Identity Cloud REST API index
Click the link to download the Identity Cloud REST API Postman collection.
This page features a list of, and links to, all the Identity Cloud REST API operations.
Authentication API
The Authentication API provides methods for creating accounts on, and logging in to, websites and apps.
Access tokens and codes
Operation | Method |
---|---|
Get an authorization code /access/getAuthorizationCode Returns an authorization code you can exchange for an access token and a refresh token. Note that this operation can't be used to obtain Hosted Login access and refresh tokens. | POST |
Get an access token /access/getAccessToken Retrieves an Identity Cloud access token. Note that this access token can’t be used to obtain Hosted Login access tokens. | POST |
Exchange an authorization code /oauth/token Returns an Identity Cloud access token for an authenticated user. You need to exchange either an authorization code or a refresh token in order to get an access token. An authorization code is generated when a user is authenticated by using the JavaScript SDK or the Authentication API. Note that the authorization code and refresh tokens used with this operation can’t be exchanged for a Hosted Login access token. See also: • Exchange an authorization code | POST |
Complete social registration /oauth/register_native Completes social registration. With social registration, a user creates an Identity Cloud account by using credentials and profile information derived from a social login identity provider such as Facebook or Twitter. See JavaScript SDK registration overview for a comparison of social logins and registrations and traditional logins and registrations. See also: • Complete social login and registration | POST |
Complete traditional registration /oauth/register_native_traditional Completes a traditional registration. After registration completes, a user can authenticate on your website by using an email address and password. See JavaScript SDK registration overview for a comparison of social logins and registrations and traditional logins and registrations. See also: • Complete traditional login and registration | POST |
Complete social login /oauth/auth_native Completes social login, a login carried out by first authenticating with a social login identity provider (IdP) and then using the IdP's credentials to log in to Identity Cloud. See JavaScript SDK registration overview for a comparison of social logins and registrations and traditional logins and registrations. See also: • Complete social login and registration | POST |
Complete traditional login /oauth/auth_native_traditional Completes a traditional login, a process involving an email address and password. See JavaScript SDK registration overview for a comparison of social logins and registrations and traditional logins and registrations. See also: • Complete traditional login and registration | POST |
User profiles
Operation | Method |
---|---|
Update a user profile /oauth/update_profile_native Updates a user profile based on input from a user. To make this call, you must have a valid Registration access token for the user profile to be updated. See also: • Update a user profile | POST |
Get a verification code /access/getVerificationCode Returns a verification code for setting an attribute to the current date and time. This is useful for such tasks as recording the date and time when an email address is verified. | POST |
Set a timestamp /access/use_verification_code Uses a one-time verification code to set a field value to the current date and time. For example, setting the emailVerified attribute to a timestamp indicates that the associated email address has been verified. | POST |
Send a password reset link /oauth/forgot_password_native Sends an email that includes a link for resetting a password. Clicking the link (which includes a one-time pass code) takes the user to a screen where they can reset their password. See also: • Reset a password | POST |
Verify an email address /oauth/verify_email_native Sends an email that includes a one-use verification link a user can click to complete the email verification process. The destination URL for this link is configured in the verify_email_url setting of the API client used to make the API call. | POST |
Link a social identity to a user account /oauth/link_account_native Links a new social identity provider (IdP) to an existing user account. After a provider is linked, you can use that IdP to log on to your Identity Cloud account. Note that social logins can be used in addition to or instead of traditional Identity Cloud logins. In a traditional login, the user logs in by supplying an email address and password. See also: • Link or unlink accounts | POST |
Unlink a social identity from a user account /oauth/unlink_account_native Unlinks a social provider from a user account. Once unlinked, the social provider can't be used to sign into that user account. To make this call, you must have a valid Registration access token for the user record being updated. See also: • Link or unlink accounts | POST |
Configuration API
The Configuration API is a large collection of endpoints revolving around three areas of Identity Cloud administration:
- Applications, API clients, and settings
- Entity types and attributes
- Flows
Client and Settings APIs
API clients
Operation | Method |
---|---|
Get all API clients /config/{app_id}/clients Returns information about the API clients associated with an application. API clients are primarily used to control access to the Identity Cloud APIs and to help define the user login and registration experience. | GET |
Get an API client /config/{app_id}/clients/{client_id} Returns information about a specific API client. | GET |
Modify an API client /config/{app_id}/clients/{client_id} Modifies permissions and settings for an API client. | PUT |
Reset an API client secret /config/{app_id}/clients/{client_id}/secret Resets the client secret for an API client. For example, you might reset the secret if you believe that secret has been exposed to unauthorized users or if someone who had access to the secret has left your organization. It's recommended that you contact your Akamai representative before resetting the client secret for an owner client. | POST |
Create an API client /config/{app_id}/clients Creates an API client. | POST |
Delete an API client /config/{app_id}/clients/{client_id} Deletes an existing API client. You can't delete an API client assigned the owner feature. | DELETE |
Application and client settings
Operation | Method |
---|---|
