diff --git a/Dockerfile b/Dockerfile
index 9379e8952d4..962eed554e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -118,6 +118,43 @@ RUN gem install bundler -v 2.3.26 && \
apt-get update && \
apt-get install -y --no-install-recommends ruby-dev=1:2.7+2
+# swift
+
+RUN apt-get -y install libncurses5 clang
+
+RUN apt-get -y install libxml2
+
+RUN \
+ curl https://download.swift.org/swift-5.9.2-release/ubuntu1804/swift-5.9.2-RELEASE/swift-5.9.2-RELEASE-ubuntu18.04.tar.gz -o swift.tar.gz &&\
+ tar xzf swift.tar.gz && \
+ mv swift-5.9.2-RELEASE-ubuntu18.04 /usr/share/swift && \
+ export PATH=/usr/share/swift/usr/bin:$PATH && \
+ swift -v
+
+ENV PATH /usr/share/swift/usr/bin:$PATH
+
+# Install swift-openapi-generator
+RUN git clone https://github.com/apple/swift-openapi-generator.git \
+&& cd swift-openapi-generator \
+&& swift build \
+&& ln -s $(pwd)/.build/debug/swift-openapi-generator /usr/local/bin/swift-openapi-generator \
+&& swift-openapi-generator --help
+
+# Install Homebrew
+RUN git clone https://github.com/Homebrew/brew /home/linuxbrew/Homebrew \
+ && mkdir -p /home/linuxbrew/bin \
+ && ln -s /home/linuxbrew/Homebrew/bin/brew /home/linuxbrew/bin/ \
+ && export PATH="/home/linuxbrew/bin:$PATH"
+
+# Export Homebrew binary directory to PATH
+ENV PATH /home/linuxbrew/bin:$PATH
+
+# Disable automatic updates
+ENV HOMEBREW_NO_AUTO_UPDATE=1
+
+# Install SourceDocs to generate swift client documentation
+RUN brew install sourcedocs
+
ADD go.mod go.mod
ADD go.sum go.sum
RUN go build -o /usr/local/bin/ory github.com/ory/cli
diff --git a/contrib/clients/swift/CustomDateTranscoder.swift b/contrib/clients/swift/CustomDateTranscoder.swift
new file mode 100644
index 00000000000..3f5b2813cb5
--- /dev/null
+++ b/contrib/clients/swift/CustomDateTranscoder.swift
@@ -0,0 +1,26 @@
+import Foundation
+import OpenAPIRuntime
+
+/// A transcoder for dates encoded as an ISO-8601 string (in RFC 3339 format). Allows date with internet date time and fractional seconds.
+public struct CustomDateTranscoder: DateTranscoder, @unchecked Sendable {
+
+ /// Creates and returns an ISO 8601 formatted string representation of the specified date.
+ public func encode(_ date: Date) throws -> String {
+ let formatter = ISO8601DateFormatter()
+ formatter.formatOptions = [.withInternetDateTime, .withFractionalSeconds]
+ return formatter.string(from: date) }
+
+ /// Creates and returns a date object from the specified ISO 8601 formatted string representation.
+ public func decode(_ dateString: String) throws -> Date {
+ let formatter = ISO8601DateFormatter()
+ formatter.formatOptions = [.withInternetDateTime, .withFractionalSeconds]
+ print(dateString)
+ guard let date = formatter.date(from: dateString) else {
+ throw DecodingError.dataCorrupted(
+ .init(codingPath: [], debugDescription: "Expected date string to be ISO8601-formatted.")
+ )
+ }
+ return date
+ }
+}
+
diff --git a/contrib/clients/swift/Package.swift b/contrib/clients/swift/Package.swift
new file mode 100644
index 00000000000..938db653d94
--- /dev/null
+++ b/contrib/clients/swift/Package.swift
@@ -0,0 +1,23 @@
+// swift-tools-version: 5.9
+// The swift-tools-version declares the minimum version of Swift required to build this package.
+
+import PackageDescription
+
+
+let package = Package(
+ name: "OryClient",
+ platforms: [.macOS(.v10_15), .iOS(.v13), .tvOS(.v13), .watchOS(.v6), .visionOS(.v1)],
+ dependencies: [
+ .package(url: "https://github.com/apple/swift-openapi-runtime", from: "1.0.0"),
+ .package(url: "https://github.com/apple/swift-openapi-urlsession", from: "1.0.0")
+ ],
+ targets: [
+ .executableTarget(
+ name: "OryClient",
+ dependencies: [
+ .product(name: "OpenAPIRuntime", package: "swift-openapi-runtime"),
+ .product(name: "OpenAPIURLSession", package: "swift-openapi-urlsession")
+ ]
+ )
+ ]
+)
diff --git a/contrib/clients/swift/README.md b/contrib/clients/swift/README.md
new file mode 100644
index 00000000000..4cebfc35fb6
--- /dev/null
+++ b/contrib/clients/swift/README.md
@@ -0,0 +1,45 @@
+# Ory Swift SDK
+
+Documentation for all public and administrative Ory APIs. Administrative APIs can only be accessed with a valid Personal Access Token. Public APIs are mostly used in browsers.
+
+
+This package is atomatically generated by [Swift OpenAPI Generator](https://github.com/apple/swift-openapi-generator)
+
+## Installation
+
+Add the package dependency in your Package.swift:
+
+```swift
+.package(url: "https://github.com/ory/client-swift", from: "1.0.0"),
+```
+
+Next, in your target, add OryClient to your dependencies:
+
+```swift
+.target(name: "MyTarget", dependencies: [
+ .product(name: "OryCLient", package: "OryClient"),
+]),
+```
+
+
+
+## Usage
+
+When creating an Ory client, use CustomDateTranscoder to support date with internet date time and fractional seconds.
+
+```swift
+import OpenAPIRuntime
+import OpenAPIURLSession
+import Foundation
+
+let serverURL = URL(string: "https://{your-project-slug}.projects.oryapis.com")
+let customDateTranscoder = CustomDateTranscoder()
+let transport = URLSessionTransport()
+
+let oryClient = Client(serverURL: serverURL!,
+ configuration: Configuration(dateTranscoder: customDateTranscoder),
+ transport: transport)
+
+let response = try await oryClient.createNativeLoginFlow()
+print(try response.ok)
+```
\ No newline at end of file
diff --git a/contrib/clients/swift/openapi.yaml b/contrib/clients/swift/openapi.yaml
new file mode 100644
index 00000000000..9b3629474c5
--- /dev/null
+++ b/contrib/clients/swift/openapi.yaml
@@ -0,0 +1,19337 @@
+openapi: 3.0.3
+info:
+ contact:
+ email: support@ory.sh
+ name: API Support
+ description: |
+ Documentation for all public and administrative Ory APIs. Administrative APIs can only be accessed
+ with a valid Personal Access Token. Public APIs are mostly used in browsers.
