Identity Cloud REST API index

Click the link to download the Identity Cloud REST API Postman collection.


This page features a list of, and links to, all the Identity Cloud REST API operations.


Authentication API

The Authentication API provides methods for creating accounts on, and logging in to, websites and apps.


Access tokens and codes

Operation | Method
Get an authorization code
/access/getAuthorizationCode

Returns an authorization code you can exchange for an access token and a refresh token. Note that this operation can't be used to obtain Hosted Login access and refresh tokens.


POST
Get an access token
/access/getAccessToken

Retrieves an Identity Cloud access token. Note that this access token can’t be used to obtain Hosted Login access tokens.


POST
Exchange an authorization code
/oauth/token

Returns an Identity Cloud access token for an authenticated user. You need to exchange either an authorization code or a refresh token in order to get an access token. An authorization code is generated when a user is authenticated by using the JavaScript SDK or the Authentication API.

Note that the authorization code and refresh tokens used with this operation can’t be exchanged for a Hosted Login access token.

See also:
Exchange an authorization code


POST
Complete social registration
/oauth/register_native

Completes social registration. With social registration, a user creates an Identity Cloud account by using credentials and profile information derived from a social login identity provider such as Facebook or Twitter.

See JavaScript SDK registration overview for a comparison of social logins and registrations and traditional logins and registrations.

See also:
Complete social login and registration


POST
Complete traditional registration
/oauth/register_native_traditional

Completes a traditional registration. After registration completes, a user can authenticate on your website by using an email address and password.

See JavaScript SDK registration overview for a comparison of social logins and registrations and traditional logins and registrations.

See also:
Complete traditional login and registration


POST
Complete social login
/oauth/auth_native

Completes social login, a login carried out by first authenticating with a social login identity provider (IdP) and then using the IdP's credentials to log in to Identity Cloud.

See JavaScript SDK registration overview for a comparison of social logins and registrations and traditional logins and registrations.

See also:
Complete social login and registration


POST
Complete traditional login
/oauth/auth_native_traditional

Completes a traditional login, a process involving an email address and password.

See JavaScript SDK registration overview for a comparison of social logins and registrations and traditional logins and registrations.

See also:
Complete traditional login and registration


POST

User profiles

Operation | Method
Update a user profile
/oauth/update_profile_native

Updates a user profile based on input from a user. To make this call, you must have a valid Registration access token for the user profile to be updated.

See also:
Update a user profile


POST
Get a verification code
/access/getVerificationCode

Returns a verification code for setting an attribute to the current date and time. This is useful for such tasks as recording the date and time when an email address is verified.


POST
Set a timestamp
/access/use_verification_code

Uses a one-time verification code to set a field value to the current date and time. For example, setting the emailVerified attribute to a timestamp indicates that the associated email address has been verified.


POST
Send a password reset link
/oauth/forgot_password_native

Sends an email that includes a link for resetting a password. Clicking the link (which includes a one-time pass code) takes the user to a screen where they can reset their password.

See also:
Reset a password


POST
Verify an email address
/oauth/verify_email_native

Sends an email that includes a one-use verification link a user can click to complete the email verification process. The destination URL for this link is configured in the verify_email_url setting of the API client used to make the API call.


POST
Link a social identity to a user account
/oauth/link_account_native

Links a new social identity provider (IdP) to an existing user account. After a provider is linked, you can use that IdP to log on to your Identity Cloud account. Note that social logins can be used in addition to or instead of traditional Identity Cloud logins. In a traditional login, the user logs in by supplying an email address and password.

See also:
Link or unlink accounts


POST
Unlink a social identity from a user account
/oauth/unlink_account_native

Unlinks a social provider from a user account. Once unlinked, the social provider can't be used to sign in to that user account. To make this call, you must have a valid Registration access token for the user record being updated.

See also:
Link or unlink accounts


POST

Configuration API

The Configuration API is a large collection of endpoints revolving around three areas of Identity Cloud administration:

  • Applications, API clients, and settings
  • Entity types and attributes
  • Flows

Client and Settings APIs


API clients

Operation | Method
Get all API clients
/config/{app_id}/clients

Returns information about the API clients associated with an application. API clients are primarily used to control access to the Identity Cloud APIs and to help define the user login and registration experience.


GET
Get an API client
/config/{app_id}/clients/{client_id}

Returns information about a specific API client.


GET
Modify an API client
/config/{app_id}/clients/{client_id}

Modifies permissions and settings for an API client.


PUT
Reset an API client secret
/config/{app_id}/clients/{client_id}/secret

Resets the client secret for an API client. For example, you might reset the secret if you believe that secret has been exposed to unauthorized users or if someone who had access to the secret has left your organization.

It's recommended that you contact your Akamai representative before resetting the client secret for an owner client.


POST
Create an API client
/config/{app_id}/clients

Creates an API client.


POST
Delete an API client
/config/{app_id}/clients/{client_id}

Deletes an existing API client. You can't delete an API client assigned the owner feature.


DELETE

Application and client settings

Operation | Method
Get all application and client settings
/config/{app_id}/settings

Returns settings and values for the specified API client. This operation returns both the application settings and the settings applied specifically to the API client. Your operation must have owner permissions in order to return the global settings.