Get all application and client settings /config/{app_id}/settings Returns settings and values for the specified API client. This operation returns both the application settings and the settings applied specifically to the API client. Your operation must have owner permissions in order to return the global settings. | GET |
Get all the standard application settings /config/{app_id}/settings/options Returns information about Identity Cloud's predefined application and client settings. Custom settings that you’ve added yourself aren’t returned by this operation. | GET |
Modify application settings /config/{app_id}/settings Modifies the global settings for an application. | PUT |
Get API client settings /config/{app_id}/clients/{client_id}/settings Returns the settings associated with a specific API client. In the API response, client settings, global settings, and custom settings are returned as separate JSON objects. | GET |
Modify API client settings /config/{app_id}/clients/{client_id}/settings Modifies the client settings associated with a specific API client. | PUT |
Entity Type APIs
Operation | Method |
---|---|
Get all entity types /config/{app_id}/entityTypes Returns information about the entity types associated with an application. Entity types are databases that store user profile information. | GET |
Get an entity type /config/{app_id}/entityTypes/{entity_type} Returns information about the specified entity type. | GET |
Get the attributes in an entity type /config/{app_id}/entityTypes/{entity_type}/attributes Returns detailed information about each attribute in an entity type, including the attribute name and datatype. Attributes (roughly equivalent to database fields) represent individual bits of user information such as a user’s first name or a user’s email address. | GET |
Get an entity type attribute /config/{app_id}/entityTypes/{entity_type}/attributes/{attribute_name} Returns detailed information about the specified attribute, including the attribute name and data type. | GET |
Flows and flow management APIs
Flows
Operation | Method |
---|---|
Get all flows /config/{app_id}/flows Returns the flows associated with an application. Flows are JSON files that, among other things, help determine the look and feel of the user experience. | GET |
Get a flow /config/{app_id}/flows/{flow} Returns information about the specified flow. | GET |
Get all the versions of a flow /config/{app_id}/flows/{flow}/versions Returns a list of available versions for a flow. Each time you make and save a change to a flow (for example, adding a new field or deleting an existing translation) a new flow version is created. | GET |
Get a specific flow version /config/{app_id}/flows/{flow}/versions/{version} Returns the specified version of a flow. | GET |
Modify a flow /config/{app_id}/flows/{flow} Updates or replaces the userData object or the entity type schemas object assigned to the flow. The userData object lists the schema attributes to be stored in the janrainCaptureProfileData object in local storage following a successful authentication. The schemas object contains the name of your user profile databases. | PUT |
Copy a flow /config/{app_id}/flows/{flow}/copy Creates a new flow by copying an existing flow. This operation can't be used to overwrite an existing flow; it can only be used to create a brand-new flow. | POST |
Promote a flow /config/{app_id}/flows/{flow}/promote Promotes a flow to another application. Promoting a flow simply means copying that flow from one application (such as your development environment) to another application (such as your production environment). | POST |
Restore a flow /config/{app_id}/flows/{flow}/versions/{version} Restores a flow to a previous version of that flow. When you restore a flow, the selected version becomes the current (HEAD) version of the flow. | POST |
Fields
Operation | Method |
---|---|
Get all the fields in a flow /config/{app_id}/flows/{flow}/fields Returns a list of fields defined in the flow. Fields provide a link between onscreen form elements and their underlying user profile attributes. For example, onscreen a user might enter their first name in a field labeled First Name. In turn, the value entered in that field will be written to the givenName attribute in the user’s user profile. | GET |
Get a field /config/{app_id}/flows/{flow}/fields/{field} Returns information about a field. | GET |
Modify a field /config/{app_id}/flows/{flow}/fields/{field} Updates a field. | PUT |
Create a field /config/{app_id}/flows/{flow}/fields Creates a new field and adds that field to a flow. See also: • Create a field and add it to a Hosted Login form • Manage custom fields • Field reference | POST |
Remove a field /config/{app_id}/flows/{flow}/fields/{field} Removes a field from the flow. This operation also removes the field from any forms that reference the field. | DELETE |
Forms
Operation | Method |
---|---|
Get all the forms in a flow /config/{app_id}/flows/{flow}/forms Returns a list of forms in the flow. Forms serve as a container for fields. For example, the traditionalRegistrationForm form contains fields for all the information (name, email address, password, phone number, etc.) you want to collect from a user when creating their user account. | GET |
Get a form /config/{app_id}/flows/{flow}/forms/{form} Returns detailed information about the specified form. | GET |
Modify a form /config/{app_id}/flows/{flow}/forms/{form} Updates or replaces the list of fields and features in the form. Any fields added to the form must already exist in the flow. See also: • Add a field to a Hosted Login form | PUT |
Create a form /config/{app_id}/flows/{flow}/forms Creates a form. | POST |
Delete a form /config/{app_id}/flows/{flow}/forms/{form} Deletes the specified form, but without deleting the fields associated with the form. | DELETE |
Email templates
Operation | Method |
---|---|
Get all the email templates in a flow /config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates Returns a list of all the transaction email templates in the specified locale. Transactional emails are emails automatically sent by Identity Cloud in response to specific user activities. For example, after a user creates an account an email is sent asking the user to verify their email address. | GET |
Get an email template /config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template} Returns information about the specified email template. | GET |
Modify an email template /config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template} Modifies an email template. Note that, while you can modify your email templates, you can’t delete those templates nor can you create new templates. See also: • Modify transactional emails | PUT |