+ license:
+ name: Apache 2.0
+ url: https://www.apache.org/licenses/LICENSE-2.0.html
+ termsOfService: /ptos
+ title: Ory APIs
+ version: v1.5.1
+servers:
+- url: "https://{project}.projects.oryapis.com/"
+ variables:
+ project:
+ default: playground
+ description: Project slug as provided by the Ory Console.
+tags:
+- description: APIs for managing identities.
+ name: identity
+- description: "Endpoints used by frontend applications (e.g. Single-Page-App, Native\
+ \ Apps, Server Apps, ...) to manage a user's own profile."
+ name: frontend
+- description: APIs for managing email and SMS message delivery.
+ name: courier
+- description: Server Metadata provides relevant information about the running server.
+ Only available when self-hosting this service.
+ name: metadata
+paths:
+ /.well-known/jwks.json:
+ get:
+ description: |-
+ This endpoint returns JSON Web Keys required to verifying OpenID Connect ID Tokens and,
+ if enabled, OAuth 2.0 JWT Access Tokens. This endpoint can be used with client libraries like
+ [node-jwks-rsa](https://github.com/auth0/node-jwks-rsa) among others.
+ operationId: discoverJsonWebKeys
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonWebKeySet'
+ description: jsonWebKeySet
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ summary: Discover Well-Known JSON Web Keys
+ tags:
+ - wellknown
+ /.well-known/openid-configuration:
+ get:
+ description: |-
+ A mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it, including its OAuth 2.0 endpoint locations.
+
+ Popular libraries for OpenID Connect clients include oidc-client-js (JavaScript), go-oidc (Golang), and others.
+ For a full list of clients go here: https://openid.net/developers/certified/
+ operationId: discoverOidcConfiguration
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oidcConfiguration'
+ description: oidcConfiguration
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ summary: OpenID Connect Discovery
+ tags:
+ - oidc
+ /.well-known/ory/webauthn.js:
+ get:
+ description: |-
+ This endpoint provides JavaScript which is needed in order to perform WebAuthn login and registration.
+
+ If you are building a JavaScript Browser App (e.g. in ReactJS or AngularJS) you will need to load this file:
+
+ ```html
+
+ ```
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: getWebAuthnJavaScript
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/webAuthnJavaScript'
+ description: webAuthnJavaScript
+ summary: Get WebAuthn JavaScript
+ tags:
+ - frontend
+ /admin/clients:
+ get:
+ description: |-
+ This endpoint lists all clients in the database, and never returns client secrets.
+ As a default it lists the first 100 clients.
+ operationId: listOAuth2Clients
+ parameters:
+ - description: |-
+ Items per Page
+
+ This is the number of items per page to return.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 500
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ default: "1"
+ minimum: 1
+ type: string
+ style: form
+ - description: The name of the clients to filter by.
+ explode: true
+ in: query
+ name: client_name
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: The owner of the clients to filter by.
+ explode: true
+ in: query
+ name: owner
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/oAuth2Client'
+ type: array
+ description: Paginated OAuth2 Client List Response
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ security:
+ - oryAccessToken: []
+ summary: List OAuth 2.0 Clients
+ tags:
+ - oAuth2
+ post:
+ description: |-
+ Create a new OAuth 2.0 client. If you pass `client_secret` the secret is used, otherwise a random secret
+ is generated. The secret is echoed in the response. It is not possible to retrieve it later on.
+ operationId: createOAuth2Client
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: OAuth 2.0 Client Request Body
+ required: true
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: oAuth2Client
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Bad Request Error Response
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ security:
+ - oryAccessToken: []
+ summary: Create OAuth 2.0 Client
+ tags:
+ - oAuth2
+ /admin/clients/{id}:
+ delete:
+ description: |-
+ Delete an existing OAuth 2.0 Client by its ID.
+
+ OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
+ generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
+
+ Make sure that this endpoint is well protected and only callable by first-party components.
+ operationId: deleteOAuth2Client
+ parameters:
+ - description: The id of the OAuth 2.0 Client.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Delete OAuth 2.0 Client
+ tags:
+ - oAuth2
+ get:
+ description: |-
+ Get an OAuth 2.0 client by its ID. This endpoint never returns the client secret.
+
+ OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
+ generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
+ operationId: getOAuth2Client
+ parameters:
+ - description: The id of the OAuth 2.0 Client.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: oAuth2Client
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ security:
+ - oryAccessToken: []
+ summary: Get an OAuth 2.0 Client
+ tags:
+ - oAuth2
+ patch:
+ description: |-
+ Patch an existing OAuth 2.0 Client using JSON Patch. If you pass `client_secret`
+ the secret will be updated and returned via the API. This is the
+ only time you will be able to retrieve the client secret, so write it down and keep it safe.
+
+ OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
+ generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
+ operationId: patchOAuth2Client
+ parameters:
+ - description: The id of the OAuth 2.0 Client.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonPatchDocument'
+ description: OAuth 2.0 Client JSON Patch Body
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: oAuth2Client
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Not Found Error Response
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ security:
+ - oryAccessToken: []
+ summary: Patch OAuth 2.0 Client
+ tags:
+ - oAuth2
+ put:
+ description: |-
+ Replaces an existing OAuth 2.0 Client with the payload you send. If you pass `client_secret` the secret is used,
+ otherwise the existing secret is used.
+
+ If set, the secret is echoed in the response. It is not possible to retrieve it later on.
+
+ OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
+ generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
+ operationId: setOAuth2Client
+ parameters:
+ - description: OAuth 2.0 Client ID
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: OAuth 2.0 Client Request Body
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: oAuth2Client
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Bad Request Error Response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Not Found Error Response
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ security:
+ - oryAccessToken: []
+ summary: Set OAuth 2.0 Client
+ tags:
+ - oAuth2
+ /admin/clients/{id}/lifespans:
+ put:
+ description: Set lifespans of different token types issued for this OAuth 2.0
+ client. Does not modify other fields.
+ operationId: setOAuth2ClientLifespans
+ parameters:
+ - description: OAuth 2.0 Client ID
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2ClientTokenLifespans'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: oAuth2Client
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Set OAuth2 Client Token Lifespans
+ tags:
+ - oAuth2
+ /admin/courier/messages:
+ get:
+ description: Lists all messages by given status and recipient.
+ operationId: listCourierMessages
+ parameters:
+ - description: |-
+ Items per Page
+
+ This is the number of items per page to return.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ Status filters out messages based on status.
+ If no value is provided, it doesn't take effect on filter.
+ explode: true
+ in: query
+ name: status
+ required: false
+ schema:
+ $ref: '#/components/schemas/courierMessageStatus'
+ style: form
+ - description: |-
+ Recipient filters out messages based on recipient.
+ If no value is provided, it doesn't take effect on filter.