GET
Get all the standard application settings
/config/{app_id}/settings/options

Returns information about Identity Cloud's predefined application and client settings. Custom settings that you’ve added yourself aren’t returned by this operation.


GET
Modify application settings
/config/{app_id}/settings

Modifies the global settings for an application.


PUT
Get API client settings
/config/{app_id}/clients/{client_id}/settings

Returns the settings associated with a specific API client. In the API response, client settings, global settings, and custom settings are returned as separate JSON objects.


GET
Modify API client settings
/config/{app_id}/clients/{client_id}/settings

Modifies the client settings associated with a specific API client.


PUT

Entity Type APIs

Operation | Method
Get all entity types
/config/{app_id}/entityTypes

Returns information about the entity types associated with an application. Entity types are databases that store user profile information.


GET
Get an entity type
/config/{app_id}/entityTypes/{entity_type}

Returns information about the specified entity type.


GET
Get the attributes in an entity type
/config/{app_id}/entityTypes/{entity_type}/attributes

Returns detailed information about each attribute in an entity type, including the attribute name and datatype. Attributes (roughly equivalent to database fields) represent individual bits of user information such as a user’s first name or a user’s email address.


GET
Get an entity type attribute
/config/{app_id}/entityTypes/{entity_type}/attributes/{attribute_name}

Returns detailed information about the specified attribute, including the attribute name and data type.


GET

Flows and flow management APIs


Flows

Operation | Method
Get all flows
/config/{app_id}/flows

Returns the flows associated with an application. Flows are JSON files that, among other things, help determine the look and feel of the user experience.


GET
Get a flow
/config/{app_id}/flows/{flow}

Returns information about the specified flow.


GET
Get all the versions of a flow
/config/{app_id}/flows/{flow}/versions

Returns a list of available versions for a flow. Each time you make and save a change to a flow (for example, adding a new field or deleting an existing translation) a new flow version is created.


GET
Get a specific flow version
/config/{app_id}/flows/{flow}/versions/{version}

Returns the specified version of a flow.


GET
Modify a flow
/config/{app_id}/flows/{flow}

Updates or replaces the userData object or the entity type schemas object assigned to the flow. The userData object lists the schema attributes to be stored in the janrainCaptureProfileData object in local storage following a successful authentication. The schemas object contains the name of your user profile databases.


PUT
Copy a flow
/config/{app_id}/flows/{flow}/copy

Creates a new flow by copying an existing flow. This operation can't be used to overwrite an existing flow; it can only be used to create a brand-new flow.


POST
Promote a flow
/config/{app_id}/flows/{flow}/promote

Promotes a flow to another application. Promoting a flow simply means copying that flow from one application (such as your development environment) to another application (such as your production environment).


POST
Restore a flow
/config/{app_id}/flows/{flow}/versions/{version}

Restores a flow to a previous version of that flow. When you restore a flow, the selected version becomes the current (HEAD) version of the flow.


POST

Fields

Operation | Method
Get all the fields in a flow
/config/{app_id}/flows/{flow}/fields

Returns a list of fields defined in the flow. Fields provide a link between onscreen form elements and their underlying user profile attributes. For example, onscreen a user might enter their first name in a field labeled First Name. In turn, the value entered in that field will be written to the givenName attribute in the user’s user profile.


GET
Get a field
/config/{app_id}/flows/{flow}/fields/{field}

Returns information about a field.


GET
Modify a field
/config/{app_id}/flows/{flow}/fields/{field}

Updates a field.


PUT
Create a field
/config/{app_id}/flows/{flow}/fields

Creates a new field and adds that field to a flow.

See also:
Create a field and add it to a Hosted Login form
Manage custom fields
Field reference


POST
Remove a field
/config/{app_id}/flows/{flow}/fields/{field}

Removes a field from the flow. This operation also removes the field from any forms that reference the field.


DELETE

Forms

Operation | Method
Get all the forms in a flow
/config/{app_id}/flows/{flow}/forms

Returns a list of forms in the flow. Forms serve as a container for fields. For example, the traditionalRegistrationForm form contains fields for all the information (name, email address, password, phone number, etc.) you want to collect from a user when creating their user account.


GET
Get a form
/config/{app_id}/flows/{flow}/forms/{form}

Returns detailed information about the specified form.


GET
Modify a form
/config/{app_id}/flows/{flow}/forms/{form}

Updates or replaces the list of fields and features in the form. Any fields added to the form must already exist in the flow.

See also:
Add a field to a Hosted Login form


PUT
Create a form
/config/{app_id}/flows/{flow}/forms

Creates a form.


POST
Delete a form
/config/{app_id}/flows/{flow}/forms/{form}

Deletes the specified form, but without deleting the fields associated with the form.


DELETE

Email templates

Operation | Method
Get all the email templates in a flow
/config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates

Returns a list of all the transactional email templates in the specified locale. Transactional emails are emails automatically sent by Identity Cloud in response to specific user activities. For example, after a user creates an account, an email is sent asking the user to verify their email address.


GET
Get an email template
/config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}

Returns information about the specified email template.