Get the body of an email template /config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}/body Returns the body for an email template. | GET |
Modify the body of an email template /config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}/body Updates the body for an email template. | PUT |
Get the subject of an email template /config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}/subject Returns the subject line for an email template. | GET |
Modify the subject of an email template /config/{app_id}/flows/{flow}/locales/{locale}/mailTemplates/{template}/subject Updates the subject line for an email template. | PUT |
Hosted Login upgrades
Operation | Method |
---|---|
Get all available Hosted Login upgrades /config/{app_id}/flows/{flow}/upgrades Returns the version numbers of Hosted Login you can upgrade to. | GET |
Get Hosted Login upgrade requirements /config/{app_id}/flows/{flow}/upgrades/{upgradeId} Returns information about the fields, translations, and screens that need to be added to or removed from a flow to make that flow compatible with the specified version of Hosted Login. | GET |
Upgrade Hosted Login /config/{app_id}/flows/{flow}/upgrades/{upgradeId} Adds the fields, translations, and screens required to help ensure that a flow is compatible with the specified version of Hosted Login. | POST |
Hosted Login links
Operation | Method |
---|---|
Get all the Hosted Login links in a flow /config/{app_id}/flows/{flow}/links Returns a collection of all the Hosted Login links defined within the specified flow. These links appear on Hosted Login screens and direct your users to locations such as your help center or privacy policy. | GET |
Get a Hosted Login link /config/{app_id}/flows/{flow}/links/{linkId} Returns detailed information about a Hosted Login link. | GET |
Modify a Hosted Login link /config/{app_id}/flows/{flow}/links/{linkId} Updates a Hosted Login link. See also: • Change the target of a Hosted Login link | PUT |
Create a Hosted Login link /config/{app_id}/flows/{flow}/links Creates a new Hosted Login link. See also: • Create a Hosted Login link | POST |
Delete a Hosted Login link /config/{app_id}/flows/{flow}/links/{linkId} Deletes the specified Hosted Login link. | DELETE |
Hosted Login 2FA messages
Operation | Method |
---|---|
Get all the 2FA messages in a flow /config/{app_id}/flows/{flow}/locales/{locale}/2faMessages Returns information about the two-factor authentication (2FA) messages included in a flow. See also: • View 2FA messages | GET |
Get a 2FA message /config/{app_id}/flows/{flow}/locales/{locale}/2faMessages/{messageId} Returns the specified two-factor authentication (2FA) message. Note that each 2FA message actually consists of: 1) an SMS message; 2) a plain-text email message; and 3) an HTML-formatted email message. See also: • View 2FA messages | GET |
Add the default 2FA messages to a flow /config/{app_id}/flows/{flow}/locales/{locale}/2faMessages Adds the default collection of two-factor authentication (2FA) messages to the specified flow. See also: • Add 2FA messages to a flow | POST |
Modify a 2FA message /config/{app_id}/flows/{flow}/locales/{locale}/2faMessages/{messageId} Modifies the specified two-factor authentication (2FA) message. See also: • Modify a 2FA message | PUT |
Locales
Operation | Method |
---|---|
Get all the locales in a flow /config/{app_id}/flows/{flow}/locales/{locale} Returns a list of all the locales associated with a flow. Each locale represents a specific language, region, and collection of locale variant preferences. Having different locales enables you to better personalize the user login and registration experience. | GET |
Get all the localized fields in a flow /config/{app_id}/flows/{flow}/locales/{locale}/fields Returns a list of fields defined for the specified locale. | GET |
Create a localized field /config/{app_id}/flows/{flow}/locales/{locale}/fields Adds a field to the specified locale. | POST |
Get a localized field /config/{app_id}/flows/{flow}/locales/{locale}/fields/{field} Returns information about a localized field. | GET |
Modify a localized field /config/{app_id}/flows/{flow}/locales/{locale}/fields/{field} Updates a localized field. | PUT |
Strings
Operation | Method |
---|---|
Get all the strings in a flow /config/{app_id}/flows/{flow}/strings Returns the strings defined in the flow. Strings are text elements that aren’t tied to a specific form. | GET |
Get a string /config/{app_id}/flows/{flow}/strings/{string} Returns information about the specified string. | GET |
Create a string /config/{app_id}/flows/{flow}/strings Adds a string to the flow. | POST |
Modify a string /config/{app_id}/flows/{flow}/strings/{string} Updates or replaces a string. | PUT |
Delete a string /config/{app_id}/flows/{flow}/strings/{string} Removes a string from a flow. | DELETE |
Get all the localized strings in a flow /config/{app_id}/flows/{flow}/locales/{locale}/strings Returns a list of all the localized strings defined in a flow. | GET |
Get a localized string /config/{app_id}/flows/{flow}/locales/{locale}/strings/{string} Returns information about the localized string. | GET |
Create a localized string /config/{app_id}/flows/{flow}/locales/{locale}/strings Adds a localized string to a flow. | POST |
Modify a localized string /config/{app_id}/flows/{flow}/locales/{locale}/strings/{string} Updates or replaces a localized string in the flow. | PUT |
Delete a localized string /config/{app_id}/flows/{flow}/locales/{locale}/strings/{string} Removes a localized string from a flow. | DELETE |
Screens
Operation | Method |
---|---|
Get all the screens in a flow /config/{app_id}/flows/{flow}/screens Returns the screens associated with a flow. | GET |
Get a screen /config/{app_id}/flows/{flow}/screens/{screen} Returns information about a specific screen. | GET |
Modify a screen /config/{app_id}/flows/{flow}/screens/{screen} Updates property values for the specified screen. | PUT |
Create a screen /config/{app_id}/flows/{flow}/screens Creates a new screen. New screens are primarily designed for use with the JavaScript SDK. | POST |
Delete a screen /config/{app_id}/flows/{flow}/screens/{screen} Deletes the specified screen. Be forewarned that it’s possible (although not recommended) to delete the default screens that ship with Hosted Login and the JavaScript SDK. | DELETE |
Translations
Operation | Method |
---|---|
Get all the translations in a flow /config/{app_id}/flows/{flow}/translations Returns all the translations in a flow. | GET |
Get a translation /config/{app_id}/flows/{flow}/translations/{key} Returns all the translations for the specified translation key (i.e., all the translated values of a word or phrase). | GET |