+ explode: true
+ in: query
+ name: recipient
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/message'
+ type: array
+ description: Paginated Courier Message List Response
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: List Messages
+ tags:
+ - courier
+ /admin/courier/messages/{id}:
+ get:
+ description: Gets a specific messages by the given ID.
+ operationId: getCourierMessage
+ parameters:
+ - description: MessageID is the ID of the message.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/message'
+ description: message
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Get a Message
+ tags:
+ - courier
+ /admin/identities:
+ get:
+ description: "Lists all [identities](https://www.ory.sh/docs/kratos/concepts/identity-user-model)\
+ \ in the system."
+ operationId: listIdentities
+ parameters:
+ - description: |-
+ Deprecated Items per Page
+
+ DEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Deprecated Pagination Page
+
+ DEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ The first page can be retrieved by omitting this parameter. Following page pointers will be returned in the
+ `Link` header.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ - description: |-
+ Page Size
+
+ This is the number of items per page to return. For details on pagination please head over to the
+ [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 500
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token. For details on pagination please head over to the
+ [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ default: "1"
+ minimum: 1
+ type: string
+ style: form
+ - description: |-
+ Read Consistency Level (preview)
+
+ The read consistency level determines the consistency guarantee for reads:
+
+ strong (slow): The read is guaranteed to return the most recent data committed at the start of the read.
+ eventual (very fast): The result will return data that is about 4.8 seconds old.
+
+ The default consistency guarantee can be changed in the Ory Network Console or using the Ory CLI with
+ `ory patch project --replace '/previews/default_read_consistency_level="strong"'`.
+
+ Setting the default consistency level to `eventual` may cause regressions in the future as we add consistency
+ controls to more APIs. Currently, the following APIs will be affected by this setting:
+
+ `GET /admin/identities`
+
+ This feature is in preview and only available in Ory Network.
+ ConsistencyLevelUnset ConsistencyLevelUnset is the unset / default consistency level.
+ strong ConsistencyLevelStrong ConsistencyLevelStrong is the strong consistency level.
+ eventual ConsistencyLevelEventual ConsistencyLevelEventual is the eventual consistency level using follower read timestamps.
+ explode: true
+ in: query
+ name: consistency
+ required: false
+ schema:
+ enum:
+ - ""
+ - strong
+ - eventual
+ type: string
+ style: form
+ x-go-enum-desc: |2-
+ ConsistencyLevelUnset ConsistencyLevelUnset is the unset / default consistency level.
+ strong ConsistencyLevelStrong ConsistencyLevelStrong is the strong consistency level.
+ eventual ConsistencyLevelEventual ConsistencyLevelEventual is the eventual consistency level using follower read timestamps.
+ - description: |-
+ IdsFilter is list of ids used to filter identities.
+ If this list is empty, then no filter will be applied.
+ explode: true
+ in: query
+ name: ids_filter
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ style: form
+ - description: |-
+ CredentialsIdentifier is the identifier (username, email) of the credentials to look up using exact match.
+ Only one of CredentialsIdentifier and CredentialsIdentifierSimilar can be used.
+ explode: true
+ in: query
+ name: credentials_identifier
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ This is an EXPERIMENTAL parameter that WILL CHANGE. Do NOT rely on consistent, deterministic behavior.
+ THIS PARAMETER WILL BE REMOVED IN AN UPCOMING RELEASE WITHOUT ANY MIGRATION PATH.
+
+ CredentialsIdentifierSimilar is the (partial) identifier (username, email) of the credentials to look up using similarity search.
+ Only one of CredentialsIdentifier and CredentialsIdentifierSimilar can be used.
+ explode: true
+ in: query
+ name: preview_credentials_identifier_similar
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/identity'
+ type: array
+ description: Paginated Identity List Response
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: List Identities
+ tags:
+ - identity
+ patch:
+ description: |-
+ Creates or delete multiple
+ [identities](https://www.ory.sh/docs/kratos/concepts/identity-user-model).
+ This endpoint can also be used to [import
+ credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities)
+ for instance passwords, social sign in configurations or multifactor methods.
+ operationId: batchPatchIdentities
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/patchIdentitiesBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/batchPatchIdentitiesResponse'
+ description: batchPatchIdentitiesResponse
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Create and deletes multiple identities
+ tags:
+ - identity
+ post:
+ description: |-
+ Create an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model). This endpoint can also be used to
+ [import credentials](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities)
+ for instance passwords, social sign in configurations or multifactor methods.
+ operationId: createIdentity
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/createIdentityBody'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identity'
+ description: identity
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Create an Identity
+ tags:
+ - identity
+ /admin/identities/{id}:
+ delete:
+ description: |-
+ Calling this endpoint irrecoverably and permanently deletes the [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) given its ID. This action can not be undone.
+ This endpoint returns 204 when the identity was deleted or when the identity was not found, in which case it is
+ assumed that is has been deleted already.
+ operationId: deleteIdentity
+ parameters:
+ - description: ID is the identity's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Delete an Identity
+ tags:
+ - identity
+ get:
+ description: |-
+ Return an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) by its ID. You can optionally
+ include credentials (e.g. social sign in connections) in the response by using the `include_credential` query parameter.
+ operationId: getIdentity
+ parameters:
+ - description: ID must be set to the ID of identity you want to get
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Include Credentials in Response
+
+ Include any credential, for example `password` or `oidc`, in the response. When set to `oidc`, This will return
+ the initial OAuth 2.0 Access Token, OAuth 2.0 Refresh Token and the OpenID Connect ID Token if available.
+ explode: true
+ in: query
+ name: include_credential
+ required: false
+ schema:
+ items:
+ enum:
+ - password
+ - totp
+ - oidc
+ - webauthn
+ - lookup_secret
+ - code
+ type: string
+ type: array
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identity'
+ description: identity
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Get an Identity
+ tags:
+ - identity
+ patch:
+ description: |-
+ Partially updates an [identity's](https://www.ory.sh/docs/kratos/concepts/identity-user-model) field using [JSON Patch](https://jsonpatch.com/).
+ The fields `id`, `stateChangedAt` and `credentials` can not be updated using this method.
+ operationId: patchIdentity
+ parameters:
+ - description: ID must be set to the ID of identity you want to update
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonPatchDocument'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identity'
+ description: identity
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Patch an Identity
+ tags:
+ - identity
+ put:
+ description: |-
+ This endpoint updates an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model). The full identity
+ payload (except credentials) is expected. It is possible to update the identity's credentials as well.
+ operationId: updateIdentity
+ parameters:
+ - description: ID must be set to the ID of identity you want to update
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/updateIdentityBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identity'
+ description: identity
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Update an Identity
+ tags:
+ - identity
+ /admin/identities/{id}/credentials/{type}:
+ delete:
+ description: |-
+ Delete an [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model) credential by its type
+ You can only delete second factor (aal2) credentials.