GET
Modify an email template
/config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}

Modifies an email template. Note that, while you can modify your email templates, you can’t delete those templates nor can you create new templates.

See also:
Modify transactional emails


PUT
Get the body of an email template
/config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}/body

Returns the body for an email template.


GET
Modify the body of an email template
/config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}/body

Updates the body for an email template.


PUT
Get the subject of an email template
/config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}/subject

Returns the subject line for an email template.


GET
Modify the subject of an email template
/config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}/subject

Updates the subject line for an email template.


PUT

Hosted Login upgrades

Operation | Method
Get all available Hosted Login upgrades
/config/{app_id}/flows/{flow}/upgrades

Returns the version numbers of Hosted Login you can upgrade to.


GET
Get Hosted Login upgrade requirements
/config/{app_id}/flows/{flow}/upgrades/{upgradeId}

Returns information about the fields, translations, and screens that need to be added to or removed from a flow to make that flow compatible with the specified version of Hosted Login.


GET
Upgrade Hosted Login
/config/{app_id}/flows/{flow}/upgrades/{upgradeId}

Adds the fields, translations, and screens required to help ensure that a flow is compatible with the specified version of Hosted Login.


POST

Hosted Login links

Operation | Method
Get all the Hosted Login links in a flow
/config/{app_id}/flows/{flow}/links

Returns a collection of all the Hosted Login links defined within the specified flow. These links appear on Hosted Login screens and direct your users to locations such as your help center or privacy policy.


GET
Get a Hosted Login link
/config/{app_id}/flows/{flow}/links/{linkId}

Returns detailed information about a Hosted Login link.


GET
Modify a Hosted Login link
/config/{app_id}/flows/{flow}/links/{linkId}

Updates a Hosted Login link.

See also:
Change the target of a Hosted Login link


PUT
Create a Hosted Login link
/config/{app_id}/flows/{flow}/links

Creates a new Hosted Login link.

See also:
Create a Hosted Login link


POST
Delete a Hosted Login link
/config/{app_id}/flows/{flow}/links/{linkId}

Deletes the specified Hosted Login link.


DELETE

Hosted Login 2FA messages

Operation | Method
Get all the 2FA messages in a flow
/config/{app_id}/flows/{flow}/locales/{locale}/2faMessages

Returns information about the two-factor authentication (2FA) messages included in a flow.

See also:
View 2FA messages


GET
Get a 2FA message
/config/{app_id}/flows/{flow}/locales/{locale}/2faMessages/{messageId}

Returns the specified two-factor authentication (2FA) message. Note that each 2FA message actually consists of: 1) an SMS message; 2) a plain-text email message; and 3) an HTML-formatted email message.

See also:
View 2FA messages


GET
Add the default 2FA messages to a flow
/config/{app_id}/flows/{flow}/locales/{locale}/2faMessages

Adds the default collection of two-factor authentication (2FA) messages to the specified flow.

See also:
Add 2FA messages to a flow


POST
Modify a 2FA message
/config/{app_id}/flows/{flow}/locales/{locale}/2faMessages/{messageId}

Modifies the specified two-factor authentication (2FA) message.

See also:
Modify a 2FA message


PUT

Locales

Operation | Method
Get all the locales in a flow
/config/{app_id}/flows/{flow}/locales/{locale}

Returns a list of all the locales associated with a flow. Each locale represents a specific language, region, and collection of locale variant preferences. Having different locales enables you to better personalize the user login and registration experience.


GET
Get all the localized fields in a flow

/config/{app_id}/flows/{flow}/locales/{locale}/fields

Returns a list of fields defined for the specified locale.


GET
Create a localized field
/config/{app_id}/flows/{flow}/locales/{locale}/fields

Adds a field to the specified locale.


POST
Get a localized field
/config/{app_id}/flows/{flow}/locales/{locale}/fields/{field}

Returns information about a localized field.


GET
Modify a localized field
/config/{app_id}/flows/{flow}/locales/{locale}/fields/{field}

Updates a localized field.


PUT

Strings

Operation | Method
Get all the strings in a flow
/config/{app_id}/flows/{flow}/strings

Returns the strings defined in the flow. Strings are text elements that aren’t tied to a specific form.


GET
Get a string
/config/{app_id}/flows/{flow}/strings/{string}

Returns information about the specified string.


GET
Create a string
/config/{app_id}/flows/{flow}/strings

Adds a string to the flow.


POST
Modify a string
/config/{app_id}/flows/{flow}/strings/{string}

Updates or replaces a string.


PUT
Delete a string
/config/{app_id}/flows/{flow}/strings/{string}

Removes a string from a flow.


DELETE
Get all the localized strings in a flow
/config/{app_id}/flows/{flow}/locales/{locale}/strings

Returns a list of all the localized strings defined in a flow.


GET
Get a localized string
/config/{app_id}/flows/{flow}/locales/{locale}/strings/{string}

Returns information about the localized string.


GET
Create a localized string
/config/{app_id}/flows/{flow}/locales/{locale}/strings

Adds a localized string to a flow.


POST
Modify a localized string
/config/{app_id}/flows/{flow}/locales/{locale}/strings/{string}

Updates or replaces a localized string in the flow.