Create a translation /config/{app_id}/flows/{flow}/translations Creates a translation for the specified locale. You’re on your own to provide the correctly translated value. | POST |
Delete a translation /config/{app_id}/flows/{flow}/translations/{key} Deletes a translation. | DELETE |
Modify a translation /config/{app_id}/flows/{flow}/translations Updates an existing translation. See also: • Modify screen text • Localize screen text | PATCH |
Custom Provider API
The Custom Provider API enables organizations to leverage almost any social login IdP they want, as long as that identity provider uses one of the following protocols:
- OAuth 2.0
- OpenID Connect
- SAML 2
Operation | Method |
---|---|
Get all social login applications /{customerId}/v2/config/low/services/engage-v2/apps Returns information about your social login applications. You need a social login application to configure social login for Hosted Login and to create custom providers. | GET |
Get a social login application /{customerId}/v2/config/low/services/engage-v2/apps/{appId} Returns detailed information about a specific social login application. | GET |
Get all the custom providers in an application /{customerId}/v2/config/low/services/engage-v2/apps/{appId}/custom-providers Returns information about your custom providers. Custom providers are social login identity providers (IdPs) that weren't predefined by Akamai. Most IdPs that support OAuth 2.0, OpenID Connect, or SAML2 can be configured as custom providers. | GET |
Get a custom provider /{customerId}/v2/config/low/services/engage-v2/apps/{appId}/custom-providers/{providerId} Returns detailed information about the specified custom provider. | GET |
Modify a custom provider /{customerId}/v2/config/low/services/engage-v2/apps/{appId}/custom-providers/{providerId} Modifies a custom provider. | PATCH |
Create a custom provider /{customerId}/v2/config/low/services/engage-v2/apps/{appId}/custom-providers Creates a custom provider. The social login identity provider being used as a custom provider needs to support OAuth 2.0, OpenID Connect, or SAML2. See also: • Create a custom provider | POST |
Entity and Entity Type API
API operations for managing user profiles and user profile databases.
Entities and user profiles
Operation | Method |
---|---|
Get a user profile /entity Returns the specified user profile. By default, this endpoint returns all the attributes associated with the user profile. However, it’s also possible to return a specified subset of attributes. | POST |
Search for user profiles /entity.find Searches an entity type for users meeting the specified criteria. For example, you might search for all the users who have not logged on since a specified date, or for all the users whose accounts were created after that date. | POST |
Count user profiles /entity.count Returns the number of user profiles in an entity type that meet the specified criteria. For example, you might return the number of users who live in France or the number of users who work for Akamai. | POST |
Modify a user profile /entity.update Updates a user profile. Note that this operation only modifies attributes specified in the request. Any attributes not included in the request are left exactly as-is. | POST |
Replace a user profile /entity.replace Replaces all the attribute values in a user profile with a new set of attribute values. By default, any attributes not included in your operation are replaced with null values. | POST |
Create a user profile /entity.create Creates a user profile. Note that, because of database replication requirements, it might take a few minutes for the new user profile to be available to other operations. | POST |
Create multiple user profiles /entity.bulkCreate Creates multiple user profiles with a single operation. Note that your request body can't be larger than 5 MB. If you encounter a "client intended to send too large body" error, you must reduce the size of the request body. For example, you might divide the list of accounts to be created in half, then use two API calls instead of one. See also: • Query or import large data sets | POST |
Delete a user profile /entity.delete Deletes the specified user profile. Alternatively, you can use this endpoint to delete a child attribute of a plural attribute. In that case, only the child attribute is deleted and the rest of the user profile remains as-is. | POST |
Invalidate user access tokens /entity.deleteAccess Removes all existing access grants issued to the user, including all the access tokens, refresh tokens, and refresh secrets. | POST |
Entity types
Operation | Method |
---|---|
Get all entity types /entityType.list Returns information about your entity types. An entity type is a user profile data store. | POST |
Get an entity type /entityType Returns detailed information about the specified entity type. | POST |
Create an entity type /entityType.create Creates an entity type. See also: • Schema data types | POST |
Attributes, validations, and constraints
Operation | Method |
---|---|
Create an attribute /entityType.addAttribute Adds an attribute to an entity type. This operation also adds the new attribute to all existing user profiles. | POST |
Delete an attribute /entityType.removeAttribute Removes an attribute from an entity type. Note that all the data associated with this attribute is deleted as well. That means that the attribute and its value are removed from each user profile in the entity type. | POST |
Get all validation rules /entityType.rules Returns all the data validation rules configured for the specified entity type. Identity Cloud uses these rules to validate attribute data with each user profile update. | POST |
Create a validation rule /entityType.addRule Creates a data validation rule for specified attributes in your schema. | POST |
Delete a validation rule /entityType.removeRule Removes the specified validation rule. | POST |
Assign constraints to an attribute /entityType.setAttributeConstraints Configures the list of constraints for an attribute. Constraints place restrictions on the type of data that can be stored in an attribute. | POST |
Unique password enforcement
Operation | Method |
---|---|
Modify password history settings /entityType.setPasswordSettings Manages the password history settings for an entity type. Password history tracks the last 1-10 passwords employed by a user, and prevents the user from setting their password to any of those prior values. See also: • Configure unique password enforcement | POST |
Access Schemas
Operation | Method |
---|---|