+ operationId: deleteIdentityCredentials
+ parameters:
+ - description: ID is the identity's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Type is the credential's Type.
+ One of totp, webauthn, lookup
+ explode: false
+ in: path
+ name: type
+ required: true
+ schema:
+ enum:
+ - totp
+ - webauthn
+ - lookup
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Delete a credential for a specific identity
+ tags:
+ - identity
+ /admin/identities/{id}/sessions:
+ delete:
+ description: Calling this endpoint irrecoverably and permanently deletes and
+ invalidates all sessions that belong to the given Identity.
+ operationId: deleteIdentitySessions
+ parameters:
+ - description: ID is the identity's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Delete & Invalidate an Identity's Sessions
+ tags:
+ - identity
+ get:
+ description: This endpoint returns all sessions that belong to the given Identity.
+ operationId: listIdentitySessions
+ parameters:
+ - description: |-
+ Deprecated Items per Page
+
+ DEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Deprecated Pagination Page
+
+ DEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ The first page can be retrieved by omitting this parameter. Following page pointers will be returned in the
+ `Link` header.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ - description: |-
+ Page Size
+
+ This is the number of items per page to return. For details on pagination please head over to the
+ [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 500
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token. For details on pagination please head over to the
+ [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ default: "1"
+ minimum: 1
+ type: string
+ style: form
+ - description: ID is the identity's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: "Active is a boolean flag that filters out sessions based on\
+ \ the state. If no value is provided, all sessions are returned."
+ explode: true
+ in: query
+ name: active
+ required: false
+ schema:
+ type: boolean
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/session'
+ type: array
+ description: List Identity Sessions Response
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: List an Identity's Sessions
+ tags:
+ - identity
+ /admin/keys/{set}:
+ delete:
+ description: |-
+ Use this endpoint to delete a complete JSON Web Key Set and all the keys in that set.
+
+ A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
+ operationId: deleteJsonWebKeySet
+ parameters:
+ - description: The JSON Web Key Set
+ explode: false
+ in: path
+ name: set
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Delete JSON Web Key Set
+ tags:
+ - jwk
+ get:
+ description: |-
+ This endpoint can be used to retrieve JWK Sets stored in ORY Hydra.
+
+ A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
+ operationId: getJsonWebKeySet
+ parameters:
+ - description: JSON Web Key Set ID
+ explode: false
+ in: path
+ name: set
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonWebKeySet'
+ description: jsonWebKeySet
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Retrieve a JSON Web Key Set
+ tags:
+ - jwk
+ post:
+ description: |-
+ This endpoint is capable of generating JSON Web Key Sets for you. There a different strategies available, such as symmetric cryptographic keys (HS256, HS512) and asymetric cryptographic keys (RS256, ECDSA). If the specified JSON Web Key Set does not exist, it will be created.
+
+ A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
+ operationId: createJsonWebKeySet
+ parameters:
+ - description: The JSON Web Key Set ID
+ explode: false
+ in: path
+ name: set
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/createJsonWebKeySet'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonWebKeySet'
+ description: jsonWebKeySet
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Create JSON Web Key
+ tags:
+ - jwk
+ put:
+ description: |-
+ Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
+
+ A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
+ operationId: setJsonWebKeySet
+ parameters:
+ - description: The JSON Web Key Set ID
+ explode: false
+ in: path
+ name: set
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonWebKeySet'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonWebKeySet'
+ description: jsonWebKeySet
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Update a JSON Web Key Set
+ tags:
+ - jwk
+ /admin/keys/{set}/{kid}:
+ delete:
+ description: |-
+ Use this endpoint to delete a single JSON Web Key.
+
+ A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A
+ JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses
+ this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens),
+ and allows storing user-defined keys as well.
+ operationId: deleteJsonWebKey
+ parameters:
+ - description: The JSON Web Key Set
+ explode: false
+ in: path
+ name: set
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: The JSON Web Key ID (kid)
+ explode: false
+ in: path
+ name: kid
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Delete JSON Web Key
+ tags:
+ - jwk
+ get:
+ description: This endpoint returns a singular JSON Web Key contained in a set.
+ It is identified by the set and the specific key ID (kid).
+ operationId: getJsonWebKey
+ parameters:
+ - description: JSON Web Key Set ID
+ explode: false
+ in: path
+ name: set
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: JSON Web Key ID
+ explode: false
+ in: path
+ name: kid
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonWebKeySet'
+ description: jsonWebKeySet
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Get JSON Web Key
+ tags:
+ - jwk
+ put:
+ description: |-
+ Use this method if you do not want to let Hydra generate the JWKs for you, but instead save your own.
+
+ A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. A JWK Set is a JSON data structure that represents a set of JWKs. A JSON Web Key is identified by its set and key id. ORY Hydra uses this functionality to store cryptographic keys used for TLS and JSON Web Tokens (such as OpenID Connect ID tokens), and allows storing user-defined keys as well.
+ operationId: setJsonWebKey
+ parameters:
+ - description: The JSON Web Key Set ID
+ explode: false
+ in: path
+ name: set
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: JSON Web Key ID
+ explode: false
+ in: path
+ name: kid
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonWebKey'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/jsonWebKey'
+ description: jsonWebKey
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Set JSON Web Key
+ tags:
+ - jwk
+ /admin/oauth2/auth/requests/consent:
+ get:
+ description: |-
+ When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
+ to authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if
+ the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
+
+ The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
+ provider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted
+ or rejected the request.
+
+ The default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please
+ head over to the OAuth 2.0 documentation.
+ operationId: getOAuth2ConsentRequest
+ parameters:
+ - description: OAuth 2.0 Consent Request Challenge
+ explode: true
+ in: query
+ name: consent_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2ConsentRequest'
+ description: oAuth2ConsentRequest
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2RedirectTo'
+ description: oAuth2RedirectTo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Get OAuth 2.0 Consent Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/requests/consent/accept:
+ put:
+ description: |-
+ When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
+ to authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if
+ the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
+
+ The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
+ provider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted
+ or rejected the request.
+
+ This endpoint tells Ory that the subject has authorized the OAuth 2.0 client to access resources on his/her behalf.
+ The consent provider includes additional information, such as session data for access and ID tokens, and if the
+ consent request should be used as basis for future requests.
+
+ The response contains a redirect URL which the consent provider should redirect the user-agent to.
+
+ The default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please
+ head over to the OAuth 2.0 documentation.
+ operationId: acceptOAuth2ConsentRequest
+ parameters:
+ - description: OAuth 2.0 Consent Request Challenge
+ explode: true
+ in: query
+ name: consent_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/acceptOAuth2ConsentRequest'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2RedirectTo'
+ description: oAuth2RedirectTo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Accept OAuth 2.0 Consent Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/requests/consent/reject:
+ put:
+ description: |-
+ When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
+ to authenticate the subject and then tell Ory now about it. If the subject authenticated, he/she must now be asked if
+ the OAuth 2.0 Client which initiated the flow should be allowed to access the resources on the subject's behalf.