PUT
Delete a localized string
/config/{app_id}/flows/{flow}/locales/{locale}/strings/{string}

Removes a localized string from a flow.


DELETE

Screens

Operation | Method
Get all the screens in a flow
/config/{app_id}/flows/{flow}/screens

Returns the screens associated with a flow.


GET
Get a screen
/config/{app_id}/flows/{flow}/screens/{screen}

Returns information about a specific screen.


GET
Modify a screen
/config/{app_id}/flows/{flow}/screens/{screen}

Updates property values for the specified screen.


PUT
Create a screen
/config/{app_id}/flows/{flow}/screens

Creates a new screen. New screens are primarily designed for use with the JavaScript SDK.


POST
Delete a screen
/config/{app_id}/flows/{flow}/screens/{screen}

Deletes the specified screen. Be forewarned that it’s possible (although not recommended) to delete the default screens that ship with Hosted Login and the JavaScript SDK.


DELETE

Translations

Operation | Method
Get all the translations in a flow
/config/{app_id}/flows/{flow}/translations

Returns all the translations in a flow.


GET
Get a translation
/config/{app_id}/flows/{flow}/translations/{key}

Returns all the translations for the specified translation key (i.e., all the translated values of a word or phrase).


GET
Create a translation
/config/{app_id}/flows/{flow}/translations

Creates a translation for the specified locale. You’re on your own to provide the correctly translated value.


POST
Delete a translation
/config/{app_id}/flows/{flow}/translations/{key}

Deletes a translation.


DELETE
Modify a translation

/config/{app_id}/flows/{flow}/translations

Updates an existing translation.

See also:
Modify screen text
Localize screen text


PATCH

Custom Provider API

The Custom Provider API enables organizations to leverage almost any social login IdP they want, as long as that identity provider uses one of the following protocols:

  • OAuth 2.0
  • OpenID Connect
  • SAML 2

Operation | Method
Get all social login applications
/{customerId}/v2/config/low/services/engage-v2/apps

Returns information about your social login applications. You need a social login application to configure social login for Hosted Login and to create custom providers.


GET
Get a social login application

/{customerId}/v2/config/low/services/engage-v2/apps/{appId}

Returns detailed information about a specific social login application.


GET
Get all the custom providers in an application

/{customerId}/v2/config/low/services/engage-v2/apps/{appId}/custom-providers

Returns information about your custom providers. Custom providers are social login identity providers (IdPs) that weren't predefined by Akamai. Most IdPs that support OAuth 2.0, OpenID Connect, or SAML2 can be configured as custom providers.


GET
Get a custom provider

/{customerId}/v2/config/low/services/engage-v2/apps/{appId}/custom-providers/{providerId}

Returns detailed information about the specified custom provider.


GET
Modify a custom provider

/{customerId}/v2/config/low/services/engage-v2/apps/{appId}/custom-providers/{providerId}

Modifies a custom provider.


PATCH
Create a custom provider

/{customerId}/v2/config/low/services/engage-v2/apps/{appId}/custom-providers

Creates a custom provider. The social login identity provider being used as a custom provider needs to support OAuth 2.0, OpenID Connect, or SAML2.

See also:
Create a custom provider


POST

Entity and Entity Type API

API operations for managing user profiles and user profile databases.


Entities and user profiles

Operation | Method
Get a user profile
/entity

Returns the specified user profile. By default, this endpoint returns all the attributes associated with the user profile. However, it’s also possible to return a specified subset of attributes.


POST
Search for user profiles
/entity.find

Searches an entity type for users meeting the specified criteria. For example, you might search for all the users who have not logged on since a specified date, or for all the users whose accounts were created after that date.


POST
Count user profiles
/entity.count

Returns the number of user profiles in an entity type that meet the specified criteria. For example, you might return the number of users who live in France or the number of users who work for Akamai.


POST
Modify a user profile
/entity.update

Updates a user profile. Note that this operation only modifies attributes specified in the request. Any attributes not included in the request are left exactly as-is.


POST
Replace a user profile
/entity.replace

Replaces all the attribute values in a user profile with a new set of attribute values. By default, any attributes not included in your operation are replaced with null values.


POST
Create a user profile
/entity.create

Creates a user profile. Note that, because of database replication requirements, it might take a few minutes for the new user profile to be available to other operations.


POST
Create multiple user profiles
/entity.bulkCreate

Creates multiple user profiles with a single operation. Note that your request body can't be larger than 5 MB. If you encounter a "client intended to send too large body" error, you must reduce the size of the request body. For example, you might divide the list of accounts to be created in half, then use two API calls instead of one.

See also:
Query or import large data sets


POST
Delete a user profile
/entity.delete

Deletes the specified user profile. Alternatively, you can use this endpoint to delete a child attribute of a plural attribute. In that case, only the child attribute is deleted and the rest of the user profile remains as-is.


POST
Invalidate user access tokens
/entity.deleteAccess

Removes all existing access grants issued to the user, including all the access tokens, refresh tokens, and refresh secrets.


POST

Entity types

Operation | Method
Get all entity types
/entityType.list

Returns information about your entity types. An entity type is a user profile data store.


POST
Get an entity type
/entityType

Returns detailed information about the specified entity type.