Get an access schema /entityType.getAccessSchema Retrieves the access schema for the specified API client. An access schema defines the subset of attributes to which a client has read or write access. Note that access schemas only apply to API-based implementations of the Identity Cloud. If you're using a JavaScript SDK-based implementation of Identity Cloud then access to forms and fields is managed by the flow rather than by an access schema. | POST |
Create an access schema /entityType.setAccessSchema Creates an access schema for the specified API client. Each client can have one read access schema and one write access schema. Note that access schemas only apply to API-based implementations of the Identity Cloud. If you're using a JavaScript SDK-based implementation of Identity Cloud then access to forms and fields is managed by the flow rather than by an access schema. | POST |
Delete an access schema /entityType.deleteAccessSchema Deletes the specified access schema for a client. Deleting an access schema gives a client read or write access to all attributes. Note that access schemas only apply to API-based implementations of the Identity Cloud. If you're using a JavaScript SDK-based implementation of Identity Cloud then access to forms and fields is managed by the flow rather than by an access schema. | POST |
Legacy Clients and Settings API
Manages API clients and applications. As the word "legacy" implies, this API no longer represents the preferred way to programmatically manage API clients and applications. Instead, we recommend you use the Configuration API.
API clients
Operation | Method |
---|---|
List all API clients /clients/list Returns a list of API clients, optionally filtered by client feature. API clients manage access to Identity Cloud APIs. Note that only the owner client can run this operation. | POST |
Modify API client features /clients/set_features Modifies the client features for an API client. Features define the permissions assigned to an API client. See also: • API clients and permissions | POST |
Reset an API client secret /clients/reset_secret Resets the client secret for the specified API client. | POST |
Rename an API client /clients/set_description Assigns a new name to an API client. Note that, for API clients, the client name and the client description refer to the same value. | POST |
Create an API client /clients/add Creates an API client. | POST |
Delete an API client /clients/delete Deletes an API client. | POST |
Modify an API client allowlist /clients/set_whitelist Modifies the IP allowlist for the specified API client. When used, the allowlist specifies the range of IP addresses that can use the client when calling Identity Cloud APIs. By default, IP allowlists are set to ["0.0.0.0"], allowing access to the client from any IP address. | POST |
Clear an API client allowlist /clients/clear_whitelist Clears the IP allowlist for the specified API client. | POST |
Published Settings
Operation | Method |
---|---|
Get published application settings /settings/widget/get Returns a list of published settings files for the application. Published client settings do such things as support a configurable minimum age requirement for registration or track user acceptance of different terms of service and privacy policies. With this operation at least three files are returned, including a JSON file for each settings version and both a JSON file and a JavaScript file pointing to the location where the most recent file versions are hosted. If no members are included, all the published settings files assigned to the application are returned. | POST |
Get published client settings /settings/widget/list Returns the published settings for the specified API client and version. If the version member isn't included, the most recent version of the published settings is returned. | POST |
Publish application and API client settings /settings/widget/publish Publishes settings to a JSON file available for client-side use with the Registration user interface. This allows the settings to be loaded prior to any server-side operations. | POST |
Delete published settings /settings/widget/delete Deletes the published settings for the specified API client and version. If the version member isn't included, all versions of the settings published for the API client are deleted. | POST |
Application and Client Settings
Operation | Method |
---|---|
Get an API client settings value /settings/get_default Returns the value associated with a settings key. If the key has no value at the client scope then the application scope value is returned instead. A null value is returned if the key has no application value either. | POST |
Get an application setting value /settings/get Returns the value of an application settings key. | POST |
Get multiple API client setting values /settings/get_multi Returns values for multiple keys. By design, values are returned for keys configured at the client scope. If a key doesn't exist at the client scope the value of the key as configured at the application scope is returned instead. | POST |
Delete an application settings key /settings/delete_default Deletes an application settings key. | POST |
Get all API client setting values /settings/items Returns all the settings for the specified API client, including all settings configured at the application scope. If a key is defined in both the client and application settings only the client-specific value is returned. | POST |
Get all API client setting keys /settings/keys Returns all the setting keys for a client, including those from the application-wide default settings. | POST |
Delete an API client setting /settings/delete Deletes a settings key from an API client. | POST |
Modify an API client setting /settings/set Assigns a setting and setting value to an API client. If the specified setting doesn't exist, it's created. If the setting does exist, the current value of that setting is overwritten. | POST |
Modify an application setting /settings/set_default Creates or updates a setting in the application-wide default settings. If the setting doesn't exist, a new setting is created. If the setting does exist, the current value of that setting is overwritten. | POST |
Modify multiple application settings /settings/set_default_multi Creates or updates a setting in the application-wide default settings. If the setting doesn't exist, a new setting is created. If the setting does exist, the current value of that setting is overwritten. | POST |
Modify multiple API client settings /settings/set_multi Assigns multiple settings for the specified API client. If a setting doesn't exist, a new setting is created. If the setting does exist, the current value of that setting is overwritten. | POST |
Hosted Login API
Your primary toolset for managing Hosted Login, Identity Cloud’s preferred method for managing user logins and registrations.
