentication](/auth-methods/magic-link) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: UpdateUserEmailMagicLink requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserEmailMagicLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailMagicLinkResponse' security: - Descope Project ID:Refresh JWT: [] x-publishYaml: MagicLink x-order: 5 x-meta: title: Update Email | Magic Link Email description: Update email of end user by sending magic link via email Email keywords: api, magic link, email /v1/auth/magiclink/update/phone/sms: post: tags: - Text Message (SMS) summary: Update Phone Number description: >- ### Update phone number of end user by sending magic link via SMS Update the phone number of an existing end user by sending a magic link to the new phone number. Descope will generate and deliver a clickable magic link as an SMS to the new phone number specified. After successfully verifying the magic link token the new phone number will be used to deliver new magic links via SMS. The clickable magic link is made up of two parts - the URI you provide in the `URI` field and the magic link token generated by Descope. For example, if `URI=https://app.mycompany.com/magiclink/verify`, the clickable magic link will be `https://app.mycompany.com/magiclink/verify?t=magic-link-token.` Magic links expire in the time frame configured in the [Descope console](https://app.descope.com/settings/authentication/magiclink), so sending multiple magic links (for example, when an end user tries to sign-up a second or third time) does not invalidate prior magic links that have already been sent. The bearer token requires both the ProjectId and refresh JWT in the format `:`, and can therefore only be run for end users who are currently signed-in. Note that `URI` is an optional parameter. If omitted - the project setting will apply. If provided - it should to be part of the allowed `Approved Domains` configured in the project settings. Descope allows you to associating multiple login IDs for a user during API update calls. For details on how this feature works, please review the details [here](/manage/users#associating-multiple-login-ids-for-a-user). ### Next Step Verify the magic link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Magic link Authentication](/auth-methods/magic-link) for details about implementing magic links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: UpdateUserPhoneMagicLinkSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserPhoneMagicLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneMagicLinkResponse' security: - Descope Project ID:Refresh JWT: [] x-publishYaml: MagicLink x-order: 5 x-meta: title: Update Phone Number | Magic Link SMS description: Update phone number of end user by sending magic link via SMS SMS keywords: api, magic link, sms /v1/auth/notp/{provider}/signup: post: tags: - '' summary: Sign-Up description: Create a new user using NOTP operationId: SignUpNOTP parameters: - name: provider in: path description: Whatsapp, IMessage, etc required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/NOTPSignUpRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/NOTPLinkResponse' security: - Descope Project ID: [] x-publishYaml: NOTP x-order: 1 x-meta: title: Sign-Up | NOTP description: Create a new user using NOTP keywords: api, notp /v1/auth/notp/{provider}/signin: post: tags: - '' summary: Sign-In description: Login a user using NOTP operationId: SignInNOTP parameters: - name: provider in: path description: Whatsapp, IMessage, etc required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/NOTPSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/NOTPLinkResponse' security: - Descope Project ID: [] x-publishYaml: NOTP x-order: 2 x-meta: title: Sign-In | NOTP description: Login a user using NOTP keywords: api, notp /v1/auth/notp/{provider}/signup-in: post: tags: - '' description: >- Login in using NTOP. If the user does not exist, a new user will be created with the given identifier operationId: SignUpOrInNOTP parameters: - name: provider in: path description: Whatsapp, IMessage, etc required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/NOTPSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/NOTPLinkResponse' security: - Descope Project ID: [] x-publishYaml: NOTP x-order: 3 summary: Sign-In with Auto Sign-Up x-meta: title: Sign-In with Auto Sign-Up | NOTP description: >- Login in using NTOP. If the user does not exist, a new user will be created with the given identifier keywords: api, notp /v1/auth/notp/pending-session: post: tags: - '' summary: Get NoTP Pending Session description: >- Get a session that was generated by NOTP Sign in / Sign up request, and verified with Verify request operationId: GetNOTPSession requestBody: content: application/json: schema: $ref: '#/components/schemas/GetNOTPSessionRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: NOTP x-order: 4 x-meta: title: Get NoTP Pending Session | NOTP description: >- Get a session that was generated by NOTP Sign in / Sign up request, and verified with Verify request keywords: api, notp /v1/auth/oauth/authorize: post: tags: [] summary: Sign-Up / Sign-In description: >- ### Authorize end user to sign-up or sign-in using social login credentials Initiate a social login (OAuth) sign-up or sign-in process for an end user. Descope will coordinate the authorization process with the OAUth provider specified in the `provider` field. Specify the URL you want to redirect the end user to after a successful sign-in in the `redirectURL` parameter. When the OAuth authorization completes successfully, the endpoint returns a URL `url` that has a unique code `` appended as a URL parameter to the `redirectURL` you provided. For example, if `redirectURL = https://oauth.mycompany.com/shopping.htm` then `url = https://oauth.mycompany.com/shopping.htm?code=`. The unique code will be exchanged for a valid user object in the next step. After the end user successfully authenticates with the OAuth provider the end user session is redirected to `url`. ### Next Steps Call the [Exchange Code](/api/oauth/exchange-code) endpoint from the flow that responds to the URL specified in the `redirectURL` field, to exchange the unique code for a user session object. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on the stepup, mfa, and customClaims parameters. operationId: AuthorizeOAuth parameters: - name: provider in: query schema: type: string - name: redirectUrl in: query schema: type: string - name: prompt in: query schema: type: array items: type: string - name: test in: query schema: type: boolean - name: rawResponse in: query schema: type: boolean - name: loginHint in: query schema: type: string - name: initiatedEmail in: query schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/LoginOptions' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuthRedirectResponse' security: - Descope Project ID: [] x-publishYaml: OAuth x-order: 3 x-meta: title: Sign-Up / Sign-In | OAuth description: >- Authorize end user to sign-up or sign-in using social login credentials keywords: api, oauth /v1/auth/oauth/authorize/signin: post: tags: [] summary: Create Redirect URI for Sign-In Request description: >- ### Create an OAuth Redirect URI for user Sign-In Request This endpoint allows you to create an OAuth Redirect URI for user Sign-Up Request. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: CreateOAuthRedirectURISignin parameters: - name: provider in: query schema: type: string - name: redirectUrl in: query schema: type: string - name: prompt in: query schema: type: array items: type: string - name: test in: query schema: type: boolean - name: rawResponse in: query schema: type: boolean - name: loginHint in: query schema: type: string - name: initiatedEmail in: query schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/LoginOptions' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuthRedirectResponse' security: - Descope Project ID: [] x-publishYaml: OAuth x-order: 4 x-meta: title: Create Redirect URI for Sign-In Request | OAuth description: Create an OAuth Redirect URI for user Sign-In Request keywords: api, oauth /v1/auth/oauth/authorize/signup: post: tags: [] summary: Create Redirect URI for Sign-Up Request description: >- ### Create an OAuth Redirect URI for user Sign-In Request This endpoint allows you to create an OAuth Redirect URI for user Sign-In Request. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: CreateOAuthRedirectURISignup parameters: - name: provider in: query schema: type: string - name: redirectUrl in: query schema: type: string - name: prompt in: query schema: type: array items: type: string - name: test in: query schema: type: boolean - name: rawResponse in: query schema: type: boolean - name: loginHint in: query schema: type: string - name: initiatedEmail in: query schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/LoginOptions' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuthRedirectResponse' security: - Descope Project ID: [] x-publishYaml: OAuth x-order: 5 x-meta: title: Create Redirect URI for Sign-Up Request | OAuth description: Create an OAuth Redirect URI for user Sign-In Request keywords: api, oauth /v1/auth/oauth/native/start: post: tags: [] summary: Starts a full OAuth flow using native APIs description: Starts a full OAuth flow using native APIs operationId: OAuthNativeStart requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuthNativeStartRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/OAuthNativeStartResponse' security: - Descope Project ID: [] x-publishYaml: OAuth x-order: 6 x-meta: title: Starts a full OAuth flow using native APIs | OAuth description: Starts a full OAuth flow using native APIs keywords: api, oauth /v1/auth/oauth/exchange: post: tags: [] summary: Exchange Code description: >- ### Exchange OAuth code for Descope user session This endpoint will exchange the OAuth code for the Descope session information needed for managing the end user session. Call this endpoint from your code flow that responds to the `url` that was returned by the [Sign-In](/api/oauth/sign-up-sign-in) endpoint. The unique code `` is appended as a URL parameter: `code=`, for example, `url = https://oauth.mycompany.com/shopping.htm?code=`. ### Next Steps 1. Extract the unique code `` from the URL parameter. 2. Call this endpoint, passing the `` as the request parameter The response object includes the session JWT (sessionJwt) and refresh JWT (refreshJwt) when this endpoint completes successfully. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: ExchangeCodeoauth requestBody: content: application/json: schema: $ref: '#/components/schemas/ExchangeTokenRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: OAuth x-order: 7 x-meta: title: Exchange Code | OAuth description: Exchange OAuth code for Descope user session keywords: api, oauth /v1/auth/oauth/native/finish: post: tags: [] summary: Finishes a full OAuth flow using native APIs description: Finishes a full OAuth flow using native APIs operationId: OAuthNativeFinish requestBody: content: application/json: schema: $ref: '#/components/schemas/OAuthNativeFinishRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: OAuth x-order: 7 x-meta: title: Finishes a full OAuth flow using native APIs | OAuth description: Finishes a full OAuth flow using native APIs keywords: api, oauth /v1/auth/otp/signup/email: post: tags: - Email summary: Sign-Up description: >- ### Sign-up new end user by sending an OTP code via email Initiate a sign-up process by sending a One-Time Password (OTP) to a new end user. Descope will generate and deliver the OTP code to the email address specified. Sending multiple OTP codes (for example, when an end user tries to sign-up a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. The endpoint will return a failure code if the email address is already registered. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/email/verify-otp) endpoint to complete the user sign-up process. After successfully verifying OTP code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - Use the [Sign-In](/api/otp/email/sign-in) endpoint to sign-in an existing end user. - Use the [Sign-In with Auto Sign-up](/api/otp/email/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: UserSignupOtpEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignUpEmailRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 1 x-meta: title: Sign-Up | OTP Email description: Sign-up new end user by sending an OTP code via email Email keywords: api, otp, email /v1/auth/otp/signup/sms: post: tags: - Text Message (SMS) summary: Sign-Up description: >- ### Sign-up new end user by sending an OTP code via SMS Initiate a sign-up process by sending a One-Time Password (OTP) to a new end user. Descope will generate and deliver the OTP code via SMS to the phone number specified. Sending multiple OTP codes (for example, when an end user tries to sign-up a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. The endpoint will return a failure code if the phone number is already registered. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/sms/verify-otp) endpoint to complete the user sign-up process. After successfully verifying the OTP code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - Use the [Sign-In](/api/otp/sms/sign-in) endpoint to sign-in an existing end user. - Use the [Sign-In with Auto Sign-up](/api/otp/sms/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignUpOtpSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignUpPhoneRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 1 x-meta: title: Sign-Up | OTP SMS description: Sign-up new end user by sending an OTP code via SMS SMS keywords: api, otp, sms /v1/auth/otp/signup/voice: post: tags: - Voice Message (Phone) summary: Sign-Up description: >- ### Sign-up new end user by sending an OTP code via Voice Initiate a sign-up process by sending a One-Time Password (OTP) to a new end user. Descope will generate and deliver the OTP code via Voice to the phone number specified. Sending multiple OTP codes (for example, when an end user tries to sign-up a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. The endpoint will return a failure code if the phone number is already registered. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/phone/verify-otp) endpoint to complete the user sign-up process. After successfully verifying the OTP code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - Use the [Sign-In](/api/otp/phone/sign-in) endpoint to sign-in an existing end user. - Use the [Sign-In with Auto Sign-up](/api/otp/phone/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignUpOtpVoice requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignUpPhoneRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 1 x-meta: title: Sign-Up | OTP description: Sign-up new end user by sending an OTP code via Voice keywords: api, otp /v1/auth/otp/signin/email: post: tags: - Email summary: Sign-In description: >- ### Sign-in existing end user by sending an OTP code via email Initiate a sign-in process by sending a One-Time Password (OTP) to an existing end user. Descope will generate and deliver the OTP code to the email address specified. Sending multiple OTP codes (for example, when an end user tries to sign-in a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. The endpoint will return a failure code if the email address is not yet registered. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/email/verify-otp) endpoint to complete the user sign-in process. After successfully verifying the code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/otp/email/sign-up) endpoint to sign-up a new end user. - Use the [Sign-In with Auto Sign-up](/api/otp/email/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: UserSigninOtpEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 2 x-meta: title: Sign-In | OTP Email description: Sign-in existing end user by sending an OTP code via email Email keywords: api, otp, email /v1/auth/otp/signin/sms: post: tags: - Text Message (SMS) summary: Sign-In description: >- ### Sign-in existing end user by sending an OTP code via SMS Initiate a sign-in process by sending a One-Time Password (OTP) to an existing end user. Descope will generate and deliver the OTP code to the phone number specified. Sending multiple OTP codes (for example, when an end user tries to sign-in a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. The endpoint will return a failure code if the phone number is not yet registered. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/sms/verify-otp) endpoint to complete the user sign-in process. After successfully verifying the code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/otp/sms/sign-up) endpoint to sign-up a new end user. - Use the [Sign-In with Auto Sign-up](/api/otp/sms/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignInOTPSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 2 x-meta: title: Sign-In | OTP SMS description: Sign-in existing end user by sending an OTP code via SMS SMS keywords: api, otp, sms /v1/auth/otp/signin/voice: post: tags: - Voice Message (Phone) summary: Sign-In description: >- ### Sign-in existing end user by sending an OTP code via Voice Initiate a sign-in process by sending a One-Time Password (OTP) to an existing end user. Descope will generate and deliver the OTP code to the phone number specified. Sending multiple OTP codes (for example, when an end user tries to sign-in a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. The endpoint will return a failure code if the phone number is not yet registered. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/phone/verify-otp) endpoint to complete the user sign-in process. After successfully verifying the code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/otp/phone/sign-up) endpoint to sign-up a new end user. - Use the [Sign-In with Auto Sign-up](/api/otp/phone/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered. operationId: SignInOTPVoice requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 2 x-meta: title: Sign-In | OTP description: Sign-in existing end user by sending an OTP code via Voice keywords: api, otp /v1/auth/otp/signup-in/email: post: tags: - Email summary: Sign-In with Auto Sign-up description: >- ### Sign-in end user (with automatic sign-up) by sending an OTP code via email Initiate a process that implements both sign-in and sign-up using a single endpoint. Descope will generate and deliver the One-Time Password (OTP) to the end user via email. If the email address is already registered (the end user exists) the user will be signed in. If the email address is not registered (the end user is not yet registered) the user will be signed up. Sending multiple OTP codes (for example, when an end user tries to sign-up/sign-in a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/email/verify-otp) endpoint to complete the user sign-in process. After successfully verifying the code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/otp/email/sign-up) endpoint if you want a sign-up flow that will fail if the end user is already registered. - Use the [Sign-In](/api/otp/email/sign-in) endpoint if you want a sign-in flow that will fail if the end user isn't yet registered. operationId: UserSignUpInOtpEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 3 x-meta: title: Sign-In with Auto Sign-up | OTP Email description: >- Sign-in end user (with automatic sign-up) by sending an OTP code via email Email keywords: api, otp, email /v1/auth/otp/signup-in/sms: post: tags: - Text Message (SMS) summary: Sign-In with Auto Sign-up description: >- ### Sign-in end user (with automatic sign-up) by sending an OTP code via SMS Initiate a process that implements both sign-in and sign-up using a single endpoint. Descope will generate and deliver the One-Time Password (OTP) to the end user via SMS. If the phone number is already registered (the end user exists) the user will be signed in. If the phone number is not registered (the end user is not yet registered) the user will be signed up. Sending multiple OTP codes (for example, when an end user tries to sign-up/sign-in a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/sms/verify-otp) endpoint to complete the user sign-in process. After successfully verifying the code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/otp/sms/sign-up) endpoint if you want a sign-up flow that will fail if the end user is already registered. - Use the [Sign-In](/api/otp/sms/sign-in-auto-sign-up) endpoint if you want a sign-in flow that will fail if the end user isn't yet registered. operationId: SignUpOrInOTPSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 3 x-meta: title: Sign-In with Auto Sign-up | OTP SMS description: >- Sign-in end user (with automatic sign-up) by sending an OTP code via SMS SMS keywords: api, otp, sms /v1/auth/otp/signup-in/voice: post: tags: - Voice Message (Phone) summary: Sign-In with Auto Sign-up description: >- ### Sign-in end user (with automatic sign-up) by sending an OTP code via Voice Initiate a process that implements both sign-in and sign-up using a single endpoint. Descope will generate and deliver the One-Time Password (OTP) to the end user via Voice. If the phone number is already registered (the end user exists) the user will be signed in. If the phone number is not registered (the end user is not yet registered) the user will be signed up. Sending multiple OTP codes (for example, when an end user tries to sign-up/sign-in a second or third time) will invalidate any OTP code that has already been sent. This endpoint will return an empty response object when it completes successfully. ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/phone/verify-otp) endpoint to complete the user sign-in process. After successfully verifying the code the end user will be signed-in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. - Use the [Sign-Up](/api/otp/phone/sign-up) endpoint if you want a sign-up flow that will fail if the end user is already registered. - Use the [Sign-In](/api/otp/phone/sign-in-auto-sign-up) endpoint if you want a sign-in flow that will fail if the end user isn't yet registered. operationId: SignUpOrInOTPVoice requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneOperationResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 3 x-meta: title: Sign-In with Auto Sign-up | OTP description: >- Sign-in end user (with automatic sign-up) by sending an OTP code via Voice keywords: api, otp /v1/auth/otp/verify/email: post: tags: - Email summary: Verify OTP Code description: >- ### Verify the validity of an OTP code sent via email Verify that the OTP code entered by the end user matches the OTP code that was sent. The Verify OTP code endpoint completes the OTP via email flow for: - [Sign-Up](/api/otp/email/sign-up) - [Sign-In](/api/otp/email/sign-in) - [Sign-In with Auto Sign-up](/api/otp/email/sign-in-auto-sign-up) - [Update Email](/api/otp/email/update-email) The response object includes the session JWT `sessionJwt` and refresh JWT `refreshJwt` when the endpoint completes successfully, and the end user will be signed in. For an update email flow, the new email address will replace the original email address. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. operationId: VerifyOtpEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPVerifyCodeRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 4 x-meta: title: Verify OTP Code | OTP Email description: Verify the validity of an OTP code sent via email Email keywords: api, otp, email /v1/auth/otp/verify/sms: post: tags: - Text Message (SMS) summary: Verify OTP Code description: >- ### Verify the validity of an OTP code via SMS Verify that the OTP code entered by the end user matches the OTP code that was sent. The Verify OTP code endpoint completes the OTP via SMS flow for: - [Sign-Up](/api/otp/sms/sign-up) - [Sign-In](/api/otp/sms/sign-in) - [Sign-In with Auto Sign-up](/api/otp/sms/sign-in-auto-sign-up) - [Update Email](/api/otp/sms/update-phone) The response object includes the session JWT `sessionJwt` and refresh JWT `refreshJwt` when it completes successfully, and the end user will be signed in. For an update phone number flow, the new phone number will replace the original phone number. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. operationId: VerifyCodeSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPVerifyCodeRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 4 x-meta: title: Verify OTP Code | OTP SMS description: Verify the validity of an OTP code via SMS SMS keywords: api, otp, sms /v1/auth/otp/verify/voice: post: tags: - Voice Message (Phone) summary: Verify OTP Code description: >- ### Verify the validity of an OTP code via Voice Verify that the OTP code entered by the end user matches the OTP code that was sent. The Verify OTP code endpoint completes the OTP via Voice flow for: - [Sign-Up](/api/otp/phone/sign-up) - [Sign-In](/api/otp/phone/sign-in) - [Sign-In with Auto Sign-up](/api/otp/phone/sign-in-auto-sign-up) - [Update Phone](/api/otp/phone/update-phone) The response object includes the session JWT `sessionJwt` and refresh JWT `refreshJwt` when it completes successfully, and the end user will be signed in. For an update phone number flow, the new phone number will replace the original phone number. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. operationId: VerifyCodeVoice requestBody: content: application/json: schema: $ref: '#/components/schemas/OTPVerifyCodeRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: OTP x-order: 4 x-meta: title: Verify OTP Code | OTP description: Verify the validity of an OTP code via Voice keywords: api, otp /v1/auth/otp/update/email: post: tags: - Email summary: Update Email description: >- ### Update Email Address of Existing User Update the email of an existing end user by sending an OTP code to the new email address. After successfully verifying the code the new email address will be used to deliver new OTP messages via email. The bearer token requires both the ProjectId and refresh JWT in the format `:`, and can therefore only be run for end users who are currently signed-in. This endpoint will return an empty response object when it completes successfully. Descope allows you to associating multiple login IDs for a user during API update calls. For details on how this feature works, please review the details [here](/manage/users#associating-multiple-login-ids-for-a-user). ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/email/verify-otp) endpoint to complete the update process. After successfully verifying the code the new email address will replace the original email address. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - See the [Verify OTP Code](/api/otp/email/verify-otp) endpoint, which will return the Refresh Jwt needed. operationId: UpdateUserEmailOtp requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserEmailOTPRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmailOperationResponse' security: - Descope Project ID:Refresh JWT: [] x-publishYaml: OTP x-order: 5 x-meta: title: Update Email | OTP Email description: Update Email Address of Existing User Email keywords: api, otp, email /v1/auth/otp/update/phone/sms: post: tags: - Text Message (SMS) summary: Update Phone description: >- ### Update phone number of Existing User Update the phone number of an existing end user by sending an OTP code to the new phone number. After successfully verifying the code the new phone number will be used to deliver new OTP messages via SMS. The bearer token requires both the ProjectId and refresh JWT in the format `:`, and can therefore only be run for end users who are currently signed-in. This endpoint will return an empty response object when it completes successfully. Descope allows you to associating multiple login IDs for a user during API update calls. For details on how this feature works, please review the details [here](/manage/users#associating-multiple-login-ids-for-a-user). ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/sms/verify-otp) endpoint to complete the update process. After successfully verifying the code the newphone number will replace the original phone number. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - Successful execution will return an empty body - To try this endpoint - need to provide `Project ID:Refresh JWT` as bearer. You can acquire the Session JWT by signing in the user and collecting it from the response. operationId: UpdateUserPhoneOTPSMS requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserPhoneOTPRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneOperationResponse' security: - Descope Project ID:Refresh JWT: [] x-publishYaml: OTP x-order: 5 x-meta: title: Update Phone | OTP SMS description: Update phone number of Existing User SMS keywords: api, otp, sms /v1/auth/otp/update/phone/voice: post: tags: - Voice Message (Phone) summary: Update Phone description: >- ### Update phone number of Existing User Update the phone number of an existing end user by sending an OTP code to the new phone number. After successfully verifying the code the new phone number will be used to deliver new OTP messages via Voice. The bearer token requires both the ProjectId and refresh JWT in the format `:`, and can therefore only be run for end users who are currently signed-in. This endpoint will return an empty response object when it completes successfully. Descope allows you to associating multiple login IDs for a user during API update calls. For details on how this feature works, please review the details [here](/manage/users#associating-multiple-login-ids-for-a-user). ### Next Steps Verify the OTP code using the [Verify OTP Code](/api/otp/phone/verify-otp) endpoint to complete the update process. After successfully verifying the code the newphone number will replace the original phone number. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number. - Successful execution will return an empty body - To try this endpoint - need to provide `Project ID:Refresh JWT` as bearer. You can acquire the Session JWT by signing in the user and collecting it from the response. operationId: UpdateUserPhoneOTPVoice requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserPhoneOTPRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PhoneOperationResponse' security: - Descope Project ID:Refresh JWT: [] x-publishYaml: OTP x-order: 5 x-meta: title: Update Phone | OTP description: Update phone number of Existing User keywords: api, otp /v1/auth/password/signup: post: tags: [] summary: Sign-Up User description: >- ### Sign-Up a new user utilizing password authentication. This endpoint will return the user's JWT. ### Next Steps Verify the user's email to allow for password reset by updating the email via [OTP](/api/otp/email/update-email), [Enchanted Link](/api/enchanted-link/update-email), or [Magic Link](/api/magic-link/email/update-email) Add tenants to the user via [Update User Add Tenant](/api/management/users/update-user-add-tenant) Add roles to the user via [Update User Add Role](/api/management/users/update-user-add-roles) ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - Use the [Sign-In](/api/passwords/sign-in) endpoint to sign-in an existing end user. operationId: SignUpPassword requestBody: content: application/json: schema: $ref: '#/components/schemas/PasswordSignUpRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: Password x-order: 1 x-meta: title: Sign-Up User | Password description: >- Sign-Up a new user utilizing password authentication. This endpoint will return the user's JWT. keywords: api, password /v1/auth/password/signin: post: tags: [] summary: Sign-In User description: >- ### Sign-In an existing user utilizing password authentication. This endpoint will return the user's JWT. ### Next Steps Verify the user's email to allow for password reset by updating the email via [OTP](/api/otp/email/update-email), [Enchanted Link](/api/enchanted-link/update-email), or [Magic Link](/api/magic-link/email/update-email) Add tenants to the user via [Update User Add Tenant](/api/management/users/update-user-add-tenant) Add roles to the user via [Update User Add Role](/api/management/users/update-user-add-roles) ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - Use the [Sign-Up](/api/passwords/sign-up) endpoint to sign-up a new end user. operationId: SignInPassword requestBody: content: application/json: schema: $ref: '#/components/schemas/PasswordSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: Password x-order: 2 x-meta: title: Sign-In User | Password description: >- Sign-In an existing user utilizing password authentication. This endpoint will return the user's JWT. keywords: api, password /v1/auth/password/reset: post: tags: - Email summary: Reset Password description: >- ### Sent a password reset email to an existing user utilizing the password API. ### Next Steps You will then need to verify the user after the password reset is sent via email, this would need to be done via [Verify Magic Link](/api/magic-link/verification/verify-token). ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - You can also utilize [Update Password](/api/passwords/update-password) or [Replace Password](/api/passwords/replace-password) as alternatives to change a user's password. operationId: SendPasswordReset requestBody: content: application/json: schema: $ref: '#/components/schemas/PasswordResetSendRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PasswordResetSendResponse' security: - Descope Project ID: [] x-publishYaml: Password x-order: 3 x-meta: title: Reset Password | Password description: >- Sent a password reset email to an existing user utilizing the password API. keywords: api, password /v1/auth/password/replace: post: tags: [] summary: Replace Password description: >- ### Replace the user's password of an existing user utilizing the password API. ### Next Steps Sign the user in with their new password via [Sign-In](/api/passwords/sign-in) ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - You can also utilize [Update Password](/api/passwords/update-password) or [Reset Password](/api/passwords/email/password-reset) as alternatives to change a user's password. operationId: ReplaceUserPassword requestBody: content: application/json: schema: $ref: '#/components/schemas/PasswordReplaceRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: Password x-order: 4 x-meta: title: Replace Password | Password description: >- Replace the user's password of an existing user utilizing the password API. keywords: api, password /v1/auth/password/update: post: tags: [] summary: Update Password description: >- ### Update the user's password of an existing user utilizing the password API. ### Next Steps Sign the user in with their new password via [Sign-In](/api/passwords/sign-in) ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - You can also utilize [Replace Password](/api/passwords/replace-password) or [Reset Password](/api/passwords/email/password-reset) as alternatives to change a user's password. operationId: UpdateUserPassword requestBody: content: application/json: schema: $ref: '#/components/schemas/PasswordUpdateRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID:Refresh JWT: [] x-publishYaml: Password x-order: 5 x-meta: title: Update Password | Password description: >- Update the user's password of an existing user utilizing the password API. keywords: api, password /v1/auth/password/policy: get: tags: [] summary: Get Password Policy description: >- ### Get the configured password policy for the project. ### See Also - See [Password Policy Customization](/auth-methods/passwords#password-policy) for further details on password policy configuration. operationId: GetPasswordPolicy responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/PasswordPolicyResponse' security: - Descope Project ID: [] x-publishYaml: Password x-order: 6 x-meta: title: Get Password Policy | Password description: Get the configured password policy for the project. keywords: api, password /v1/auth/saml/authorize: post: tags: [] summary: Creating SAML redirect URI description: Creating SAML redirect URI operationId: CreateSAMLRedirect parameters: - name: tenant in: query schema: type: string - name: redirectUrl in: query schema: type: string - name: prompt in: query schema: type: array items: type: string - name: test in: query schema: type: boolean - name: forceAuthn in: query schema: type: boolean - name: loginHint in: query schema: type: string - name: initiatedEmail in: query schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/LoginOptions' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SAMLRedirectResponse' security: - Descope Project ID: [] x-publishYaml: SAML x-order: 5 x-meta: title: Creating SAML redirect URI | SAML description: Creating SAML redirect URI keywords: api, saml /v1/auth/saml/exchange: post: tags: [] summary: Finalize SAML authentication description: Finalize SAML authentication operationId: ExchangeToken requestBody: content: application/json: schema: $ref: '#/components/schemas/ExchangeTokenRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: SAML x-order: 5 x-meta: title: Finalize SAML authentication | SAML description: Finalize SAML authentication keywords: api, saml /v1/auth/saml/idp/metadata: get: tags: [] summary: IDP Metadata URL for external SAML services description: IDP Metadata URL for external SAML services operationId: SAMLIDPMetadata parameters: - name: app in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SAMLIDPMetadataResponse' x-publishYaml: SAML x-order: 5 security: [] x-meta: title: IDP Metadata URL for external SAML services | SAML description: IDP Metadata URL for external SAML services keywords: api, saml /v1/auth/sso/authorize: post: tags: [] summary: Start SSO description: >- ### Authorize end user to sign-in using SAML SSO Initiate a SAML SSO (Single Sign-On, "sign-in" in Descope terminology) process for an end user. Descope will coordinate the sign-in process with the service provider. Specify the URL you want to redirect the end user to after a successful sign-in in the `redirectURL` parameter. When the SSO sign-in completes successfully, the endpoint returns a URL `url` that has a unique code ``, also called a token) appended as a URL parameter to the `redirectURL` you provided. For example, if `redirectURL = https://sso.mycompany.com/mywork.htm` then `url = https://sso.mycompany.com/mywork.htm?code=`. The unique code will be exchanged for a valid user object in the next step. After the end user has been successfully authenticated with the identity provider (IdP) the end user session is redirected to `url`. ### Next Steps Call the [Exchange Code](/api/sso/exchange-code) endpoint from the flow that responds to the URL specified in the `redirectURL` field, to exchange the unique code for a user session object. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on the stepup, mfa, and customClaims parameters. operationId: AuthorizeSAML parameters: - name: tenant in: query schema: type: string - name: redirectUrl in: query schema: type: string - name: prompt in: query schema: type: array items: type: string - name: test in: query schema: type: boolean - name: forceAuthn in: query schema: type: boolean - name: loginHint in: query schema: type: string - name: initiatedEmail in: query schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/LoginOptions' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SAMLRedirectResponse' security: - Descope Project ID: [] x-publishYaml: SSO x-order: 1 x-meta: title: Start SSO | SSO description: Authorize end user to sign-in using SAML SSO keywords: api, sso /v1/auth/sso/exchange: post: tags: [] summary: Exchange SSO Code description: >- ### Exchange SSO SAML code for Descope user session This endpoint will exchange the unique SAML code (also called a token) for the Descope session information needed for managing the end user session. Call this endpoint from your code flow that responds to the `url` that was returned by the [Sign-In](/api/oauth/sign-up-sign-in) endpoint. The unique code `` is appended as a URL parameter: `code=`, for example, `url = https://sso.mycompany.com/mywork.htm?code=`. ### Next Steps 1. Extract the unique code `` from the URL parameter. 2. Call this endpoint, passing the `` as the request parameter The response object includes the session JWT (sessionJwt) and refresh JWT (refreshJwt) when this endpoint completes successfully. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: ExchangeCodesso requestBody: content: application/json: schema: $ref: '#/components/schemas/ExchangeTokenRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: SSO x-order: 2 x-meta: title: Exchange SSO Code | SSO description: Exchange SSO SAML code for Descope user session keywords: api, sso /v1/auth/totp/signup: post: tags: [] summary: Sign-Up description: >- ### Sign-up new end user via TOTP Initiate a TOTP sign-up process for a new end user. Descope will generate a TOTP key (also called a secret or seed) that will be entered into the end user's authenticator app so that TOTP codes can be successfully verified. The new end user will be registered after the full TOTP sign-up flow has successfully completed. If the end user is already registered use the [add/update](/api/totp/add-update-key) endpoint to add TOTP funtionality to an existing end user, to prevent the same person being registered twice. ### Next Steps 1. Display the TOTP key so it can be entered into their authenticator app. The TOTP key is returned in the response object in three ways, to ensure it can easily be entered into the end user's authenticator app. 2. Prompt the end user user for a TOTP code generated by their authenticator app. 3. Verify the TOTP code using the [Sign-In / Verify](/api/totp/sign-in-verify) endpoint to complete the sign-in process. After successfully verifying the TOTP code the new end user will be registered using the details you provided in the body of this endpoint. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - Use the [add/update](/api/totp/add-update-key) endpoint to add TOTP funtionality to an existing end user. operationId: SignUpTOTP requestBody: content: application/json: schema: $ref: '#/components/schemas/TOTPSignUpRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/TOTPResponse' security: - Descope Project ID: [] x-publishYaml: TOTP x-order: 1 x-meta: title: Sign-Up | TOTP description: Sign-up new end user via TOTP keywords: api, totp /v1/auth/totp/verify: post: tags: [] summary: Sign-In / Verify description: >- ### Verify the TOTP of an end user Verify the TOTP code of an end user. This endpoint is the final API call for the following TOTP flows: * Sign-In - If the end user is already registered, this end-point is the only call you need to sign-in that user. * Sign-Up - If you are implementing a sign-up flow, this endpoint will verify the TOTP code and complete the sign-up process * Add/ Update - If you are implementing an Add / Update flow, this endpoint completes the process of adding/updating the TOTP key for that user. The response object includes the session JWT `sessionJwt` and refresh JWT `refreshJwt` when the endpoint completes successfully, and the end user will be signed in. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. - See [User Login Options](/api/overview#user-login-options) for further details on loginOptions. operationId: VerifyCodeTOTP requestBody: content: application/json: schema: $ref: '#/components/schemas/TOTPVerifyCodeRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: TOTP x-order: 2 x-meta: title: Sign-In / Verify | TOTP description: Verify the TOTP of an end user keywords: api, totp /v1/auth/totp/update: post: tags: [] summary: Add / Update Key description: >- ### Add or update TOTP key for existing end user Initiate a flow to add TOTP functionality for an existing end user, or to update the TOTP key for an existing end user. Descope will generate a TOTP key (also called a secret or seed) that will be entered into the end user's authenticator app so that TOTP codes can be successfully verified. The new end user will be registered after the full Add / Update TOTP flow has successfully completed. The bearer token requires both the ProjectId and refresh JWT in the format `:`, and can therefore only be run for end users who are currently signed-in. If the end user is not yet registered use the [Sign-Up](/api/totp/sign-up) endpoint to register the user. ### Next Steps 1. Display the TOTP key to the end user so the key can be entered into the authenticator app. Use any of the following methods to display the key to your end user: * (recommended) Redirect the end user session to the `provisioningURL` returned in the response body. The URL displays the key as a QR code that can be scanned directly from the authenticator app. * Render the QR code using your own web page using the `image` (the QR code as Base64) returned in the response body. * If your end user cannot scan a QR code, present the `key` returned in the response body so the key can be pasted into their authenticator app. If the authenticator app prompts, the end user must select key type: "time based". 2. Prompt the end user user for a TOTP code generated by their authenticator app. 3. Verify the TOTP code using the [Sign-In / Verify](/api/totp/sign-in-verify) endpoint to complete the Add / Update process. After successfully verifying the TOTP code the new TOTP key will be used to validate future TOTP code. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: UpdateUserTOTP requestBody: content: application/json: schema: $ref: '#/components/schemas/TOTPUpdateRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/TOTPResponse' security: - Descope Project ID:Refresh JWT: [] x-publishYaml: TOTP x-order: 3 x-meta: title: Add / Update Key | TOTP description: Add or update TOTP key for existing end user keywords: api, totp /v1/auth/webauthn/signup/start: post: tags: [] summary: User Sign-Up description: Create a new user using WebAuthn operationId: WebAuthnSignupStart requestBody: content: application/json: schema: $ref: '#/components/schemas/WebauthnSignUpStartRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/WebauthnStartResponse' security: - Descope Project ID: [] x-publishYaml: WebAuthn x-order: 1 x-meta: title: User Sign-Up | WebAuthn description: Create a new user using WebAuthn keywords: api, webauthn /v1/auth/webauthn/signup/finish: post: tags: [] summary: Finalize Sign-Up description: Finalize a WebAuthn signup operation operationId: WebAuthnSignupFinish requestBody: content: application/json: schema: $ref: '#/components/schemas/WebauthnSignUpFinishRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: WebAuthn x-order: 2 x-meta: title: Finalize Sign-Up | WebAuthn description: Finalize a WebAuthn signup operation keywords: api, webauthn /v1/auth/webauthn/signin/start: post: tags: [] summary: User Sign-In description: Login an existing user with WebAuthn operationId: WebAuthnSigninStart requestBody: content: application/json: schema: $ref: '#/components/schemas/WebauthnSignInStartRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/WebauthnStartResponse' security: - Descope Project ID: [] x-publishYaml: WebAuthn x-order: 3 x-meta: title: User Sign-In | WebAuthn description: Login an existing user with WebAuthn keywords: api, webauthn /v1/auth/webauthn/signin/finish: post: tags: [] summary: Finalize Sign-In description: Finalize a WebAuthn signin operation operationId: WebAuthnSigninFinish requestBody: content: application/json: schema: $ref: '#/components/schemas/WebauthnSignInFinishRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/JWTResponse' security: - Descope Project ID: [] x-publishYaml: WebAuthn x-order: 4 x-meta: title: Finalize Sign-In | WebAuthn description: Finalize a WebAuthn signin operation keywords: api, webauthn /v1/auth/webauthn/signup-in/start: post: tags: [] summary: User Sign-In with Auto Sign-Up description: >- Use to login with WebAuthn, if user doesn't exist a new user will be created operationId: WebAuthnSignUpInStart requestBody: content: application/json: schema: $ref: '#/components/schemas/WebauthnSignUpOrInStartRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/WebauthnStartResponse' security: - Descope Project ID: [] x-publishYaml: WebAuthn x-order: 5 x-meta: title: User Sign-In with Auto Sign-Up | WebAuthn description: >- Use to login with WebAuthn, if user doesn't exist a new user will be created keywords: api, webauthn /v1/auth/webauthn/update/start: post: tags: [] summary: Add WebAuthn Device description: Add a new WebAuthn device to an existing user operationId: WebAuthnDeviceAddStart requestBody: content: application/json: schema: $ref: '#/components/schemas/WebauthnAddDeviceStartRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/WebauthnStartResponse' security: - Descope Project ID:Refresh JWT: [] x-publishYaml: WebAuthn x-order: 6 x-meta: title: Add WebAuthn Device | WebAuthn description: Add a new WebAuthn device to an existing user keywords: api, webauthn /v1/auth/webauthn/update/finish: post: tags: [] summary: Finalize Add WebAuthn description: Finalize adding a new WebAuthn device operationId: WebAuthnDeviceAddFinish requestBody: content: application/json: schema: $ref: '#/components/schemas/WebauthnAddDeviceFinishRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/WebauthnAddDeviceFinishResponse' security: - Descope Project ID: [] x-publishYaml: WebAuthn x-order: 7 x-meta: title: Finalize Add WebAuthn | WebAuthn description: Finalize adding a new WebAuthn device keywords: api, webauthn /v1/keys/{projectId}: get: tags: [] summary: Token Validation Key (V1) description: >- ### Get public key for session token validation (V1) This API endpoint will return the public key needed to handle the session token JWT validation. `projectId` is provided as a GET parameter, so this endpoint can be executed with a browser. operationId: GetKeys parameters: - name: projectId in: path required: true schema: type: string - name: certs in: query schema: type: boolean responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/sessionv1.JWKSResponse' x-publishYaml: sessionGetKeys x-order: 1 security: [] x-meta: title: Token Validation Key (V1) | Session Get Keys description: Get public key for session token validation (V1) keywords: api, session get keys /v2/keys/{projectId}: get: tags: [] summary: Token Validation Key (V2) description: >- ### Get public key for session token validation (V2) This API endpoint will return the public key needed to handle the session token JWT validation. `projectId` is provided as a GET parameter, so this endpoint can be executed with a browser. This endpoint differentiates from [Token Validation Key (V1)](/api/session/get-keys) as the data is returned in JSON format rather than an array. operationId: GetKeysV2 parameters: - name: projectId in: path required: true schema: type: string - name: certs in: query schema: type: boolean responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/sessionv1.JWKSResponseV2' x-publishYaml: sessionGetKeys x-order: 1 security: [] x-meta: title: Token Validation Key (V2) | Session Get Keys description: Get public key for session token validation (V2) keywords: api, session get keys /scim/v2/Groups: get: tags: [] summary: Search SCIM Groups description: >- ### Search SCIM groups, using a valid access key. This endpoint allows administrators to search SCIM groups. These groups have been created and associated to the Application and Descope tenant. The response includes an array of group objects within the Resources object. These group objects include details about the groups including the members. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and has the tenant admin role. ### Next Steps Once you have this data, you can [Update an Existing SCIM Group](/api/management/tenants/scim/update-scim-group) or [Delete an Existing SCIM Group](/api/management/tenants/scim/delete-scim-group). You can add or remove users from the SCIM groups via [Update SCIM Group](/api/management/tenants/scim/update-scim-group). ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: SearchSCIMGroups parameters: - name: filter in: query schema: type: string - name: startIndex in: query schema: type: integer format: int32 - name: count in: query schema: type: integer format: int32 - name: excludedAttributes in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMGetGroupsResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 1 x-meta: title: Search SCIM Groups | Scim Management description: Search SCIM groups, using a valid access key. keywords: api, scim management post: tags: [] summary: Create SCIM Group description: >- ### Create a SCIM group, using a valid access key. This endpoint allows administrators to create new SCIM groups within their environement. When creating the group, you can configure the groupId, displayName, and it's members. The response includes the new group's group object which includes details about the groups including the members. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### Next Steps Once you have created the group, you can later add or remove users from the SCIM groups via [Update SCIM Group](/api/management/tenants/scim/update-scim-group). ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: CreateSCIMGroup requestBody: content: application/json: schema: $ref: '#/components/schemas/SCIMGroupRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMGroupResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 3 x-meta: title: Create SCIM Group | Scim Management description: Create a SCIM group, using a valid access key. keywords: api, scim management /scim/v2/Groups/{groupId}: get: tags: [] summary: Load SCIM Group description: >- ### Load an existing SCIM group, using a valid access key. This endpoint allows administrators to load an existing SCIM group using the SCIM groupId, which is a required field, and optionally the displayName. The response includes the group's object which includes details about the groups including the members. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### Next Steps Once you have this data, you can add or remove users from the SCIM groups via [Update SCIM Group](/api/management/tenants/scim/update-scim-group). ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: LoadSCIMGroup parameters: - name: groupId in: path required: true schema: type: string - name: displayName in: query schema: type: string - name: externalId in: query schema: type: string - name: excludedAttributes in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMGroupResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 2 x-meta: title: Load SCIM Group | Scim Management description: Load an existing SCIM group, using a valid access key. keywords: api, scim management put: tags: [] summary: Update SCIM Group description: >- ### Update an existing SCIM group, using a valid access key. This endpoint allows administrators to update an existing SCIM group using the SCIM group ID, which is a required field. You can update the display name and members through this API endpoint. The response includes the group's object which includes details about the groups including the members. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: UpdateSCIMGroup parameters: - name: groupId in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/SCIMGroupRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMGroupResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 4 x-meta: title: Update SCIM Group | Scim Management description: Update an existing SCIM group, using a valid access key. keywords: api, scim management delete: tags: [] summary: Delete SCIM Group description: >- ### Delete an existing SCIM group, using a valid access key. This endpoint allows administrators to delete an existing SCIM group using using the SCIM groupId, which is a required field, and optionally the displayName. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: DeleteSCIMGroup parameters: - name: groupId in: path required: true schema: type: string - name: displayName in: query schema: type: string - name: externalId in: query schema: type: string - name: excludedAttributes in: query schema: type: string responses: '200': description: OK content: {} security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 5 x-meta: title: Delete SCIM Group | Scim Management description: Delete an existing SCIM group, using a valid access key. keywords: api, scim management patch: tags: [] summary: Patch SCIM Group description: Patch SCIM Group, using a valid access key. operationId: PatchSCIMGroup parameters: - name: groupId in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/SCIMPatchRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 5 x-meta: title: Patch SCIM Group | Scim Management description: Patch SCIM Group, using a valid access key. keywords: api, scim management /scim/v2/Users: get: tags: [] summary: Search SCIM Users description: >- ### Search SCIM users, using a valid access key. This endpoint allows administrators to search SCIM users. These users have been created and associated to the Application and Descope tenant. The response includes an array of user objects within the Resources object. These user objects include details about the users including their email, phone, username, name, etc. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### Next Steps Once you have user data, you can utilize [Update SCIM Group](/api/management/tenants/scim/update-scim-group) to add or remove the user on groups. ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: SearchSCIMUsers parameters: - name: filter in: query schema: type: string - name: startIndex in: query schema: type: integer format: int32 - name: count in: query schema: type: integer format: int32 responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMGetUsersResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 6 x-meta: title: Search SCIM Users | Scim Management description: Search SCIM users, using a valid access key. keywords: api, scim management /scim/v2/Users/{userId}: get: tags: [] summary: Load SCIM User description: >- ### Load an existing SCIM user, using a valid access key. This endpoint allows administrators to load an existing SCIM user. The response includes the user's object, which includes details about the users including their email, phone, username, name, etc. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### Next Steps Once you have user data, you can utilize [Update SCIM Group](/api/management/tenants/scim/update-scim-group) to add or remove the user on groups. ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: LoadSCIMUser parameters: - name: userId in: path required: true schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMGetUserResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 7 x-meta: title: Load SCIM User | Scim Management description: Load an existing SCIM user, using a valid access key. keywords: api, scim management put: tags: [] summary: Update SCIM User description: >- ### Update an existing SCIM user, using a valid access key. This endpoint allows administrators to update an existing SCIM user. Through this API endpoint, administrators can update the displayName, phoneNumbers, emails, and if the user is active. The response includes the user's object, which includes details about the users including their email, phone, username, name, etc. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: UpdateSCIMUser parameters: - name: userId in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/SCIMUserRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMGetUserResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 9 x-meta: title: Update SCIM User | Scim Management description: Update an existing SCIM user, using a valid access key. keywords: api, scim management delete: tags: [] summary: Delete SCIM User description: >- ### Delete an existing SCIM User, using a valid access key. This API endpoint allows administrators to delete an existing SCIM user from the Descope tenant. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: DeleteSCIMUser parameters: - name: userId in: path required: true schema: type: string - name: displayName in: query description: >- The following values are manipulated by the marshaler in httpgateway/marshaler.go in case of changing or adding new ones, need to edit the marshaler as well schema: type: string - name: active in: query schema: type: boolean - name: name.givenName in: query schema: type: string - name: name.familyName in: query schema: type: string - name: name.middleName in: query schema: type: string - name: userName in: query schema: type: string responses: '200': description: OK content: {} security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 11 x-meta: title: Delete SCIM User | Scim Management description: Delete an existing SCIM User, using a valid access key. keywords: api, scim management patch: tags: [] summary: Patch SCIM User description: Patch SCIM User, using a valid access key. operationId: SCIMPatchUser parameters: - name: userId in: path required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/SCIMPatchRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMGetUserResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 10 x-meta: title: Patch SCIM User | Scim Management description: Patch SCIM User, using a valid access key. keywords: api, scim management /scim/v2/ResourceTypes: get: tags: [] summary: Load SCIM Resource Types description: >- ### Load SCIM resource types, using a valid access key. This API endpoint allows administrators to load the resource types available within the SCIM provisioning. The response includes an array of the available resource types. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: LoadSCIMResourceTypes responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMResourceTypesResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 11 x-meta: title: Load SCIM Resource Types | Scim Management description: Load SCIM resource types, using a valid access key. keywords: api, scim management /scim/v2/ServiceProviderConfig: get: tags: [] summary: Load SCIM Service Provider Config description: >- ### Load the supported SCIM provisioning service provider configuration, using a valid access key. This API endpoint allows administrators to load the supported SCIM provisioning service provider configuration. The response includes detailed information on the applicable configurations and schemas within your IdP for SCIM provisioning. It is important to note the bearer token for SCIM API endpoints. The format is `ProjectId:AccessKey` the access key must be associated with the applicable tenant and associated with the tenant admin role. ### See also - See [SCIM Management](/scim) for further details on managing SCIM provisioning. operationId: LoadSCIMServiceProviderConfig responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SCIMServiceProviderConfigResponse' security: - Descope Project ID:Access Key: [] x-publishYaml: scimManagement x-order: 12 x-meta: title: Load SCIM Service Provider Config | Scim Management description: >- Load the supported SCIM provisioning service provider configuration, using a valid access key. keywords: api, scim management /v1/mgmt/accesskey: get: tags: [] summary: Load An Access Key description: >- ### Load an access key, using a valid management key. This API endpoint allows administrators to load the details of an existing access key. The response contains details of the access key including associated roles and tenants as well as details of the key's creation, status, and expiration. ### Next Steps Once you have this data, you can utilize the response to [Update an access key](/api/management/access-keys/update-access-key), [Activate an access key](/api/management/access-keys/activate-access-key), [Deactivate an access key](/api/management/access-keys/deactivate-access-key), or [Delete an access key](/api/management/access-keys/delete-access-key). ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: LoadAccessKey parameters: - name: id in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AccessKeyResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 1 x-meta: title: Load An Access Key | Access Key Management description: Load an access key, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/search: post: tags: [] summary: Search Access Keys description: >- ### Search access keys, using a valid management key. This API endpoint allows administrators to search for details of existing access keys for a given array of tenants. The response contains an array of details for the access keys returned by the search including associated roles and tenants as well as details of the key's creation, status, and expiration. ### Next Steps Once you have this data, you can utilize the response to [Update an access key](/api/management/access-keys/update-access-key), [Activate an access key](/api/management/access-keys/activate-access-key), [Deactivate an access key](/api/management/access-keys/deactivate-access-key), or [Delete an access key](/api/management/access-keys/delete-access-key). ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: SearchAccessKeys requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchAccessKeysRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AccessKeysResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 2 x-meta: title: Search Access Keys | Access Key Management description: Search access keys, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/create: post: tags: [] summary: Create Access Key description: >- ### Create an access key, using a valid management key. This API endpoint allows administrators to create an access key. During the creation of the access key, you can set the name, expiration time, roles and tenant:role pairs to associated with the key. ### Next Steps Once you have the access key, you can utilize it to configure external items such as [SCIM](/api/scimmanagement/), or use it to [exchange for a JWT](/api/access-keys/exchange-key). ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: CreateAccessKey requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateAccessKeyRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateAccessKeyResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 3 x-meta: title: Create Access Key | Access Key Management description: Create an access key, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/update: post: tags: [] summary: Update Access Key description: >- ### Update an existing access key, using a valid management key. This API endpoint allows administrators to update an existing access key. With this endpoint, you can only update the access key's name. ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: UpdateAccessKey requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateAccessKeyRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AccessKeyResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 4 x-meta: title: Update Access Key | Access Key Management description: Update an existing access key, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/activate: post: tags: [] summary: Activate Access Key description: >- ### Activate an existing access key, using a valid management key. This API endpoint allows administrators to activate an existing access key. ### Next Steps Once you have reactivated the access key, you can utilize it to configure external items such as [SCIM](/api/scimmanagement/), or use it to [exchange for a JWT](/api/access-keys/exchange-key). ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: ActivateAccessKey requestBody: content: application/json: schema: $ref: '#/components/schemas/AccessKeyRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 5 x-meta: title: Activate Access Key | Access Key Management description: Activate an existing access key, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/deactivate: post: tags: [] summary: Deactivate Access Key description: >- ### Deactivate an existing access key, using a valid management key. This API endpoint allows administrators to deactivate an existing access key. Once the access key has been deactivated, it's access will be revoked until reactivated. ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: DeactivateAccessKey requestBody: content: application/json: schema: $ref: '#/components/schemas/AccessKeyRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 6 x-meta: title: Deactivate Access Key | Access Key Management description: Deactivate an existing access key, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/activate/batch: post: tags: [] summary: Batch Activate Access Keys description: >- ### Activate existing access keys in batch, using a valid management key. This API endpoint allows administrators to activate existing access keys in batch. ### Next Steps Once you have reactivated the access key, you can utilize it to configure external items such as [SCIM](/api/scimmanagement/), or use it to [exchange for a JWT](/api/access-keys/exchange-key). ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: ActivateAccessKeys requestBody: content: application/json: schema: $ref: '#/components/schemas/AccessKeyBatchRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 7 x-meta: title: Batch Activate Access Keys | Access Key Management description: Activate existing access keys in batch, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/deactivate/batch: post: tags: [] summary: Batch Deactivate Access Keys description: >- ### Deactivate existing access keys in batch, using a valid management key. This API endpoint allows administrators to deactivate existing access keys in batch. Once the access keys have been deactivated, their access will be revoked until reactivated. ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: DeactivateAccessKeys requestBody: content: application/json: schema: $ref: '#/components/schemas/AccessKeyBatchRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 8 x-meta: title: Batch Deactivate Access Keys | Access Key Management description: >- Deactivate existing access keys in batch, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/delete/batch: post: tags: [] summary: Batch Delete Access Keys description: >- ### Delete existing access keys in batch, using a valid management key. This API endpoint allows administrators to delete existing access keys in batch. Once the access keys have been deleted, their access will be revoked. ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: DeleteAccessKeys requestBody: content: application/json: schema: $ref: '#/components/schemas/AccessKeyBatchRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 9 x-meta: title: Batch Delete Access Keys | Access Key Management description: Delete existing access keys in batch, using a valid management key. keywords: api, access key management /v1/mgmt/accesskey/delete: post: tags: [] summary: Delete Access Key description: >- ### Delete an existing access key, using a valid management key. This API endpoint allows administrators to delete an existing access key. Once the access key has been deleted, it's access will be revoked. ### See also - See [Access Key Management](/access-keys) for further details on managing access keys. operationId: DeleteAccessKey requestBody: content: application/json: schema: $ref: '#/components/schemas/AccessKeyRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: accessKeyManagement x-order: 10 x-meta: title: Delete Access Key | Access Key Management description: Delete an existing access key, using a valid management key. keywords: api, access key management /v1/mgmt/audit/search: post: tags: [] summary: Search Audit description: >- ### Search the audit log, using a valid management key. This API endpoint allows you to search the audit log utilizing various search parameters and returns the results in JSON format. operationId: SearchAudit requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchAuditRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SearchAuditResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: auditManagement x-order: 1 x-meta: title: Search Audit | Audit Management description: Search the audit log, using a valid management key. keywords: api, audit management /v1/mgmt/audit/event: post: tags: [] summary: Create Audit Event description: >- ### Create an audit log event, using a valid management key. This API endpoint allows you to create an audit log utilizing various parameters and returns the results in JSON format. operationId: CreateAuditEvent requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateAuditRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: auditManagement x-order: 2 x-meta: title: Create Audit Event | Audit Management description: Create an audit log event, using a valid management key. keywords: api, audit management /v1/mgmt/user: get: tags: [] summary: Load User description: >- ### Load a user's data, using a valid management key. This API endpoint takes the user's loginId and then returns details of a user utilizing a valid management key. The response includes the following; however, there are additional items in the response that you can see below by expanding the response 200 OK. - loginIds - userId - name - email - phone - verified settings (phone, email) - Tenant configurations - which tenantIds, which roleNames _Note: Suppose you frequently load a user for a specific user detail, such as their email address or a particular custom attribute. In that case, you can save execution time and additional API/SDK calls to load the user by adding the items to the custom claim. For details on adding items to the custom claims, see [this documentation](/security-best-practices/custom-claims#using-custom-claims-within-descope-flows)._ _Note: If you have access to all federated applications, the list will return as an empty array. Descope allows you to restrict which apps each user has access to, but by default gives access to all applications._ ### Next Steps Once you have this data, you can utilize the response to prepare the payload to perform an [Update](/api/management/users/update-user) on the user. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: LoadUser parameters: - name: loginId in: query schema: type: string - name: userId in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 1 x-meta: title: Load User | User Management description: Load a user's data, using a valid management key. keywords: api, user management /v1/mgmt/user/customattributes: get: tags: - Custom Attributes summary: Get Available Custom Attributes description: >- ### Get available custom attributes to configure on users within a project, using a valid management key. This API endpoint will return the available user custom attributes within a project. ### See also - See [Custom Attributes](/manage/users#custom-user-attributes) for further details on custom user attributes - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: UserCustomAttributes responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CustomAttributesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 1 x-meta: title: Get Available Custom Attributes | User Management description: >- Get available custom attributes to configure on users within a project, using a valid management key. keywords: api, user management /v1/mgmt/user/customattribute/create: post: tags: - Custom Attributes summary: Create a Custom Attributes description: >- ### Create a custom attributes to configure on users within a project, using a valid management key. This API endpoint will create a custom attribute within a project. ### See also - See [Custom Attributes](/manage/users#custom-user-attributes) for further details on custom user attributes - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: CreateUserCustomAttribute requestBody: content: application/json: schema: $ref: '#/components/schemas/ImportCustomAttributesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CustomAttributesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 2 x-meta: title: Create a Custom Attributes | User Management description: >- Create a custom attributes to configure on users within a project, using a valid management key. keywords: api, user management /v1/mgmt/user/provider/token: get: tags: [] summary: Get User Provider Token description: >- ### Get an existing user's provider token, using a valid management key. This API endpoint will loads the user's access token generated by the OAuth/OIDC provider, using a valid management key. When querying for OAuth providers, this only applies when utilizing your own account with the provider and have selected `Manage tokens from provider` selected under the [social auth methods](https://app.descope.com/settings/authentication/social). ### Query Params - `loginId` - The loginId of the user you want to get the provider token for. - `provider` - The provider you want to get the token for. - `withRefreshToken (optional)` - set to true to also return the refresh token. - `forceRefresh (optional)` - set to true to force a refresh of the token. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Provider Options](/auth-methods/oauth#social-login-oauth-providers) for a the out of the box list of providers. operationId: GetUserProviderToken parameters: - name: loginId in: query schema: type: string - name: provider in: query schema: type: string - name: withRefreshToken in: query schema: type: boolean - name: forceRefresh in: query schema: type: boolean responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserProviderTokenResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 2 x-meta: title: Get User Provider Token | User Management description: Get an existing user's provider token, using a valid management key. keywords: api, user management /v1/mgmt/user/customattribute/delete: post: tags: - Custom Attributes summary: Delete a Custom Attributes description: >- ### Delete a custom attributes to configure on users within a project, using a valid management key. This API endpoint will delete a custom attribute within a project. ### See also - See [Custom Attributes](/manage/users#custom-user-attributes) for further details on custom user attributes - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: DeleteUserCustomAttribute requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteCustomAttributesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CustomAttributesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 3 x-meta: title: Delete a Custom Attributes | User Management description: >- Delete a custom attributes to configure on users within a project, using a valid management key. keywords: api, user management /v1/mgmt/user/search: post: tags: [] summary: Search Users description: Search users, using a valid management key. operationId: SearchUsers requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchUsersRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UsersResponse' deprecated: true security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 3 x-meta: title: Search Users | User Management description: Search users, using a valid management key. keywords: api, user management /v2/mgmt/user/search: post: tags: [] summary: Search Users description: >- ### Search for users, using a valid management key. This API endpoint will search for users utilizing a valid management key. Searches can be defined with any combination of roles or tenants. You can also only send the request with an empty payload to return all users. The response will include the following details on all users within an array of objects: - loginIds - userId - name - email - phone - verified settings (phone, email) - Tenant configurations (tenantIds, roleNames) ### Next Steps You can then parse through the response in order to find any users which you may need to delete, update, etc. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: SearchUsers requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchUsersRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UsersResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 4 x-meta: title: Search Users | User Management description: Search for users, using a valid management key. keywords: api, user management /v1/mgmt/user/history: post: tags: [] summary: Get User's Login History description: >- ### Get an user's login history, using a valid management key. This API endpoint will loads the user's login history based on the user's userId. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: UsersAuthHistory requestBody: content: application/json: schema: type: object properties: {} required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UsersAuthHistoryResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 5 x-meta: title: Get User's Login History | User Management description: Get an user's login history, using a valid management key. keywords: api, user management /v1/mgmt/user/create: post: tags: [] summary: Create User description: >- ### Create a new user, using a valid management key. This API endpoint will create a new user utilizing a valid management key. This API endpoint allows you to configure all aspects of a user: - loginId - email - phone - verified settings (phone, email) - one must be set to true - displayName - roleNames - Tenant configurations - which tenantIds, which roleNames. The userTenants can include multiple items Ex: ``` "userTenants": [ { "tenantId": "T2IMjmRfYTQHlbaastz3im59ERS3", "roleNames": [ "Test" ] }, { "tenantId": "T2Igau6dX1R6SkomtFCdBLrc3r67", "roleNames": [ "Test" ] } ``` Additionally, you can create a user with multiple login IDs by passing an array of loginIds in string format within the `additionalIdentifiers` key. ### Next Steps Once the user is created, the user can then login utilizing any sign-in api supported. This will then switch the user from invited to active. ### See also - See [Manage User](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: CreateUser requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUserRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 6 x-meta: title: Create User | User Management description: Create a new user, using a valid management key. keywords: api, user management /v1/mgmt/user/create/batch: post: tags: [] summary: Batch Create Users description: >- ### Batch Create Users, using a valid management key. This API endpoint will batch create new users utilizing a valid management key. This API endpoint allows you to configure all aspects of a user: - loginId - email - phone - verified settings (phone, email) - one must be set to true - displayName - roleNames - Tenant configurations - which tenantIds, which roleNames. The userTenants can include multiple items Ex: ``` "userTenants": [ { "tenantId": "T2IMjmRfYTQHlbaastz3im59ERS3", "roleNames": [ "Test" ] }, { "tenantId": "T2Igau6dX1R6SkomtFCdBLrc3r67", "roleNames": [ "Test" ] } ``` Additionally, you can create a user with multiple login IDs by passing an array of loginIds in string format within the `additionalIdentifiers` key. You can also decide whether to invite the users, configure the inviteUrl, and whether to send invites via email or SMS. When importing with hashed passwords, see [this guide](/migrate/custom#importing-passwords) for further detailed configuration of password hash formats. ### Next Steps Once the user is created, the user can then login utilizing any sign-in api supported. This will then switch the user from invited to active. ### See also - See [Manage User](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: CreateUsers requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUsersRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateUsersResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 7 x-meta: title: Batch Create Users | User Management description: Batch Create Users, using a valid management key. keywords: api, user management /v1/mgmt/user/update: post: tags: [] summary: Update User description: >- ### Updates a user's details, using a valid management key. This API endpoint will update a user's details of a user utilizing a valid management key. It is important to understand the update will take the configurations for the user provided and will overwrite all user settings. This means that if the user currently has email and phone, but the update only includes email, the phone and other non-provided configurations will be removed. This API endpoint will remove any details that are not provided. It is preferred to use other updates supported by the API, such as the following options: - [Update User Status](/api/management/users/update-user-status) - [Update User Email](/api/management/users/update-user-email) - [Update User Phone](/api/management/users/update-user-phone) - [Update User Display Name](/api/management/users/update-user-display-name) - [Update User Add Tenant](/api/management/users/update-user-add-tenant) - [Update User Remove Tenant](/api/management/users/update-user-remove-tenant) - [Update User Add Role](/api/management/users/update-user-add-roles) - [Update User Remove Role](/api/management/users/update-user-remove-roles) Additionally, you can update a user with multiple login IDs by passing an array of loginIds in string format within the `additionalIdentifiers` key. It is suggested to gather the current user configurations via [Load User](/api/management/users/load-user) in order to assist you in building the payload for this api endpoint. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: UpdateUser requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 8 x-meta: title: Update User | User Management description: Updates a user's details, using a valid management key. keywords: api, user management /v1/mgmt/user/patch: patch: tags: [] summary: Patch User description: >- ### Patch a user's details, using a valid management key. This API endpoint will patch a user's details of a user utilizing a valid management key. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: PatchUser requestBody: content: application/json: schema: $ref: '#/components/schemas/PatchUserRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 9 x-meta: title: Patch User | User Management description: Patch a user's details, using a valid management key. keywords: api, user management /v1/mgmt/user/update/status: post: tags: [] summary: Update User Status description: >- ### Updates an existing user's status, using a valid management key. This API endpoint allows you to update the user's status granularly without updating all user details. Available statuses to utilize: - invited - enabled - disabled The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: UpdateUserStatus requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserStatusRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 10 x-meta: title: Update User Status | User Management description: Updates an existing user's status, using a valid management key. keywords: api, user management /v1/mgmt/user/update/email: post: tags: [] summary: Update User Email description: >- ### Updates an existing user's email, using a valid management key. This API endpoint allows you to update the user's email granularly without updating all user details. The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: UpdateUserEmail requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserEmailRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 11 x-meta: title: Update User Email | User Management Email description: Updates an existing user's email, using a valid management key. Email keywords: api, user management, email /v1/mgmt/user/update/loginid: post: tags: [] summary: Update User Login ID description: >- ### Updates an existing user's login ID, using a valid management key. This API endpoint allows you to update a user's Login ID. If you'd like to remove a login ID, provide an empty string for the new login ID. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: UpdateUserLoginID requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserLoginIDRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 12 x-meta: title: Update User Login ID | User Management description: Updates an existing user's login ID, using a valid management key. keywords: api, user management /v1/mgmt/user/update/phone: post: tags: [] summary: Update User Phone description: >- ### Updates an existing user's phone number, using a valid management key. This API endpoint allows you to update the user's phone number granularly without updating all user details. The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: UpdateUserPhone requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserPhoneRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 13 x-meta: title: Update User Phone | User Management description: Updates an existing user's phone number, using a valid management key. keywords: api, user management /v1/mgmt/user/update/name: post: tags: [] summary: Update User Display Name description: >- ### Updates an existing user's display name, using a valid management key. This API endpoint allows you to update the user's display name granularly without updating all user details. The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: UpdateUserDisplayName requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserDisplayNameRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 14 x-meta: title: Update User Display Name | User Management description: Updates an existing user's display name, using a valid management key. keywords: api, user management /v1/mgmt/user/update/picture: post: tags: [] summary: Update User Picture description: >- ### Update an existing user's profile picture, using a valid management key. This API endpoint allows you to update a user's profile picture granularly without updating all user details. The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Tenants](/management/tenant-management) for further details on managing tenants. operationId: UpdateUserPicture requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserPictureRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 15 x-meta: title: Update User Picture | User Management description: >- Update an existing user's profile picture, using a valid management key. keywords: api, user management /v1/mgmt/user/update/customAttribute: post: tags: [] summary: Update User Custom Attribute description: >- ### Update an existing user's custom attributes, using a valid management key. This API endpoint allows you to update a user's custom attributes granularly without updating all user details. The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Tenants](/management/tenant-management) for further details on managing tenants. operationId: UpdateUserCustomAttribute requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserCustomAttributeRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 16 x-meta: title: Update User Custom Attribute | User Management description: >- Update an existing user's custom attributes, using a valid management key. keywords: api, user management /v1/mgmt/jwt/update: post: tags: [] summary: Update JWT description: >- ### Updates a JWT with custom claims, using a valid management key. This API endpoint will update a JWT with custom claims. This endpoint takes the JWT as well as the `customClaims` json. operationId: UpdateJWT requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateJWTRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/managementv1.JWTResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 17 x-meta: title: Update JWT | User Management description: Updates a JWT with custom claims, using a valid management key. keywords: api, user management /v1/mgmt/user/password/expire: post: tags: [] summary: Expire User Passwsord description: >- ### Expire an existing user's password, using a valid management key. This API endpoint allows you to expire an existing user's password. Upon next login, the user will need to follow the reset password flow. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Tenants](/management/tenant-management) for further details on managing tenants. - See [Reset Password](/api/passwords/email/password-reset) for sending the password reset email. operationId: ExpireUserPassword requestBody: content: application/json: schema: $ref: '#/components/schemas/ExpireUserPasswordRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 18 x-meta: title: Expire User Passwsord | User Management description: Expire an existing user's password, using a valid management key. keywords: api, user management /v1/mgmt/user/password/set/active: post: tags: [] summary: Set Active Password for User description: >- ### Set an active password for an existing user, using a valid management key. This API endpoint allows you to set an active password for an existing user. This will allow the user to authenticate with this password without changing it. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Tenants](/management/tenant-management) for further details on managing tenants. operationId: SetUserActivePassword requestBody: content: application/json: schema: $ref: '#/components/schemas/SetUserPasswordRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SetUserPasswordResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 19 x-meta: title: Set Active Password for User | User Management description: >- Set an active password for an existing user, using a valid management key. keywords: api, user management /v1/mgmt/user/password/set/temporary: post: tags: [] summary: Set Temporary Password for User description: >- ### Set a temporary password for an existing user, using a valid management key. This API endpoint allows you to set a temporary password for an existing user. This will require the user to change their password on next authentication. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Tenants](/management/tenant-management) for further details on managing tenants. operationId: SetUserTemporaryPassword requestBody: content: application/json: schema: $ref: '#/components/schemas/SetUserPasswordRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SetUserPasswordResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 20 x-meta: title: Set Temporary Password for User | User Management description: >- Set a temporary password for an existing user, using a valid management key. keywords: api, user management /v1/mgmt/user/totp/delete: post: tags: [] summary: Delete User's TOTP Seed description: >- ### Delete an existing user's TOTP, using a valid management key. This API endpoint allows you to delete an existing user's TOTP seed. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: RemoveUserTOTP requestBody: content: application/json: schema: $ref: '#/components/schemas/RemoveUserTOTPRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 21 x-meta: title: Delete User's TOTP Seed | User Management description: Delete an existing user's TOTP, using a valid management key. keywords: api, user management /v1/mgmt/user/update/tenant/add: post: tags: [] summary: Update User Add Tenant description: >- ### Add a tenant to an existing user, using a valid management key. This API endpoint allows you to add a user to a tenant granularly without updating all user details. The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Tenants](/management/tenant-management) for further details on managing tenants. operationId: UpdateUserAddTenant requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserTenantRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 22 x-meta: title: Update User Add Tenant | User Management description: Add a tenant to an existing user, using a valid management key. keywords: api, user management /v1/mgmt/user/update/tenant/remove: post: tags: [] summary: Update User Remove Tenant description: >- ### Removes a tenant from an existing user, using a valid management key. This API endpoint allows you to remove a user from a tenant granularly without updating all user details. The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Tenants](/management/tenant-management) for further details on managing tenants. operationId: UpdateUserRemoveTenant requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserTenantRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 23 x-meta: title: Update User Remove Tenant | User Management description: Removes a tenant from an existing user, using a valid management key. keywords: api, user management /v2/mgmt/user/update/role/add: post: tags: [] summary: Update User Add Roles description: >- ### Add roles to an existing user, using a valid management key. This API endpoint allows you to add roles to a user granularly without updating all user details. `roleNames` is an array of the role names in string format. The `tenantId` is optional; if provided, the user must be a member of that tenant The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Roles](/manage/roles/) for further details on managing roles. operationId: UpdateUserAddRoles requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserRolesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 24 x-meta: title: Update User Add Roles | User Management description: Add roles to an existing user, using a valid management key. keywords: api, user management /v1/mgmt/user/update/role/set: post: tags: [] summary: Set User's Roles description: >- ### Set an existing user's roles, using a valid management key. This API endpoint allows you to set a user's roles. This will override the current roles associated to the user and will set all passed roles. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Roles](/manage/roles/) for further details on managing roles. operationId: UpdateUserSetRoles requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserRolesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 25 x-meta: title: Set User's Roles | User Management description: Set an existing user's roles, using a valid management key. keywords: api, user management /v1/mgmt/user/update/role/remove: post: tags: [] summary: Update User Remove Roles description: >- ### Remove roles from an existing user, using a valid management key. This API endpoint allows you to remove roles from a user granularly without updating all user details. `roleNames` is an array of the role names in string format. The `tenantId` is optional; if provided, the user must be a member of that tenant The response returns the user's details in json format. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Roles](/manage/roles/) for further details on managing roles. operationId: UpdateUserRemoveRoles requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserRolesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 26 x-meta: title: Update User Remove Roles | User Management description: Remove roles from an existing user, using a valid management key. keywords: api, user management /v1/mgmt/user/update/ssoapp/add: post: tags: [] summary: Add Application to User description: >- ### Add Applications to an existing user, using a valid management key. This API endpoint allows you to add Applications to a user granularly without updating all user details. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Applications](/manage/idpapplications/) for further details on Applications. operationId: UpdateUserAddSSOApps requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserSSOAppsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 27 x-meta: title: Add Application to User | User Management description: Add Applications to an existing user, using a valid management key. keywords: api, user management /v1/mgmt/user/update/ssoapp/set: post: tags: [] summary: Set Applications to User description: >- ### Set Applications for an existing user, using a valid management key. This API endpoint allows you to set the associated Applications for a user. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Applications](/manage/idpapplications/) for further details on Applications. operationId: UpdateUserSetSSOApps requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserSSOAppsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 28 x-meta: title: Set Applications to User | User Management description: Set Applications for an existing user, using a valid management key. keywords: api, user management /v1/mgmt/user/update/ssoapp/remove: post: tags: [] summary: Remove Application to User description: >- ### Remove Applications from an existing user, using a valid management key. This API endpoint allows you to remove Applications from a user granularly without updating all user details. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Applications](/manage/idpapplications/) for further details on Applications. operationId: UpdateUserRemoveSSOApps requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateUserSSOAppsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UserResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 29 x-meta: title: Remove Application to User | User Management description: >- Remove Applications from an existing user, using a valid management key. keywords: api, user management /v1/mgmt/user/logout: post: tags: [] summary: Log user out of all sessions description: >- ### Log a user out of all sessions, using a valid management key. This API endpoint allows you to log a user out of all active sessions. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. - See [Manage Roles](/manage/roles/) for further details on managing roles. operationId: LogoutAllUserDevices requestBody: content: application/json: schema: $ref: '#/components/schemas/UserLogoutRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 30 x-meta: title: Log user out of all sessions | User Management description: Log a user out of all sessions, using a valid management key. keywords: api, user management /v1/mgmt/user/passkeys/delete: post: tags: [] summary: Delete User's Passkeys description: >- ### Delete a user's Passkeys, using a valid management key. This API endpoint will delete all existing passkeys for the user ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: RemoveUserPasskeys requestBody: content: application/json: schema: $ref: '#/components/schemas/RemoveUserPasskeysRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 31 x-meta: title: Delete User's Passkeys | User Management description: Delete a user's Passkeys, using a valid management key. keywords: api, user management /v1/mgmt/user/delete: post: tags: [] summary: Delete User description: >- ### Delete a user, using a valid management key. This API endpoint will delete a user utilizing a valid management key based on the provided user loginId. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: DeleteUser requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteUserRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 32 x-meta: title: Delete User | User Management description: Delete a user, using a valid management key. keywords: api, user management /v1/mgmt/user/delete/batch: post: tags: [] summary: Batch Delete Users description: >- ### Delete users, using a valid management key. This API endpoint will delete users utilizing a valid management key. ### See also - See [Manage Users](/manage/users) for further details on managing users. - See [The User Object](/api/overview#the-user-object) for further details on the user object. operationId: DeleteUsers requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteUsersRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 33 x-meta: title: Batch Delete Users | User Management description: Delete users, using a valid management key. keywords: api, user management /v1/mgmt/impersonate: post: tags: [] summary: Impersonate User description: >- ### Impersonate a user, using a valid management key. This API endpoint will allow you to impersonate a user using a login ID. The impersonator user must have the impersonation permission in order for this request to work. The response would be a refresh JWT of the impersonated user operationId: Impersonate requestBody: content: application/json: schema: $ref: '#/components/schemas/ImpersonateRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/managementv1.JWTResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 34 x-meta: title: Impersonate User | User Management description: Impersonate a user, using a valid management key. keywords: api, user management /v1/mgmt/auth/anonymous: post: tags: [] summary: Anonymous User description: >- ### Anonymous User Anonymous Users are identified with a unique Descope JWT type. Eventually, create a token that we can use as the defined anonymous identity. Signed by Descope. For more info, please refer to our anonymous users documentation. operationId: Anonymous requestBody: content: application/json: schema: $ref: '#/components/schemas/AnonymousUserRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/AnonymousJWTResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-order: 35 x-meta: title: Anonymous User | User Management description: Anonymous User keywords: api, user management /v1/mgmt/stop/impersonate: {} /v1/mgmt/stop/impersonation: post: tags: [] summary: Stop impersonation description: Stop impersonation as a different user operationId: Stop impersonation requestBody: content: application/json: schema: $ref: '#/components/schemas/StopImpersonationRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/managementv1.JWTResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: userManagement x-meta: title: Stop impersonation | User Management description: Stop impersonation as a different user keywords: api, user management /v1/mgmt/authz/schema/save: post: tags: [] summary: Save an authz schema description: Save (create or update) an authz schema for your project. operationId: SaveSchema requestBody: content: application/json: schema: $ref: '#/components/schemas/SaveSchemaRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SaveSchemaResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 1 x-meta: title: Save an authz schema | Authz description: Save (create or update) an authz schema for your project. keywords: api, authz /v1/mgmt/authz/schema/delete: post: tags: [] summary: Delete an authz schema description: Delete an authz schema thus removing authz from your project. operationId: DeleteSchema requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteSchemaRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteSchemaResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 2 x-meta: title: Delete an authz schema | Authz description: Delete an authz schema thus removing authz from your project. keywords: api, authz /v1/mgmt/authz/schema/load: post: tags: [] summary: Load an authz schema description: Load an authz schema for your project. operationId: LoadSchema requestBody: content: application/json: schema: $ref: '#/components/schemas/LoadSchemaRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadSchemaResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 3 x-meta: title: Load an authz schema | Authz description: Load an authz schema for your project. keywords: api, authz /v1/mgmt/authz/ns/save: post: tags: [] summary: Save an authz namespace description: Save (create or update) an authz namespace for your project. operationId: SaveNamespace requestBody: content: application/json: schema: $ref: '#/components/schemas/SaveNamespaceRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SaveNamespaceResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 4 x-meta: title: Save an authz namespace | Authz description: Save (create or update) an authz namespace for your project. keywords: api, authz /v1/mgmt/authz/ns/delete: post: tags: [] summary: Delete an authz namespace description: Delete an authz namespace and remove all related relations. operationId: DeleteNamespace requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteNamespaceRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteNamespaceResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 5 x-meta: title: Delete an authz namespace | Authz description: Delete an authz namespace and remove all related relations. keywords: api, authz /v1/mgmt/authz/rd/save: post: tags: [] summary: Save an authz relation definition description: Save (create or update) an authz relation definition for your project. operationId: SaveRelationDefinition requestBody: content: application/json: schema: $ref: '#/components/schemas/SaveRelationDefinitionRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SaveRelationDefinitionResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 6 x-meta: title: Save an authz relation definition | Authz description: Save (create or update) an authz relation definition for your project. keywords: api, authz /v1/mgmt/authz/rd/delete: post: tags: [] summary: Delete an authz relation definition description: >- Delete an authz relation definition for your project and remove all related relations. operationId: DeleteRelationDefinition requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteRelationDefinitionRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteRelationDefinitionResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 7 x-meta: title: Delete an authz relation definition | Authz description: >- Delete an authz relation definition for your project and remove all related relations. keywords: api, authz /v1/mgmt/authz/re/create: post: tags: [] summary: Create a list of authz relations description: Create a list of authz relations. operationId: CreateRelations requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateRelationsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateRelationsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 8 x-meta: title: Create a list of authz relations | Authz description: Create a list of authz relations. keywords: api, authz /v1/mgmt/authz/re/delete: post: tags: [] summary: Delete a list of authz relations description: Delete a list of authz relations. operationId: DeleteRelations requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteRelationsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteRelationsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 9 x-meta: title: Delete a list of authz relations | Authz description: Delete a list of authz relations. keywords: api, authz /v1/mgmt/authz/re/deleteresources: post: tags: [] summary: Delete all relations for a list of resources description: Delete all relations for the given list of resources. operationId: DeleteRelationsForResources requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteRelationsForResourcesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteRelationsForResourcesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 10 x-meta: title: Delete all relations for a list of resources | Authz description: Delete all relations for the given list of resources. keywords: api, authz /v1/mgmt/authz/re/has: post: tags: [] summary: Check a list of relation queries description: Check a list of relation queries. operationId: HasRelations requestBody: content: application/json: schema: $ref: '#/components/schemas/HasRelationsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/HasRelationsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 11 x-meta: title: Check a list of relation queries | Authz description: Check a list of relation queries. keywords: api, authz /v1/mgmt/authz/re/who: post: tags: [] summary: Query who can access resource with relation description: >- Return a list of users who can access a given resource with given relation. operationId: WhoCanAccess requestBody: content: application/json: schema: $ref: '#/components/schemas/WhoCanAccessRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/WhoCanAccessResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 12 x-meta: title: Query who can access resource with relation | Authz description: >- Return a list of users who can access a given resource with given relation. keywords: api, authz /v1/mgmt/authz/re/resource: post: tags: [] summary: Load a list of defined relations for the given resource description: Load a list of defined relations for the given resource. operationId: ResourceRelations requestBody: content: application/json: schema: $ref: '#/components/schemas/ResourceRelationsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ResourceRelationsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 13 x-meta: title: Load a list of defined relations for the given resource | Authz description: Load a list of defined relations for the given resource. keywords: api, authz /v1/mgmt/authz/re/targets: post: tags: [] summary: Load a list of defined relations for the given list of targets description: >- Load a list of defined relations for the given list of targets without recursively traversing the relation tree. operationId: TargetsRelations requestBody: content: application/json: schema: $ref: '#/components/schemas/TargetsRelationsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/TargetsRelationsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 14 x-meta: title: Load a list of defined relations for the given list of targets | Authz description: >- Load a list of defined relations for the given list of targets without recursively traversing the relation tree. keywords: api, authz /v1/mgmt/authz/re/targetall: post: tags: [] summary: >- Load a list of relations for the given target including all derived relations description: >- Load a list of relations for the given target including all derived relations. operationId: WhatCanTargetAccess requestBody: content: application/json: schema: $ref: '#/components/schemas/WhatCanTargetAccessRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/WhatCanTargetAccessResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 15 x-meta: title: >- Load a list of relations for the given target including all derived relations | Authz description: >- Load a list of relations for the given target including all derived relations. keywords: api, authz /v1/mgmt/authz/getmodified: post: tags: [] summary: Return the list of targets and resources changed since the given date description: >- Return the list of targets and resources changed since the given date. Should be used to invalidate local caches. operationId: GetModified requestBody: content: application/json: schema: $ref: '#/components/schemas/GetModifiedRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GetModifiedResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 16 x-meta: title: >- Return the list of targets and resources changed since the given date | Authz description: >- Return the list of targets and resources changed since the given date. Should be used to invalidate local caches. keywords: api, authz /v1/mgmt/fga/check: post: tags: [] summary: Check FGA Permission description: >- ### Check FGA permission This endpoint allows you to check if a target has a specific relation to a resource using Fine-Grained Authorization. operationId: Check requestBody: content: application/json: schema: $ref: '#/components/schemas/CheckRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CheckResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 1 x-meta: title: Check FGA Permission | Fga description: Check FGA permission keywords: api, fga /v1/mgmt/fga/relations: post: tags: [] summary: Get FGA Relations description: >- ### Get FGA relations This endpoint allows you to retrieve relations for a given target or resource using Fine-Grained Authorization. operationId: CreateFGARelations requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateTuplesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateTuplesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 2 x-meta: title: Get FGA Relations | Fga description: Get FGA relations keywords: api, fga delete: tags: [] summary: Delete All FGA Relations description: Delete all project FGA relations operationId: DeleteAllFGARelations responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteAllTuplesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 3 x-meta: title: Delete All FGA Relations | Fga description: Delete all project FGA relations keywords: api, fga /v1/mgmt/fga/mappable/resources: post: tags: [] summary: Search for FGA mappable resources description: Search for FGA mappable resources. operationId: SearchFGAMappableResources requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchFGAMappableResourcesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SearchMappableResourcesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 3 x-meta: title: Search for FGA mappable resources | Fga description: Search for FGA mappable resources. keywords: api, fga get: x-order: 6 x-publishYaml: fga summary: Get Mappable Resources description: >- ### Get mappable resources This endpoint allows you to retrieve mappable resources for Fine-Grained Authorization. x-meta: title: Get Mappable Resources | Fga description: Get mappable resources keywords: api, fga /v1/mgmt/fga/relations/delete: post: tags: [] summary: Delete FGA Relations description: >- ### Delete FGA relations This endpoint allows you to delete relations using Fine-Grained Authorization. operationId: DeleteFGARelations requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteTuplesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteTuplesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 3 x-meta: title: Delete FGA Relations | Fga description: Delete FGA relations keywords: api, fga /v1/mgmt/fga/schema: get: tags: [] summary: Get FGA Schema description: >- ### Get FGA schema This endpoint allows you to retrieve the current Fine-Grained Authorization schema for your project. operationId: GetFGASchema responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadDSLSchemaResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 4 x-meta: title: Get FGA Schema | Fga description: Get FGA schema keywords: api, fga post: tags: [] summary: Save FGA Schema description: >- ### Save FGA schema This endpoint allows you to save (create or update) the Fine-Grained Authorization schema for your project. operationId: CreateFGASchema requestBody: content: application/json: schema: $ref: '#/components/schemas/SaveDSLSchemaRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SaveDSLSchemaResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 5 x-meta: title: Save FGA Schema | Fga description: Save FGA schema keywords: api, fga /v1/mgmt/fga/mappable/schema: get: tags: [] summary: Get Mappable Schema description: >- ### Get mappable schema This endpoint allows you to retrieve the mappable schema for Fine-Grained Authorization. operationId: GetFGAMappableSchema parameters: - name: tenantId in: query schema: type: string - name: resourcesLimit in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GetMappableSchemaResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 7 x-meta: title: Get Mappable Schema | Fga description: Get mappable schema keywords: api, fga /v1/mgmt/fga/resources/load: post: tags: [] summary: Load FGA Resources description: >- ### Load FGA resources This endpoint allows you to load resources for Fine-Grained Authorization. operationId: LoadResourcesDetails requestBody: content: application/json: schema: $ref: '#/components/schemas/LoadResourcesDetailsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadResourcesDetailsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 8 x-meta: title: Load FGA Resources | Fga description: Load FGA resources keywords: api, fga /v1/mgmt/fga/resources/save: post: tags: [] summary: Save FGA Resources description: >- ### Save FGA resources This endpoint allows you to save resources for Fine-Grained Authorization. operationId: SaveResourcesDetails requestBody: content: application/json: schema: $ref: '#/components/schemas/SaveResourcesDetailsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SaveResourcesDetailsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: fga x-order: 9 x-meta: title: Save FGA Resources | Fga description: Save FGA resources keywords: api, fga /v1/mgmt/flow/list: post: tags: [] summary: List/Search Flows description: >- ### List or search flows within a project utilizing a management key. This endpoint is used to list or search flows within a project. To list all flows, send an empty body such as: `{ }` or `{ "ids": [] }`. To search for a flow or several flows, send a body with the flowIds you want to search such as `{ "ids": ["sign-in"] }` or `{ "ids": ["sign-in", "sign-up"] }`. ### See Also - See [Flow Overview](/customize/flows/) for more information on flows. - See [Manage Flows](/customize/manage_flows/) for more information on managing (export, import, delete, disable, enable) flows. operationId: ListFlows requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchFlowsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ListFlowsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: flowManagement x-order: 1 x-meta: title: List/Search Flows | Flow Management description: List or search flows within a project utilizing a management key. keywords: api, flow management /v2/mgmt/flow/export: post: tags: [] summary: Export Flow description: >- ### Export an existing flow from a project utilizing a management key. This endpoint is used to export an existing flow from a project. The response is the JSON which includes the flow and associated screens. ### See Also - See [Flow Overview](/customize/flows/) for more information on flows. - See [Manage Flows](/customize/manage_flows/) for more information on managing (export, import, delete, disable, enable) flows. operationId: ExportFlow requestBody: content: application/json: schema: $ref: '#/components/schemas/ExportFlowRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ExportFlowResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: flowManagement x-order: 2 x-meta: title: Export Flow | Flow Management description: Export an existing flow from a project utilizing a management key. keywords: api, flow management /v2/mgmt/flow/import: post: tags: [] summary: Import Flow description: >- ### Import a flow within a project utilizing a management key. This endpoint is used to import a flow to a project. The request items for the `flow` and `screen` this endpoint can be received from the export flow endpoint. ### See Also - See [Flow Overview](/customize/flows/) for more information on flows. - See [Manage Flows](/customize/manage_flows/) for more information on managing (export, import, delete, disable, enable) flows. operationId: ImportFlow requestBody: content: application/json: schema: $ref: '#/components/schemas/ImportFlowRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: flowManagement x-order: 3 x-meta: title: Import Flow | Flow Management description: Import a flow within a project utilizing a management key. keywords: api, flow management /v1/mgmt/flow/delete: post: tags: [] summary: Delete Flow description: >- ### Delete a flow within a project utilizing a management key. This endpoint is used to delete a flow from a project by giving an existing flow ID to be deleted. ### See Also - See [Flow Overview](/customize/flows/) for more information on flows. - See [Manage Flows](/customize/manage_flows/) for more information on managing (export, import, delete, disable, enable) flows. operationId: DeleteFlows requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteFlowsRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: flowManagement x-order: 4 x-meta: title: Delete Flow | Flow Management description: Delete a flow within a project utilizing a management key. keywords: api, flow management /v2/mgmt/theme/export: post: tags: [] summary: Export Theme description: >- ### Export a theme from a project utilizing a management key. This endpoint is used to export a theme from a project. The response is the JSON of the theme. ### See Also - See [Styles Overview](/management/project-settings/styles) for more information on styles and themes operationId: ExportTheme responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ExportThemeResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: flowManagement x-order: 5 x-meta: title: Export Theme | Flow Management description: Export a theme from a project utilizing a management key. keywords: api, flow management /v2/mgmt/theme/import: post: tags: [] summary: Import