POST
Create an entity type
/entityType.create

Creates an entity type.

See also:
Schema data types


POST

Attributes, validations, and constraints

Operation | Method
Create an attribute
/entityType.addAttribute

Adds an attribute to an entity type. This operation also adds the new attribute to all existing user profiles.


POST
Delete an attribute
/entityType.removeAttribute

Removes an attribute from an entity type. Note that all the data associated with this attribute is deleted as well. That means that the attribute and its value are removed from each user profile in the entity type.


POST
Get all validation rules
/entityType.rules

Returns all the data validation rules configured for the specified entity type. Identity Cloud uses these rules to validate attribute data with each user profile update.


POST
Create a validation rule
/entityType.addRule

Creates a data validation rule for specified attributes in your schema.


POST
Delete a validation rule
/entityType.removeRule

Removes the specified validation rule.


POST
Assign constraints to an attribute
/entityType.setAttributeConstraints

Configures the list of constraints for an attribute. Constraints place restrictions on the type of data that can be stored in an attribute.


POST

Unique password enforcement

Operation | Method
Modify password history settings
/entityType.setPasswordSettings

Manages the password history settings for an entity type. Password history tracks the last 1-10 passwords employed by a user, and prevents the user from setting their password to any of those prior values.

See also:
Configure unique password enforcement


POST

Access Schemas

Operation | Method
Get an access schema
/entityType.getAccessSchema

Retrieves the access schema for the specified API client. An access schema defines the subset of attributes to which a client has read or write access.

Note that access schemas only apply to API-based implementations of the Identity Cloud. If you're using a JavaScript SDK-based implementation of Identity Cloud then access to forms and fields is managed by the flow rather than by an access schema.


POST
Create an access schema
/entityType.setAccessSchema

Creates an access schema for the specified API client. Each client can have one read access schema and one write access schema.

Note that access schemas only apply to API-based implementations of the Identity Cloud. If you're using a JavaScript SDK-based implementation of Identity Cloud then access to forms and fields is managed by the flow rather than by an access schema.


POST
Delete an access schema
/entityType.deleteAccessSchema

Deletes the specified access schema for a client. Deleting an access schema gives a client read or write access to all attributes.

Note that access schemas only apply to API-based implementations of the Identity Cloud. If you're using a JavaScript SDK-based implementation of Identity Cloud then access to forms and fields is managed by the flow rather than by an access schema.


POST

Legacy Clients and Settings API

Manages API clients and applications. As the word "legacy" implies, this API no longer represents the preferred way to programmatically manage API clients and applications. Instead, we recommend you use the Configuration API.


API clients

Operation | Method
List all API clients
/clients/list

Returns a list of API clients, optionally filtered by client feature. API clients manage access to Identity Cloud APIs. Note that only the owner client can run this operation.


POST
Modify API client features
/clients/set_features

Modifies the client features for an API client. Features define the permissions assigned to an API client.

See also:
API clients and permissions


POST
Reset an API client secret
/clients/reset_secret

Resets the client secret for the specified API client.


POST
Rename an API client
/clients/set_description

Assigns a new name to an API client. Note that, for API clients, the client name and the client description refer to the same value.


POST
Create an API client
/clients/add

Creates an API client.


POST
Delete an API client
/clients/delete

Deletes an API client.


POST
Modify an API client allowlist
/clients/set_whitelist

Modifies the IP allowlist for the specified API client. When used, the allowlist specifies the range of IP addresses that can use the client when calling Identity Cloud APIs. By default, IP allowlists are set to ["0.0.0.0"], allowing access to the client from any IP address.


POST
Clear an API client allowlist
/clients/clear_whitelist

Clears the IP allowlist for the specified API client.


POST

Published Settings

Operation | Method
Get published application settings
/settings/widget/get

Returns a list of published settings files for the application. Published client settings do such things as support a configurable minimum age requirement for registration or track user acceptance of different terms of service and privacy policies.

With this operation at least three files are returned, including a JSON file for each settings version and both a JSON file and a JavaScript file pointing to the location where the most recent file versions are hosted. If no members are included, all the published settings files assigned to the application are returned.


POST
Get published client settings
/settings/widget/list

Returns the published settings for the specified API client and version. If the version member isn't included, the most recent version of the published settings is returned.


POST
Publish application and API client settings
/settings/widget/publish

Publishes settings to a JSON file available for client-side use with the Registration user interface. This allows the settings to be loaded prior to any server-side operations.


POST
Delete published settings
/settings/widget/delete

Deletes the published settings for the specified API client and version. If the version member isn't included, all versions of the settings published for the API client are deleted.


POST

Application and Client Settings

Operation | Method
Get an API client settings value
/settings/get_default

Returns the value associated with a settings key. If the key has no value at the client scope then the application scope value is returned instead. A null value is returned if the key has no application value either.


POST
Get an application setting value
/settings/get

Returns the value of an application settings key.


POST
Get multiple API client setting values
/settings/get_multi

Returns values for multiple keys. By design, values are returned for keys configured at the client scope. If a key doesn't exist at the client scope the value of the key as configured at the application scope is returned instead.


POST
Delete an application settings key
/settings/delete_default

Deletes an application settings key.