Tokens
Operation | Method |
---|---|
Get an administrative access token /{customerId}/login/token Requests an administrative access token. An administrative access token is needed to call the other Hosted Login configuration endpoints. | POST |
Introspect an access or refresh token /{customerId}/login/token/introspect Returns the current state of a Hosted Login access or refresh token. If the token is active then additional claims associated with the token are also returned. | POST |
Revoke an access or refresh token /{customerId}/login/token/revoke Revokes a previously-issued access token or refresh token. After an access token has been revoked that token can't be used to access a protected resource. After a refresh token has been revoked that token can’t be used to request a new access token and the existing access token is also revoked. | POST |
OpenID Connect Endpoints
Operation | Method |
---|---|
Get your discovery document /{customerId}/login/.well-known/openid-configuration Returns the discovery document, a set of OpenID Connect values that can be retrieved by a client. These values enable OIDC clients to configure themselves. See also: • Discovery document | GET |
Get your JSON web keys /{customerId}/login/jwk Returns information about the JSON web keys (JWK) assigned to a customer. JSON web keys are public cryptographic keys used to verify the signatures on Hosted Login identity tokens. See also: • JSON web keys | GET |
Get userinfo information /{customerId}/profiles/oidc/userinfo Returns user profile information from the userinfo endpoint. | GET |
OpenID Connect Clients
Operation | Method |
---|---|
Get all OpenID Connect clients /{customerId}/config/clients Returns information about all the OpenID Connect clients assigned to a customer. | GET |
Get an OpenID Connect client /{customerId}/config/clients/{oidcClientId} Returns information about an OpenID Connect client. | GET |
Modify an OpenID Connect client /{customerId}/config/clients/{oidcClientId} Modifies the specified OpenID Connect client. | PUT |
Get an OpenID Connect client secret /{customerId}/config/clients/{oidcClientId}/secret Returns the client secret for the specified OIDC client. Note that this is the only way to return the secret for a confidential or configuration client. | GET |
Reset an OpenID Connect client secret /config/clients/{oidcClientId}/secret Resets the client secret for an OpenID Connect confidential client or configuration client. Resetting the secret enables you to rotate client secrets or to change a client secret you believe might have been compromised. | PUT |
Create an OpenID Connect client /{customerId}/config/clients Creates an OpenID Connect client. See also: • Create an OIDC login client • Create a Hosted Login configuration client | POST |
Delete an OpenID Connect client /{customerId}/config/clients/{oidcClientId} Deletes the specified OpenID Connect client. | DELETE |
Login Policies
Operation | Method |
---|---|
Get all login policies /{customerId}/config/loginPolicies Returns information about the login policies associated with the specified customer. Login policies help manage the user login experience by doing such things as specifying the exact path to the Capture domain and the user profile entity type, and defining the login URL for the directory. See also: • List login policies | GET |
Get a login policy /{customerId}/config/loginPolicies/{loginPolicyId} Returns information about the specified login policy. All OpenID Connect clients used for logins and registrations need to be assigned a login policy. | GET |
Modify a login policy /{customerId}/config/loginPolicies/{loginPolicyId} Returns information about the specified login policy. All OpenID Connect clients used for logins and registrations need to be assigned a login policy. See also: • Modify a login policy | PUT |
Create a login policy /{customerId}/config/loginPolicies Creates a login policy. Login policies help manage the user login experience by doing such things as specifying the exact path to the Capture domain and the user profile entity type, and defining the login URL. See also: • Create a login policy | POST |
Delete a login policy /{customerId}/config/loginPolicies Deletes the specified login policy. Login policies help manage the user login experience by doing such things as: specifying the exact path to the Capture domain and the user profile entity type, and defining the login URL. See also: • Delete a login policy | DELETE |
Get a login policy's push claim status /{customerId}/config/loginPolicies/{loginPolicyId}/pushClaims Returns information about a login policy’s push claims status. Push claims centralize and standardize the user profile information added to an identity token or made available from the userinfo endpoint following a successful authentication. See also: • Push claims | GET |
Modify a login policy's push claim status /{customerId}/config/loginPolicies/{loginPolicyId}/pushClaims Enables or disables push claims for the specified login policy. Push claims centralize and standardize the user profile information added to an identity token or made available from the userinfo endpoint following a successful authentication. See also: • Push claims | PUT |
Get a login policy's allowed response types /{customerId}/config/loginPolicies/{loginPolicyId}/allowedResponseTypes Returns information about the response types assigned to the specified login policy. In an authorization request, the response_type parameter specifies the items clients expect to get back from the authorization server following a successful authentication. See also: • Supported response types | GET |
Modify a login policy's allowed response types /{customerId}/config/loginPolicies/{loginPolicyId}/allowedResponseTypes Modifies the response types assigned to the specified login policy. In an authorization request, the response_type parameter specifies the items clients expect to get back from the authorization server following a successful authentication. See also: • Supported response types | PUT |
Token Policies
Operation | Method |
---|---|
Get all token policies /{customerId}/config/tokenPolicies Returns information about your token policies. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients. See also: • List token policies | GET |