Theme description: >- ### Import a theme to a project utilizing a management key. This endpoint is used to import a theme from a project. The request body for this endpoint can be received from the export theme endpoint. ### See Also - See [Styles Overview](/management/project-settings/styles) for more information on styles and themes operationId: ImportTheme requestBody: content: application/json: schema: $ref: '#/components/schemas/ImportThemeRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: flowManagement x-order: 6 x-meta: title: Import Theme | Flow Management description: Import a theme to a project utilizing a management key. keywords: api, flow management /v1/mgmt/group/all: post: tags: [] summary: Load All External Groups for a Tenant description: >- ### Load all external groups for a tenant, using a valid management key. This API endpoint allows administrators to load all external groups that are associated to a tenant. The response contains an array of group objects including the group id, display name, and an array of associated members. ### Next Steps Administrators can review this information and make changes within their IdP or if necessary, [Create a SCIM Group](/api/management/tenants/scim/create-scim-group), [Update an Existing SCIM Group (adding new members)](/api/management/tenants/scim/update-scim-group), or [Delete an Existing SCIM Group](/api/management/tenants/scim/delete-scim-group) ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: LoadGroups requestBody: content: application/json: schema: $ref: '#/components/schemas/LoadGroupsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadGroupsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: groupManagement x-order: 2 x-meta: title: Load All External Groups for a Tenant | Group Management description: Load all external groups for a tenant, using a valid management key. keywords: api, group management /v1/mgmt/group/member/all: post: tags: [] summary: Load All External Groups for Specific Members description: >- ### Load all external group for specific members, using a valid management key. This API endpoint allows administrators to load all external groups for specific members associated with a specific tenant. The tenantId is required and the loginId or userId are optional for further filtering. The response contains an array of group objects including the group id, display name, and an array of associated members. ### Next Steps Administrators can review this information and make changes within their IdP or if necessary, [Create a SCIM Group](/api/management/tenants/scim/create-scim-group), [Update an Existing SCIM Group (adding new members)](/api/management/tenants/scim/update-scim-group), or [Delete an Existing SCIM Group](/api/management/tenants/scim/delete-scim-group) ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: LoadMemberGroups requestBody: content: application/json: schema: $ref: '#/components/schemas/LoadMemberGroupsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadMemberGroupsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: groupManagement x-order: 2 x-meta: title: Load All External Groups for Specific Members | Group Management description: >- Load all external group for specific members, using a valid management key. keywords: api, group management /v1/mgmt/group/members: post: tags: [] summary: Load All Members of a specific External Group description: >- ### Load all members of a specific External group, using a valid management key. This API endpoint allows administrators to load all members of a specific external group that is associated to a tenant. The response contains an array of group objects including the group id, display name, and an array of associated members. ### Next Steps Administrators can review this information and make changes within their IdP or if necessary, [Create a SCIM Group](/api/management/tenants/scim/create-scim-group), [Update an Existing SCIM Group (adding new members)](/api/management/tenants/scim/update-scim-group), or [Delete an Existing SCIM Group](/api/management/tenants/scim/delete-scim-group) ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: LoadGroupMembers requestBody: content: application/json: schema: $ref: '#/components/schemas/LoadGroupMembersRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadGroupMembersResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: groupManagement x-order: 2 x-meta: title: Load All Members of a specific External Group | Group Management description: >- Load all members of a specific External group, using a valid management key. keywords: api, group management /v1/mgmt/outbound/apps: get: tags: [] summary: List All Outbound Apps description: >- ### List all outbound applications This endpoint allows you to retrieve all outbound applications configured in your project. operationId: LoadOutboundApps responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadOutboundAppsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 1 x-meta: title: List All Outbound Apps | Outbound Apps Management description: List all outbound applications keywords: api, outbound apps management /v1/mgmt/outbound/apps-with-user-token: get: tags: [] summary: List Outbound Apps with User Token description: >- ### List outbound applications with user token This endpoint allows you to retrieve outbound applications that have a user token available. operationId: ListUserOutboundAppsWithValidUserToken parameters: - name: userId in: query schema: type: string - name: tenantId in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/ListUserOutboundAppsWithValidUserTokenResponse security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 2 x-meta: title: List Outbound Apps with User Token | Outbound Apps Management description: List outbound applications with user token keywords: api, outbound apps management /v1/mgmt/outbound/app/{id}: get: tags: [] summary: Get Outbound App by ID description: >- ### Get outbound application by ID This endpoint allows you to retrieve a specific outbound application by its ID. operationId: LoadOutboundApp parameters: - name: id in: path required: true schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadOutboundAppResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 3 x-meta: title: Get Outbound App by ID | Outbound Apps Management description: Get outbound application by ID keywords: api, outbound apps management /v1/mgmt/outbound/app/create: post: tags: [] summary: Create Outbound App description: |- ### Create outbound application This endpoint allows you to create a new outbound application. operationId: CreateOutboundApp requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateOutboundAppRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateOutboundAppResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 4 x-meta: title: Create Outbound App | Outbound Apps Management description: Create outbound application keywords: api, outbound apps management /v1/mgmt/outbound/app/update: post: tags: [] summary: Update Outbound App description: |- ### Update outbound application This endpoint allows you to update an existing outbound application. operationId: UpdateOutboundApp requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateOutboundAppRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/UpdateOutboundAppResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 5 x-meta: title: Update Outbound App | Outbound Apps Management description: Update outbound application keywords: api, outbound apps management /v1/mgmt/outbound/app/delete: post: tags: [] summary: Delete Outbound App description: |- ### Delete outbound application This endpoint allows you to delete an outbound application. operationId: DeleteOutboundApp requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteOutboundAppRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteOutboundAppResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 6 x-meta: title: Delete Outbound App | Outbound Apps Management description: Delete outbound application keywords: api, outbound apps management /v1/mgmt/outbound/app/user/token: post: tags: [] summary: Fetch Outbound App User Token description: >- ### Fetch outbound application user token This endpoint allows you to fetch the user token for an outbound application. operationId: FetchOutboundAppUserToken requestBody: content: application/json: schema: $ref: '#/components/schemas/FetchOutboundAppUserTokenRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/FetchOutboundAppUserTokenResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 7 x-meta: title: Fetch Outbound App User Token | Outbound Apps Management description: Fetch outbound application user token keywords: api, outbound apps management /v1/mgmt/outbound/app/user/token/latest: post: tags: [] summary: Fetch Latest Outbound App User Token description: >- ### Fetch latest outbound application user token This endpoint allows you to fetch the latest user token for an outbound application. operationId: FetchLatestOutboundAppUserToken requestBody: content: application/json: schema: $ref: '#/components/schemas/FetchLatestOutboundAppUserTokenRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/FetchLatestOutboundAppUserTokenResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 8 x-meta: title: Fetch Latest Outbound App User Token | Outbound Apps Management description: Fetch latest outbound application user token keywords: api, outbound apps management /v1/mgmt/outbound/app/tenant/token: post: tags: [] summary: Fetch Outbound App Tenant Token description: >- ### Fetch outbound application tenant token This endpoint allows you to fetch the tenant token for an outbound application. operationId: FetchOutboundAppTenantToken requestBody: content: application/json: schema: $ref: '#/components/schemas/FetchOutboundAppTenantTokenRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/FetchOutboundAppTenantTokenResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 9 x-meta: title: Fetch Outbound App Tenant Token | Outbound Apps Management description: Fetch outbound application tenant token keywords: api, outbound apps management /v1/mgmt/outbound/app/tenant/token/latest: post: tags: [] summary: Fetch Latest Outbound App Tenant Token description: >- ### Fetch latest outbound application tenant token This endpoint allows you to fetch the latest tenant token for an outbound application. operationId: FetchLatestOutboundAppTenantToken requestBody: content: application/json: schema: $ref: '#/components/schemas/FetchLatestOutboundAppTenantTokenRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/FetchLatestOutboundAppTenantTokenResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 10 x-meta: title: Fetch Latest Outbound App Tenant Token | Outbound Apps Management description: Fetch latest outbound application tenant token keywords: api, outbound apps management /v1/mgmt/outbound/token: delete: tags: [] summary: Delete outbound application token by id description: Delete outbound application token by id, using a valid management key. operationId: DeleteOutboundAppTokenByID parameters: - name: id in: query schema: type: string responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 11 x-meta: title: Delete outbound application token by id | Outbound Apps Management description: Delete outbound application token by id, using a valid management key. keywords: api, outbound apps management /v1/mgmt/outbound/user/tokens: delete: tags: [] summary: Delete outbound application tokens by appId or userId description: >- Delete outbound application tokens by appId or userId, using a valid management key. operationId: DeleteOutboundAppUserTokens parameters: - name: appId in: query schema: type: string - name: userId in: query schema: type: string responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: outboundAppsManagement x-order: 12 x-meta: title: >- Delete outbound application tokens by appId or userId | Outbound Apps Management description: >- Delete outbound application tokens by appId or userId, using a valid management key. keywords: api, outbound apps management /v1/mgmt/password/settings: get: tags: [] summary: Get Tenant Password Settings description: >- ### Get password settings for a tenant This endpoint allows you to get the password settings of a given tenant. ### See Also - See [tenant password settings](/customize/tenant#passwords) for details about tenant password settings. operationId: GetPasswordSettings parameters: - name: tenantId in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GetPasswordSettingsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: passwordManagement x-order: 1 x-meta: title: Get Tenant Password Settings | Password Management description: Get password settings for a tenant keywords: api, password management post: tags: [] summary: Update Tenant Password Settings description: >- ### Update password settings for a tenant This endpoint allows you to update the password settings of a given tenant. ### See Also - See [tenant password settings](/customize/tenant#passwords) for details about tenant password settings. operationId: ConfigurePasswordSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/ConfigurePasswordSettingsRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: passwordManagement x-order: 2 x-meta: title: Update Tenant Password Settings | Password Management description: Update password settings for a tenant keywords: api, password management /v1/mgmt/permission/all: get: tags: [] summary: Load All Permission description: >- ### Load all permissions, using a valid management key. This API endpoint returns details all permissions configured within the Descope instance. The response includes an array of permissions and these details of each permission: - name - description - systemDefault ### Next Steps Once you have this data, you can utilize the response to [Create Roles](/api/management/roles/create-role) or [Update Roles](/api/management/roles/update-role) ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: LoadAllPermissions responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadPermissionsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: permissionManagement x-order: 1 x-meta: title: Load All Permission | Permission Management description: Load all permissions, using a valid management key. keywords: api, permission management /v1/mgmt/permission/create: post: tags: [] summary: Create Permission description: >- ### Create a permission, using a valid management key. This API endpoint allows administrators to create a new permission. The endpoint takes the following two parameters: - name (required) - description (optional) ### Next Steps Once you have this data, you can utilize the newly created role to [Create Roles](/api/management/roles/create-role) or [Update Roles](/api/management/roles/update-role) ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: CreatePermission requestBody: content: application/json: schema: $ref: '#/components/schemas/CreatePermissionRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: permissionManagement x-order: 2 x-meta: title: Create Permission | Permission Management description: Create a permission, using a valid management key. keywords: api, permission management /v1/mgmt/permission/update: post: tags: [] summary: Update Permission description: >- ### Update a permission, using a valid management key. This API endpoint allows administrators to update an existing permission. The endpoint takes the following two parameters: - name (required) - description (optional - though if not provided, it will be removed from the permission) ### Next Steps Once you have this data, you can utilize the newly created role to [Create Roles](/api/management/roles/create-role) or [Update Roles](/api/management/roles/update-role) ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: UpdatePermission requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdatePermissionRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: permissionManagement x-order: 3 x-meta: title: Update Permission | Permission Management description: Update a permission, using a valid management key. keywords: api, permission management /v1/mgmt/permission/delete: post: tags: [] summary: Delete Permission description: >- ### Delete a permission, using a valid management key. This API endpoint allows administrators to delete an existing permission. The endpoint takes the following one parameter: - name (required) ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: DeletePermission requestBody: content: application/json: schema: $ref: '#/components/schemas/DeletePermissionRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: permissionManagement x-order: 4 x-meta: title: Delete Permission | Permission Management description: Delete a permission, using a valid management key. keywords: api, permission management /v1/mgmt/project/update/name: post: tags: [] summary: Rename Project description: >- ### Rename a project utilizing a management key. This endpoint allows you to update the name of a project. The body only requires the `name` argument. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: UpdateProjectName requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateProjectNameRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 1 x-meta: title: Rename Project | Project Management description: Rename a project utilizing a management key. keywords: api, project management /v1/mgmt/project/export: post: tags: [] summary: Export Project description: >- ### Export a project utilizing a management key. This endpoint is used to export a project. The response is the JSON of the project items. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: ExportProject requestBody: content: application/json: schema: $ref: '#/components/schemas/ExportSnapshotRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ExportSnapshotResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 2 x-meta: title: Export Project | Project Management description: Export a project utilizing a management key. keywords: api, project management /v1/mgmt/project/import: post: tags: [] summary: Import Project description: >- ### Import a project utilizing a management key. This endpoint is used to import a project. The argument of `files` should be the output of the [export project endpoint](/api/management/projects/export-project) You can also exclude items from the export when importing by utilizing the flags below within the `exclude` array. ``` The entire project: project Project specific items: project.domain project.trustedDomains project.tokenResponseMethod project.selfProvisioning project.rotateJwt project.cookiepolicy project.refreshTokenExpiration project.stepupTokenExpiration project.sessionTokenExpiration project.keySessionTokenExpiration project.inviteUrl project.inviteEmail project.inviteSms project.inviteMagicLink project.conformanceJwt project.inactivity Auth Methods, Flows, styles, etc: magicLink enchantedLink embeddedLink otp totp sso oauth webauthn password styles flows connectors authorization attributes ssoApps ``` You can also import secrets for connectors and OAuth Providers using the `inputSecrets` argument. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: ImportProject requestBody: content: application/json: schema: $ref: '#/components/schemas/ImportSnapshotRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 3 x-meta: title: Import Project | Project Management description: Import a project utilizing a management key. keywords: api, project management /v1/mgmt/project/clone: post: tags: [] summary: Clone Project description: >- ### Clone a project utilizing a management key. This endpoint allows you to clone the current project, including its settings and configurations. _Note: This requires a pro or enterprise tier licenses. Users, tenants and access keys are not cloned._ ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: CloneProject requestBody: content: application/json: schema: $ref: '#/components/schemas/CloneProjectRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CloneProjectResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 4 x-meta: title: Clone Project | Project Management description: Clone a project utilizing a management key. keywords: api, project management /v1/mgmt/project/delete: post: tags: [] summary: Delete Project description: >- ### Delete a project utilizing a management key. This endpoint allows you to delete a project. This action is irreversible, use with caution. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: DeleteProject responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 5 x-meta: title: Delete Project | Project Management description: Delete a project utilizing a management key. keywords: api, project management /v1/mgmt/project/snapshot/export: post: tags: [] summary: Export Project Snapshot description: >- ### Export a project snapshot utilizing a management key. This endpoint allows you to export a snapshot of the current project state. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: ExportSnapshot requestBody: content: application/json: schema: $ref: '#/components/schemas/ExportSnapshotRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ExportSnapshotResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 6 x-meta: title: Export Project Snapshot | Project Management description: Export a project snapshot utilizing a management key. keywords: api, project management /v1/mgmt/project/snapshot/import: post: tags: [] summary: Import Project Snapshot description: >- ### Import a project snapshot utilizing a management key. This endpoint allows you to import a previously exported project snapshot. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: ImportSnapshot requestBody: content: application/json: schema: $ref: '#/components/schemas/ImportSnapshotRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 7 x-meta: title: Import Project Snapshot | Project Management description: Import a project snapshot utilizing a management key. keywords: api, project management /v1/mgmt/project/snapshot/validate: post: tags: [] summary: Validate Project Snapshot description: >- ### Validate a project snapshot utilizing a management key. This endpoint allows you to validate a project snapshot before importing it. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: ValidateSnapshot requestBody: content: application/json: schema: $ref: '#/components/schemas/ImportSnapshotRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ValidateSnapshotResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 8 x-meta: title: Validate Project Snapshot | Project Management description: Validate a project snapshot utilizing a management key. keywords: api, project management /v1/mgmt/project/update/tags: post: tags: [] summary: Update Project Tags description: >- ### Update project tags utilizing a management key. This endpoint allows you to update the tags associated with a project. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: UpdateProjectTags requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateProjectTagsRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 9 x-meta: title: Update Project Tags | Project Management description: Update project tags utilizing a management key. keywords: api, project management /v1/mgmt/projects/list: post: tags: [] summary: List Projects description: >- ### List all projects utilizing a management key. This endpoint allows you to list all projects in your account. ### See Also - See [Managing Environments](/customize/environments/) for details about managing environments. operationId: ListProject requestBody: content: application/json: schema: $ref: '#/components/schemas/ListProjectsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ListProjectsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: projectManagement x-order: 10 x-meta: title: List Projects | Project Management description: List all projects utilizing a management key. keywords: api, project management /v1/mgmt/role/all: get: tags: [] summary: Load All Roles description: >- ### Load all roles, using a valid management key. This API endpoint allows administrators to load all existing roles. This endpoint returns an array of roles including their name, description, and permissionsNames. ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: LoadAllRoles responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadRolesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: roleManagement x-order: 1 x-meta: title: Load All Roles | Role Management description: Load all roles, using a valid management key. keywords: api, role management /v1/mgmt/role/search: post: tags: [] summary: Search Roles description: >- ### Search roles, using a valid management key. This API endpoint allows administrators to search against existing roles. This endpoint returns an array of roles including their name, description, and permissionsNames that match the search parameters. ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: SearchRoles requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchRolesRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadRolesResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: roleManagement x-order: 2 x-meta: title: Search Roles | Role Management description: Search roles, using a valid management key. keywords: api, role management /v1/mgmt/role/create: post: tags: [] summary: Create Role description: >- ### Create a role, using a valid management key. This API endpoint allows administrators to create a new role. The endpoint takes the following three parameters: - name (required) - description (optional) - permissionNames (optional) ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: CreateRole requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateRoleRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Role' security: - Descope Project ID and Management Key: [] x-publishYaml: roleManagement x-order: 3 x-meta: title: Create Role | Role Management description: Create a role, using a valid management key. keywords: api, role management /v1/mgmt/role/update: post: tags: [] summary: Update Role description: >- ### Update an existing role, using a valid management key. This API endpoint allows administrators to update an existing role. The endpoint takes the following four parameters: - name (required) - newName (required) - description (optional - though if not provided, it will be removed from the role)) - permissionNames (optional - though if not provided, it will be removed from the role)) ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: UpdateRole requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateRoleRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/Role' security: - Descope Project ID and Management Key: [] x-publishYaml: roleManagement x-order: 4 x-meta: title: Update Role | Role Management description: Update an existing role, using a valid management key. keywords: api, role management /v1/mgmt/role/delete: post: tags: [] summary: Delete Role description: >- ### Delete a role, using a valid management key. This API endpoint allows administrators to delete an existing role. The endpoint takes the following one parameter: - name (required) ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions._override/App.tsx operationId: DeleteRole requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteRoleRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: roleManagement x-order: 5 x-meta: title: Delete Role | Role Management description: Delete a role, using a valid management key. keywords: api, role management /v1/mgmt/role/delete/batch: post: tags: [] summary: Batch Delete Roles description: >- ### Delete roles in batch, using a valid management key. This API endpoint allows administrators to delete roles in batch. The endpoint takes the following one parameter: - roleNames (required) ### See also - See [User Authorization](/manage/roles/) for further details on managing roles and permissions. operationId: DeleteRoles requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteRolesRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: roleManagement x-order: 6 x-meta: title: Batch Delete Roles | Role Management description: Delete roles in batch, using a valid management key. keywords: api, role management /v1/mgmt/sso/idp/apps/load: get: tags: [] summary: Load All Applications description: >- ### Load all Applications within a project This endpoint returns details of all Applications within your Descope project. ### See Also - Review our [documentation](/manage/idpapplications/) around Applications within Descope. operationId: LoadAllSSOApplications responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadAllSSOApplicationsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: ssoAppsManagement x-order: 1 x-meta: title: Load All Applications | Sso Apps Management description: Load all Applications within a project keywords: api, sso apps management /v1/mgmt/sso/idp/app/load: get: tags: [] summary: Load Application by ID description: >- ### Load Application by ID within a project This endpoint returns details of a specific Application within your Descope project. ### See Also - Review our [documentation](/manage/idpapplications/) around Applications within Descope. operationId: LoadSSOApplication parameters: - name: id in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadSSOApplicationResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: ssoAppsManagement x-order: 2 x-meta: title: Load Application by ID | Sso Apps Management description: Load Application by ID within a project keywords: api, sso apps management /v1/mgmt/sso/idp/app/oidc/create: post: tags: [] summary: Create OIDC Application description: >- ### Create OIDC Application within a project This endpoint creates an OIDC Application within your Descope project. ### See Also - Review our [documentation](/manage/idpapplications/) around Applications within Descope. operationId: CreateSSOOIDCApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUpdateSSOOIDCApplicationRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateSSOApplicationResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: ssoAppsManagement x-order: 3 x-meta: title: Create OIDC Application | Sso Apps Management description: Create OIDC Application within a project keywords: api, sso apps management /v1/mgmt/sso/idp/app/oidc/update: post: tags: [] summary: Update OIDC Application description: >- ### Update OIDC Application within a project This endpoint updates an OIDC Application within your Descope project. ### See Also - Review our [documentation](/manage/idpapplications/) around Applications within Descope. operationId: UpdateSSOOIDCApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUpdateSSOOIDCApplicationRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: ssoAppsManagement x-order: 4 x-meta: title: Update OIDC Application | Sso Apps Management description: Update OIDC Application within a project keywords: api, sso apps management /v1/mgmt/sso/idp/app/saml/create: post: tags: [] summary: Create SAML Application description: >- ### Create SAML Application within a project This endpoint creates a SAML Application within your Descope project. ### See Also - Review our [documentation](/manage/idpapplications/) around Applications within Descope. operationId: CreateSSOSAMLApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUpdateSSOSAMLApplicationRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateSSOApplicationResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: ssoAppsManagement x-order: 5 x-meta: title: Create SAML Application | Sso Apps Management description: Create SAML Application within a project keywords: api, sso apps management /v1/mgmt/sso/idp/app/saml/update: post: tags: [] summary: Update SAML Application description: >- ### Update SAML Application within a project This endpoint updates a SAML Application within your Descope project. ### See Also - Review our [documentation](/manage/idpapplications/) around Applications within Descope. operationId: UpdateSSOSAMLApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateUpdateSSOSAMLApplicationRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: ssoAppsManagement x-order: 6 x-meta: title: Update SAML Application | Sso Apps Management description: Update SAML Application within a project keywords: api, sso apps management /v1/mgmt/sso/idp/app/delete: post: tags: [] summary: Delete Application description: >- ### Delete an Application within a project This endpoint deletes an Application within your Descope project. ### See Also - Review our [documentation](/manage/idpapplications/) around Applications within Descope. operationId: DeleteSSOApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteSSOApplicationRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: ssoAppsManagement x-order: 7 x-meta: title: Delete Application | Sso Apps Management description: Delete an Application within a project keywords: api, sso apps management /v2/mgmt/sso/settings: get: tags: [] summary: Get Tenant's SAML/OIDC Settings description: >- ### Get the current SAML/OIDC configuration settings of a tenant, using a valid management key. This API endpoint allows you to get the current SAML/OIDC configuration settings of a tenant. ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: LoadSSOSettings parameters: - name: tenantId in: query schema: type: string - name: ssoId in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadSSOSettingsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: ssoManagement x-order: 1 x-meta: title: Get Tenant's SAML/OIDC Settings | Sso Management description: >- Get the current SAML/OIDC configuration settings of a tenant, using a valid management key. keywords: api, sso management /v1/mgmt/sso/saml: post: tags: [] summary: Set Tenant's SAML Settings description: >- ### Configure the SAML Settings, using a valid management key. This API endpoint will configure the SAML settings on a tenant utilizing a valid management key. This API endpoint accepts idpURL, entityId, idpCert, and redirectURL which will be applied to the tenant under SSO Configuration section and will select the option to "Enter the connection details manually" This endpoint also accepts the attribute mapping you would like to be configured on the SAML settings. These configurations will need to be captured directly from your idp provider. The values for each field can be obtained from the admin console of the identity provider. Alternatively, administrators can configure SAML without applying these setting manually via [Configure SAML Metadata URL](/api/management/tenants/sso/configure-sso-saml-settings-by-metadata) ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: ConfigureSSOSAMLSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/ConfigureSSOSAMLSettingsRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: ssoManagement x-order: 2 x-meta: title: Set Tenant's SAML Settings | Sso Management description: Configure the SAML Settings, using a valid management key. keywords: api, sso management /v1/mgmt/sso/saml/metadata: post: tags: [] summary: Set Tenant's SAML Settings via Metadata URL description: >- ### Configure the SAML Metadata URL, using a valid management key. This API endpoint will configure the SAML Metadata URL on a tenant utilizing a valid management key. This API endpoint accepts idpMetadataURL which will be applied to the tenant under SSO Configuration section and will select the option to "Retrieve the connection details dynamically using a metadata URL" This endpoint also accepts the attribute mapping you would like to be configured on the SAML settings. This Metadata URL can can be obtained from the admin console of the identity provider. Configuring SAML via Metadata URL allows administrators to configure SAML without applying these setting manually via [Configure SAML Settings](/api/management/tenants/sso/configure-sso-saml-settings) ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: ConfigureSSOSAMLSettingsByMetadata requestBody: content: application/json: schema: $ref: '#/components/schemas/ConfigureSSOSAMLSettingsByMetadataRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: ssoManagement x-order: 3 x-meta: title: Set Tenant's SAML Settings via Metadata URL | Sso Management description: Configure the SAML Metadata URL, using a valid management key. keywords: api, sso management /v1/mgmt/sso/oidc: post: tags: [] summary: Set Tenant's OIDC Settings description: >- ### Configure the OIDC settings of a tenant, using a valid management key. This API endpoint will configure the OIDC settings on a tenant utilizing a valid management key. This endpoint accepts the OIDC configuration settings as well as the attribute mapping you would like to be configured on the SAML settings. ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: ConfigureSSOOIDCSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/ConfigureSSOOIDCSettingsRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: ssoManagement x-order: 4 x-meta: title: Set Tenant's OIDC Settings | Sso Management description: Configure the OIDC settings of a tenant, using a valid management key. keywords: api, sso management /v1/mgmt/sso/settings/new: post: tags: [] summary: Create New SSO Settings description: >- ### Create new SSO settings for a tenant, using a valid management key. This API endpoint allows you to create a new SSO configuration for a tenant. The endpoint accepts the tenant ID, an optional SSO ID, and a display name for the SSO configuration. ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: NewSSOSettingsRequest requestBody: content: application/json: schema: $ref: '#/components/schemas/NewSSOSettingsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadSSOSettingsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: ssoManagement x-order: 5 x-meta: title: Create New SSO Settings | Sso Management description: Create new SSO settings for a tenant, using a valid management key. keywords: api, sso management /v1/mgmt/sso/settings: delete: tags: [] summary: Delete Tenant's SAML/OIDC Settings description: >- ### Delete the current SAML/OIDC configuration settings of a tenant, using a valid management key. This API endpoint allows you to delete the current SAML/OIDC configuration settings of a tenant. Use this with caution as this endpoint deletes the configuration and is irreversible. ### See also - See [SSO Configuration](/sso) for further details on managing SSO Configurations on a tenant. operationId: DeleteSSOSettings parameters: - name: tenantId in: query schema: type: string - name: ssoId in: query schema: type: string responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: ssoManagement x-order: 6 x-meta: title: Delete Tenant's SAML/OIDC Settings | Sso Management description: >- Delete the current SAML/OIDC configuration settings of a tenant, using a valid management key. keywords: api, sso management /v1/mgmt/tenant/all: get: tags: [] summary: Load All Tenants description: >- ### Load all tenants, using a valid management key. This API endpoint returns details of all configured tenants within the Descope instance. The response includes an array of the tenants and these details for each tenant: - id - name - selfProvisioningDomains ### Next Steps - Once you have this data, you can utilize the response to add users to the tenant via [Update User](/api/management/users/update-user) or [Create User](/api/management/users/create-user) - You can also apply sso configurations to the tenant via the [SSO Management API](/api/ssomanagement/) ### See also - See [Tenant Management](/management/tenant-management) for further details on managing tenants. operationId: LoadAllTenants responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadAllTenantsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: tenantManagement x-order: 1 x-meta: title: Load All Tenants | Tenant Management description: Load all tenants, using a valid management key. keywords: api, tenant management /v1/mgmt/tenant: get: tags: [] summary: Load Tenant By ID description: >- ### Load tenant by ID, using a valid management key. This API endpoint returns details of the tenant within the Descope instance that matches the ID provided. The response includes an array of the tenants and these details for each tenant: - id - name - selfProvisioningDomains ### Next Steps - Once you have this data, you can utilize the response to add users to the tenant via [Update User](/api/management/users/update-user) or [Create User](/api/management/users/create-user) - You can also apply sso configurations to the tenant via the [SSO Management API](/api/ssomanagement/) ### See also - See [Tenant Management](/management/tenant-management) for further details on managing tenants. operationId: LoadTenant parameters: - name: id in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadTenantResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: tenantManagement x-order: 2 x-meta: title: Load Tenant By ID | Tenant Management description: Load tenant by ID, using a valid management key. keywords: api, tenant management /v1/mgmt/tenant/search: post: tags: [] summary: Search Tenants description: >- ### Search all tenants, using a valid management key. This API endpoint returns details of configured tenants within the Descope instance that match the search parameters. The response includes an array of the tenants and these details for each tenant: - id - name - selfProvisioningDomains ### Next Steps - Once you have this data, you can utilize the response to add users to the tenant via [Update User](/api/management/users/update-user) or [Create User](/api/management/users/create-user) - You can also apply sso configurations to the tenant via the [SSO Management API](/api/ssomanagement/) ### See also - See [Tenant Management](/management/tenant-management) for further details on managing tenants. operationId: SearchTenants requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchTenantsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadAllTenantsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: tenantManagement x-order: 3 x-meta: title: Search Tenants | Tenant Management description: Search all tenants, using a valid management key. keywords: api, tenant management /v1/mgmt/tenant/create: post: tags: [] summary: Create Tenant description: >- ### Create a new tenant, using a valid management key. This API endpoint will create a new tenant utilizing a valid management key. Creation of a new tenant can set the name, id, and selfProvisioningDomains. The id and selfProvisioningDomains are not mandatory. The id will be autogenerated if not provided. The response will always include the tenantId. ### Next Steps - You can then add users to the tenant via [Update User](/api/management/users/update-user) or [Create User](/api/management/users/create-user) - You can also apply sso configurations to the tenant via the [SSO Management API](/api/ssomanagement/) ### See also - See [Tenant Management](/management/tenant-management) for further details on managing tenants. operationId: CreateTenant requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateTenantRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateTenantResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: tenantManagement x-order: 4 x-meta: title: Create Tenant | Tenant Management description: Create a new tenant, using a valid management key. keywords: api, tenant management /v1/mgmt/tenant/update: post: tags: [] summary: Update Tenant description: >- ### Update a tenant, using a valid management key. This API endpoint will update a tenant utilizing a valid management key. Utilizing this API endpoint will allow you to update the name or selfProvisioningDomains settings of the tenant. ### Next Steps - You can then add users to the tenant via [Update User](/api/management/users/update-user) or [Create User](/api/management/users/create-user) - You can also apply sso configurations to the tenant via the [SSO Management API](/api/ssomanagement/) ### See also - See [Tenant Management](/management/tenant-management) for further details on managing tenants. operationId: UpdateTenant requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateTenantRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: tenantManagement x-order: 5 x-meta: title: Update Tenant | Tenant Management description: Update a tenant, using a valid management key. keywords: api, tenant management /v1/mgmt/tenant/delete: post: tags: [] summary: Delete Tenant description: >- ### Delete a tenant, using a valid management key. This API endpoint will delete a tenant utilizing a valid management key based on the provided user tenandId. ### See also - See [Tenant Management](/management/tenant-management) for further details on managing tenants. operationId: DeleteTenant requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteTenantRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: tenantManagement x-order: 6 x-meta: title: Delete Tenant | Tenant Management description: Delete a tenant, using a valid management key. keywords: api, tenant management /v1/mgmt/tenant/sso-user-remove: post: tags: [] summary: Remove SSO User from Tenant description: >- ### Remove an SSO user from a tenant, using a valid management key. This API endpoint removes an SSO user's association with a tenant. ### See also - See [Tenant Management](/management/tenant-management) for further details on managing tenants. operationId: RemoveSSOSuffixFromExternalId requestBody: content: application/json: schema: $ref: '#/components/schemas/RemoveSSOSuffixFromExternalIdRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: tenantManagement x-order: 7 x-meta: title: Remove SSO User from Tenant | Tenant Management description: Remove an SSO user from a tenant, using a valid management key. keywords: api, tenant management /v1/mgmt/tenant/adminlinks/sso/authenticated: post: tags: [] summary: Authenticated SSO Admin Link description: >- ### Authenticated SSO admin link for a tenant, using a valid management key. This API endpoint handles authenticated SSO admin link requests for a tenant. operationId: GetTenantAdminLinkSSOForAuthenticatedUsers requestBody: content: application/json: schema: $ref: >- #/components/schemas/GetTenantAdminLinkSSOForAuthenticateUsersRequest required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GenerateTenantAdminLinkResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: tenantAdminLinkManagement x-order: 4 x-meta: title: Authenticated SSO Admin Link | Tenant Admin Link Management description: >- Authenticated SSO admin link for a tenant, using a valid management key. keywords: api, tenant admin link management /v2/mgmt/tenant/adminlinks/sso/generate: post: tags: [] summary: Generate SSO Admin Link description: >- ### Generate an SSO admin link for a tenant, using a valid management key. This API endpoint generates an SSO admin link that allows a tenant administrator to configure SSO settings. operationId: GenerateTenantAdminLinkSSO requestBody: content: application/json: schema: $ref: '#/components/schemas/GenerateTenantAdminLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GenerateTenantAdminLinkResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: tenantAdminLinkManagement x-order: 1 x-meta: title: Generate SSO Admin Link | Tenant Admin Link Management description: Generate an SSO admin link for a tenant, using a valid management key. keywords: api, tenant admin link management /v1/mgmt/tenant/adminlinks/sso/revoke: post: tags: [] summary: Revoke SSO Admin Link description: |- ### Revoke an SSO admin link for a tenant, using a valid management key. This API endpoint revokes an existing SSO admin link for a tenant. operationId: RevokeTenantAdminLinkSSO requestBody: content: application/json: schema: $ref: '#/components/schemas/RevokeTenantAdminLinkRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: tenantAdminLinkManagement x-order: 2 x-meta: title: Revoke SSO Admin Link | Tenant Admin Link Management description: Revoke an SSO admin link for a tenant, using a valid management key. keywords: api, tenant admin link management /v1/mgmt/tenant/adminlinks/sso/send: post: tags: [] summary: Send SSO Admin Link description: >- ### Send an SSO admin link to a tenant administrator, using a valid management key. This API endpoint sends an SSO admin link via email to the specified tenant administrator. operationId: SendTenantAdminLinkSSO requestBody: content: application/json: schema: $ref: '#/components/schemas/SendTenantAdminLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SendTenantAdminLinkResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: tenantAdminLinkManagement x-order: 3 x-meta: title: Send SSO Admin Link | Tenant Admin Link Management description: >- Send an SSO admin link to a tenant administrator, using a valid management key. keywords: api, tenant admin link management /v1/mgmt/tenant/adminlinks/sso/generate: post: tags: [] summary: Generate tenant admin SSO configuration link description: >- Generate tenant admin SSO configuration link, using a valid management key. operationId: GenerateTenantAdminLinkSSODeprecated requestBody: content: application/json: schema: $ref: '#/components/schemas/GenerateTenantAdminLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GenerateTenantAdminLinkResponse' deprecated: true security: - Descope Project ID and Management Key: [] x-publishYaml: __NO_PUBLISH__ x-order: 8 x-meta: title: >- Generate tenant admin SSO configuration link | Tenant Admin Link Management description: >- Generate tenant admin SSO configuration link, using a valid management key. keywords: api, tenant admin link management /v1/mgmt/tenant/settings: get: tags: [] summary: Get Tenant Session Settings description: >- ### Get session settings for a tenant This endpoint allows you to get the session settings of a given tenant. ### See Also - See [tenant session settings](/customize/tenant#session-management) for details about tenant session settings. operationId: GetTenantSettings parameters: - name: id in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GetTenantSettingsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: tenantSessionManagement x-order: 7 x-meta: title: Get Tenant Session Settings | Tenant Session Management description: Get session settings for a tenant keywords: api, tenant session management post: tags: [] summary: Update Tenant Session Settings description: >- ### Update session settings for a tenant This endpoint allows you to update the session settings of a given tenant. ### See Also - See [tenant session settings](/customize/tenant#session-management) for details about tenant session settings. operationId: ConfigureTenantSettings requestBody: content: application/json: schema: $ref: '#/components/schemas/ConfigureTenantSettingsRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: tenantSessionManagement x-order: 8 x-meta: title: Update Tenant Session Settings | Tenant Session Management description: Update session settings for a tenant keywords: api, tenant session management /v1/mgmt/tests/generate/otp: post: tags: [] summary: Generate OTP description: >- ### Generate an OTP verification code for a test user. This endpoint is used to generate an OTP verification code for a test user. You can define whether this is sent via email or sms. Once you generate the OTP code, you must verify the OTP code via [verify OTP email](/api/otp/email/verify-otp) or [verify OTP sms](/api/otp/sms/verify-otp) ### See Also - See [OTP Authentication](/api/otp/) for details about implementing OTP. - See [Create a user](/api/management/users/create-user) with the `test` flag set to true to set it as a test user. - See [Manage Test Users](/manage/testusers/) for more information on test users. operationId: GenerateOTPForTestUser requestBody: content: application/json: schema: $ref: '#/components/schemas/TestUserGenerateOTPRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/TestUserGenerateOTPResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: testUserManagement x-order: 1 x-meta: title: Generate OTP | Test User Management description: Generate an OTP verification code for a test user. keywords: api, test user management /v1/mgmt/tests/generate/magiclink: post: tags: [] summary: Generate Magic Link description: >- ### Generate a Magic Link for a test user. This endpoint is used to generate a Magic Link for a test user. You can define whether this is sent via email or sms. Once you generate the Magic Link Token must be verified via [verify token](/api/magic-link/verification/verify-token) ### See Also - See [Magic link Authentication](/api/magiclink/) for details about implementing magic links. - See [Create a user](/api/management/users/create-user) with the `test` flag set to true to set it as a test user. - See [Manage Test Users](/manage/testusers/) for more information on test users. operationId: GenerateMagicLinkForTestUser requestBody: content: application/json: schema: $ref: '#/components/schemas/TestUserGenerateMagicLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/TestUserGenerateMagicLinkResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: testUserManagement x-order: 2 x-meta: title: Generate Magic Link | Test User Management description: Generate a Magic Link for a test user. keywords: api, test user management /v1/mgmt/tests/generate/enchantedlink: post: tags: [] summary: Generate Enchanted Link description: >- ### Generate a Enchanted Link for a test user. This endpoint is used to generate a Enchanted Link for a test user. You can define whether this is sent via email or sms. Once you generate the Enchanted Link Token must be verified via [verify token](/api/enchanted-link/verify-token) ### See Also - See [Enchanted link Authentication](/api/enchantedlink/) for details about implementing enchanted links. - See [Create a user](/api/management/users/create-user) with the `test` flag set to true to set it as a test user. - See [Manage Test Users](/manage/testusers/) for more information on test users. operationId: GenerateEnchantedLinkForTestUser requestBody: content: application/json: schema: $ref: '#/components/schemas/TestUserGenerateEnchantedLinkRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/TestUserGenerateEnchantedLinkResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: testUserManagement x-order: 3 x-meta: title: Generate Enchanted Link | Test User Management description: Generate a Enchanted Link for a test user. keywords: api, test user management /v1/mgmt/user/test/delete/all: delete: tags: [] summary: Delete All Test Users description: >- ### Delete all test users This endpoint is used to delete all test users from a project. This action will delete these users forever and they will not be recoverable. ### See Also - See [Manage Test Users](/manage/testusers/) for more information on test users. operationId: DeleteAllTestUsers responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/DeleteAllTestUsersResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: testUserManagement x-order: 4 x-meta: title: Delete All Test Users | Test User Management description: Delete all test users keywords: api, test user management /v1/mgmt/thirdparty/app/create: post: tags: [] summary: Create third party application description: Create a new third party application, using a valid management key. operationId: CreateThirdPartyApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/CreateThirdPartyApplicationRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/CreateThirdPartyApplicationResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 1 x-meta: title: Create third party application | Third Party Apps Management description: Create a new third party application, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/app/update: post: tags: [] summary: Update third party application description: Update a third party application, using a valid management key. operationId: UpdateThirdPartyApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/UpdateThirdPartyApplicationRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 2 x-meta: title: Update third party application | Third Party Apps Management description: Update a third party application, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/app/patch: post: tags: [] summary: Patch third party application description: Patch a third party application, using a valid management key. operationId: PatchThirdPartyApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/PatchThirdPartyApplicationRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 3 x-meta: title: Patch third party application | Third Party Apps Management description: Patch a third party application, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/app/load: get: tags: [] summary: Load third party application by ID description: >- Loads project third party application by id, using a valid management key. operationId: LoadThirdPartyApplication parameters: - name: id in: query schema: type: string - name: clientId in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadThirdPartyApplicationResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 4 x-meta: title: Load third party application by ID | Third Party Apps Management description: >- Loads project third party application by id, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/apps/load: get: tags: [] summary: Load All third party applications description: >- Loads all project third party applications, using a valid management key. operationId: LoadAllThirdPartyApplications parameters: - name: page in: query schema: type: integer format: int32 - name: limit in: query schema: type: integer format: int32 responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/LoadAllThirdPartyApplicationsResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 5 x-meta: title: Load All third party applications | Third Party Apps Management description: >- Loads all project third party applications, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/app/secret: get: tags: [] summary: Get third party application secret description: Get a third party application secret, using a valid management key. operationId: GetThirdPartyApplicationSecret parameters: - name: id in: query schema: type: string responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/GetThirdPartyApplicationSecretResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 6 x-meta: title: Get third party application secret | Third Party Apps Management description: Get a third party application secret, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/app/rotate: post: tags: [] summary: Rotate third party application secret by application ID description: >- Rotate the project third party application secret by the application id, using a valid management key. operationId: RotateThirdPartyApplicationSecret requestBody: content: application/json: schema: $ref: '#/components/schemas/RotateThirdPartyApplicationSecretRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/RotateThirdPartyApplicationSecretResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 7 x-meta: title: >- Rotate third party application secret by application ID | Third Party Apps Management description: >- Rotate the project third party application secret by the application id, using a valid management key. keywords: api, third party apps management get: x-publishYaml: __NO_PUBLISH__ operationId: NoPublishRotate responses: '200': description: Successful operation x-meta: title: undefined | Third Party Apps Management description: No description available keywords: api, third party apps management /v1/mgmt/thirdparty/consents/search: post: tags: [] summary: Search third party applications consents description: Search third party applications consents, using a valid management key. operationId: SearchThirdPartyApplicationConsents requestBody: content: application/json: schema: $ref: '#/components/schemas/SearchThirdPartyApplicationConsentsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/SearchThirdPartyApplicationConsentsResponse security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 8 x-meta: title: Search third party applications consents | Third Party Apps Management description: >- Search third party applications consents, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/consents/delete: post: tags: [] summary: Delete third party applications consents description: Delete third party applications consents, using a valid management key. operationId: DeleteThirdPartyApplicationConsents requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteThirdPartyApplicationConsentsRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/DeleteThirdPartyApplicationConsentsResponse security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 9 x-meta: title: Delete third party applications consents | Third Party Apps Management description: >- Delete third party applications consents, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/consents/delete/tenant: post: tags: [] summary: Delete third party applications consents by tenant description: >- Delete third party applications consents by tenant, using a valid management key. operationId: DeleteThirdPartyApplicationTenantConsents requestBody: content: application/json: schema: $ref: >- #/components/schemas/DeleteThirdPartyApplicationTenantConsentsRequest required: true responses: '200': description: OK content: application/json: schema: $ref: >- #/components/schemas/DeleteThirdPartyApplicationConsentsResponse security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 10 x-meta: title: >- Delete third party applications consents by tenant | Third Party Apps Management description: >- Delete third party applications consents by tenant, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/app/delete: post: tags: [] summary: Delete third party application description: Delete a third party application, using a valid management key. operationId: DeleteThirdPartyApplication requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteThirdPartyApplicationRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 11 x-meta: title: Delete third party application | Third Party Apps Management description: Delete a third party application, using a valid management key. keywords: api, third party apps management /v1/mgmt/thirdparty/app/delete/batch: post: tags: [] summary: Batch delete third party applications description: >- Delete multiple third party applications in batch, using a valid management key. operationId: DeleteThirdPartyApplications requestBody: content: application/json: schema: $ref: '#/components/schemas/DeleteThirdPartyApplicationsRequest' required: true responses: '200': description: OK content: {} security: - Descope Project ID and Management Key: [] x-publishYaml: thirdPartyAppsManagement x-order: 12 x-meta: title: Batch delete third party applications | Third Party Apps Management description: >- Delete multiple third party applications in batch, using a valid management key. keywords: api, third party apps management /v1/mgmt/user/signin/embeddedlink: post: tags: - Embedded Link summary: Generate Embedded Link description: >- ### Generate an embedded link for an existing user Initiate a sign-in process by generating an embdedded link for an existing user utilizing a management key. The endpoint will return a token which can then be verified using the Magic Link [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### Next Steps Verify the embedded link token using the [Verify Token](/api/magic-link/verification/verify-token) endpoint. ### See Also - See [Embedded link Authentication](/customize/auth/embeddedlink/) for details about implementing embedded links. - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number. operationId: EmbeddedLinkSignin requestBody: content: application/json: schema: $ref: '#/components/schemas/EmbeddedLinkSignInRequest' required: true responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/EmbeddedLinkSignInResponse' security: - Descope Project ID and Management Key: [] x-publishYaml: MagicLink x-order: 1 x-meta: title: Generate Embedded Link | Embedded Link description: Generate an embedded link for an existing user keywords: api, embedded link components: schemas: AccessKeyLoginOptions: type: object properties: customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value selectedTenant: type: string CIBAAuthRequest: type: object properties: client_id: type: string client_secret: type: string scope: type: string login_hint: type: string binding_message: type: string requested_expiry: type: integer format: uint32 audience: type: string project_id: type: string CIBAAuthResponse: type: object properties: auth_req_id: type: string expires_in: type: integer format: uint32 interval: type: integer format: uint32 EmailMagicLinkResponse: type: object properties: maskedEmail: type: string EmailOperationResponse: type: object properties: maskedEmail: type: string verificationAttempts: type: integer format: int32 EnchantedLinkResponse: type: object properties: pendingRef: type: string linkId: type: string maskedEmail: type: string EnchantedLinkSignInRequest: type: object properties: loginId: type: string redirectUrl: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' providerId: type: string ssoAppId: type: string EnchantedLinkSignUpEmailRequest: type: object properties: email: type: string loginId: type: string user: $ref: '#/components/schemas/SignUpUser' redirectUrl: type: string providerId: type: string loginOptions: $ref: '#/components/schemas/SignupLoginOptions' ExchangeAccessKeyRequest: type: object properties: loginOptions: $ref: '#/components/schemas/AccessKeyLoginOptions' ExchangeAccessKeyResponse: type: object properties: keyId: type: string sessionJwt: type: string ExchangeOAuthCodeRequest: type: object properties: code: type: string state: type: string provider: type: string user: type: string error: type: string projectId: type: string tenantId: type: string id_token: type: string error_description: type: string ssoId: type: string ExchangeOneTapIDTokenRequest: type: object properties: provider: type: string idToken: type: string nonce: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' ExchangeTokenRequest: type: object properties: code: type: string ExportedAuthHistory: type: object properties: userId: type: string loginTime: type: integer format: int32 city: type: string country: type: string ip: type: string selectedTenant: type: string FedCMAccount: type: object properties: id: type: string givenName: type: string name: type: string email: type: string picture: type: string approvedClients: type: array items: type: string loginHints: type: array items: type: string domainHints: type: array items: type: string description: >- Accroding to https://developers.google.com/privacy-sandbox/3pcd/fedcm-developer-guide#accounts-list-endpoint FedCMAccountsResponse: type: object properties: accounts: type: array items: $ref: '#/components/schemas/FedCMAccount' FedCMAssertionRequest: type: object properties: accountId: type: string clientId: type: string nonce: type: string disclosureTextShown: type: string isAutoSelected: type: string projectId: type: string description: >- According to https://developers.google.com/privacy-sandbox/3pcd/fedcm-developer-guide#id-assertion-endpoint FedCMAssertionResponse: type: object properties: token: type: string GenerateUserRecoveryCodesRequest: type: object properties: loginId: type: string GenerateUserRecoveryCodesResponse: type: object properties: codes: type: array items: $ref: '#/components/schemas/RecoveryCode' GetEnchantedLinkSessionRequest: type: object properties: pendingRef: type: string GetNOTPSessionRequest: type: object properties: pendingRef: type: string GetOneTapClientIDResponse: type: object properties: clientId: type: string GetUserSecurityVerifyQuestionsResponse: type: object properties: questions: type: array items: $ref: '#/components/schemas/SecurityQuestion' IDPResponse: type: object properties: samlResponse: type: string samlGeneratedUser: type: string samlGeneratedRoles: type: string oidcResponse: type: string oidcGeneratedUser: type: string oidcGeneratedRoles: type: string idpGroups: type: array items: type: string idpSAMLAttributes: type: object default: false idpOIDCClaims: type: object IDPSSOLogoutRequest: type: object properties: app: type: string JWTResponse: type: object properties: sessionJwt: type: string refreshJwt: type: string cookieDomain: type: string cookiePath: type: string cookieMaxAge: type: integer format: int32 cookieExpiration: type: integer format: int32 user: $ref: '#/components/schemas/ResponseUser' firstSeen: type: boolean idpResponse: $ref: '#/components/schemas/IDPResponse' sessionExpiration: type: integer format: int32 externalToken: type: string claims: type: object tenantSSOID: type: string trustedDeviceJwt: type: string nextRefreshSeconds: type: integer format: int32 cookieName: type: string sessionCookieName: type: string sessionCookieDomain: type: string description: >- NOTE: if you add a new field to this message, also add it to the OptionalJWTResponse message LoginOptions: type: object properties: stepup: type: boolean default: false customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value mfa: type: boolean default: false ssoAppId: type: string templateOptions: type: object additionalProperties: type: string locale: type: string pkceChallenge: type: string description: >- relevant only for enchanted links in the point in time - other methods will ignore this field format: bytes revokeOtherSessions: type: boolean revokeOtherSessionsTypes: type: array items: type: string LogoutRequest: type: object properties: logoutType: type: array items: type: string MagicLinkSignInRequest: type: object properties: loginId: type: string redirectUrl: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' providerId: type: string ssoAppId: type: string MagicLinkSignUpEmailRequest: type: object properties: email: type: string loginId: type: string user: $ref: '#/components/schemas/SignUpUser' redirectUrl: type: string providerId: type: string loginOptions: $ref: '#/components/schemas/SignupLoginOptions' MagicLinkSignUpPhoneRequest: type: object properties: phone: type: string loginId: type: string user: $ref: '#/components/schemas/SignUpUser' redirectUrl: type: string providerId: type: string loginOptions: $ref: '#/components/schemas/SignupLoginOptions' MeAuthHistoryResponse: type: object properties: authHistory: type: array items: $ref: '#/components/schemas/ExportedAuthHistory' MeTenantsRequest: type: object properties: dct: type: boolean ids: type: array items: type: string MeTenantsResponse: type: object properties: tenants: type: array items: $ref: '#/components/schemas/Tenant' NOTPLinkResponse: type: object properties: pendingRef: type: string description: Pending ref is the reference to the pending operation redirectUrl: type: string description: >- Link to the app (e.g. https://wa.me/1234567890?text=My%20authentication%20code%20is%20999999) image: type: string description: QR code image NOTPSignInRequest: type: object properties: provider: type: string description: Whatsapp, IMessage, etc loginId: type: string description: Optional, becasue can be retrived from the provider webhook loginOptions: $ref: '#/components/schemas/LoginOptions' providerId: type: string templates: $ref: '#/components/schemas/NOTPTemplateIDs' ssoAppId: type: string NOTPSignUpRequest: type: object properties: provider: type: string description: Whatsapp, IMessage, etc phone: type: string loginId: type: string user: $ref: '#/components/schemas/SignUpUser' providerId: type: string templates: $ref: '#/components/schemas/NOTPTemplateIDs' ssoAppId: type: string loginOptions: $ref: '#/components/schemas/SignupLoginOptions' NOTPTemplateIDs: type: object properties: verifyTemplateId: type: string successTemplateId: type: string errorTemplateId: type: string description: NOTP Requests & Responses OAuthNativeFinishRequest: type: object properties: provider: type: string stateId: type: string user: type: string code: type: string idToken: type: string OAuthNativeStartRequest: type: object properties: provider: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' implicit: type: boolean rawResponse: type: boolean OAuthNativeStartResponse: type: object properties: clientId: type: string stateId: type: string nonce: type: string implicit: type: boolean errorId: type: string OAuthRedirectResponse: type: object properties: url: type: string errorId: type: string OIDCAuthZEndpointFinishRequest: type: object properties: state_id: type: string sso_app_id: type: string error_redirect_uri: type: string OIDCAuthZEndpointRequest: type: object properties: response_type: type: string scope: type: string client_id: type: string state: type: string redirect_uri: type: string code_challenge_method: type: string description: PKCE code_challenge: type: string dynamic_val: type: string nonce: type: string ssoAppId: type: string loginHint: type: string prompt: type: string flow: type: string flow_token: type: string tenant: type: string style: type: string OIDCAuthZEntraMFAEndpointRequest: type: object properties: response_type: type: string scope: type: string client_id: type: string state: type: string redirect_uri: type: string nonce: type: string id_token_hint: type: string claims: type: string ssoAppId: type: string style: type: string OIDCDeviceEndpointRequest: type: object properties: ssoAppId: type: string client_id: type: string scope: type: string audience: type: string project_id: type: string OIDCDeviceEndpointResponse: type: object properties: device_code: type: string user_code: type: string verification_uri: type: string verification_uri_complete: type: string expires_in: type: integer format: uint32 interval: type: integer format: uint32 OIDCEndSessionEndpointRequest: type: object properties: id_token_hint: type: string client_id: type: string post_logout_redirect_uri: type: string state: type: string ssoAppId: type: string OIDCRevocationEndpointRequest: type: object properties: token: type: string token_type_hint: type: string ssoAppId: type: string OIDCTokenEndpointRequest: type: object properties: grant_type: type: string code: type: string redirect_uri: type: string client_id: type: string client_secret: type: string code_verifier: type: string refresh_token: type: string scope: type: string ssoAppId: type: string audience: type: string username: type: string password: type: string assertion: type: string client_assertion_type: type: string client_assertion: type: string device_code: type: string OIDCTokenEndpointResponse: type: object properties: access_token: type: string token_type: type: string refresh_token: type: string id_token: type: string expires_in: type: integer format: uint32 scope: type: string error: type: string description: >- Those fields are in use just in case of error of device flow scenario (where device polling on the specific error response) description: type: string issued_token_type: type: string OIDCUserInfoEndpointRequest: type: object properties: ssoAppId: type: string description: Can be empty as data arrived on the Authorization header token OIDCUserInfoEndpointResponse: type: object properties: userInfoClaims: type: object OTPSignInRequest: type: object properties: loginId: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' providerId: type: string ssoAppId: type: string OTPSignUpEmailRequest: type: object properties: email: type: string loginId: type: string user: $ref: '#/components/schemas/EmailSignUpUserObject' providerId: type: string loginOptions: $ref: '#/components/schemas/SignupLoginOptions' OTPSignUpPhoneRequest: type: object properties: phone: type: string loginId: type: string user: $ref: '#/components/schemas/PhoneSignUpUserObject' providerId: type: string loginOptions: $ref: '#/components/schemas/SignupLoginOptions' OTPVerifyCodeRequest: type: object properties: loginId: type: string code: type: string OperationResponse: type: object properties: {} OptionalJWTResponse: type: object properties: sessionJwt: type: string refreshJwt: type: string cookieDomain: type: string cookiePath: type: string cookieMaxAge: type: integer format: int32 cookieExpiration: type: integer format: int32 sessionExpiration: type: integer description: |- For convenience, we use the same field numbers as in JWTResponse optional userv1.ResponseUser user = 7; optional bool firstSeen = 8; optional IDPResponse idpResponse = 11; format: int32 externalToken: type: string claims: type: object tenantSSOID: type: string trustedDeviceJwt: type: string nextRefreshSeconds: type: integer format: int32 cookieName: type: string sessionCookieName: type: string sessionCookieDomain: type: string description: |- This is a copy of JWTResponse with all fields optional This is used so in case an empty response is returned, it won't send zero values PasskeyOptions: type: object properties: authenticatorSelection: allOf: - $ref: >- #/components/schemas/PasskeyOptions_WebauthnAuthenticatorSelectionCriteria description: attestation only (sign up) attestation: type: integer format: enum default: false userVerification: type: integer description: assertion only (sign in) format: enum extensionsJSON: type: string description: shared PasskeyOptions_WebauthnAuthenticatorSelectionCriteria: type: object properties: authenticatorAttachment: type: integer format: enum requireResidentKey: type: integer format: enum residentKey: type: integer format: enum userVerification: type: integer format: enum extensionsJSON: type: string PasswordPolicyResponse: type: object properties: minLength: type: integer format: int32 lowercase: type: boolean uppercase: type: boolean number: type: boolean nonAlphanumeric: type: boolean strengthScoreEnabled: type: boolean strengthScore: type: integer format: int32 PasswordReplaceRequest: type: object properties: loginId: type: string oldPassword: type: string newPassword: type: string revokeOtherSessions: type: boolean revokeOtherSessionsTypes: type: array items: type: string PasswordResetSendRequest: type: object properties: loginId: type: string redirectUrl: type: string providerId: type: string templateOptions: type: object additionalProperties: type: string locale: type: string PasswordResetSendResponse: type: object properties: resetMethod: type: string pendingRef: type: string linkId: type: string maskedEmail: type: string PasswordSignInRequest: type: object properties: loginId: type: string password: type: string ssoAppId: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' PasswordSignUpRequest: type: object properties: loginId: type: string user: $ref: '#/components/schemas/SignUpUser' password: type: string loginOptions: $ref: '#/components/schemas/SignupLoginOptions' PasswordUpdateRequest: type: object properties: loginId: type: string newPassword: type: string PhoneMagicLinkResponse: type: object properties: maskedPhone: type: string PhoneOperationResponse: type: object properties: maskedPhone: type: string verificationAttempts: type: integer format: int32 PushEnrollDeviceRequest: type: object properties: provider: type: string token: type: string device: type: string PushGetSessionRequest: type: object properties: pendingRef: type: string PushSignInFinishRequest: type: object properties: transactionId: type: string result: type: string PushSignInStartRequest: type: object properties: loginId: type: string PushSignInStartResponse: type: object properties: pendingRef: type: string RecoveryCode: type: object properties: code: type: string RefreshSessionRequest: type: object properties: externalToken: type: string SAMLIDPFinishEndpointRequest: type: object properties: state_id: type: string sso_app_id: type: string additionalSAMLAttributes: type: object default: false SAMLIDPFinishEndpointResponse: type: object properties: url: type: string samlResponse: type: string relayState: type: string error: type: boolean SAMLIDPInitiateAdapter1RequestPOST: type: object properties: SPID: type: string RelayState: type: string LoginHint: type: string tenant: type: string flow_token: type: string fp: type: string dpid: type: string SAMLIDPInitiateRequestPOST: type: object properties: app: type: string RelayState: type: string LoginHint: type: string tenant: type: string flow_token: type: string login_hint: type: string SAMLIDPMetadataResponse: type: object properties: xml: type: string SAMLIDPSSORequestPOSTData: type: object properties: SAMLRequest: type: string default: false RelayState: type: string SamlRequest: type: string LoginHint: type: string tenant: type: string flow_token: type: string login_hint: type: string SAMLMetadataResponse: type: object properties: xml: type: string SAMLRedirectResponse: type: object properties: url: type: string SecurityQuestion: type: object properties: id: type: string text: type: string description: >- Same as service service's SecurityQuestion, but we don't want to depend on project service SecurityQuestionAnswer: type: object properties: id: type: string answer: type: string SelectTenantRequest: type: object properties: tenant: type: string SetupUserSecurityQuestionsRequest: type: object properties: loginId: type: string answers: type: array items: $ref: '#/components/schemas/SecurityQuestionAnswer' description: Setup Questions SetupUserSecurityQuestionsResponse: type: object properties: {} SignInRecoveryCodeRequest: type: object properties: loginId: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' code: type: string SignUpUser: type: object properties: loginId: type: string name: type: string phone: type: string email: type: string givenName: type: string middleName: type: string familyName: type: string SignupLoginOptions: type: object properties: customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value templateOptions: type: object additionalProperties: type: string locale: type: string pkceChallenge: type: string description: >- relevant only for enchanted links in the point in time - other methods will ignore this field format: bytes TOTPResponse: type: object properties: provisioningURL: type: string description: >- Clickable URL containing the TOTP key that will open an installed authenticator app image: type: string description: >- QR code of the TOTP key (as a Base64 image) that can be scanned from an authenticator app key: type: string description: TOTP key that can be manually pasted into the authenticator app TOTPSignUpRequest: type: object properties: loginId: type: string user: $ref: '#/components/schemas/SignUpUser' ssoAppId: type: string TOTPUpdateRequest: type: object properties: loginId: type: string TOTPVerifyCodeRequest: type: object properties: loginId: type: string code: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' Tenant: type: object properties: id: type: string name: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value