POST
Get all API client setting values
/settings/items

Returns all the settings for the specified API client, including all settings configured at the application scope. If a key is defined in both the client and application settings only the client-specific value is returned.


POST
Get all API client setting keys
/settings/keys

Returns all the setting keys for a client, including those from the application-wide default settings.


POST
Delete an API client setting
/settings/delete

Deletes a settings key from an API client.


POST
Modify an API client setting
/settings/set

Assigns a setting and setting value to an API client. If the specified setting doesn't exist, it's created. If the setting does exist, the current value of that setting is overwritten.


POST
Modify an application setting
/settings/set_default

Creates or updates a setting in the application-wide default settings. If the setting doesn't exist, a new setting is created. If the setting does exist, the current value of that setting is overwritten.


POST
Modify multiple application settings
/settings/set_default_multi

Creates or updates a setting in the application-wide default settings. If the setting doesn't exist, a new setting is created. If the setting does exist, the current value of that setting is overwritten.


POST
Modify multiple API client settings
/settings/set_multi

Assigns multiple settings for the specified API client. If a setting doesn't exist, a new setting is created. If the setting does exist, the current value of that setting is overwritten.


POST

Hosted Login API

Your primary toolset for managing Hosted Login, Identity Cloud’s preferred method for managing user logins and registrations.


Tokens

OperationMethods
Get an administrative access token
/{customerId}/login/token

Requests an administrative access token. An administrative access token is needed to call the other Hosted Login configuration endpoints.


POST
Introspect an access or refresh token
/{customerId}/login/token/introspect

Returns the current state of a Hosted Login access or refresh token. If the token is active then additional claims associated with the token are also returned.


POST
Revoke an access or refresh token
/{customerId}/login/token/revoke

Revokes a previously-issued access token or refresh token. After an access token has been revoked that token can't be used to access a protected resource. After a refresh token has been revoked that token can’t be used to request a new access token and the existing access token is also revoked.


POST

OpenID Connect Endpoints

OperationMethod
Get your discovery document
/{customerId}/login/.well-known/openid-configuration

Returns the discovery document, a set of OpenID Connect values that can be retrieved by a client. These values enable OIDC clients to configure themselves.

See also:
Discovery document


GET
Get your JSON web keys
/{customerId}/login/jwk

Returns information about the JSON web keys (JWK) assigned to a customer. JSON web keys are public cryptographic keys used to verify the signatures on Hosted Login identity tokens.

See also:
JSON web keys


GET
Get userinfo Information
/{customerId}/profiles/oidc/userinfo

Returns user profile information from the userinfo endpoint.


GET

OpenID Connect Clients

OperationMethod
Get all OpenID Connect clients
/{customerId}/config/clients

Returns information about all the OpenID Connect clients assigned to a customer.


GET
Get an OpenID Connect client
/{customerId}/config/clients/{oidcClientId}

Returns information about an OpenID Connect client.


GET
Modify an OpenID Connect client
/{customerId}/config/clients/{oidcClientId}

Modifies the specified OpenID Connect client.


PUT
Get an OpenID Connect client secret
/{customerId}/config/clients/{oidcClientId}/secret

Returns the client secret for the specified OIDC client. Note that this is the only way to return the secret for a confidential or configuration client.


GET
Reset an OpenID Connect client secret
/config/clients/{oidcClientId}/secret

Resets the client secret for an OpenID Connect confidential client or configuration client. Resetting the secret enables you to rotate client secrets or to change a client secret you believe might have been compromised.


PUT
Create an OpenID Connect client
/{customerId}/config/clients

Creates an OpenID Connect client.

See also:
Create an OIDC login client
Create a Hosted Login configuration client


POST
Delete an OpenID Connect client
/{customerId}/config/clients/{oidcClientId}

Deletes the specified OpenID Connect client.


DELETE

Login Policies

OperationMethod
Get all login policies
/{customerId}/config/loginPolicies

Returns information about the login policies associated with the specified customer. Login policies help manage the user login experience by doing such things as specifying the exact path to the Capture domain and the user profile entity type, and defining the login URL for the directory.

See also:
List login policies

GET
Get a login policy
/{customerId}/config/loginPolicies/{loginPolicyId}

Returns information about the specified login policy. All OpenID Connect clients used for logins and registrations need to be assigned a login policy.


GET
Modify a login policy
/{customerId}/config/loginPolicies/{loginPolicyId}

Returns information about the specified login policy. All OpenID Connect clients used for logins and registrations need to be assigned a login policy.

See also:
Modify a login policy


PUT
Create a login policy
/{customerId}/config/loginPolicies

Creates a login policy. Login policies help manage the user login experience by doing such things as specifying the exact path to the Capture domain and the user profile entity type, and defining the login URL.

See also:
Create a login policy


POST
Delete a login policy
/{customerId}/config/loginPolicies

Deletes the specified login policy. Login policies help manage the user login experience by doing such things as specifying the exact path to the Capture domain and the user profile entity type, and defining the login URL.

See also:
Delete a login policy


DELETE
Get a login policy's push claim status
/{customerId}/config/loginPolicies/{loginPolicyId}/pushClaims

Returns information about a login policy’s push claims status. Push claims centralize and standardize the user profile information added to an identity token or made available from the userinfo endpoint following a successful authentication.