+
+ The consent challenge is appended to the consent provider's URL to which the subject's user-agent (browser) is redirected to. The consent
+ provider uses that challenge to fetch information on the OAuth2 request and then tells Ory if the subject accepted
+ or rejected the request.
+
+ This endpoint tells Ory that the subject has not authorized the OAuth 2.0 client to access resources on his/her behalf.
+ The consent provider must include a reason why the consent was not granted.
+
+ The response contains a redirect URL which the consent provider should redirect the user-agent to.
+
+ The default consent provider is available via the Ory Managed Account Experience. To customize the consent provider, please
+ head over to the OAuth 2.0 documentation.
+ operationId: rejectOAuth2ConsentRequest
+ parameters:
+ - description: OAuth 2.0 Consent Request Challenge
+ explode: true
+ in: query
+ name: consent_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/rejectOAuth2Request'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2RedirectTo'
+ description: oAuth2RedirectTo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Reject OAuth 2.0 Consent Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/requests/login:
+ get:
+ description: |-
+ When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
+ to authenticate the subject and then tell the Ory OAuth2 Service about it.
+
+ Per default, the login provider is Ory itself. You may use a different login provider which needs to be a web-app
+ you write and host, and it must be able to authenticate ("show the subject a login screen")
+ a subject (in OAuth2 the proper name for subject is "resource owner").
+
+ The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
+ provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
+ operationId: getOAuth2LoginRequest
+ parameters:
+ - description: OAuth 2.0 Login Request Challenge
+ explode: true
+ in: query
+ name: login_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2LoginRequest'
+ description: oAuth2LoginRequest
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2RedirectTo'
+ description: oAuth2RedirectTo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Get OAuth 2.0 Login Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/requests/login/accept:
+ put:
+ description: |-
+ When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
+ to authenticate the subject and then tell the Ory OAuth2 Service about it.
+
+ The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
+ provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
+
+ This endpoint tells Ory that the subject has successfully authenticated and includes additional information such as
+ the subject's ID and if Ory should remember the subject's subject agent for future authentication attempts by setting
+ a cookie.
+
+ The response contains a redirect URL which the login provider should redirect the user-agent to.
+ operationId: acceptOAuth2LoginRequest
+ parameters:
+ - description: OAuth 2.0 Login Request Challenge
+ explode: true
+ in: query
+ name: login_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/acceptOAuth2LoginRequest'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2RedirectTo'
+ description: oAuth2RedirectTo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Accept OAuth 2.0 Login Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/requests/login/reject:
+ put:
+ description: |-
+ When an authorization code, hybrid, or implicit OAuth 2.0 Flow is initiated, Ory asks the login provider
+ to authenticate the subject and then tell the Ory OAuth2 Service about it.
+
+ The authentication challenge is appended to the login provider URL to which the subject's user-agent (browser) is redirected to. The login
+ provider uses that challenge to fetch information on the OAuth2 request and then accept or reject the requested authentication process.
+
+ This endpoint tells Ory that the subject has not authenticated and includes a reason why the authentication
+ was denied.
+
+ The response contains a redirect URL which the login provider should redirect the user-agent to.
+ operationId: rejectOAuth2LoginRequest
+ parameters:
+ - description: OAuth 2.0 Login Request Challenge
+ explode: true
+ in: query
+ name: login_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/rejectOAuth2Request'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2RedirectTo'
+ description: oAuth2RedirectTo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Reject OAuth 2.0 Login Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/requests/logout:
+ get:
+ description: Use this endpoint to fetch an Ory OAuth 2.0 logout request.
+ operationId: getOAuth2LogoutRequest
+ parameters:
+ - explode: true
+ in: query
+ name: logout_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2LogoutRequest'
+ description: oAuth2LogoutRequest
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2RedirectTo'
+ description: oAuth2RedirectTo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Get OAuth 2.0 Session Logout Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/requests/logout/accept:
+ put:
+ description: |-
+ When a user or an application requests Ory OAuth 2.0 to remove the session state of a subject, this endpoint is used to confirm that logout request.
+
+ The response contains a redirect URL which the consent provider should redirect the user-agent to.
+ operationId: acceptOAuth2LogoutRequest
+ parameters:
+ - description: OAuth 2.0 Logout Request Challenge
+ explode: true
+ in: query
+ name: logout_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2RedirectTo'
+ description: oAuth2RedirectTo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Accept OAuth 2.0 Session Logout Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/requests/logout/reject:
+ put:
+ description: |-
+ When a user or an application requests Ory OAuth 2.0 to remove the session state of a subject, this endpoint is used to deny that logout request.
+ No HTTP request body is required.
+
+ The response is empty as the logout provider has to chose what action to perform next.
+ operationId: rejectOAuth2LogoutRequest
+ parameters:
+ - explode: true
+ in: query
+ name: logout_challenge
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Reject OAuth 2.0 Session Logout Request
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/sessions/consent:
+ delete:
+ description: |-
+ This endpoint revokes a subject's granted consent sessions and invalidates all
+ associated OAuth 2.0 Access Tokens. You may also only revoke sessions for a specific OAuth 2.0 Client ID.
+ operationId: revokeOAuth2ConsentSessions
+ parameters:
+ - description: |-
+ OAuth 2.0 Consent Subject
+
+ The subject whose consent sessions should be deleted.
+ explode: true
+ in: query
+ name: subject
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ OAuth 2.0 Client ID
+
+ If set, deletes only those consent sessions that have been granted to the specified OAuth 2.0 Client ID.
+ explode: true
+ in: query
+ name: client
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ Revoke All Consent Sessions
+
+ If set to `true` deletes all consent sessions by the Subject that have been granted.
+ explode: true
+ in: query
+ name: all
+ required: false
+ schema:
+ type: boolean
+ style: form
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Revoke OAuth 2.0 Consent Sessions of a Subject
+ tags:
+ - oAuth2
+ get:
+ description: |-
+ This endpoint lists all subject's granted consent sessions, including client and granted scope.
+ If the subject is unknown or has not granted any consent sessions yet, the endpoint returns an
+ empty JSON array with status code 200 OK.
+ operationId: listOAuth2ConsentSessions
+ parameters:
+ - description: |-
+ Items per Page
+
+ This is the number of items per page to return.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 500
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ default: "1"
+ minimum: 1
+ type: string
+ style: form
+ - description: The subject to list the consent sessions for.
+ explode: true
+ in: query
+ name: subject
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: The login session id to list the consent sessions for.
+ explode: true
+ in: query
+ name: login_session_id
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2ConsentSessions'
+ description: oAuth2ConsentSessions
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: List OAuth 2.0 Consent Sessions of a Subject
+ tags:
+ - oAuth2
+ /admin/oauth2/auth/sessions/login:
+ delete:
+ description: |-
+ This endpoint invalidates authentication sessions. After revoking the authentication session(s), the subject
+ has to re-authenticate at the Ory OAuth2 Provider. This endpoint does not invalidate any tokens.