Get a token policy /{customerId}/config/tokenPolicies/{tokenPolicyId} Returns information about the specified token policy. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients. | GET |
Modify a token policy /{customerId}/config/tokenPolicies/{tokenPolicyId} Modifies a token policy. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients. See also: • Modify a token policy | PUT |
Create a token policy /{customerId}/config/tokenPolicies Creates a token policy. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients. See also: • Create a token policy | POST |
Delete a token policy /{customerId}/config/tokenPolicies/{tokenPolicyId} Deletes a token policy. Token policies specify token lifetimes and define the allowed scopes for OpenID Connect clients. See also: • Delete a token policy | DELETE |
Get a token policy's allowed grant types /{customerId}/config/tokenPolicies/{tokenPolicyId}/allowedGrantTypes Returns information about the grant types defined in the specified token policy. A grant is a standard methodology for obtaining tokens and, as a result, obtaining access to resources. See also: • Supported authorization grant types | GET |
Modify a token policy's allowed grant types /{customerId}/config/tokenPolicies/{tokenPolicyId}/allowedGrantTypes Modifies the grant types supported by the specified token policy. A grant is a standard methodology for obtaining tokens and, as a result, obtaining access to resources. See also: • Supported authorization grant types | PUT |
Get a token policy's allowed resource indicators /{customerId}/config/tokenPolicies/{tokenPolicyId}/allowedResourceIndicators Returns information about the resource indicators supported by the specified token policy. Resource indicators are identifiers representing items that can be referenced when using the resource parameter. See also: • Secure audience injection and the resource parameter | GET |
Modify a token policy's allowed resource indicators /{customerId}/config/tokenPolicies/{tokenPolicyId}/allowedResourceIndicators Modifies the resource indicators supported by the specified token policy. Resource indicators are identifiers representing items that can be referenced when using the resource parameter. See also: • Secure audience injection and the resource parameter | PUT |
Authorization requests, logins, and logouts
Operation | Method |
---|---|
Submit an authorization request /{customerId}/{hostedLoginDomain}/login/token Requests Hosted Login authorization for an end user. See also: • Authorization code + PKCE grant type | POST |
Logout from Hosted Login /{customerId}/{hostedLoginDomain}/auth-ui/logout?{clientId}&{redirectUri} Logs a user out of a Hosted Login session. | GET |
SIEM Event Delivery API
Operations for managing Identity Cloud’s Security Event and Information Management (SIEM) service. SIEM is a recognized standard for collecting, aggregating, and analyzing events that take place on a website or within an app.
Operation | Method |
---|---|
Get the SIEM event service status /config/applications/{appId}/eventdelivery/readStatus Returns the SIEM event delivery service activation or deactivation status for the specified application. See also: • Activate or deactivate SIEM event feeds | GET |
Activate the SIEM event service /config/applications/{appId}/eventdelivery/activate Activates the SIEM event delivery service. You can't collect SIEM events unless the service is activated. See also: • Activate or deactivate SIEM event feeds | POST |
Deactivate the SIEM event service /config/applications/{appId}/eventdelivery/deactivate Deactivates the SIEM event delivery service for the specified application. After you call this operation, SIEM event messages for the application are no longer delivered. See also: • Activate or deactivate SIEM event feeds | POST |
Get the SIEM event blocklist /config/applications/{appId}/eventdelivery/readBlocklist Returns a list of the SIEM event delivery service event types blocked for the specified application. If an event type is blocked, event messages for that event aren't delivered. For example, if you block the new_email_verification event you won’t receive a notification when a user verifies an email address. See also: • Block SIEM events | POST |
Add an event to the SIEM event blocklist /config/applications/{appId}/eventdelivery/addBlocklist Adds an event to the SIEM event delivery service event types blocked for the specified application. If an event type is blocked, event messages for that event aren't delivered. | GET |
Remove an event from the SIEM event blocklist /config/applications/{appId}/eventdelivery/deleteBlocklist Removes one or more events from an application’s SIEM event delivery service blocklist. After an event is removed from the blocklist you'll receive a notification each time that event occurs. See also: • Block SIEM events | POST |
Get the SIEM event service public keys /config/applications/{appId}/eventdelivery/readKeys Returns information about the public keys assigned to the specified application. Use public keys to connect to the Amazon S3 bucket and download the event messages delivered by the SIEM event delivery service. See also: • Manage SIEM event public keys (legacy customers only) | POST |
Assign a public key to the SIEM event service /config/applications/{appId}/eventdelivery/addKeys Assigns public keys to the specified application. Use public keys to connect to the Amazon S3 bucket and download event messages delivered by the SIEM event delivery service. Organizations can assign a maximum of 10 public keys to their S3 bucket. However, you can delete one or more of your older keys and replace them with new keys. See also: • Manage SIEM event public keys (legacy customers only) | GET |
Delete a SIEM event service public key /config/applications/{appId}/eventdelivery/deleteKeys Removes SIEM event delivery service public keys. See also: • Manage SIEM event public keys (legacy customers only) | POST |
Social API
Manages and configures social login, the technology enabling users to create, and then log in to, an Identity Cloud website by using their Facebook account, their Twitter account, or an account created with any of the other supported social login identity providers.