See also:
Push claims


GET
Modify a login policy's push claim status
/{customerId}/config/loginPolicies/{loginPolicyId}/pushClaims

Enables or disables push claims for the specified login policy. Push claims centralize and standardize the user profile information added to an identity token or made available from the userinfo endpoint following a successful authentication.

See also:
Push claims


PUT
Get a login policy's allowed response types
/{customerId}/config/loginPolicies/{loginPolicyId}/allowedResponseTypes

Returns information about the response types assigned to the specified login policy. In an authorization request, the response_type parameter specifies the items clients expect to get back from the authorization server following a successful authentication.

See also:
Supported response types


GET
Modify a login policy's allowed response types
/{customerId}/config/loginPolicies/{loginPolicyId}/allowedResponseTypes

Modifies the response types assigned to the specified login policy. In an authorization request, the response_type parameter specifies the items clients expect to get back from the authorization server following a successful authentication.

See also:
Supported response types


PUT

Token Policies

OperationMethod
Get all token policies
/{customerId}/config/tokenPolicies

Returns information about your token policies. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients.

See also:
List token policies


GET
Get a token policy
/{customerId}/config/tokenPolicies/{tokenPolicyId}

Returns information about the specified token policy. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients.


GET
Modify a token policy
/{customerId}/config/tokenPolicies/{tokenPolicyId}

Modifies a token policy. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients.

See also:
Modify a token policy


PUT
Create a token policy
/{customerId}/config/tokenPolicies

Creates a token policy. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients associated.

See also:
Create a token policy


POST
Delete a token policy
/{customerId}/config/tokenPolicies/{tokenPolicyId}

Deletes a token policy. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients.

See also:
Delete a token policy


DELETE
Get a token policy's allowed grant types
/{customerId}/config/tokenPolicies/{tokenPolicyId}/allowedGrantTypes

Returns information about the grant types defined in the specified token policy. A grant is a standard methodology for obtaining tokens and, as a result, obtaining access to resources.

See also:
Supported authorization grant types


GET
Modify a token policy's allowed grant types
/{customerId}/config/tokenPolicies/{tokenPolicyId}/allowedGrantTypes

Modifies the grant types supported by the specified token policy. A grant is a standard methodology for obtaining tokens and, as a result, obtaining access to resources.

See also:
Supported authorization grant types


PUT
Get a token policy's allowed resource indicators
/{customerId}/config/tokenPolicies/{tokenPolicyId}/allowedResourceIndicators

Returns information about the resource indicators supported by the specified token policy. Resource indicators are identifiers representing items that can be referenced when using the resource parameter.

See also:
Secure audience injection and the resource parameter


GET
Modify a token policy's allowed resource indicators
/{customerId}/config/tokenPolicies/{tokenPolicyId}/allowedResourceIndicators

Modifies the resource indicators supported by the specified token policy. Resource indicators are identifiers representing items that can be referenced when using the resource parameter.

See also:
Secure audience injection and the resource parameter


PUT

Authorization requests, logins, and logouts

OperationMethod
Submit an authorization request
/{customerId}/{hostedLoginDomain}/login/token

Requests Hosted Login authorization for an end user.

See also:
Authorization code + PKCE grant type


POST
Logout from Hosted Login
/{customerId}/{hostedLoginDomain}/auth-ui/logout?{clientId}&{redirectUri}

Logs a user out of a Hosted Login session.


GET

SIEM Event Delivery API

Operations for managing Identity Cloud’s Security Event and Information Management (SIEM) service. SIEM is a recognized standard for collecting, aggregating, and analyzing events that take place on a website or within an app.

OperationMethod
Get the SIEM event service status
/config/applications/{appId}/eventdelivery/readStatus

Returns the SIEM event delivery service activation or deactivation status for the specified application.

See also:
Activate or deactivate SIEM event feeds


GET
Activate the SIEM event service
/config/applications/{appId}/eventdelivery/activate

Activates the SIEM event delivery service. You can't collect SIEM events unless the service is activated.

See also:
Activate or deactivate SIEM event feeds

POST
Deactivate the SIEM event service
/config/applications/{appId}/eventdelivery/deactivate

Deactivates the SIEM event delivery service for the specified application. After you call this operation, SIEM event messages for the application are no longer delivered.

See also:
Activate or deactivate SIEM event feeds


POST
Get the SIEM event blocklist
/config/applications/{appId}/eventdelivery/readBlocklist

Returns a list of the SIEM event delivery service event types blocked for the specified application. If an event type is blocked, event messages for that event aren't delivered. For example, if you block the new_email_verification event you won’t receive a notification when a user verifies an email address.

See also:
Block SIEM events


POST
Add an event to the SIEM event blocklist
/config/applications/{appId}/eventdelivery/addBlocklist

Adds an event to the SIEM event delivery service event types blocked for the specified application. If an event type is blocked, event messages for that event aren't delivered.


GET
Remove an event from the SIEM event blocklist
/config/applications/{appId}/eventdelivery/deleteBlocklist

Removes one or more events from an application’s SIEM event delivery service blocklist. After an event is removed from the blocklist you'll receive a notification each time that event occurs.