+
+ If you send the subject in a query param, all authentication sessions that belong to that subject are revoked.
+ No OpenID Connect Front- or Back-channel logout is performed in this case.
+
+ Alternatively, you can send a SessionID via `sid` query param, in which case, only the session that is connected
+ to that SessionID is revoked. OpenID Connect Back-channel logout is performed in this case.
+ operationId: revokeOAuth2LoginSessions
+ parameters:
+ - description: |-
+ OAuth 2.0 Subject
+
+ The subject to revoke authentication sessions for.
+ explode: true
+ in: query
+ name: subject
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ OAuth 2.0 Subject
+
+ The subject to revoke authentication sessions for.
+ explode: true
+ in: query
+ name: sid
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Revokes OAuth 2.0 Login Sessions by either a Subject or a SessionID
+ tags:
+ - oAuth2
+ /admin/oauth2/introspect:
+ post:
+ description: |-
+ The introspection endpoint allows to check if a token (both refresh and access) is active or not. An active token
+ is neither expired nor revoked. If a token is active, additional information on the token will be included. You can
+ set additional data for a token by setting `session.access_token` during the consent flow.
+ operationId: introspectOAuth2Token
+ requestBody:
+ content:
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/introspectOAuth2Token_request'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/introspectedOAuth2Token'
+ description: introspectedOAuth2Token
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Introspect OAuth2 Access and Refresh Tokens
+ tags:
+ - oAuth2
+ /admin/oauth2/tokens:
+ delete:
+ description: This endpoint deletes OAuth2 access tokens issued to an OAuth 2.0
+ Client from the database.
+ operationId: deleteOAuth2Token
+ parameters:
+ - description: OAuth 2.0 Client ID
+ explode: true
+ in: query
+ name: client_id
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oryAccessToken: []
+ summary: Delete OAuth 2.0 Access Tokens from specific OAuth 2.0 Client
+ tags:
+ - oAuth2
+ /admin/recovery/code:
+ post:
+ description: |-
+ This endpoint creates a recovery code which should be given to the user in order for them to recover
+ (or activate) their account.
+ operationId: createRecoveryCodeForIdentity
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/createRecoveryCodeForIdentityBody'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/recoveryCodeForIdentity'
+ description: recoveryCodeForIdentity
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Create a Recovery Code
+ tags:
+ - identity
+ /admin/recovery/link:
+ post:
+ description: |-
+ This endpoint creates a recovery link which should be given to the user in order for them to recover
+ (or activate) their account.
+ operationId: createRecoveryLinkForIdentity
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/createRecoveryLinkForIdentityBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/recoveryLinkForIdentity'
+ description: recoveryLinkForIdentity
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Create a Recovery Link
+ tags:
+ - identity
+ /admin/relation-tuples:
+ delete:
+ description: Use this endpoint to delete relationships
+ operationId: deleteRelationships
+ parameters:
+ - description: Namespace of the Relationship
+ explode: true
+ in: query
+ name: namespace
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Object of the Relationship
+ explode: true
+ in: query
+ name: object
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Relationship
+ explode: true
+ in: query
+ name: relation
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: SubjectID of the Relationship
+ explode: true
+ in: query
+ name: subject_id
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Namespace of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.namespace
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Object of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.object
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.relation
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Delete Relationships
+ tags:
+ - relationship
+ patch:
+ description: Use this endpoint to patch one or more relationships.
+ operationId: patchRelationships
+ requestBody:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/relationshipPatch'
+ type: array
+ x-originalParamName: Body
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Patch Multiple Relationships
+ tags:
+ - relationship
+ put:
+ description: Use this endpoint to create a relationship.
+ operationId: createRelationship
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/createRelationshipBody'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/relationship'
+ description: relationship
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Create a Relationship
+ tags:
+ - relationship
+ /admin/sessions:
+ get:
+ description: Listing all sessions that exist.
+ operationId: listSessions
+ parameters:
+ - description: |-
+ Items per Page
+
+ This is the number of items per page to return.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: "Active is a boolean flag that filters out sessions based on\
+ \ the state. If no value is provided, all sessions are returned."
+ explode: true
+ in: query
+ name: active
+ required: false
+ schema:
+ type: boolean
+ style: form
+ - description: |-
+ ExpandOptions is a query parameter encoded list of all properties that must be expanded in the Session.
+ If no value is provided, the expandable properties are skipped.
+ explode: true
+ in: query
+ name: expand
+ required: false
+ schema:
+ enum:
+ - identity
+ - devices
+ items:
+ type: string
+ type: array
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/session'
+ type: array
+ description: |-
+ Session List Response
+
+ The response given when listing sessions in an administrative context.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: List All Sessions
+ tags:
+ - identity
+ /admin/sessions/{id}:
+ delete:
+ description: Calling this endpoint deactivates the specified session. Session
+ data is not deleted.
+ operationId: disableSession
+ parameters:
+ - description: ID is the session's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Deactivate a Session
+ tags:
+ - identity
+ get:
+ description: |-
+ This endpoint is useful for:
+
+ Getting a session object with all specified expandables that exist in an administrative context.
+ operationId: getSession
+ parameters:
+ - description: |-
+ ExpandOptions is a query parameter encoded list of all properties that must be expanded in the Session.
+ Example - ?expand=Identity&expand=Devices
+ If no value is provided, the expandable properties are skipped.
+ explode: true
+ in: query
+ name: expand
+ required: false
+ schema:
+ enum:
+ - identity
+ - devices
+ items:
+ type: string
+ type: array
+ style: form
+ - description: ID is the session's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/session'
+ description: session
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Get Session
+ tags:
+ - identity
+ /admin/sessions/{id}/extend:
+ patch:
+ description: |-
+ Calling this endpoint extends the given session ID. If `session.earliest_possible_extend` is set it
+ will only extend the session after the specified time has passed.
+
+ Retrieve the session ID from the `/sessions/whoami` endpoint / `toSession` SDK method.
+ operationId: extendSession
+ parameters:
+ - description: ID is the session's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/session'
+ description: session
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Extend a Session
+ tags:
+ - identity
+ /admin/trust/grants/jwt-bearer/issuers:
+ get:
+ description: Use this endpoint to list all trusted JWT Bearer Grant Type Issuers.
+ operationId: listTrustedOAuth2JwtGrantIssuers
+ parameters:
+ - explode: true
+ in: query
+ name: MaxItems
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ - explode: true
+ in: query
+ name: DefaultItems
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ - description: "If optional \"issuer\" is supplied, only jwt-bearer grants with\
+ \ this issuer will be returned."