Tokens and Authentication
Operation | Method |
---|---|
Authenticate a social login /api/v2/auth_info Authenticates a social login user. | POST |
Exchange a social login token for an access token /api/v2/signin/oauth_token Exchanges a social login identity provider token for an Identity Cloud social login token. | POST |
Social Login Providers
Operation | Method |
---|---|
Get all social login providers /api/v2/get_available_providers Returns a list of configured providers for an application. | POST |
Get all configured social login providers /api/v2/providers Returns a list of configured social login identity providers for an application. | POST |
Configure social login authentication providers /api/v2/set_auth_providers Defines the list of social login identity providers that appear on the sign-in and registration pages. This is the same list of providers maintained by the Social Login dashboard. | POST |
Social Login Settings and Configuration
Operation | Method |
---|---|
Get a domain allowlist /api/v2/get_domain_patterns Returns all the domains on the social login allowlist. If the allowlist is configured, then only the domains included on that list can communicate with your social login application. | POST |
Add a domain to a domain allowlist /api/v2/set_domain_patterns Replaces the social login allowlist for an application. If the allowlist is configured, then only the domains included on that list can communicate with your social login application. | POST |
Modify a domain allowlist /api/v2/add_domain_patterns Modifies the domains on the social login allowlist. If the allowlist is configured, only the domains included on that list can communicate with your social login application. | POST |
Get all social login application settings /api/v2/get_application_settings View social login application settings. | POST |
Modify social login application settings /api/v2/set_app_settings Configures social login application settings. | POST |
User Profiles
Operation | Method |
---|---|
Associate an identity provider with a primary key /api/v2/map Associates a primary key with a user’s social identity. | POST |
Remove an identity provider from a primary key /api/v2/unmap Removes a social login identity provider from a primary key. | POST |
Webhooks v3 API
Sends you near real-time notifications any time a user account is created, deleted, or modified.
Webhook Subscriptions
Operation | Method |
---|---|
Get all Webhooks v3 subscriptions /{customerId}/webhooks/subscriptions Returns information about the webhook subscriptions assigned to a customer. | GET |
Get a Webhooks v3 subscription /{customerId}/webhooks/subscriptions/{subscriptionId} Returns information about the specified webhooks subscription. | GET |
Modify a Webhooks v3 subscription /{customerId}/webhooks/subscriptions/{subscriptionId} Modifies a webhooks subscription. See also: • Configure webhook subscriptions | PATCH |
Create a Webhooks v3 subscription /{customerId}/webhooks/subscriptions Creates a webhooks subscription. See also: • Configure webhook subscriptions | POST |
Delete a Webhooks v3 subscription /{customerId}/webhooks/subscriptions/{subscriptionId} Deletes the specified webhook subscription. | DELETE |
Webhook Events
Operation | Method |
---|---|
List Webhooks v3 events /{customerId}/webhooks/subscriptions/{subscriptionId}/events Returns event notifications for the specified webhooks subscription. See also: • View webhooks data in the events store | GET |
Get a Webhooks v3 event /{customerId}/webhooks/subscriptions/{subscriptionId}/events/{eventId} Returns information about the specified webhooks event. See also: • View webhooks data in the events store | GET |
Get a Webhooks v3 event's event history /{customerId}/webhooks/subscriptions/{subscriptionId}/events/{eventId}/history Returns the event history for the specified webhooks event. | GET |
Redeliver a Webhooks v3 event /{customerId}/webhooks/subscriptions/{subscriptionId}/events/{eventId}/redelivery Schedules the specified event for redelivery to your listener endpoint. See also: • Schedule redelivery for a failed webhook event | POST |
Send a Webhooks v3 test notification /{customerId}/webhooks/subscriptions/{subscriptionId}/test Sends a test notification to your listener endpoint. | POST |
Webhooks v3 access tokens
Operation | Method |
---|---|
Get a Webhooks v3 administrative access token /{customerId}/login/token Requests an administrative access token for calling the other Webhooks v3 API endpoints. | POST |
Updated 3 months ago