selfProvisioningDomains: type: array items: type: string authType: type: string domains: type: array items: type: string createdTime: type: integer format: int32 disabled: type: boolean enforceSSO: type: boolean enforceSSOExclusions: type: array items: type: string federatedAppIds: type: array items: type: string parent: type: string successors: type: array items: type: string defaultRoles: type: array items: type: string roleInheritance: type: string ThirdPartyApplicationAuthZEndpointRequest: type: object properties: response_type: type: string scope: type: string client_id: type: string state: type: string redirect_uri: type: string code_challenge_method: type: string description: PKCE code_challenge: type: string nonce: type: string loginHint: type: string prompt: type: string flow: type: string flow_token: type: string resource: type: array items: type: string description: RFC 8707 - OAuth 2.0 Resource Indicators project_id: type: string tenant: type: string mcp_server_id: type: string style: type: string ThirdPartyApplicationFinishEndpointRequest: type: object properties: state_id: type: string app_id: type: string error_redirect_uri: type: string consent_id: type: string ThirdPartyApplicationRevocationEndpointRequest: type: object properties: token: type: string token_type_hint: type: string client_id: type: string client_secret: type: string project_id: type: string ThirdPartyApplicationTokenEndpointRequest: type: object properties: grant_type: type: string code: type: string client_id: type: string client_secret: type: string code_verifier: type: string scope: type: string refresh_token: type: string tenantId: type: string resource: type: string description: >- RFC 8707 - OAuth 2.0 Resource Indicators - Token Endpoint only supports receiving a single resource audience: type: string assertion: type: string client_assertion_type: type: string client_assertion: type: string device_code: type: string project_id: type: string mcp_server_id: type: string subject_token: type: string subject_token_type: type: string auth_req_id: type: string ThirdPartyApplicationUserInfoEndpointRequest: type: object properties: project_id: type: string description: Can be empty as data arrived on the Authorization header token ThirdPartyApplicationUserInfoEndpointResponse: type: object properties: userInfoClaims: type: object UpdateUserEmailEnchantedLinkRequest: type: object properties: loginId: type: string email: type: string redirectUrl: type: string addToLoginIDs: type: boolean default: false onMergeUseExisting: type: boolean default: false providerId: type: string templateOptions: type: object additionalProperties: type: string locale: type: string failOnConflict: type: boolean UpdateUserEmailMagicLinkRequest: type: object properties: loginId: type: string email: type: string redirectUrl: type: string addToLoginIDs: type: boolean default: false onMergeUseExisting: type: boolean default: false providerId: type: string templateOptions: type: object additionalProperties: type: string locale: type: string failOnConflict: type: boolean UpdateUserEmailOTPRequest: type: object properties: loginId: type: string email: type: string addToLoginIDs: type: boolean default: false onMergeUseExisting: type: boolean default: false providerId: type: string templateOptions: type: object additionalProperties: type: string locale: type: string failOnConflict: type: boolean UpdateUserNOTPRequest: type: object properties: provider: type: string loginId: type: string phone: type: string addToLoginIDs: type: boolean default: false onMergeUseExisting: type: boolean default: false providerId: type: string templates: $ref: '#/components/schemas/NOTPTemplateIDs' templateOptions: type: object additionalProperties: type: string ssoAppId: type: string locale: type: string failOnConflict: type: boolean UpdateUserPhoneMagicLinkRequest: type: object properties: loginId: type: string phone: type: string redirectUrl: type: string addToLoginIDs: type: boolean default: false onMergeUseExisting: type: boolean default: false providerId: type: string templateOptions: type: object additionalProperties: type: string locale: type: string failOnConflict: type: boolean UpdateUserPhoneOTPRequest: type: object properties: loginId: type: string phone: type: string addToLoginIDs: type: boolean default: false onMergeUseExisting: type: boolean default: false providerId: type: string templateOptions: type: object additionalProperties: type: string locale: type: string failOnConflict: type: boolean ValidateSessionRequest: type: object properties: {} ValidateSessionResponse: type: object properties: parsedJWT: type: object VerifyEnchantedLinkRequest: type: object properties: token: type: string pkceVerifier: type: string format: bytes VerifyEnchantedLinkResponse: type: object properties: {} VerifyMagicLinkRequest: type: object properties: token: type: string VerifyOneTapIDTokenResponse: type: object properties: code: type: string VerifyUserSecurityQuestionsRequest: type: object properties: loginId: type: string answers: type: array items: $ref: '#/components/schemas/SecurityQuestionAnswer' stepup: type: boolean description: Verify Questions WSFedIDPFinishEndpointRequest: type: object properties: state_id: type: string sso_app_id: type: string WSFedIDPFinishEndpointResponse: type: object properties: replyURL: type: string wresult: type: string wctx: type: string error: type: boolean WSFedIDPInitiateRequest: type: object properties: app: type: string tenant: type: string login_hint: type: string WSFedIDPMetadataResponse: type: object properties: xml: type: string WSFedIDPPassiveRequest: type: object properties: app: type: string wa: type: string wtrealm: type: string wreply: type: string wctx: type: string whr: type: string tenant: type: string login_hint: type: string WebauthnAddDeviceFinishRequest: type: object properties: transactionId: type: string response: type: string WebauthnAddDeviceFinishResponse: type: object properties: {} WebauthnAddDeviceStartRequest: type: object properties: loginId: type: string origin: type: string passkeyOptions: $ref: '#/components/schemas/PasskeyOptions' WebauthnSignInFinishRequest: type: object properties: transactionId: type: string response: type: string WebauthnSignInStartRequest: type: object properties: loginId: type: string origin: type: string passkeyOptions: $ref: '#/components/schemas/PasskeyOptions' loginOptions: $ref: '#/components/schemas/LoginOptions' WebauthnSignUpFinishRequest: type: object properties: transactionId: type: string response: type: string WebauthnSignUpOrInStartRequest: type: object properties: loginId: type: string origin: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' ssoAppId: type: string passkeyOptions: $ref: '#/components/schemas/PasskeyOptions' WebauthnSignUpStartRequest: type: object properties: loginId: type: string user: $ref: '#/components/schemas/SignUpUser' origin: type: string passkeyOptions: $ref: '#/components/schemas/PasskeyOptions' WebauthnStartResponse: type: object properties: transactionId: type: string options: type: string create: type: boolean WhatsappChange: type: object properties: value: $ref: '#/components/schemas/WhatsappValue' field: type: string WhatsappContact: type: object properties: profile: $ref: '#/components/schemas/WhatsappProfile' wa_id: type: string WhatsappConversation: type: object properties: id: type: string expirationTimestamp: type: string origin: $ref: '#/components/schemas/WhatsappOrigin' WhatsappEntry: type: object properties: id: type: string changes: type: array items: $ref: '#/components/schemas/WhatsappChange' WhatsappMessage: type: object properties: from: type: string id: type: string timestamp: type: string text: $ref: '#/components/schemas/WhatsappText' type: type: string WhatsappMetadata: type: object properties: display_phone_number: type: string phone_number_id: type: string WhatsappOrigin: type: object properties: type: type: string WhatsappPricing: type: object properties: billable: type: boolean pricingModel: type: string category: type: string WhatsappProfile: type: object properties: name: type: string WhatsappStatus: type: object properties: id: type: string status: type: string timestamp: type: string recipientId: type: string conversation: $ref: '#/components/schemas/WhatsappConversation' pricing: $ref: '#/components/schemas/WhatsappPricing' WhatsappText: type: object properties: body: type: string WhatsappValue: type: object properties: messaging_product: type: string metadata: $ref: '#/components/schemas/WhatsappMetadata' contacts: type: array items: $ref: '#/components/schemas/WhatsappContact' messages: type: array items: $ref: '#/components/schemas/WhatsappMessage' statuses: type: array items: $ref: '#/components/schemas/WhatsappStatus' WhatsappWebhookNotifyRequest: type: object properties: object: type: string entry: type: array items: $ref: '#/components/schemas/WhatsappEntry' signatureData: $ref: '#/components/schemas/WhatsappWebhookSignatureData' WhatsappWebhookSignatureData: type: object properties: xHubSignature256: type: string payload: type: string format: bytes ResponseUser: type: object properties: loginIds: type: array items: type: string userId: type: string name: type: string email: type: string phone: type: string verifiedEmail: type: boolean verifiedPhone: type: boolean roleNames: type: array items: type: string userTenants: type: array items: $ref: '#/components/schemas/UserTenants' status: type: string externalIds: type: array items: type: string picture: type: string test: type: boolean default: false customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value createdTime: type: integer format: int32 TOTP: type: boolean default: false SAML: type: boolean default: false OAuth: type: object additionalProperties: type: boolean default: false webauthn: type: boolean password: type: boolean ssoAppIds: type: array items: type: string givenName: type: string middleName: type: string familyName: type: string editable: type: boolean SCIM: type: boolean push: type: boolean permissions: type: array items: type: string OIDC: type: boolean consentExpiration: type: integer format: int32 UserTenants: type: object properties: tenantId: type: string roleNames: type: array items: type: string tenantName: type: string permissions: type: array items: type: string EmailSignUpUserObject: type: object properties: username: type: string description: Username Username name: type: string description: Name Name phone: type: string description: Phone Phone icon: type: string PhoneSignUpUserObject: type: object properties: username: type: string description: Username Username name: type: string description: Name Name email: type: string description: Email Email icon: type: string FedCMBranding: type: object properties: background_color: type: string color: type: string icons: type: array items: $ref: '#/components/schemas/FedCMIcon' FedCMClientMetadataResponse: type: object properties: privacy_policy_url: type: string terms_of_service_url: type: string FedCMConfigResponse: type: object properties: accounts_endpoint: type: string client_metadata_endpoint: type: string id_assertion_endpoint: type: string disconnect_endpoint: type: string login_url: type: string branding: $ref: '#/components/schemas/FedCMBranding' description: >- According to https://developers.google.com/privacy-sandbox/3pcd/fedcm-developer-guide#idp-config-file FedCMIcon: type: object properties: url: type: string size: type: integer format: int32 WellKnownProjectConfigurationResponse: type: object properties: allowAuthHostingIframeEmbedding: type: boolean sessionv1.JWKSResponse: type: object properties: alg: type: string e: type: string kid: type: string kty: type: string 'n': type: string use: type: string sessionv1.JWKSResponseV2: type: object properties: keys: type: array items: $ref: '#/components/schemas/sessionv1.JWKSResponse' sessionv1.WellKnownConfigurationResponse: type: object properties: issuer: type: string jwks_uri: type: string authorization_endpoint: type: string response_types_supported: type: array items: type: string subject_types_supported: type: array items: type: string id_token_signing_alg_values_supported: type: array items: type: string token_endpoint: type: string userinfo_endpoint: type: string scopes_supported: type: array items: type: string claims_supported: type: array items: type: string end_session_endpoint: type: string revocation_endpoint: type: string token_endpoint_auth_methods_supported: type: array items: type: string registration_endpoint: type: string code_challenge_methods_supported: type: array items: type: string backchannel_logout_supported: type: boolean device_authorization_endpoint: type: string client_id_metadata_document_supported: type: boolean backchannel_token_delivery_modes_supported: type: array items: type: string backchannel_authentication_endpoint: type: string Analytic: type: object properties: projectId: type: string action: type: string created: type: string device: type: string method: type: string geo: type: string tenant: type: string cnt: type: string referrer: type: string Audit: type: object properties: ID: type: string projectId: type: string userId: type: string action: type: string occurred: type: string device: type: string method: type: string geo: type: string remoteAddress: type: string externalIds: type: array items: type: string tenants: type: array items: type: string data: type: object type: type: string actorId: type: string SearchAnalyticsRequest: type: object properties: from: type: string to: type: string actions: type: array items: type: string devices: type: array items: type: string methods: type: array items: type: string geos: type: array items: type: string tenants: type: array items: type: string groupByAction: type: boolean groupByDevice: type: boolean groupByMethod: type: boolean groupByGeo: type: boolean groupByTenant: type: boolean groupByCreated: type: string excludedActions: type: array items: type: string groupByReferrer: type: boolean SearchAnalyticsResponse: type: object properties: analytics: type: array items: $ref: '#/components/schemas/Analytic' SearchAuditRequest: type: object properties: from: type: string to: type: string userIds: type: array items: type: string actions: type: array items: type: string devices: type: array items: type: string methods: type: array items: type: string geos: type: array items: type: string remoteAddresses: type: array items: type: string externalIds: type: array items: type: string tenants: type: array items: type: string noTenants: type: boolean text: type: string excludedActions: type: array items: type: string actorIds: type: array items: type: string size: type: integer format: int32 page: type: integer format: int32 searchFields: type: array items: $ref: '#/components/schemas/SearchField' oldestFirst: type: boolean loginIdsContain: type: array items: type: string loginIdsNotContain: type: array items: type: string excludedExternalIds: type: array items: type: string auditTypes: type: array items: type: string levels: type: array items: type: string SearchAuditResponse: type: object properties: audits: type: array items: $ref: '#/components/schemas/Audit' total: type: integer format: int32 Backup: type: object properties: id: type: string projectId: type: string status: type: string schemaVersion: type: integer format: int32 tupleCount: type: integer format: int32 createdAt: type: integer format: int32 completedAt: type: integer format: int32 errorMessage: type: string CheckPath: type: object properties: steps: type: array items: $ref: '#/components/schemas/CheckPathStep' CheckPathStep: type: object properties: stepType: type: integer format: enum tuple: $ref: '#/components/schemas/Tuple' permission: type: string subPaths: type: array items: $ref: '#/components/schemas/CheckPath' CheckRequest: type: object properties: tuples: type: array items: $ref: '#/components/schemas/Tuple' computePaths: type: boolean CheckResponse: type: object properties: tuples: type: array items: $ref: '#/components/schemas/CheckResponseTuple' CheckResponseInfo: type: object properties: direct: type: boolean description: >- A relation is considered "direct" if, based solely on the schema, its "allowed" state can only be changed by creating or deleting relations involving its resource, its target, or both (including itself) path: allOf: - $ref: '#/components/schemas/CheckPath' description: >- if the check succeeded, includes the full path of intermediate relations between the target and the resource CheckResponseTuple: type: object properties: allowed: type: boolean tuple: $ref: '#/components/schemas/Tuple' info: $ref: '#/components/schemas/CheckResponseInfo' CreateBackupRequest: type: object properties: {} CreateBackupResponse: type: object properties: backupId: type: string CreateRelationsRequest: type: object properties: relations: type: array items: $ref: '#/components/schemas/Relation' CreateRelationsResponse: type: object properties: {} CreateTuplesRequest: type: object properties: tuples: type: array items: $ref: '#/components/schemas/Tuple' CreateTuplesResponse: type: object properties: {} DeleteAllTuplesResponse: type: object properties: {} DeleteBackupResponse: type: object properties: {} DeleteNamespaceRequest: type: object properties: name: type: string schemaName: type: string description: optional upgrade to the schema name DeleteNamespaceResponse: type: object properties: {} DeleteRelationDefinitionRequest: type: object properties: name: type: string namespace: type: string schemaName: type: string description: optional upgrade to the schema name DeleteRelationDefinitionResponse: type: object properties: {} DeleteRelationsForResourcesRequest: type: object properties: resources: type: array items: type: string DeleteRelationsForResourcesResponse: type: object properties: {} DeleteRelationsRequest: type: object properties: relations: type: array items: $ref: '#/components/schemas/Relation' DeleteRelationsResponse: type: object properties: {} DeleteResourceRelationsForResourcesRequest: type: object properties: resources: type: array items: type: string DeleteResourceRelationsForResourcesResponse: type: object properties: {} DeleteSchemaRequest: type: object properties: {} DeleteSchemaResponse: type: object properties: {} DeleteTuplesRequest: type: object properties: tuples: type: array items: $ref: '#/components/schemas/Tuple' DeleteTuplesResponse: type: object properties: {} GetBackupResponse: type: object properties: backup: $ref: '#/components/schemas/Backup' GetMappableSchemaResponse: type: object properties: schema: $ref: '#/components/schemas/Schema' mappableResources: type: array items: $ref: '#/components/schemas/MappableResources' GetModifiedRequest: type: object properties: since: type: string description: >- Changed since given milli epoch UTC time - optional, default to max changelog (change events) TTL GetModifiedResponse: type: object properties: targets: type: array items: type: string resources: type: array items: type: string schemaChanged: type: boolean HasRelationsRequest: type: object properties: relationQueries: type: array items: $ref: '#/components/schemas/RelationQuery' HasRelationsResponse: type: object properties: relationQueries: type: array items: $ref: '#/components/schemas/RelationQuery' directRelations: type: array items: type: boolean ListBackupsResponse: type: object properties: backups: type: array items: $ref: '#/components/schemas/Backup' LoadDSLSchemaResponse: type: object properties: dsl: type: string schema: $ref: '#/components/schemas/Schema' LoadResourcesDetailsRequest: type: object properties: resourceIdentifiers: type: array items: $ref: '#/components/schemas/ResourceIdentifier' description: Request message for loading details for resources LoadResourcesDetailsResponse: type: object properties: resourcesDetails: type: array items: $ref: '#/components/schemas/ResourceDetails' description: Response message for loading details for resources LoadSchemaRequest: type: object properties: {} LoadSchemaResponse: type: object properties: schema: $ref: '#/components/schemas/Schema' MappableResource: type: object properties: resource: type: string displayName: type: string MappableResourceQuery: type: object properties: type: type: string queries: type: array items: type: string MappableResources: type: object properties: type: type: string resources: type: array items: $ref: '#/components/schemas/MappableResource' Namespace: type: object properties: name: type: string description: Name of the namespace (entity type) relationDefinitions: type: array items: $ref: '#/components/schemas/RelationDefinition' description: The relation definitions belonging to the namespace Node: type: object properties: nType: type: string description: Node type can be either child, union, intersect or sub children: type: array items: $ref: '#/components/schemas/Node' description: For union, intersect or sub, the children nodes expression: allOf: - $ref: '#/components/schemas/NodeExpression' description: The expression for child nodes NodeExpression: type: object properties: neType: type: string description: >- Expression type can be either self, userSet, relationLeft, relationRight relationDefinition: type: string description: The name of the relation definition for self and relationLeft/Right relationDefinitionNamespace: type: string description: The namespace of the relation definition targetRelationDefinition: type: string description: >- The name of the relation definition for targetSet as well as type of relation for target relationLeft/Right targetRelationDefinitionNamespace: type: string description: The namespace of the target relation definition Relation: type: object properties: resource: type: string description: Relation is defined on the resource relationDefinition: type: string description: The name of the relation definition namespace: type: string description: The namespace of the relation definition target: type: string description: The target for given the relation targetNamespace: type: string description: The target namespace for the relation targetSetResource: type: string description: The targetSet target resource for the relation targetSetRelationDefinition: type: string description: The targetSet target relation definition for the relation targetSetRelationDefinitionNamespace: type: string description: The targetSet target relation definition namespace for the relation query: allOf: - $ref: '#/components/schemas/UserQuery' description: User query for a list of users target description: >- Relation is specified between resource and target where target can be direct target (user or related resource), targetSet (anyone who has another relation), and list of users matching query RelationDefinition: type: object properties: name: type: string description: Name of the relation definition complexDefinition: allOf: - $ref: '#/components/schemas/Node' description: >- Optional complex definition for complex (union, intersect, sub) relation definitions RelationQuery: type: object properties: resource: type: string relationDefinition: type: string namespace: type: string target: type: string hasRelation: type: boolean description: Query if the given resource has the given relation to the given user ResourceDetails: type: object properties: resourceId: type: string resourceType: type: string displayName: type: string ResourceIdentifier: type: object properties: resourceId: type: string resourceType: type: string ResourceRelationsRequest: type: object properties: resource: type: string ignoreTargetSetRelations: type: boolean ResourceRelationsResponse: type: object properties: relations: type: array items: $ref: '#/components/schemas/Relation' RestoreBackupRequest: type: object properties: backupId: type: string RestoreBackupResponse: type: object properties: autoBackupId: type: string SaveDSLSchemaRequest: type: object properties: dsl: type: string description: New API SaveDSLSchemaResponse: type: object properties: {} SaveNamespaceRequest: type: object properties: namespace: $ref: '#/components/schemas/Namespace' oldName: type: string description: Old name if we are renaming the namespace schemaName: type: string description: optional upgrade to the schema name SaveNamespaceResponse: type: object properties: {} SaveRelationDefinitionRequest: type: object properties: relationDefinition: $ref: '#/components/schemas/RelationDefinition' namespace: type: string oldName: type: string description: Old name if we are renaming the relation definition schemaName: type: string description: optional upgrade to the schema name SaveRelationDefinitionResponse: type: object properties: {} SaveResourcesDetailsRequest: type: object properties: resourcesDetails: type: array items: $ref: '#/components/schemas/ResourceDetails' description: Request message for saving details for resources SaveResourcesDetailsResponse: type: object properties: {} description: Response message for saving details for resources SaveSchemaDryDeletes: type: object properties: hasDeletes: type: boolean relations: type: array items: type: string types: type: array items: type: string SaveSchemaDryRunResponse: type: object properties: deletesPreview: $ref: '#/components/schemas/SaveSchemaDryDeletes' SaveSchemaRequest: type: object properties: schema: $ref: '#/components/schemas/Schema' upgrade: type: boolean SaveSchemaResponse: type: object properties: {} Schema: type: object properties: namespaces: type: array items: $ref: '#/components/schemas/Namespace' description: List of namespaces in the schema name: type: string SearchMappableResourcesResponse: type: object properties: mappableResources: type: array items: $ref: '#/components/schemas/MappableResources' TargetsRelationsRequest: type: object properties: targets: type: array items: type: string includeTargetSetRelations: type: boolean TargetsRelationsResponse: type: object properties: relations: type: array items: $ref: '#/components/schemas/Relation' Tuple: type: object properties: resource: type: string description: The resource identifier. example: document-123 resourceType: type: string description: The type of the resource. example: doc relation: type: string description: The relation between the resource and the target. example: editor target: type: string description: The target identifier (user, group, etc.). example: user-456 targetType: type: string description: The type of the target. example: user example: resource: document-123 resourceType: doc relation: editor target: user-456 targetType: user UserQuery: type: object properties: tenants: type: array items: type: string description: >- If not empty then users must be members of at least one of these tenants roles: type: array items: type: string description: If not empty then users must have one of the specified roles text: type: string description: >- Full text search across relevant columns (displayName, email, tenants, status) statuses: type: array items: type: string description: If not empty then users must be in one of the given statuses ssoOnly: type: boolean description: Return only users that have SSO external IDs default: false withTestUser: type: boolean description: Return also users which are test users customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value WhatCanTargetAccessRequest: type: object properties: target: type: string WhatCanTargetAccessResponse: type: object properties: relations: type: array items: $ref: '#/components/schemas/Relation' WhatCanTargetAccessWithRelationRequest: type: object properties: target: type: string relationDefinition: type: string namespace: type: string ParentTarget: type: string ParentRelationDefinition: type: string WhatCanTargetAccessWithRelationResponse: type: object properties: resources: type: array items: type: string WhoCanAccessRequest: type: object properties: resource: type: string relationDefinition: type: string namespace: type: string description: Query the list of users who have the relation to the resource WhoCanAccessResponse: type: object properties: targets: type: array items: type: string ReBACGroupsMapping: type: object properties: relations: type: array items: $ref: '#/components/schemas/ReBACGroupsMappingRelation' ReBACGroupsMappingRelation: type: object properties: resource: type: string description: Resource identifier of the relation relationDefinition: type: string description: The name of the relation definition namespace: type: string description: The namespace of the relation definition CustomAttribute: type: object properties: name: type: string type: type: integer format: int32 options: type: array items: $ref: '#/components/schemas/CustomAttributeOption' displayName: type: string defaultValue: $ref: '#/components/schemas/google.protobuf.Any' viewPermissions: type: array items: type: string editPermissions: type: array items: type: string editable: type: boolean description: this is to know if this specific user can edit this specific field description: |- this object is used in project exports, make sure any changes here are also applied in managementservice CustomAttributeOption: type: object properties: value: type: string label: type: string description: Custom Attributes CustomAttributesResponse: type: object properties: data: type: array items: $ref: '#/components/schemas/CustomAttribute' total: type: string DeleteCustomAttributesRequest: type: object properties: names: type: array items: type: string ImportCustomAttributesRequest: type: object properties: attributes: type: array items: $ref: '#/components/schemas/CustomAttribute' google.protobuf.Any: type: object properties: '@type': type: string description: The type of the serialized message. additionalProperties: true description: >- Contains an arbitrary serialized message along with a @type that describes the type of the serialized message. google.protobuf.Value: description: >- Represents a dynamically typed value which can be either null, a number, a string, a boolean, a recursive struct value, or a list of values. AccessKey: type: object properties: id: type: string name: type: string roleNames: type: array items: type: string keyTenants: type: array items: $ref: '#/components/schemas/AssociatedTenantAK' status: type: string createdTime: type: integer format: int32 expireTime: type: integer format: int32 createdBy: type: string clientId: type: string boundUserId: type: string customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value editable: type: boolean description: type: string permittedIps: type: array items: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value AccessKeyBatchRequest: type: object properties: ids: type: array items: type: string AccessKeyRequest: type: object properties: id: type: string AccessKeyResponse: type: object properties: key: $ref: '#/components/schemas/AccessKey' AccessKeysResponse: type: object properties: keys: type: array items: $ref: '#/components/schemas/AccessKey' AddIPsToListRequest: type: object properties: id: type: string ips: type: array items: type: string AddTextsToListRequest: type: object properties: id: type: string texts: type: array items: type: string AnonymousJWTResponse: type: object properties: sessionJwt: type: string refreshJwt: type: string cookieDomain: type: string cookiePath: type: string cookieMaxAge: type: integer format: int32 cookieExpiration: type: integer format: int32 AnonymousUserRequest: type: object properties: customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value selectedTenant: type: string refreshDuration: type: integer format: int32 roles: type: array items: type: string managementv1.ApplicationScope: type: object properties: name: type: string description: type: string optional: type: boolean values: type: array items: type: string description: Keep this message synchronized with the matching one in ProjectService managementv1.AssociatedTenant: type: object properties: tenantId: type: string roleNames: type: array items: type: string AssociatedTenantAK: type: object properties: tenantId: type: string roleNames: type: array items: type: string tenantName: type: string AttributeMapping: type: object properties: name: type: string email: type: string group: type: string givenName: type: string middleName: type: string familyName: type: string picture: type: string customAttributes: type: object additionalProperties: type: string AuditFilters: type: object properties: filterType: type: string operator: type: string values: type: array items: type: string AuthenticationSchemes: type: object properties: name: type: string description: type: string primary: type: boolean specUri: type: string type: type: string Bulk: type: object properties: supported: type: boolean maxOperations: type: integer format: int32 maxPayloadSize: type: integer format: int32 CheckIPInListRequest: type: object properties: id: type: string ip: type: string CheckIPInListResponse: type: object properties: exists: type: boolean CheckTextInListRequest: type: object properties: id: type: string text: type: string CheckTextInListResponse: type: object properties: exists: type: boolean ClearListRequest: type: object properties: id: type: string CloneProjectAsyncResponse: type: object properties: processId: type: string CloneProjectRequest: type: object properties: name: type: string environment: type: string tags: type: array items: type: string CloneProjectResponse: type: object properties: projectId: type: string projectName: type: string tag: type: string environment: type: string tags: type: array items: type: string ConfigurePasswordSettingsRequest: type: object properties: minLength: type: integer format: int32 lowercase: type: boolean uppercase: type: boolean number: type: boolean nonAlphanumeric: type: boolean expiration: type: boolean expirationWeeks: type: integer format: int32 reuse: type: boolean reuseAmount: type: integer format: int32 lock: type: boolean lockAttempts: type: integer format: int32 tenantId: type: string enabled: type: boolean tempLock: type: boolean tempLockAttempts: type: integer format: int32 tempLockDuration: type: integer format: int32 enablePasswordStrength: type: boolean passwordStrengthScore: type: integer format: int32 ConfigureSSOMappingsRequest: type: object properties: tenantId: type: string roleMappings: type: array items: $ref: '#/components/schemas/RoleMapping' attributeMapping: $ref: '#/components/schemas/AttributeMapping' defaultSSORoles: type: array items: type: string groupsPriority: type: array items: type: string ConfigureSSOMetadataRequest: type: object properties: tenantId: type: string idpMetadataURL: type: string redirectURL: type: string domains: type: array items: type: string domain: type: string description: Deprecated - use domains instead ConfigureSSOOIDCSettingsRequest: type: object properties: tenantId: type: string settings: $ref: '#/components/schemas/SSOOIDCSettings' domains: type: array items: type: string ssoId: type: string ConfigureSSORedirectURLRequest: type: object properties: tenantId: type: string samlRedirectUrl: type: string oauthRedirectUrl: type: string ssoId: type: string ConfigureSSOSAMLSettingsByMetadataRequest: type: object properties: tenantId: type: string settings: $ref: '#/components/schemas/SSOSAMLByMetadataSettings' redirectUrl: type: string domains: type: array items: type: string ssoId: type: string ConfigureSSOSAMLSettingsRequest: type: object properties: tenantId: type: string settings: $ref: '#/components/schemas/SSOSAMLSettings' redirectUrl: type: string domains: type: array items: type: string ssoId: type: string ConfigureSSOSettingsRequest: type: object properties: tenantId: type: string idpURL: type: string entityId: type: string idpCert: type: string redirectURL: type: string domains: type: array items: type: string domain: type: string description: Deprecated - use domains instead ConfigureTenantSettingsRequest: type: object properties: tenantId: type: string domains: type: array items: type: string selfProvisioningDomains: type: array items: type: string authType: type: string enabled: type: boolean refreshTokenExpiration: type: integer format: int32 refreshTokenExpirationUnit: type: string sessionTokenExpiration: type: integer format: int32 sessionTokenExpirationUnit: type: string stepupTokenExpiration: type: integer format: int32 stepupTokenExpirationUnit: type: string enableInactivity: type: boolean inactivityTime: type: integer format: int32 inactivityTimeUnit: type: string JITDisabled: type: boolean ssoSetupSuiteSettings: $ref: '#/components/schemas/SSOSetupSuiteSettings' ConnectOutboundAppOptions: type: object properties: redirectUrl: type: string scopes: type: array items: type: string prompt: type: array items: type: string loginHint: type: string resources: type: array items: type: string externalIdentifier: type: string ConnectOutboundAppRequest: type: object properties: appId: type: string options: $ref: '#/components/schemas/ConnectOutboundAppOptions' ConnectOutboundAppResponse: type: object properties: url: type: string ConnectorHTTPAPIKeyAuthentication: type: object properties: key: type: string token: type: string ConnectorHTTPAuthentication: type: object properties: bearerToken: type: string basic: $ref: '#/components/schemas/ConnectorHTTPBasicAuthentication' apiKey: $ref: '#/components/schemas/ConnectorHTTPAPIKeyAuthentication' ConnectorHTTPBasicAuthentication: type: object properties: username: type: string password: type: string CreateAccessKeyRequest: type: object properties: name: type: string expireTime: type: string roleNames: type: array items: type: string keyTenants: type: array items: $ref: '#/components/schemas/managementv1.AssociatedTenant' userId: type: string customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value description: type: string permittedIps: type: array items: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value CreateAccessKeyResponse: type: object properties: cleartext: type: string key: $ref: '#/components/schemas/AccessKey' CreateAdditionalSignKeyRequest: type: object properties: algorithm: type: string CreateAdditionalSignKeyResponse: type: object properties: {} CreateAuditRequest: type: object properties: userId: type: string action: type: string tenantId: type: string type: type: string actorId: type: string data: type: object CreateDescopersRequest: type: object properties: descopers: type: array items: $ref: '#/components/schemas/DescoperCreate' CreateDescopersResponse: type: object properties: descopers: type: array items: $ref: '#/components/schemas/Descoper' total: type: integer format: int32 CreateListRequest: type: object properties: name: type: string description: type: string type: type: string data: $ref: '#/components/schemas/google.protobuf.Value' CreateListResponse: type: object properties: list: $ref: '#/components/schemas/List' CreateManagementKeyRequest: type: object properties: name: type: string description: type: string expiresIn: type: string permittedIps: type: array items: type: string reBac: $ref: '#/components/schemas/ManagementKeyReBac' expireTime: type: string CreateManagementKeyResponse: type: object properties: cleartext: type: string key: $ref: '#/components/schemas/ManagementKey' CreateMcpServerClientRequest: type: object properties: name: type: string mcpServerId: type: string approvedCallbackUrls: type: array items: type: string scopes: type: array items: type: string tags: type: array items: type: string logo: type: string CreateMcpServerClientResponse: type: object properties: id: type: string cleartext: type: string clientId: type: string CreateMcpServerRequest: type: object properties: name: type: string description: type: string dynamicRegistration: $ref: '#/components/schemas/McpServerDynamicClientRegistration' audienceWhitelist: type: array items: type: string approvedScopes: $ref: '#/components/schemas/DynamicClientRegistrationApprovedScopes' approvedCallbackUrls: type: array items: type: string loginPageURL: type: string sessionSettings: $ref: '#/components/schemas/ThirdPartyApplicationSessionSettings' tags: type: array items: type: string logo: type: string cimdSettings: $ref: '#/components/schemas/CIMDSettings' skipConsentScreen: type: boolean consentFlowId: type: string consentFlowHostingURL: type: string description: Keep this message synchronized with the matching one in ProjectService CreateMcpServerResponse: type: object properties: server: $ref: '#/components/schemas/McpServer' CreateOutboundAppByDcrPresetRequest: type: object properties: dcrPresetId: type: string tenantId: type: string CreateOutboundAppByDcrPresetResponse: type: object properties: app: $ref: '#/components/schemas/OutboundApp' CreateOutboundAppByTemplateOverrides: type: object properties: name: type: string description: type: string logo: type: string discoveryUrl: type: string authorizationUrl: type: string authorizationUrlParams: type: array items: $ref: '#/components/schemas/URLParam' tokenUrl: type: string tokenUrlParams: type: array items: $ref: '#/components/schemas/URLParam' revocationUrl: type: string defaultScopes: type: array items: type: string defaultRedirectUrl: type: string callbackDomain: type: string pkce: type: boolean accessType: type: string prompt: type: array items: type: string useDcr: type: boolean dcrUrl: type: string CreateOutboundAppByTemplateRequest: type: object properties: clientId: type: string clientSecret: type: string tenantId: type: string id: type: string overrides: $ref: '#/components/schemas/CreateOutboundAppByTemplateOverrides' CreateOutboundAppByTemplateResponse: type: object properties: app: $ref: '#/components/schemas/OutboundApp' CreateOutboundAppRequest: type: object properties: id: type: string name: type: string description: type: string clientId: type: string description: >- string templateId = 4 [(validate).string = {std_len: true , optional: true}]; - will always be custom clientSecret: type: string logo: type: string discoveryUrl: type: string authorizationUrl: type: string authorizationUrlParams: type: array items: $ref: '#/components/schemas/URLParam' tokenUrl: type: string tokenUrlParams: type: array items: $ref: '#/components/schemas/URLParam' revocationUrl: type: string defaultScopes: type: array items: type: string defaultRedirectUrl: type: string callbackDomain: type: string pkce: type: boolean accessType: type: string prompt: type: array items: type: string appType: type: string useDcr: type: boolean dcrUrl: type: string tenantId: type: string CreateOutboundAppResponse: type: object properties: app: $ref: '#/components/schemas/OutboundApp' CreatePermissionRequest: type: object properties: name: type: string description: type: string CreatePermissionsRequest: type: object properties: permissions: type: array items: $ref: '#/components/schemas/CreatePermissionRequest' CreateRoleRequest: type: object properties: name: type: string description: type: string permissionNames: type: array items: type: string tenantId: type: string default: type: boolean private: type: boolean CreateRolesRequest: type: object properties: roles: type: array items: $ref: '#/components/schemas/CreateRoleRequest' CreateSSOApplicationResponse: type: object properties: id: type: string CreateTenantRequest: type: object properties: name: type: string id: type: string selfProvisioningDomains: type: array items: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value authType: type: string disabled: type: boolean enforceSSO: type: boolean enforceSSOExclusions: type: array items: type: string federatedAppIds: type: array items: type: string parent: type: string roleInheritance: type: string CreateTenantResponse: type: object properties: id: type: string CreateThirdPartyApplicationRequest: type: object properties: name: type: string description: type: string logo: type: string loginPageUrl: type: string approvedCallbackUrls: type: array items: type: string permissionsScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' attributesScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' consentFlowId: type: string logoUrl: type: string jwtBearerSettings: allOf: - $ref: '#/components/schemas/JWTBearerSettings' description: >- string backChannelLogoutUrl = 10 [(validate).string = {url: true, optional: true}]; sessionSettings: $ref: '#/components/schemas/ThirdPartyApplicationSessionSettings' nonConfidentialClient: type: boolean audienceWhitelist: type: array items: type: string clientId: type: string clientSecret: type: string forceAddAllAuthorizationInfo: type: boolean connectionsScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' defaultAudience: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value cibaSettings: $ref: '#/components/schemas/ThirdPartyApplicationCIBASettings' CreateThirdPartyApplicationResponse: type: object properties: id: type: string cleartext: type: string clientId: type: string CreateUpdateSSOOIDCApplicationRequest: type: object properties: id: type: string name: type: string description: type: string enabled: type: boolean logo: type: string loginPageUrl: type: string claims: type: array items: type: string forceAuthentication: type: boolean backChannelLogoutUrl: type: string jwtBearerSettings: $ref: '#/components/schemas/JWTBearerSettings' customIdpInitiatedLoginPageUrl: type: string CreateUpdateSSOSAMLApplicationRequest: type: object properties: id: type: string name: type: string description: type: string enabled: type: boolean logo: type: string loginPageUrl: type: string useMetadataInfo: type: boolean metadataUrl: type: string entityId: type: string acsUrl: type: string certificate: type: string attributeMapping: type: array items: $ref: '#/components/schemas/SAMLIDPAttributeMappingInfo' groupsMapping: type: array items: $ref: '#/components/schemas/SAMLIDPGroupsMappingInfo' acsAllowedCallbacks: type: array items: type: string subjectNameIdType: type: string subjectNameIdFormat: type: string defaultRelayState: type: string forceAuthentication: type: boolean logoutRedirectUrl: type: string errorRedirectURL: type: string defaultSignatureAlgorithm: type: string CreateUpdateSSOWSFedApplicationRequest: type: object properties: id: type: string name: type: string description: type: string enabled: type: boolean logo: type: string loginPageUrl: type: string realm: type: string replyUrl: type: string attributeMapping: type: array items: $ref: '#/components/schemas/SAMLIDPAttributeMappingInfo' groupsMapping: type: array items: $ref: '#/components/schemas/SAMLIDPGroupsMappingInfo' forceAuthentication: type: boolean logoutRedirectUrl: type: string errorRedirectURL: type: string CreateUserRequest: type: object properties: loginId: type: string email: type: string phone: type: string verifiedEmail: type: boolean verifiedPhone: type: boolean name: type: string roleNames: type: array items: type: string userTenants: type: array items: $ref: '#/components/schemas/managementv1.AssociatedTenant' invite: type: boolean test: type: boolean default: false customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value picture: type: string sendMail: type: boolean sendSMS: type: boolean additionalIdentifiers: type: array items: type: string inviteUrl: type: string password: type: string hashedPassword: $ref: '#/components/schemas/PasswordImport' givenName: type: string middleName: type: string familyName: type: string ssoAppIds: type: array items: type: string templateOptions: type: object additionalProperties: type: string status: type: string CreateUsers: type: object properties: loginId: type: string email: type: string phone: type: string verifiedEmail: type: boolean verifiedPhone: type: boolean name: type: string roleNames: type: array items: type: string userTenants: type: array items: $ref: '#/components/schemas/managementv1.AssociatedTenant' test: type: boolean default: false picture: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value password: type: string hashedPassword: $ref: '#/components/schemas/PasswordImport' additionalIdentifiers: type: array items: type: string givenName: type: string middleName: type: string familyName: type: string ssoAppIds: type: array items: type: string seed: type: string status: type: string createdTime: type: integer format: int32 CreateUsersFailureResponse: type: object properties: failure: type: string user: $ref: '#/components/schemas/ResponseUser' CreateUsersRequest: type: object properties: users: type: array items: $ref: '#/components/schemas/CreateUsers' invite: type: boolean sendMail: type: boolean sendSMS: type: boolean inviteUrl: type: string templateOptions: type: object additionalProperties: type: string CreateUsersResponse: type: object properties: createdUsers: type: array items: $ref: '#/components/schemas/ResponseUser' failedUsers: type: array items: $ref: '#/components/schemas/CreateUsersFailureResponse' additionalErrors: type: object additionalProperties: type: string DeleteDescoperResponse: type: object properties: {} DeleteListRequest: type: object properties: id: type: string DeleteManagementKeysRequest: type: object properties: ids: type: array items: type: string DeleteManagementKeysResponse: type: object properties: total: type: integer format: int32 DeleteMcpServerClientRequest: type: object properties: id: type: string mcpServerId: type: string DeleteMcpServerClientResponse: type: object properties: {} DeleteMcpServerClientsRequest: type: object properties: ids: type: array items: type: string mcpServerId: type: string DeleteMcpServerClientsResponse: type: object properties: {} DeleteMcpServerRequest: type: object properties: id: type: string DeleteMcpServerResponse: type: object properties: {} DeleteMcpServersRequest: type: object properties: ids: type: array items: type: string DeleteMcpServersResponse: type: object properties: {} DeleteOutboundAppRequest: type: object properties: id: type: string DeleteOutboundAppResponse: type: object properties: {} DeletePermissionRequest: type: object properties: name: type: string DeletePermissionsRequest: type: object properties: names: type: array items: type: string DeleteRoleRequest: type: object properties: name: type: string tenantId: type: string DeleteRolesRequest: type: object properties: roleNames: type: array items: type: string tenantId: type: string DeleteSSOApplicationRequest: type: object properties: id: type: string DeleteTenantRequest: type: object properties: id: type: string cascade: type: boolean DeleteThirdPartyApplicationConsentsRequest: type: object properties: consentIds: type: array items: type: string appId: type: string userIds: type: array items: type: string tenantId: type: string DeleteThirdPartyApplicationConsentsResponse: type: object properties: {} DeleteThirdPartyApplicationRequest: type: object properties: id: type: string DeleteThirdPartyApplicationTenantConsentsRequest: type: object properties: consentIds: type: array items: type: string appId: type: string tenantId: type: string DeleteThirdPartyApplicationsRequest: type: object properties: ids: type: array items: type: string DeleteUserRequest: type: object properties: loginId: type: string userId: type: string DeleteUsersRequest: type: object properties: userIds: type: array items: type: string Descoper: type: object properties: id: type: string attributes: $ref: '#/components/schemas/DescoperAttributes' rbac: $ref: '#/components/schemas/DescoperRBAC' status: type: string loginIDs: type: array items: type: string DescoperAttributes: type: object properties: displayName: type: string email: type: string phone: type: string description: Descopers DescoperCreate: type: object properties: loginId: type: string description: >- loginId is email-only for descoper creation for now, even if the full loginIds can be other types too. attributes: $ref: '#/components/schemas/DescoperAttributes' sendInvite: type: boolean rbac: $ref: '#/components/schemas/DescoperRBAC' DescoperProjectRole: type: object properties: projectIds: type: array items: type: string role: type: string DescoperRBAC: type: object properties: isCompanyAdmin: type: boolean tags: type: array items: $ref: '#/components/schemas/DescoperTagRole' projects: type: array items: $ref: '#/components/schemas/DescoperProjectRole' DescoperTagRole: type: object properties: tags: type: array items: type: string role: type: string EmbeddedLinkSignInRequest: type: object properties: loginId: type: string customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value timeout: type: integer format: int32 EmbeddedLinkSignUpOrInRequest: type: object properties: loginId: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' user: $ref: '#/components/schemas/SignUpUser' emailVerified: type: boolean phoneVerified: type: boolean timeout: type: integer format: int32 ExpireUserPasswordRequest: type: object properties: loginId: type: string ExportFlowLocalizationRequest: type: object properties: flowId: type: string ExportFlowLocalizationResponse: type: object properties: overrides: $ref: '#/components/schemas/FlowLocalizationOverrides' ExportMessagingLocalizationRequest: type: object properties: {} ExportMessagingLocalizationResponse: type: object properties: overrides: $ref: '#/components/schemas/TemplateLocalizationOverrides' ExportSnapshotRequest: type: object properties: format: type: string ExportSnapshotResponse: type: object properties: files: type: object FGACacheAPIMetrics: type: object properties: api: type: string hitCount: type: string missCount: type: string totalCalls: type: string avgHitCandidates: type: number format: double avgHitFiltered: type: number format: double avgResultSize: type: number format: double avgDurationMs: type: string minDurationMs: type: string maxDurationMs: type: string avgDurationHitMs: type: string minDurationHitMs: type: string maxDurationHitMs: type: string avgDurationMissMs: type: string minDurationMissMs: type: string maxDurationMissMs: type: string FetchLatestOutboundAppTenantTokenRequest: type: object properties: appId: type: string tenantId: type: string options: $ref: '#/components/schemas/FetchOutboundAppTokenOptions' externalIdentifier: type: string FetchLatestOutboundAppTenantTokenResponse: type: object properties: token: $ref: '#/components/schemas/OutboundAppToken' FetchLatestOutboundAppUserTokenRequest: type: object properties: appId: type: string userId: type: string tenantId: type: string options: $ref: '#/components/schemas/FetchOutboundAppTokenOptions' externalIdentifier: type: string FetchLatestOutboundAppUserTokenResponse: type: object properties: token: $ref: '#/components/schemas/OutboundAppToken' FetchOutboundAppTenantTokenRequest: type: object properties: appId: type: string tenantId: type: string scopes: type: array items: type: string options: $ref: '#/components/schemas/FetchOutboundAppTokenOptions' externalIdentifier: type: string FetchOutboundAppTenantTokenResponse: type: object properties: token: $ref: '#/components/schemas/OutboundAppToken' FetchOutboundAppTokenOptions: type: object properties: withRefreshToken: type: boolean forceRefresh: type: boolean FetchOutboundAppUserTokenRequest: type: object properties: appId: type: string userId: type: string scopes: type: array items: type: string options: $ref: '#/components/schemas/FetchOutboundAppTokenOptions' tenantId: type: string externalIdentifier: type: string FetchOutboundAppUserTokenResponse: type: object properties: token: $ref: '#/components/schemas/OutboundAppToken' Filter: type: object properties: supported: type: boolean maxResults: type: integer format: int32 GenerateClientAssertionJWTRequest: type: object properties: issuer: type: string subject: type: string audience: type: array items: type: string expiresIn: type: integer format: int32 flattenAudience: type: boolean algorithm: type: string GenerateJWTSignInRequest: type: object properties: loginId: type: string stepup: type: boolean customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value mfa: type: boolean ssoAppId: type: string revokeOtherSessions: type: boolean jwt: type: string refreshDuration: type: integer format: int32 selectedTenantId: type: string GenerateSimpleJWTResponse: type: object properties: jwt: type: string GenerateTenantAdminLinkRequest: type: object properties: tenantId: type: string expireTime: type: string email: type: string ssoId: type: string GenerateTenantAdminLinkResponse: type: object properties: adminSSOConfigurationLink: type: string GetAllListsResponse: type: object properties: lists: type: array items: $ref: '#/components/schemas/List' GetCloneProjectProcessResponse: type: object properties: projectId: type: string projectName: type: string error: type: string GetDescoperResponse: type: object properties: descoper: $ref: '#/components/schemas/Descoper' GetLicenseResponse: type: object properties: rateLimitTier: type: string GetListByNameResponse: type: object properties: list: $ref: '#/components/schemas/List' GetListResponse: type: object properties: list: $ref: '#/components/schemas/List' GetManagementKeyResponse: type: object properties: key: $ref: '#/components/schemas/ManagementKey' GetMcpServerClientSecretRequest: type: object properties: id: type: string mcpServerId: type: string GetMcpServerClientSecretResponse: type: object properties: cleartext: type: string GetPasswordSettingsResponse: type: object properties: minLength: type: integer format: int32 lowercase: type: boolean uppercase: type: boolean number: type: boolean nonAlphanumeric: type: boolean expiration: type: boolean expirationWeeks: type: integer format: int32 reuse: type: boolean reuseAmount: type: integer format: int32 lock: type: boolean lockAttempts: type: integer format: int32 tenantId: type: string enabled: type: boolean tempLock: type: boolean tempLockAttempts: type: integer format: int32 tempLockDuration: type: integer format: int32 enablePasswordStrength: type: boolean passwordStrengthScore: type: integer format: int32 GetSSOSettingsResponse: type: object properties: tenantId: type: string idpEntityId: type: string idpSSOUrl: type: string idpCertificate: type: string idpMetadataUrl: type: string spEntityId: type: string spACSUrl: type: string spCertificate: type: string userMapping: $ref: '#/components/schemas/UserMapping' groupsMapping: type: array items: $ref: '#/components/schemas/GroupsMapping' redirectUrl: type: string domains: type: array items: type: string domain: type: string description: Deprecated - use domains instead description: deprecated GetTenantAdminLinkSSOForAuthenticateUsersRequest: type: object properties: tenantId: type: string GetTenantSettingsResponse: type: object properties: domains: type: array items: type: string selfProvisioningDomains: type: array items: type: string authType: type: string enabled: type: boolean refreshTokenExpiration: type: integer format: int32 refreshTokenExpirationUnit: type: string sessionTokenExpiration: type: integer format: int32 sessionTokenExpirationUnit: type: string stepupTokenExpiration: type: integer format: int32 stepupTokenExpirationUnit: type: string enableInactivity: type: boolean inactivityTime: type: integer format: int32 inactivityTimeUnit: type: string JITDisabled: type: boolean ssoSetupSuiteSettings: $ref: '#/components/schemas/SSOSetupSuiteSettings' GetThirdPartyApplicationSecretResponse: type: object properties: cleartext: type: string Group: type: object properties: id: type: string display: type: string members: type: array items: $ref: '#/components/schemas/GroupMember' GroupMember: type: object properties: loginId: type: string userId: type: string display: type: string GroupsMapping: type: object properties: role: $ref: '#/components/schemas/RoleItem' groups: type: array items: type: string ImpersonateRequest: type: object properties: loginId: type: string impersonatorId: type: string validateConsent: type: boolean customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value selectedTenant: type: string refreshDuration: type: integer format: int32 ImportAccessKeyRequest: type: object properties: name: type: string expireTime: type: string roleNames: type: array items: type: string keyTenants: type: array items: $ref: '#/components/schemas/managementv1.AssociatedTenant' userId: type: string customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value description: type: string permittedIps: type: array items: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value cleartext: type: string ImportAccessKeysRequest: type: object properties: keys: type: array items: $ref: '#/components/schemas/ImportAccessKeyRequest' ImportAccessKeysResponse: type: object properties: keys: type: array items: $ref: '#/components/schemas/AccessKey' ImportFlowLocalizationRequest: type: object properties: flowId: type: string overrides: $ref: '#/components/schemas/FlowLocalizationOverrides' ImportFlowLocalizationResponse: type: object properties: overrides: $ref: '#/components/schemas/FlowLocalizationOverrides' ImportListsRequest: type: object properties: lists: type: array items: $ref: '#/components/schemas/List' ImportMessagingLocalizationRequest: type: object properties: overrides: $ref: '#/components/schemas/TemplateLocalizationOverrides' ImportMessagingLocalizationResponse: type: object properties: overrides: $ref: '#/components/schemas/TemplateLocalizationOverrides' ImportSnapshotRequest: type: object properties: files: type: object excludes: type: array items: type: string inputSecrets: $ref: '#/components/schemas/SnapshotSecrets' ImportUserPasskeysRequest: type: object properties: loginId: type: string devices: type: array items: $ref: '#/components/schemas/WebauthnImportDevice' ImportUsersFailure: type: object properties: user: type: string reason: type: string ImportUsersRequest: type: object properties: source: type: string dryrun: type: boolean users: type: string format: bytes hashes: type: string format: bytes ImportUsersResponse: type: object properties: users: type: array items: $ref: '#/components/schemas/ResponseUser' failures: type: array items: $ref: '#/components/schemas/ImportUsersFailure' InfraCreateRequest: type: object properties: entity: type: string data: type: object InfraResponse: type: object properties: entity: type: string id: type: string data: type: object InfraUpdateRequest: type: object properties: entity: type: string id: type: string data: type: object IssuerSettings: type: object properties: jwksUri: type: string signAlgorithm: type: string userInfoUri: type: string externalIdFieldName: type: string JWTBearerSettings: type: object properties: issuers: type: object additionalProperties: $ref: '#/components/schemas/IssuerSettings' jwtBearerGrantTypeAudienceToUse: type: string jwtBearerGrantTypeScopeToUse: type: string jwtBearerGrantTypeCustomClaimsToUse: type: string managementv1.JWTResponse: type: object properties: jwt: type: string List: type: object properties: id: type: string name: type: string description: type: string type: type: string data: $ref: '#/components/schemas/google.protobuf.Value' description: Lists ListDescopersRequest: type: object properties: {} ListDescopersResponse: type: object properties: descopers: type: array items: $ref: '#/components/schemas/Descoper' total: type: integer format: int32 ListFlowTemplatesResponse: type: object properties: templates: type: array items: $ref: '#/components/schemas/FlowTemplate' total: type: integer format: int32 ListFlowsResponse: type: object properties: flows: type: array items: $ref: '#/components/schemas/Flow' total: type: integer format: int32 ListProjectsRequest: type: object properties: {} ListProjectsResponse: type: object properties: projects: type: array items: $ref: '#/components/schemas/Project' ListTrustedDevicesForUsersRequest: type: object properties: identifiers: type: array items: type: string description: The users' login identifiers (external ID or ID). ListTrustedDevicesForUsersResponse: type: object properties: devices: type: array items: $ref: '#/components/schemas/TrustedDevice' ListUserOutboundAppsWithValidUserTokenResponse: type: object properties: appIds: type: array items: type: string ListWidgetsResponse: type: object properties: widgets: type: array items: $ref: '#/components/schemas/Widget' LoadAllMcpServersRequest: type: object properties: {} LoadAllMcpServersResponse: type: object properties: servers: type: array items: $ref: '#/components/schemas/McpServer' total: type: integer format: int32 LoadAllSSOApplicationsResponse: type: object properties: apps: type: array items: $ref: '#/components/schemas/SSOApplication' LoadAllSSOSettingsResponse: type: object properties: SSOSettings: type: array items: $ref: '#/components/schemas/LoadSSOSettingsResponse' LoadAllTenantsResponse: type: object properties: tenants: type: array items: $ref: '#/components/schemas/Tenant' LoadAllThirdPartyApplicationsResponse: type: object properties: apps: type: array items: $ref: '#/components/schemas/ThirdPartyApplication' total: type: integer format: int32 LoadGroupMembersRequest: type: object properties: tenantId: type: string groupId: type: string LoadGroupMembersResponse: type: object properties: groups: type: array items: $ref: '#/components/schemas/Group' LoadGroupsRequest: type: object properties: tenantId: type: string LoadGroupsResponse: type: object properties: groups: type: array items: $ref: '#/components/schemas/Group' LoadMcpServerClientRequest: type: object properties: id: type: string clientId: type: string mcpServerId: type: string LoadMcpServerClientResponse: type: object properties: client: $ref: '#/components/schemas/McpServerClient' LoadMcpServerRequest: type: object properties: id: type: string LoadMcpServerResponse: type: object properties: server: $ref: '#/components/schemas/McpServer' LoadMemberGroupsRequest: type: object properties: tenantId: type: string loginIds: type: array items: type: string userIds: type: array items: type: string LoadMemberGroupsResponse: type: object properties: groups: type: array items: $ref: '#/components/schemas/Group' LoadOutboundAppResponse: type: object properties: app: $ref: '#/components/schemas/OutboundApp' LoadOutboundAppsResponse: type: object properties: apps: type: array items: $ref: '#/components/schemas/OutboundApp' LoadPermissionsResponse: type: object properties: permissions: type: array items: $ref: '#/components/schemas/Permission' LoadRolesResponse: type: object properties: roles: type: array items: $ref: '#/components/schemas/Role' LoadSSOApplicationResponse: type: object properties: app: $ref: '#/components/schemas/SSOApplication' LoadSSOSettingsResponse: type: object properties: tenant: $ref: '#/components/schemas/Tenant' saml: $ref: '#/components/schemas/SamlSettingsResponse' oidc: $ref: '#/components/schemas/SSOOIDCSettings' ssoId: type: string LoadTenantResponse: type: object properties: tenant: $ref: '#/components/schemas/Tenant' LoadThirdPartyApplicationResponse: type: object properties: app: $ref: '#/components/schemas/ThirdPartyApplication' LoadUsersRequest: type: object properties: userIds: type: array items: type: string description: >- max len will be validated in app level, so we can control it with an env var includeInvalidUsers: type: boolean ManagementKey: type: object properties: id: type: string name: type: string description: type: string status: type: string createdTime: type: integer format: int32 expireTime: type: integer format: int32 permittedIps: type: array items: type: string reBac: $ref: '#/components/schemas/ManagementKeyReBac' version: type: integer format: int32 authzVersion: type: integer format: int32 ManagementKeyProjectRole: type: object properties: projectIds: type: array items: type: string roles: type: array items: type: string ManagementKeyReBac: type: object properties: companyRoles: type: array items: type: string projectRoles: type: array items: $ref: '#/components/schemas/ManagementKeyProjectRole' tagRoles: type: array items: $ref: '#/components/schemas/ManagementKeyTagRole' ManagementKeyTagRole: type: object properties: tags: type: array items: type: string roles: type: array items: type: string description: Management key McpServer: type: object properties: id: type: string name: type: string description: type: string dynamicRegistration: $ref: '#/components/schemas/McpServerDynamicClientRegistration' audienceWhitelist: type: array items: type: string approvedScopes: $ref: '#/components/schemas/DynamicClientRegistrationApprovedScopes' approvedCallbackUrls: type: array items: type: string loginPageURL: type: string sessionSettings: $ref: '#/components/schemas/ThirdPartyApplicationSessionSettings' tags: type: array items: type: string logo: type: string cimdSettings: $ref: '#/components/schemas/CIMDSettings' skipConsentScreen: type: boolean description: Keep this message synchronized with the matching one in ProjectService McpServerClient: type: object properties: id: type: string name: type: string clientId: type: string mcpServerId: type: string approvedCallbackUrls: type: array items: type: string scopes: type: array items: type: string tags: type: array items: type: string logo: type: string registrationType: type: string status: type: string McpServerDynamicClientRegistration: type: object properties: enabled: type: boolean disableApprovedScopesAsDefault: type: boolean flowId: type: string description: Keep this message synchronized with the matching one in ProjectService NewSSOSettingsRequest: type: object properties: tenantId: type: string ssoId: type: string displayName: type: string OAuthUserDataClaimsMapping: type: object properties: loginId: type: string username: type: string name: type: string email: type: string verifiedEmail: type: string verifiedPhone: type: string picture: type: string givenName: type: string middleName: type: string familyName: type: string customAttributes: type: object additionalProperties: type: string group: type: string description: >- Note that this is used both in SSO settings and in OAuth settings import/export, make sure not to change any fields which might break backwards compatibility with existing exported project data OutboundApp: type: object properties: id: type: string name: type: string description: type: string clientId: type: string logo: type: string discoveryUrl: type: string authorizationUrl: type: string authorizationUrlParams: type: array items: $ref: '#/components/schemas/URLParam' tokenUrl: type: string tokenUrlParams: type: array items: $ref: '#/components/schemas/URLParam' revocationUrl: type: string defaultScopes: type: array items: type: string defaultRedirectUrl: type: string callbackDomain: type: string pkce: type: boolean accessType: type: string prompt: type: array items: type: string clientSecret: type: string appType: type: string useDcr: type: boolean dcrUrl: type: string tenantId: type: string OutboundAppToken: type: object properties: id: type: string appId: type: string userId: type: string tokenSub: type: string accessToken: type: string accessTokenType: type: string accessTokenExpiry: type: string hasRefreshToken: type: boolean refreshToken: type: string lastRefreshTime: type: string lastRefreshError: type: string scopes: type: array items: type: string tenantId: type: string grantedBy: type: string externalIdentifier: type: string PatchThirdPartyApplicationRequest: type: object properties: id: type: string name: type: string description: type: string logo: type: string loginPageUrl: type: string approvedCallbackUrls: type: array items: type: string permissionsScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' attributesScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' logoUrl: type: string jwtBearerSettings: allOf: - $ref: '#/components/schemas/JWTBearerSettings' description: >- string backChannelLogoutUrl = 10 [(validate).string = {url: true, optional: true}]; sessionSettings: $ref: '#/components/schemas/ThirdPartyApplicationSessionSettings' audienceWhitelist: type: array items: type: string forceAddAllAuthorizationInfo: type: boolean connectionsScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' defaultAudience: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value cibaSettings: $ref: '#/components/schemas/ThirdPartyApplicationCIBASettings' PatchUserBatchFailureResponse: type: object properties: failure: type: string user: $ref: '#/components/schemas/ResponseUser' PatchUserBatchRequest: type: object properties: users: type: array items: $ref: '#/components/schemas/PatchUserRequest' PatchUserBatchResponse: type: object properties: patchedUsers: type: array items: $ref: '#/components/schemas/ResponseUser' failedUsers: type: array items: $ref: '#/components/schemas/PatchUserBatchFailureResponse' additionalErrors: type: object additionalProperties: type: string PatchUserRequest: type: object properties: loginId: type: string email: type: string phone: type: string verifiedEmail: type: boolean verifiedPhone: type: boolean name: type: string roleNames: $ref: '#/components/schemas/google.protobuf.Value' userTenants: $ref: '#/components/schemas/google.protobuf.Value' status: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value picture: type: string givenName: type: string middleName: type: string familyName: type: string ssoAppIds: $ref: '#/components/schemas/google.protobuf.Value' additionalIdentifiers: type: array items: type: string Permission: type: object properties: name: type: string description: type: string systemDefault: type: boolean Project: type: object properties: id: type: string name: type: string tag: type: string environment: type: string tags: type: array items: type: string RecalculateSSOMappingsRequest: type: object properties: tenantId: type: string ssoId: type: string RecalculateSSOMappingsResponse: type: object properties: {} RegisterThirdPartyApplicationRequest: type: object properties: projectId: type: string description: Auto fill by proto from the requested URL client_name: type: string description: Spec fields client_uri: type: string redirect_uris: type: array items: type: string description: >- repeated string redirectUris = 4 [json_name = "redirect_uris", (validate).repeated = {min_items: 1, items: {string: {url: true}}}]; logo_uri: type: string scope: type: string token_endpoint_auth_method: type: string grant_types: type: array items: type: string response_types: type: array items: type: string description: type: string description: Extension fields logo_content: type: string permissions_scopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' attributes_scopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' consent_flow_id: type: string login_page_url: type: string jwtBearerSettings: allOf: - $ref: '#/components/schemas/JWTBearerSettings' description: >- string backChannelLogoutUrl = 16 [(validate).string = {url: true, optional: true}]; sessionSettings: $ref: '#/components/schemas/ThirdPartyApplicationSessionSettings' audienceWhitelist: type: array items: type: string connections_scopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' mcpServerId: type: string description: Auto fill by proto from the requested URL (only in agentic hub) defaultAudience: type: string skipConsentScreen: type: boolean useResources: type: boolean RegisterThirdPartyApplicationResponse: type: object properties: client_id: type: string client_name: type: string redirect_uris: type: array items: type: string client_id_issued_at: type: integer format: int32 client_secret: type: string client_secret_expires_at: type: integer format: int32 grant_types: type: array items: type: string response_types: type: array items: type: string token_endpoint_auth_method: type: string client_uri: type: string logo_uri: type: string description: type: string scope: type: string login_page_url: type: string jwt_bearer_settings: allOf: - $ref: '#/components/schemas/JWTBearerSettings' description: >- string backChannelLogoutUrl = 15 [(validate).string = {url: true, optional: true}]; session_settings: $ref: '#/components/schemas/ThirdPartyApplicationSessionSettings' audienceWhitelist: type: array items: type: string RemoveIPsFromListRequest: type: object properties: id: type: string ips: type: array items: type: string RemoveSSOSuffixFromExternalIdRequest: type: object properties: tenantId: type: string RemoveTextsFromListRequest: type: object properties: id: type: string texts: type: array items: type: string RemoveUserPasskeysRequest: type: object properties: loginId: type: string RemoveUserTOTPRequest: type: object properties: loginId: type: string ReportFGACacheMetricsRequest: type: object properties: metrics: type: array items: $ref: '#/components/schemas/FGACacheAPIMetrics' ResourceType: type: object properties: schemas: type: array items: type: string id: type: string name: type: string description: type: string endpoint: type: string schema: type: string RevokeTenantAdminLinkRequest: type: object properties: tenantId: type: string ssoId: type: string Role: type: object properties: name: type: string description: type: string permissionNames: type: array items: type: string createdTime: type: integer format: int32 tenantId: type: string default: type: boolean private: type: boolean RoleItem: type: object properties: id: type: string name: type: string RoleMapping: type: object properties: groups: type: array items: type: string roleName: type: string RotateMcpServerClientSecretRequest: type: object properties: id: type: string mcpServerId: type: string RotateMcpServerClientSecretResponse: type: object properties: cleartext: type: string RotateThirdPartyApplicationSecretRequest: type: object properties: id: type: string RotateThirdPartyApplicationSecretResponse: type: object properties: cleartext: type: string SAMLIDPAttributeMappingInfo: type: object properties: name: type: string type: type: string value: type: string SAMLIDPGroupsMappingInfo: type: object properties: name: type: string type: type: string filterType: type: string value: type: string roles: type: array items: $ref: '#/components/schemas/SAMLIDPRoleGroupMappingInfo' SAMLIDPRoleGroupMappingInfo: type: object properties: id: type: string name: type: string SCIMGetGroupsResponse: type: object properties: totalResults: type: integer format: int32 startIndex: type: integer format: int32 itemsPerPage: type: integer format: int32 schemas: type: array items: type: string Resources: type: array items: $ref: '#/components/schemas/SCIMGroupResponse' detail: type: string status: type: integer format: int32 SCIMGetUserResponse: type: object properties: user: $ref: '#/components/schemas/SCIMGetUsersResource' SCIMGetUsersResource: type: object properties: schemas: type: array items: type: string id: type: string userName: type: string meta: $ref: '#/components/schemas/SCIMGetUsersResourceMeta' emails: type: array items: $ref: '#/components/schemas/SCIMUserEmail' name: $ref: '#/components/schemas/SCIMUserName' active: type: boolean displayName: type: string detail: type: string attributes: type: object status: type: integer format: int32 SCIMGetUsersResourceMeta: type: object properties: created: type: object location: type: string lastModified: type: object resourceType: type: string SCIMGetUsersResponse: type: object properties: totalResults: type: integer format: int32 startIndex: type: integer format: int32 itemsPerPage: type: integer format: int32 schemas: type: array items: type: string Resources: type: array items: $ref: '#/components/schemas/SCIMGetUsersResource' detail: type: string status: type: integer format: int32 SCIMGroupMember: type: object properties: value: type: string display: type: string SCIMGroupRequest: type: object properties: groupId: type: string displayName: type: string members: type: array items: $ref: '#/components/schemas/SCIMGroupMember' externalId: type: string excludedAttributes: type: string SCIMGroupResourceMeta: type: object properties: created: type: object location: type: string lastModified: type: object resourceType: type: string SCIMGroupResponse: type: object properties: displayName: type: string schemas: type: array items: type: string id: type: string members: type: array items: $ref: '#/components/schemas/SCIMGroupMember' meta: $ref: '#/components/schemas/SCIMGroupResourceMeta' externalId: type: string detail: type: string status: type: integer format: int32 SCIMPatchOperation: type: object properties: op: type: string path: type: string valueString: type: string description: >- The following values are manipulated by the marshaler in httpgateway/marshaler.go in case of changing or adding new ones, need to edit the marshaler as well valueBoolean: type: boolean valueArray: type: array items: $ref: '#/components/schemas/SCIMPatchOperationValue' valueID: type: string valueDisplayName: type: string SCIMPatchOperationValue: type: object properties: value: type: string description: >- The following values are manipulated by the marshaler in httpgateway/marshaler.go in case of changing or adding new ones, need to edit the marshaler as well display: type: string SCIMPatchRequest: type: object properties: userId: type: string groupId: type: string operations: type: array items: $ref: '#/components/schemas/SCIMPatchOperation' SCIMResourceTypesResponse: type: object properties: values: type: array items: $ref: '#/components/schemas/ResourceType' SCIMServiceProviderConfigResponse: type: object properties: schemas: type: array items: type: string documentationUri: type: string patch: $ref: '#/components/schemas/Supported' bulk: $ref: '#/components/schemas/Bulk' filter: $ref: '#/components/schemas/Filter' changePassword: $ref: '#/components/schemas/Supported' sort: $ref: '#/components/schemas/Supported' etag: $ref: '#/components/schemas/Supported' authenticationSchemes: type: array items: $ref: '#/components/schemas/AuthenticationSchemes' SCIMUserEmail: type: object properties: value: type: string primary: type: boolean type: type: string SCIMUserName: type: object properties: givenName: type: string familyName: type: string middleName: type: string SCIMUserPhoneNumber: type: object properties: value: type: string primary: type: boolean type: type: string SCIMUserRequest: type: object properties: userId: type: string displayName: type: string description: >- The following values are manipulated by the marshaler in httpgateway/marshaler.go in case of changing or adding new ones, need to edit the marshaler as well emails: type: array items: $ref: '#/components/schemas/SCIMUserEmail' active: type: boolean name: $ref: '#/components/schemas/SCIMUserName' userName: type: string attributes: type: object SSOApplication: type: object properties: id: type: string name: type: string description: |- int64 version - excluded int64 createdTime - excluded string projectId - copied description: type: string enabled: type: boolean logo: type: string appType: type: string samlSettings: $ref: '#/components/schemas/SSOApplicationSAMLSettings' oidcSettings: $ref: '#/components/schemas/SSOApplicationOIDCSettings' customSettings: $ref: '#/components/schemas/SSOApplicationCustomSettings' wsfedSettings: $ref: '#/components/schemas/SSOApplicationWSFedSettings' SSOApplicationCustomSettings: type: object properties: loginPageUrl: type: string SSOApplicationOIDCSettings: type: object properties: loginPageUrl: type: string issuer: type: string discoveryUrl: type: string claims: type: array items: type: string forceAuthentication: type: boolean