See also:
Block SIEM events


POST
Get the SIEM event service public keys
/config/applications/{appId}/eventdelivery/readKeys

Returns information about the public keys assigned to the specified application. Use public keys to connect to the Amazon S3 bucket and download the event messages delivered by the SIEM event delivery service.

See also:
Manage SIEM event public keys (legacy customers only)


POST
Assign a public key to the SIEM event service
/config/applications/{appId}/eventdelivery/addKeys

Assigns public keys to the specified application. Use public keys to connect to the Amazon S3 bucket and download event messages delivered by the SIEM event delivery service. Organizations can assign a maximum of 10 public keys to their S3 bucket. However, you can delete one or more of your older keys and replace them with new keys.

See also:
Manage SIEM event public keys (legacy customers only)


GET
Delete a SIEM event service public key
/config/applications/{appId}/eventdelivery/deleteKeys

Removes SIEM event delivery service public keys.

See also:
Manage SIEM event public keys (legacy customers only)


POST

Social API

Manages and configures social login, the technology enabling users to create, and then log in to, an Identity Cloud website by using their Facebook account, their Twitter account, or an account created with any of the other supported social login identity providers.


Tokens and Authentication

OperationMethod
Authenticate a social login
/api/v2/auth_info

Authenticates a social login user.


POST
Exchange a social login token for an access token
/api/v2/signin/oauth_token

Exchanges a social login identity provider token for an Identity Cloud social login token.


POST

Social Login Providers

OperationMethod
Get all social login providers
/api/v2/get_available_providers

Returns a list of configured providers for an application.


POST
Get all configured social login providers
/api/v2/providers

Returns a list of configured social login identity providers for an application.


POST
Configure social login authentication providers
/api/v2/set_auth_providers

Defines the list of social login identity providers that appear on the sign-in and registration pages. This is the same list of providers maintained by the Social Login dashboard.


POST

Social Login Settings and Configuration

OperationMethod
Get a domain allowlist
/api/v2/get_domain_patterns

Returns all the domains on the social login allowlist. If the allowlist is configured, then only the domains included on that list can communicate with your social login application.


POST
Add a domain to a domain allowlist
/api/v2/set_domain_patterns

Replaces the social login allowlist for an application. If the allowlist is configured, then only the domains included on that list can communicate with your social login application.


POST
Modify a domain allowlist
/api/v2/add_domain_patterns

Modifies the domains on the social login allowlist. If the allowlist is configured, only the domains included on that list can communicate with your social login application.


POST
Get all social login application settings
/api/v2/get_application_settings

View social login application settings.


POST
Modify social login application settings
/api/v2/set_app_settings

Configures social login application settings.


POST

User Profiles

OperationMethod
Associate an identity provider with a primary key
/api/v2/map

Associates a primary key with a user’s social identity.


POST
Remove an identity provider from a primary key
/api/v2/unmap

Removes a social login identity provider from a primary key.


POST

Webhooks v3 API

Sends you near real-time notifications any time a user account is created, deleted, or modified.


Webhook Subscriptions

OperationMethod
Get all Webhooks v3 subscriptions
/{customerId}/webhooks/subscriptions

Returns information about the webhook subscriptions assigned to a customer.


GET
Get a Webhooks v3 subscription
/{customerId}/webhooks/subscriptions/{subscriptionId}

Returns information about the specified webhooks subscription.


GET
Modify a Webhooks v3 subscription
/{customerId}/webhooks/subscriptions/{subscriptionId}

Modifies a webhooks subscription.

See also:
Configure webhook subscriptions


PATCH
Create a Webhooks v3 subscription
/{customerId}/webhooks/subscriptions

Creates a webhooks subscription.

See also:
Configure webhook subscriptions


POST
Delete a Webhooks v3 subscription
/{customerId}/webhooks/subscriptions/{subscriptionId}

Deletes the specified webhook subscription.


DELETE

Webhook Events

OperationMethod
List Webhooks v3 events
/{customerId}/webhooks/subscriptions/{subscriptionId}/events

Returns event notifications for the specified webhooks subscription.

See also:
View webhooks data in the events store


GET
Get a Webhooks v3 event
/{customerId}/webhooks/subscriptions/{subscriptionId}/events/{eventId}

Returns information about the specified webhooks event.

See also:
View webhooks data in the events store


GET
Get a Webhooks v3 event's event history
/{customerId}/webhooks/subscriptions/{subscriptionId}/events/{eventId}/history

Returns the event history for the specified webhooks event.


GET
Redeliver a Webhooks v3 event
/{customerId}/webhooks/subscriptions/{subscriptionId}/events/{eventId}/redelivery

Schedules the specified event for redelivery to your listener endpoint.

See also:
Schedule redelivery for a failed webhook event


POST
Send a Webhooks v3 test notification
/{customerId}/webhooks/subscriptions/{subscriptionId}/test

Sends a test notification to your listener endpoint.


POST

Webhooks v3 access tokens

OperationMethod
Get a Webhooks v3 administrative access token
/{customerId}/login/token

Requests an administrative access token for calling the other Webhooks v3 API endpoints.


POST