+ explode: true
+ in: query
+ name: issuer
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/trustedOAuth2JwtGrantIssuers'
+ description: trustedOAuth2JwtGrantIssuers
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: List Trusted OAuth2 JWT Bearer Grant Type Issuers
+ tags:
+ - oAuth2
+ post:
+ description: |-
+ Use this endpoint to establish a trust relationship for a JWT issuer
+ to perform JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication
+ and Authorization Grants [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523).
+ operationId: trustOAuth2JwtGrantIssuer
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/trustOAuth2JwtGrantIssuer'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/trustedOAuth2JwtGrantIssuer'
+ description: trustedOAuth2JwtGrantIssuer
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Trust OAuth2 JWT Bearer Grant Type Issuer
+ tags:
+ - oAuth2
+ /admin/trust/grants/jwt-bearer/issuers/{id}:
+ delete:
+ description: |-
+ Use this endpoint to delete trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you
+ created the trust relationship.
+
+ Once deleted, the associated issuer will no longer be able to perform the JSON Web Token (JWT) Profile
+ for OAuth 2.0 Client Authentication and Authorization Grant.
+ operationId: deleteTrustedOAuth2JwtGrantIssuer
+ parameters:
+ - description: The id of the desired grant
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Delete Trusted OAuth2 JWT Bearer Grant Type Issuer
+ tags:
+ - oAuth2
+ get:
+ description: |-
+ Use this endpoint to get a trusted JWT Bearer Grant Type Issuer. The ID is the one returned when you
+ created the trust relationship.
+ operationId: getTrustedOAuth2JwtGrantIssuer
+ parameters:
+ - description: The id of the desired grant
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/trustedOAuth2JwtGrantIssuer'
+ description: trustedOAuth2JwtGrantIssuer
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Get Trusted OAuth2 JWT Bearer Grant Type Issuer
+ tags:
+ - oAuth2
+ /console/active/project:
+ get:
+ description: Use this API to get your active project in the Ory Network Console
+ UI.
+ operationId: getActiveProjectInConsole
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/activeProjectInConsole'
+ description: activeProjectInConsole
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Returns the Ory Network Project selected in the Ory Network Console
+ tags:
+ - project
+ put:
+ description: Use this API to set your active project in the Ory Network Console
+ UI.
+ operationId: setActiveProjectInConsole
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/setActiveProjectInConsoleBody'
+ x-originalParamName: Body
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Sets the Ory Network Project active in the Ory Network Console
+ tags:
+ - project
+ /credentials:
+ post:
+ description: |-
+ This endpoint creates a verifiable credential that attests that the user
+ authenticated with the provided access token owns a certain public/private key
+ pair.
+
+ More information can be found at
+ https://openid.net/specs/openid-connect-userinfo-vc-1_0.html.
+ operationId: createVerifiableCredential
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/CreateVerifiableCredentialRequestBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/verifiableCredentialResponse'
+ description: verifiableCredentialResponse
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/verifiableCredentialPrimingResponse'
+ description: verifiableCredentialPrimingResponse
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ summary: Issues a Verifiable Credential
+ tags:
+ - oidc
+ /health/alive:
+ get:
+ description: |-
+ This endpoint returns a HTTP 200 status code when Ory Kratos is accepting incoming
+ HTTP requests. This status does currently not include checks whether the database connection is working.
+
+ If the service supports TLS Edge Termination, this endpoint does not require the
+ `X-Forwarded-Proto` header to be set.
+
+ Be aware that if you are running multiple nodes of this service, the health status will never
+ refer to the cluster state, only to a single instance.
+ operationId: isAlive
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/healthStatus'
+ description: Ory Kratos is ready to accept connections.
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ default:
+ content:
+ text/plain:
+ schema:
+ type: string
+ description: Unexpected error
+ security:
+ - oryAccessToken: []
+ summary: Check HTTP Server Status
+ tags:
+ - metadata
+ /health/ready:
+ get:
+ description: |-
+ This endpoint returns a HTTP 200 status code when Ory Kratos is up running and the environment dependencies (e.g.
+ the database) are responsive as well.
+
+ If the service supports TLS Edge Termination, this endpoint does not require the
+ `X-Forwarded-Proto` header to be set.
+
+ Be aware that if you are running multiple nodes of Ory Kratos, the health status will never
+ refer to the cluster state, only to a single instance.
+ operationId: isReady
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/isReady_200_response'
+ description: Ory Kratos is ready to accept requests.
+ "503":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/isReady_503_response'
+ description: Ory Kratos is not yet ready to accept requests.
+ default:
+ content:
+ text/plain:
+ schema:
+ type: string
+ description: Unexpected error
+ security:
+ - oryAccessToken: []
+ summary: Check HTTP Server and Database Status
+ tags:
+ - metadata
+ /namespaces:
+ get:
+ description: Get all namespaces
+ operationId: listRelationshipNamespaces
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/relationshipNamespaces'
+ description: relationshipNamespaces
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Query namespaces
+ tags:
+ - relationship
+ /oauth2/auth:
+ get:
+ description: |-
+ Use open source libraries to perform OAuth 2.0 and OpenID Connect
+ available for any programming language. You can find a list of libraries at https://oauth.net/code/
+
+ The Ory SDK is not yet able to this endpoint properly.
+ operationId: oAuth2Authorize
+ responses:
+ "302":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ summary: OAuth 2.0 Authorize Endpoint
+ tags:
+ - oAuth2
+ /oauth2/register:
+ post:
+ description: |-
+ This endpoint behaves like the administrative counterpart (`createOAuth2Client`) but is capable of facing the
+ public internet directly and can be used in self-service. It implements the OpenID Connect
+ Dynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint
+ is disabled by default. It can be enabled by an administrator.
+
+ Please note that using this endpoint you are not able to choose the `client_secret` nor the `client_id` as those
+ values will be server generated when specifying `token_endpoint_auth_method` as `client_secret_basic` or
+ `client_secret_post`.
+
+ The `client_secret` will be returned in the response and you will not be able to retrieve it later on.
+ Write the secret down and keep it somewhere safe.
+ operationId: createOidcDynamicClient
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: Dynamic Client Registration Request Body
+ required: true
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: oAuth2Client
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Bad Request Error Response
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ summary: Register OAuth2 Client using OpenID Dynamic Client Registration
+ tags:
+ - oidc
+ /oauth2/register/{id}:
+ delete:
+ description: |-
+ This endpoint behaves like the administrative counterpart (`deleteOAuth2Client`) but is capable of facing the
+ public internet directly and can be used in self-service. It implements the OpenID Connect
+ Dynamic Client Registration Protocol. This feature needs to be enabled in the configuration. This endpoint
+ is disabled by default. It can be enabled by an administrator.
+
+ To use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client
+ uses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.
+ If it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.