jwtBearerSettings: $ref: '#/components/schemas/JWTBearerSettings' backChannelLogoutUrl: type: string customIdpInitiatedLoginPageUrl: type: string SSOApplicationSAMLSettings: type: object properties: loginPageUrl: type: string idpCert: type: string useMetadataInfo: type: boolean metadataUrl: type: string entityId: type: string acsUrl: type: string certificate: type: string attributeMapping: type: array items: $ref: '#/components/schemas/SAMLIDPAttributeMappingInfo' groupsMapping: type: array items: $ref: '#/components/schemas/SAMLIDPGroupsMappingInfo' idpMetadataUrl: type: string idpEntityId: type: string idpSsoUrl: type: string acsAllowedCallbacks: type: array items: type: string subjectNameIdType: type: string subjectNameIdFormat: type: string defaultRelayState: type: string idpInitiatedUrl: type: string forceAuthentication: type: boolean idpLogoutUrl: type: string logoutRedirectUrl: type: string errorRedirectURL: type: string defaultSignatureAlgorithm: type: string SSOApplicationWSFedSettings: type: object properties: loginPageUrl: type: string realm: type: string replyUrl: type: string attributeMapping: type: array items: $ref: '#/components/schemas/SAMLIDPAttributeMappingInfo' groupsMapping: type: array items: $ref: '#/components/schemas/SAMLIDPGroupsMappingInfo' forceAuthentication: type: boolean logoutRedirectUrl: type: string errorRedirectURL: type: string idpCert: type: string idpInitiatedUrl: type: string idpMetadataUrl: type: string idpEntityId: type: string idpSsoUrl: type: string SSOOIDCSettings: type: object properties: name: type: string clientId: type: string clientSecret: type: string redirectUrl: type: string authUrl: type: string tokenUrl: type: string userDataUrl: type: string scope: type: array items: type: string JWKsUrl: type: string userAttrMapping: $ref: '#/components/schemas/OAuthUserDataClaimsMapping' manageProviderTokens: type: boolean callbackDomain: type: string prompt: type: array items: type: string grantType: type: string issuer: type: string groupsMapping: type: array items: $ref: '#/components/schemas/GroupsMapping' defaultSSORoles: type: array items: type: string fgaMappings: type: object additionalProperties: $ref: '#/components/schemas/ReBACGroupsMapping' roleMappings: type: array items: $ref: '#/components/schemas/RoleMapping' providerID: type: string scimProviderID: type: string groupsPriority: type: array items: type: string SSOSAMLByMetadataSettings: type: object properties: idpMetadataUrl: type: string roleMappings: type: array items: $ref: '#/components/schemas/RoleMapping' attributeMapping: $ref: '#/components/schemas/AttributeMapping' spEncryptionKey: type: string spSignKey: type: string subjectNameIdFormat: type: string spACSUrl: type: string spEntityId: type: string defaultSSORoles: type: array items: type: string fgaMappings: type: object additionalProperties: $ref: '#/components/schemas/ReBACGroupsMapping' configFGATenantIDResourcePrefix: type: string configFGATenantIDResourceSuffix: type: string groupsPriority: type: array items: type: string SSOSAMLSettings: type: object properties: idpUrl: type: string entityId: type: string idpCert: type: string roleMappings: type: array items: $ref: '#/components/schemas/RoleMapping' attributeMapping: $ref: '#/components/schemas/AttributeMapping' spEncryptionKey: type: string spSignKey: type: string subjectNameIdFormat: type: string spACSUrl: type: string spEntityId: type: string defaultSSORoles: type: array items: type: string fgaMappings: type: object additionalProperties: $ref: '#/components/schemas/ReBACGroupsMapping' configFGATenantIDResourcePrefix: type: string configFGATenantIDResourceSuffix: type: string idpAdditionalCerts: type: array items: type: string groupsPriority: type: array items: type: string SSOSetupSuiteSettings: type: object properties: enabled: type: boolean styleId: type: string disabledFeatures: $ref: '#/components/schemas/SSOSetupSuiteSettingsDisabledFeatures' SSOSetupSuiteSettingsDisabledFeatures: type: object properties: saml: type: boolean oidc: type: boolean scim: type: boolean ssoDomains: type: boolean groupMapping: type: boolean SamlSettingsResponse: type: object properties: idpEntityId: type: string idpSSOUrl: type: string idpCertificate: type: string idpMetadataUrl: type: string spEntityId: type: string spACSUrl: type: string spCertificate: type: string attributeMapping: $ref: '#/components/schemas/UserMapping' groupsMapping: type: array items: $ref: '#/components/schemas/GroupsMapping' redirectUrl: type: string spSignCertificate: type: string subjectNameIdFormat: type: string defaultSSORoles: type: array items: type: string fgaMappings: type: object additionalProperties: $ref: '#/components/schemas/ReBACGroupsMapping' providerID: type: string scimProviderID: type: string configFGATenantIDResourcePrefix: type: string configFGATenantIDResourceSuffix: type: string idpAdditionalCertificates: type: array items: type: string groupsPriority: type: array items: type: string SearchAccessKeysRequest: type: object properties: tenantIds: type: array items: type: string text: type: string sort: type: array items: $ref: '#/components/schemas/SortField' boundUserId: type: string creatingUser: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value SearchFGAMappableResourcesRequest: type: object properties: tenantId: type: string resourcesQueries: type: array items: $ref: '#/components/schemas/MappableResourceQuery' resourcesLimit: type: string SearchManagementKeysResponse: type: object properties: keys: type: array items: $ref: '#/components/schemas/ManagementKey' SearchMcpServerClientsRequest: type: object properties: mcpServerId: type: string page: type: integer format: int32 limit: type: integer format: int32 text: type: string name: type: string clientId: type: string status: type: string registrationMethod: type: string tag: type: string sort: type: array items: $ref: '#/components/schemas/SortField' SearchMcpServerClientsResponse: type: object properties: clients: type: array items: $ref: '#/components/schemas/McpServerClient' total: type: integer format: int32 SearchRolesRequest: type: object properties: tenantIds: type: array items: type: string roleNames: type: array items: type: string roleNameLike: type: string permissionNames: type: array items: type: string text: type: string description: Full text search across relevant columns sort: type: array items: $ref: '#/components/schemas/SortField' includeProjectRoles: type: boolean description: relevant when tenantIds are set SearchTenantsRequest: type: object properties: tenantIds: type: array items: type: string tenantNames: type: array items: type: string tenantSelfProvisioningDomains: type: array items: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value authType: type: string tenantSSODomains: type: array items: type: string parentTenantId: type: string topLevelOnly: type: boolean SearchThirdPartyApplicationConsentsRequest: type: object properties: appId: type: string userId: type: string consentId: type: string page: type: integer description: Page number starting with 0 for the first page format: int32 tenantId: type: string limit: type: integer format: int32 SearchThirdPartyApplicationConsentsResponse: type: object properties: consents: type: array items: $ref: '#/components/schemas/ThirdPartyApplicationConsent' total: type: integer format: int32 SearchUsersRequest: type: object properties: loginId: type: string description: Search for specific login ID tenantIds: type: array items: type: string description: >- If not empty then users must be members of at least one of these tenants roleNames: type: array items: type: string description: If not empty then users must have one of the specified roles limit: type: integer description: Default is 100 if not specified format: int32 text: type: string description: Full text search across relevant columns page: type: integer description: Page number starting with 0 for the first page format: int32 ssoOnly: type: boolean description: Bring only users that have SSO external IDs default: false withTestUser: type: boolean description: Return also users which are test users testUsersOnly: type: boolean description: Return only test users default: false customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value statuses: type: array items: type: string description: If not empty then users must be in one of those statuses emails: type: array items: type: string phones: type: array items: type: string ssoAppIds: type: array items: type: string sort: type: array items: $ref: '#/components/schemas/SortField' loginIds: type: array items: type: string fromCreatedTime: type: string toCreatedTime: type: string fromModifiedTime: type: string toModifiedTime: type: string userIds: type: array items: type: string scimOnly: type: boolean description: Bring only users that provisioned or updated by SCIM tenantRoleIds: type: object additionalProperties: $ref: '#/components/schemas/StringArray' tenantRoleNames: type: object additionalProperties: $ref: '#/components/schemas/StringArray' includeSubTenants: type: boolean password: type: boolean totp: type: boolean webauthn: type: boolean scim: type: boolean selectedColumns: type: array items: type: string verifiedEmail: type: boolean description: If provided, filter users by whether their email is verified verifiedPhone: type: boolean description: If provided, filter users by whether their phone is verified SendTenantAdminLinkRequest: type: object properties: tenantId: type: string email: type: string ssoId: type: string SendTenantAdminLinkResponse: type: object properties: {} SetUserAuditConnectorRequest: type: object properties: url: type: string authentication: $ref: '#/components/schemas/ConnectorHTTPAuthentication' hmacSecret: type: string headers: type: object additionalProperties: type: string insecure: type: boolean SetUserPasswordRequest: type: object properties: loginId: type: string password: type: string SetUserPasswordResponse: type: object properties: cleartext: type: string SetWebAuditConnectorRequest: type: object properties: name: type: string description: type: string url: type: string authentication: $ref: '#/components/schemas/ConnectorHTTPAuthentication' hmacSecret: type: string headers: type: object additionalProperties: type: string insecure: type: boolean filters: type: array items: $ref: '#/components/schemas/AuditFilters' SetWebAuditConnectorRequestDeprecated: type: object properties: name: type: string description: type: string url: type: string authentication: $ref: '#/components/schemas/ConnectorHTTPAuthentication' hmacSecret: type: string headers: type: object additionalProperties: type: string insecure: type: boolean filters: $ref: '#/components/schemas/AuditFilters' description: Deprecated - use SetWebAuditConnectorRequest instead SnapshotSecret: type: object properties: id: type: string name: type: string type: type: string value: type: string SnapshotSecrets: type: object properties: connectors: type: array items: $ref: '#/components/schemas/SnapshotSecret' oauthProviders: type: array items: $ref: '#/components/schemas/SnapshotSecret' outboundApps: type: array items: $ref: '#/components/schemas/SnapshotSecret' SortField: type: object properties: field: type: string description: >- Field must be from the give list: id, modifiedTime, createdTime, externalId, displayName, tenant, phoneNumber, email, status desc: type: boolean StopImpersonationRequest: type: object properties: jwt: type: string selectedTenant: type: string customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value refreshDuration: type: integer format: int32 Supported: type: object properties: supported: type: boolean ThirdPartyApplication: type: object properties: id: type: string name: type: string description: |- int64 version - excluded int64 createdTime - excluded string projectId - copied description: type: string clientId: type: string logo: type: string loginPageUrl: type: string approvedCallbackUrls: type: array items: type: string permissionsScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' attributesScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' dynamic: type: boolean status: type: string logoUrl: type: string jwtBearerSettings: allOf: - $ref: '#/components/schemas/JWTBearerSettings' description: >- string backChannelLogoutUrl = 13 [(validate).string = {url: true, optional: true}]; is not supported now as its exist only in project service but there is no end_session endpoint in onetime service sessionSettings: $ref: '#/components/schemas/ThirdPartyApplicationSessionSettings' nonConfidentialClient: type: boolean audienceWhitelist: type: array items: type: string forceAddAllAuthorizationInfo: type: boolean connectionsScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' defaultAudience: type: string skipConsentScreen: type: boolean useResources: type: boolean customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value cibaSettings: $ref: '#/components/schemas/ThirdPartyApplicationCIBASettings' ThirdPartyApplicationCIBASettings: type: object properties: enabled: type: boolean expirationTime: type: integer format: int32 expirationTimeUnit: type: string emailServiceProvider: type: string emailServiceProviderFallback: type: string emailServiceTemplateId: type: string loginPageURL: type: string ThirdPartyApplicationConsent: type: object properties: id: type: string appId: type: string userId: type: string scopes: type: array items: type: string grantedBy: type: string createdTime: type: integer format: int32 tenantId: type: string ExpireTime: type: integer format: int32 modifiedTime: type: integer format: int32 ThirdPartyApplicationSessionSettings: type: object properties: enabled: type: boolean refreshTokenExpiration: type: integer format: int32 refreshTokenExpirationUnit: type: string sessionTokenExpiration: type: integer format: int32 sessionTokenExpirationUnit: type: string userTemplateId: type: string keyTemplateId: type: string keySessionTokenExpiration: type: integer format: int32 keySessionTokenExpirationUnit: type: string TrustedDevice: type: object properties: id: type: string name: type: string deviceType: type: string userId: type: string lastLoginTime: type: string expirationTime: type: string lastLocation: type: string isCurrentDevice: type: boolean description: expands userv1.TrustedDevice with isCurrentDevice UpdateAccessKeyRequest: type: object properties: id: type: string name: type: string description: type: string roleNames: allOf: - $ref: '#/components/schemas/google.protobuf.Value' description: >- we want to differentiate between empty and nil so we use google.protobuf.Value keyTenants: $ref: '#/components/schemas/google.protobuf.Value' customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value permittedIps: $ref: '#/components/schemas/google.protobuf.Value' customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value UpdateDescoperRequest: type: object properties: id: type: string attributes: allOf: - $ref: '#/components/schemas/DescoperAttributes' description: >- updateable fields (optional! updating attributes has additional constraints) rbac: $ref: '#/components/schemas/DescoperRBAC' UpdateDescoperResponse: type: object properties: descoper: $ref: '#/components/schemas/Descoper' UpdateJWTRequest: type: object properties: jwt: type: string customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value refreshDuration: type: integer format: int32 UpdateListRequest: type: object properties: id: type: string name: type: string description: type: string type: type: string data: $ref: '#/components/schemas/google.protobuf.Value' UpdateListResponse: type: object properties: list: $ref: '#/components/schemas/List' UpdateManagementKeyRequest: type: object properties: id: type: string name: type: string description: type: string permittedIps: type: array items: type: string status: type: string UpdateManagementKeyResponse: type: object properties: key: $ref: '#/components/schemas/ManagementKey' UpdateMcpServerClientRequest: type: object properties: id: type: string mcpServerId: type: string name: type: string approvedCallbackUrls: type: array items: type: string scopes: type: array items: type: string tags: type: array items: type: string logo: type: string UpdateMcpServerClientResponse: type: object properties: client: $ref: '#/components/schemas/McpServerClient' UpdateMcpServerRequest: type: object properties: server: $ref: '#/components/schemas/McpServer' UpdateMcpServerResponse: type: object properties: server: $ref: '#/components/schemas/McpServer' UpdateOutboundAppRequest: type: object properties: app: $ref: '#/components/schemas/OutboundApp' UpdateOutboundAppResponse: type: object properties: app: $ref: '#/components/schemas/OutboundApp' UpdatePermissionRequest: type: object properties: name: type: string newName: type: string description: type: string UpdatePermissionsRequest: type: object properties: permissions: type: array items: $ref: '#/components/schemas/UpdatePermissionRequest' UpdateProjectNameRequest: type: object properties: name: type: string UpdateProjectTagsRequest: type: object properties: tags: type: array items: type: string UpdateRoleRequest: type: object properties: name: type: string newName: type: string description: type: string permissionNames: type: array items: type: string tenantId: type: string default: type: boolean private: type: boolean UpdateRolesRequest: type: object properties: roles: type: array items: $ref: '#/components/schemas/UpdateRoleRequest' UpdateSSOProviderIDsRequest: type: object properties: tenantId: type: string ssoId: type: string samlProviderId: type: string samlScimProviderId: type: string oidcProviderId: type: string oidcScimProviderId: type: string UpdateTenantDefaultRolesRequest: type: object properties: id: type: string defaultRoles: type: array items: type: string UpdateTenantRequest: type: object properties: id: type: string name: type: string selfProvisioningDomains: type: array items: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value authType: type: string description: deprecated - authType should be set via ConfigureTenantSettings disabled: type: boolean enforceSSO: type: boolean enforceSSOExclusions: type: array items: type: string federatedAppIds: type: array items: type: string roleInheritance: type: string UpdateThirdPartyApplicationRequest: type: object properties: id: type: string name: type: string description: type: string logo: type: string loginPageUrl: type: string approvedCallbackUrls: type: array items: type: string permissionsScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' attributesScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' logoUrl: type: string jwtBearerSettings: allOf: - $ref: '#/components/schemas/JWTBearerSettings' description: >- string backChannelLogoutUrl = 10 [(validate).string = {url: true, optional: true}]; sessionSettings: $ref: '#/components/schemas/ThirdPartyApplicationSessionSettings' audienceWhitelist: type: array items: type: string forceAddAllAuthorizationInfo: type: boolean connectionsScopes: type: array items: $ref: '#/components/schemas/managementv1.ApplicationScope' defaultAudience: type: string customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value cibaSettings: $ref: '#/components/schemas/ThirdPartyApplicationCIBASettings' UpdateUserCustomAttributeRequest: type: object properties: loginId: type: string attributeKey: type: string attributeValue: $ref: '#/components/schemas/google.protobuf.Value' UpdateUserDisplayNameRequest: type: object properties: loginId: type: string name: type: string givenName: type: string middleName: type: string familyName: type: string UpdateUserEmailRequest: type: object properties: loginId: type: string email: type: string verified: type: boolean failOnConflict: type: boolean UpdateUserImpersonationConsentRequest: type: object properties: loginId: type: string impersonationConsent: type: integer format: int32 UpdateUserLoginIDRequest: type: object properties: loginId: type: string newLoginId: type: string UpdateUserPhoneRequest: type: object properties: loginId: type: string phone: type: string verified: type: boolean failOnConflict: type: boolean UpdateUserPictureRequest: type: object properties: loginId: type: string picture: type: string UpdateUserRemoveTrustedDevicesRequest: type: object properties: loginId: type: string description: The user's login identifier (external ID) or ID deviceIds: type: array items: type: string description: Trusted device IDs to delete UpdateUserRequest: type: object properties: loginId: type: string email: type: string phone: type: string verifiedEmail: type: boolean verifiedPhone: type: boolean name: type: string roleNames: type: array items: type: string userTenants: type: array items: $ref: '#/components/schemas/managementv1.AssociatedTenant' customAttributes: type: object description: >- Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. additionalProperties: type: string example: attribute-key: attribute-value picture: type: string additionalIdentifiers: type: array items: type: string givenName: type: string middleName: type: string familyName: type: string ssoAppIds: type: array items: type: string status: type: string UpdateUserRolesRequest: type: object properties: loginId: type: string tenantId: type: string roleNames: type: array items: type: string UpdateUserSSOAppsRequest: type: object properties: loginId: type: string ssoAppIds: type: array items: type: string UpdateUserStatusRequest: type: object properties: loginId: type: string status: type: string UpdateUserTenantRequest: type: object properties: loginId: type: string tenantId: type: string UploadOutboundAppTenantAPIKeyRequest: type: object properties: appId: type: string tenantId: type: string apiKey: type: string UploadOutboundAppTenantAPIKeyResponse: type: object properties: {} UploadOutboundAppUserAPIKeyRequest: type: object properties: appId: type: string userId: type: string apiKey: type: string tenantId: type: string UploadOutboundAppUserAPIKeyResponse: type: object properties: {} UserAuthHistory: type: object properties: userId: type: string loginTime: type: integer format: int32 city: type: string country: type: string ip: type: string selectedTenant: type: string UserLogoutRequest: type: object properties: loginId: type: string userId: type: string sessionTypes: type: array items: type: string UserMapping: type: object properties: name: type: string email: type: string username: type: string group: type: string givenName: type: string middleName: type: string familyName: type: string picture: type: string customAttributes: type: object additionalProperties: type: string verifiedEmail: type: string verifiedPhone: type: string UserProviderTokenResponse: type: object properties: provider: type: string providerUserId: type: string accessToken: type: string expiration: type: integer format: uint32 scopes: type: array items: type: string refreshToken: type: string UserResponse: type: object properties: user: $ref: '#/components/schemas/ResponseUser' created: type: boolean UsersAuthHistoryRequest: type: object properties: userIds: type: array items: type: string UsersAuthHistoryResponse: type: object properties: usersAuthHistory: type: array items: $ref: '#/components/schemas/UserAuthHistory' UsersResponse: type: object properties: users: type: array items: $ref: '#/components/schemas/ResponseUser' total: type: integer format: int32 ValidateSnapshotResponse: type: object properties: ok: type: boolean failures: type: array items: type: string missingSecrets: $ref: '#/components/schemas/SnapshotSecrets' Widget: type: object properties: widgetId: type: string name: type: string type: type: string disabled: type: boolean onetimev1.AssociatedTenant: type: object properties: tenantId: type: string roleNames: type: array items: type: string EmbeddedLinkSignInResponse: type: object properties: token: type: string maskedEmail: type: string maskedPhone: type: string GenerateJWTSignUpRequest: type: object properties: loginId: type: string user: $ref: '#/components/schemas/SignUpUser' emailVerified: type: boolean phoneVerified: type: boolean customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value ssoAppId: type: string refreshDuration: type: integer format: int32 selectedTenantId: type: string userTenants: type: array items: $ref: '#/components/schemas/onetimev1.AssociatedTenant' PasswordImport: type: object properties: bcrypt: $ref: '#/components/schemas/PasswordImportHash' django: $ref: '#/components/schemas/PasswordImportHash' firebase: $ref: '#/components/schemas/PasswordImportFirebase' pbkdf2: $ref: '#/components/schemas/PasswordImportPbkdf2' phpass: $ref: '#/components/schemas/PasswordImportPhpass' md5: $ref: '#/components/schemas/PasswordImportHash' bach: $ref: '#/components/schemas/PasswordImportBach' argon2: $ref: '#/components/schemas/PasswordImportArgon2' sha: $ref: '#/components/schemas/PasswordImportSha' buddyauth: $ref: '#/components/schemas/PasswordImportHash' PasswordImportArgon2: type: object properties: hash: type: string format: bytes salt: type: string format: bytes iterations: type: integer format: uint32 memory: type: integer format: uint32 threads: type: integer format: uint32 type: type: string PasswordImportBach: type: object properties: hash: type: string key: type: string PasswordImportFirebase: type: object properties: hash: type: string format: bytes salt: type: string format: bytes saltSeparator: type: string format: bytes signerKey: type: string format: bytes memory: type: integer format: uint32 rounds: type: integer format: uint32 PasswordImportHash: type: object properties: hash: type: string PasswordImportPbkdf2: type: object properties: hash: type: string format: bytes salt: type: string format: bytes iterations: type: integer format: uint32 type: type: string PasswordImportPhpass: type: object properties: hash: type: string salt: type: string iterations: type: integer format: uint32 type: type: string PasswordImportSha: type: object properties: hash: type: string type: type: string salt: type: string TestUserGenerateEnchantedLinkRequest: type: object properties: loginId: type: string redirectUrl: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' TestUserGenerateEnchantedLinkResponse: type: object properties: loginId: type: string link: type: string pendingRef: type: string TestUserGenerateMagicLinkRequest: type: object properties: loginId: type: string deliveryMethod: type: string redirectUrl: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' TestUserGenerateMagicLinkResponse: type: object properties: loginId: type: string link: type: string TestUserGenerateOTPRequest: type: object properties: loginId: type: string deliveryMethod: type: string loginOptions: $ref: '#/components/schemas/LoginOptions' TestUserGenerateOTPResponse: type: object properties: loginId: type: string code: type: string WebauthnImportAuth0: type: object properties: keyId: type: string rpId: type: string publicKey: type: string format: bytes aaguid: type: string transports: type: array items: type: string credentialDeviceType: type: string credentialBackedUp: type: boolean userHandle: type: string description: >- The keyId, rpId and publicKey fields in this message are present in both passkey and MFA webauthn types. The other fields are missing in the MFA webauthn type. WebauthnImportDescope: type: object properties: credentialId: type: string rpId: type: string publicKey: type: string format: bytes attestationType: type: string default: false aaguid: type: string transports: type: array items: type: string backupEligible: type: boolean backupState: type: boolean WebauthnImportDevice: type: object properties: descope: $ref: '#/components/schemas/WebauthnImportDescope' auth0: $ref: '#/components/schemas/WebauthnImportAuth0' CompleteExternalAuthRequest: type: object properties: externalAuthReqId: type: string loginId: type: string user: $ref: '#/components/schemas/SignUpUser' emailVerified: type: boolean phoneVerified: type: boolean customClaims: type: object description: >- Custom claims to include in the JWT as key-value pairs. Keys must be strings; values can be strings, numbers, or booleans. additionalProperties: type: string example: claim-name: claim-value selectedTenantId: type: string userTenants: type: array items: $ref: '#/components/schemas/onetimev1.AssociatedTenant' CompleteExternalAuthResponse: type: object properties: redirectUrl: type: string DeleteFlowsRequest: type: object properties: ids: type: array items: type: string ExportFlowDeprecatedResponse: type: object properties: flow: $ref: '#/components/schemas/Flow' screens: type: array items: $ref: '#/components/schemas/Screen' ExportFlowRequest: type: object properties: flowId: type: string ExportFlowResponse: type: object properties: flow: $ref: '#/components/schemas/ExportedFlow' ExportThemeDeprecatedResponse: type: object properties: theme: $ref: '#/components/schemas/Theme' ExportThemeResponse: type: object properties: theme: $ref: '#/components/schemas/ExportedTheme' ExportedFlow: type: object properties: flowId: type: string metadata: $ref: '#/components/schemas/ExportedFlowMetadata' contents: type: object screens: type: array items: $ref: '#/components/schemas/ExportedScreen' references: $ref: '#/components/schemas/ProjectReferences' description: >- Used by managementservice snapshots - make sure not to break compatibility ExportedFlowMetadata: type: object properties: name: type: string description: type: string componentsVersion: type: string disabled: type: boolean fingerprint: type: boolean widget: type: boolean translation: $ref: '#/components/schemas/ExportedFlowTranslation' sharedInteractions: type: array items: $ref: '#/components/schemas/Interaction' management: type: boolean managementConfig: $ref: '#/components/schemas/ManagementConfig' description: >- Used by managementservice snapshots - make sure not to break compatibility ExportedFlowTranslation: type: object properties: enabled: type: boolean connectorId: type: string sourceLanguage: type: string targetLanguages: type: array items: type: string description: >- Used by managementservice snapshots - make sure not to break compatibility ExportedScreen: type: object properties: screenId: type: string interactions: type: array items: $ref: '#/components/schemas/Interaction' contents: type: object description: >- Used by managementservice snapshots - make sure not to break compatibility ExportedTheme: type: object properties: styles: type: object componentsVersion: type: string references: $ref: '#/components/schemas/ProjectReferences' description: >- Used by managementservice snapshots - make sure not to break compatibility Flow: type: object properties: id: type: string version: type: integer format: int32 name: type: string description: type: string dsl: type: object modifiedTime: type: string etag: type: string disabled: type: boolean translate: type: boolean translateConnectorID: type: string translateSourceLang: type: string translateTargetLangs: type: array items: type: string fingerprint: type: boolean widget: type: boolean sharedInteractions: type: array items: $ref: '#/components/schemas/Interaction' management: type: boolean managementConfig: $ref: '#/components/schemas/ManagementConfig' referencesGlobalStrings: type: boolean FlowLocalizationOverrides: type: object properties: id: type: string version: type: integer format: int32 modifiedTime: type: string flowId: type: string languages: type: object additionalProperties: type: object FlowTemplate: type: object properties: id: type: string name: type: string description: type: string dsl: type: object modifiedTime: type: string etag: type: string tags: type: array items: type: string methods: type: array items: type: string screens: type: array items: $ref: '#/components/schemas/FlowTemplateScreen' keywords: type: array items: type: string FlowTemplateScreen: type: object properties: id: type: string inputs: type: array items: $ref: '#/components/schemas/Input' interactions: type: array items: $ref: '#/components/schemas/Interaction' htmlTemplate: type: object GetManagementFlowAsyncResultRequest: type: object properties: executionId: type: string ImportFlowDeprecatedRequest: type: object properties: flowId: type: string flow: $ref: '#/components/schemas/Flow' screens: type: array items: $ref: '#/components/schemas/Screen' ImportFlowDeprecatedResponse: type: object properties: flow: $ref: '#/components/schemas/Flow' screens: type: array items: $ref: '#/components/schemas/Screen' ImportFlowRequest: type: object properties: flow: $ref: '#/components/schemas/ExportedFlow' skipRender: type: boolean changelog: type: string ImportThemeDeprecatedRequest: type: object properties: theme: $ref: '#/components/schemas/Theme' ImportThemeDeprecatedResponse: type: object properties: theme: $ref: '#/components/schemas/Theme' ImportThemeRequest: type: object properties: theme: $ref: '#/components/schemas/ExportedTheme' Input: type: object properties: type: type: string name: type: string required: type: boolean visible: type: boolean displayName: type: string displayType: type: string dependsOn: type: array items: type: string nameValueMap: type: object contextAware: type: boolean options: type: array items: $ref: '#/components/schemas/Option' defaultValue: type: string helperText: type: string Interaction: type: object properties: id: type: string type: type: string label: type: string icon: type: string subType: type: string ManagementConfig: type: object properties: triggers: $ref: '#/components/schemas/ManagementConfigTriggers' ManagementConfigEventTriggers: type: object properties: triggeringEventTypes: type: array items: type: string ManagementConfigTriggers: type: object properties: enabled: type: boolean triggerType: type: string eventTriggers: $ref: '#/components/schemas/ManagementConfigEventTriggers' ManagementFlowOptions: type: object properties: input: type: object preview: type: boolean tenant: type: string Option: type: object properties: value: type: string label: type: string ProjectReferences: type: object properties: connectors: type: object additionalProperties: type: string oauth: type: array items: type: string omitted: type: array items: type: string roles: type: object additionalProperties: type: string userAttributes: type: array items: type: string tenantAttributes: type: array items: type: string description: >- Used by managementservice snapshots - make sure not to break compatibility RunManagementFlowAsyncResponse: type: object properties: executionId: type: string RunManagementFlowRequest: type: object properties: flowId: type: string options: $ref: '#/components/schemas/ManagementFlowOptions' RunManagementFlowResponse: type: object properties: output: type: object Screen: type: object properties: id: type: string version: type: integer format: int32 flowId: type: string inputs: type: array items: $ref: '#/components/schemas/Input' interactions: type: array items: $ref: '#/components/schemas/Interaction' htmlTemplate: type: object componentsVersion: type: string SearchFlowTemplatesRequest: type: object properties: {} SearchFlowsRequest: type: object properties: ids: type: array items: type: string Theme: type: object properties: id: type: string version: type: integer format: int32 cssTemplate: type: object componentsVersion: type: string codeMode: type: boolean URLParam: type: object properties: key: type: string value: type: string projectv1.ApplicationScope: type: object properties: name: type: string description: type: string optional: type: boolean values: type: array items: type: string description: >- Keep this message synchronized with the matching one in ManagementService BatchCreateResourcePoliciesRequest: type: object properties: policies: type: array items: $ref: '#/components/schemas/CreateResourcePolicyRequest' description: Batch resource policy operations BatchCreateResourcePoliciesResponse: type: object properties: resourcePolicies: type: array items: $ref: '#/components/schemas/ResourcePolicy' BatchDeleteResourcePoliciesRequest: type: object properties: policies: type: array items: $ref: '#/components/schemas/ResourcePolicyIdentifier' CIMDDomainPolicies: type: object properties: policies: type: array items: $ref: '#/components/schemas/CIMDDomainPolicy' CIMDDomainPolicy: type: object properties: domainPattern: type: string enabled: type: boolean CIMDSettings: type: object properties: enabled: type: boolean domainPolicies: $ref: '#/components/schemas/CIMDDomainPolicies' CreateResourcePolicyRequest: type: object properties: thirdPartyApplicationId: type: string resourceId: type: string userAccessScopes: type: array items: type: string clientAccessScopes: type: array items: type: string allUserScopes: type: boolean allClientScopes: type: boolean CreateResourcePolicyResponse: type: object properties: resourcePolicy: $ref: '#/components/schemas/ResourcePolicy' CreateResourceRequest: type: object properties: id: type: string name: type: string scopes: $ref: '#/components/schemas/DynamicClientRegistrationApprovedScopes' userAccess: type: string clientAccess: type: string description: type: string CreateResourceResponse: type: object properties: resource: $ref: '#/components/schemas/Resource' DeleteResourcePolicyRequest: type: object properties: resourceId: type: string thirdPartyApplicationId: type: string DeleteResourceRequest: type: object properties: id: type: string DeleteResourcesRequest: type: object properties: ids: type: array items: type: string DynamicClientRegistrationApprovedScopes: type: object properties: permissionsScopes: type: array items: $ref: '#/components/schemas/projectv1.ApplicationScope' attributesScopes: type: array items: $ref: '#/components/schemas/projectv1.ApplicationScope' connectionsScopes: type: array items: $ref: '#/components/schemas/projectv1.ApplicationScope' LoadAllResourcesResponse: type: object properties: resources: type: array items: $ref: '#/components/schemas/Resource' total: type: integer format: int32 LoadResourcePoliciesByAppResponse: type: object properties: resourcePolicies: type: array items: $ref: '#/components/schemas/ResourcePolicy' LoadResourceResponse: type: object properties: resource: $ref: '#/components/schemas/Resource' Resource: type: object properties: id: type: string version: type: string name: type: string scopes: $ref: '#/components/schemas/DynamicClientRegistrationApprovedScopes' createdTime: type: string modifiedTime: type: string userAccess: type: string clientAccess: type: string description: type: string description: Resource CRUD messages ResourcePolicy: type: object properties: version: type: string thirdPartyApplicationId: type: string resourceId: type: string userAccessScopes: type: array items: type: string clientAccessScopes: type: array items: type: string allUserScopes: type: boolean allClientScopes: type: boolean createdTime: type: string modifiedTime: type: string description: ResourcePolicy CRUD messages ResourcePolicyIdentifier: type: object properties: resourceId: type: string thirdPartyApplicationId: type: string TemplateLocalizationOverrides: type: object properties: id: type: string version: type: integer format: int32 modifiedTime: type: string languages: type: object additionalProperties: type: object UpdateResourcePolicyRequest: type: object properties: resourceId: type: string thirdPartyApplicationId: type: string userAccessScopes: type: array items: type: string clientAccessScopes: type: array items: type: string allUserScopes: type: boolean allClientScopes: type: boolean UpdateResourcePolicyResponse: type: object properties: resourcePolicy: $ref: '#/components/schemas/ResourcePolicy' UpdateResourceRequest: type: object properties: resource: $ref: '#/components/schemas/Resource' UpdateResourceResponse: type: object properties: resource: $ref: '#/components/schemas/Resource' SearchField: type: object properties: field: type: string valArr: type: array items: type: string valStr: type: string negative: type: boolean valType: type: string description: Custom Attributes DeleteAllTestUsersResponse: type: object properties: {} StringArray: type: object properties: values: type: array items: type: string and: type: boolean EmptyBody: type: object nullable: true securitySchemes: Descope Project ID: type: http scheme: bearer bearerFormat: Project ID description: Project ID as bearer token. Descope Project ID:Refresh JWT: type: http scheme: bearer bearerFormat: Project ID:Refresh JWT description: Project ID:Refresh JWT as bearer token. Descope Project ID:Access Key: type: http scheme: bearer bearerFormat: ProjectId:AccessKey description: Project ID:Access Key as bearer token. Descope Project ID:Session JWT: type: http scheme: bearer bearerFormat: Project ID:Session JWT description: Project ID:Session JWT as bearer token. Descope Project ID and Management Key: type: http description: Project ID:Management Key as bearer token. scheme: bearer bearerFormat: ProjectId:ManagementKey parameters: oauthProviderEnum: in: query name: provider description: Name of OAuth provider (case sensitive) schema: type: string enum: - apple - discord - facebook - github - gitlab - google - microsoft authRedirectUrl: in: query name: redirectURL description: URL to redirect end user to after they have successfully signed-in schema: type: string security: - Descope Project ID: [] Descope Project ID:Refresh JWT: [] Descope Project ID:Session JWT: [] Descope Project ID and Management Key: [] Descope Project ID:Access Key: [] externalDocs: description: Descope Server url: https://docs.descope.com tags: - name: Email - name: Text Message (SMS)