+
+ OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
+ generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
+ operationId: deleteOidcDynamicClient
+ parameters:
+ - description: The id of the OAuth 2.0 Client.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - bearer: []
+ summary: Delete OAuth 2.0 Client using the OpenID Dynamic Client Registration
+ Management Protocol
+ tags:
+ - oidc
+ get:
+ description: |-
+ This endpoint behaves like the administrative counterpart (`getOAuth2Client`) but is capable of facing the
+ public internet directly and can be used in self-service. It implements the OpenID Connect
+ Dynamic Client Registration Protocol.
+
+ To use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client
+ uses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.
+ If it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.
+ operationId: getOidcDynamicClient
+ parameters:
+ - description: The id of the OAuth 2.0 Client.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: oAuth2Client
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ security:
+ - bearer: []
+ summary: Get OAuth2 Client using OpenID Dynamic Client Registration
+ tags:
+ - oidc
+ put:
+ description: |-
+ This endpoint behaves like the administrative counterpart (`setOAuth2Client`) but is capable of facing the
+ public internet directly to be used by third parties. It implements the OpenID Connect
+ Dynamic Client Registration Protocol.
+
+ This feature is disabled per default. It can be enabled by a system administrator.
+
+ If you pass `client_secret` the secret is used, otherwise the existing secret is used. If set, the secret is echoed in the response.
+ It is not possible to retrieve it later on.
+
+ To use this endpoint, you will need to present the client's authentication credentials. If the OAuth2 Client
+ uses the Token Endpoint Authentication Method `client_secret_post`, you need to present the client secret in the URL query.
+ If it uses `client_secret_basic`, present the Client ID and the Client Secret in the Authorization header.
+
+ OAuth 2.0 clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
+ generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
+ operationId: setOidcDynamicClient
+ parameters:
+ - description: OAuth 2.0 Client ID
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: OAuth 2.0 Client Request Body
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2Client'
+ description: oAuth2Client
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Not Found Error Response
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ security:
+ - bearer: []
+ summary: Set OAuth2 Client using OpenID Dynamic Client Registration
+ tags:
+ - oidc
+ /oauth2/revoke:
+ post:
+ description: |-
+ Revoking a token (both access and refresh) means that the tokens will be invalid. A revoked access token can no
+ longer be used to make access requests, and a revoked refresh token can no longer be used to refresh an access token.
+ Revoking a refresh token also invalidates the access token that was created with it. A token may only be revoked by
+ the client the token was generated for.
+ operationId: revokeOAuth2Token
+ requestBody:
+ content:
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/revokeOAuth2Token_request'
+ responses:
+ "200":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - basic: []
+ - oauth2: []
+ summary: Revoke OAuth 2.0 Access or Refresh Token
+ tags:
+ - oAuth2
+ /oauth2/sessions/logout:
+ get:
+ description: |-
+ This endpoint initiates and completes user logout at the Ory OAuth2 & OpenID provider and initiates OpenID Connect Front- / Back-channel logout:
+
+ https://openid.net/specs/openid-connect-frontchannel-1_0.html
+ https://openid.net/specs/openid-connect-backchannel-1_0.html
+
+ Back-channel logout is performed asynchronously and does not affect logout flow.
+ operationId: revokeOidcSession
+ responses:
+ "302":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ summary: OpenID Connect Front- and Back-channel Enabled Logout
+ tags:
+ - oidc
+ /oauth2/token:
+ post:
+ description: |-
+ Use open source libraries to perform OAuth 2.0 and OpenID Connect
+ available for any programming language. You can find a list of libraries here https://oauth.net/code/
+
+ The Ory SDK is not yet able to this endpoint properly.
+ operationId: oauth2TokenExchange
+ requestBody:
+ content:
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/oauth2TokenExchange_request'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oAuth2TokenExchange'
+ description: oAuth2TokenExchange
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - basic: []
+ - oauth2: []
+ summary: The OAuth 2.0 Token Endpoint
+ tags:
+ - oAuth2
+ /opl/syntax/check:
+ post:
+ description: The OPL file is expected in the body of the request.
+ operationId: checkOplSyntax
+ requestBody:
+ content:
+ text/plain:
+ schema:
+ $ref: '#/components/schemas/checkOplSyntaxBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/checkOplSyntaxResult'
+ description: checkOplSyntaxResult
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Check the syntax of an OPL file
+ tags:
+ - relationship
+ /projects:
+ get:
+ description: Lists all projects you have access to.
+ operationId: listProjects
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/projectMetadataList'
+ description: projectMetadataList
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: List All Projects
+ tags:
+ - project
+ post:
+ description: Creates a new project.
+ operationId: createProject
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/createProjectBody'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/project'
+ description: project
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Create a Project
+ tags:
+ - project
+ /projects/{project_id}:
+ delete:
+ description: |-
+ !! Use with extreme caution !!
+
+ Using this API endpoint you can purge (completely delete) a project and its data.
+ This action can not be undone and will delete ALL your data.
+
+ !! Use with extreme caution !!
+ operationId: purgeProject
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Irrecoverably purge a project
+ tags:
+ - project
+ get:
+ description: Get a projects you have access to by its ID.
+ operationId: getProject
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/project'
+ description: project
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Get a Project
+ tags:
+ - project
+ patch:
+ description: |-
+ Deprecated: Use the `patchProjectWithRevision` endpoint instead to specify the exact revision the patch was generated for.
+
+ This endpoints allows you to patch individual Ory Network project configuration keys for
+ Ory's services (identity, permission, ...). The configuration format is fully compatible
+ with the open source projects for the respective services (e.g. Ory Kratos for Identity, Ory Keto for Permissions).
+
+ This endpoint expects the `version` key to be set in the payload. If it is unset, it
+ will try to import the config as if it is from the most recent version.
+
+ If you have an older version of a configuration, you should set the version key in the payload!
+
+ While this endpoint is able to process all configuration items related to features (e.g. password reset),
+ it does not support operational configuration items (e.g. port, tracing, logging) otherwise available in the
+ open source.
+
+ For configuration items that can not be translated to the Ory Network, this endpoint will return a list of warnings
+ to help you understand which parts of your config could not be processed.
+ operationId: patchProject
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/jsonPatch'
+ type: array
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/successfulProjectUpdate'
+ description: successfulProjectUpdate
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Patch an Ory Network Project Configuration
+ tags:
+ - project
+ put:
+ description: |-
+ This endpoints allows you to update the Ory Network project configuration for
+ individual services (identity, permission, ...). The configuration is fully compatible
+ with the open source projects for the respective services (e.g. Ory Kratos for Identity, Ory Keto for Permissions).
+
+ This endpoint expects the `version` key to be set in the payload. If it is unset, it
+ will try to import the config as if it is from the most recent version.
+
+ If you have an older version of a configuration, you should set the version key in the payload!
+
+ While this endpoint is able to process all configuration items related to features (e.g. password reset),
+ it does not support operational configuration items (e.g. port, tracing, logging) otherwise available in the
+ open source.
+
+ For configuration items that can not be translated to the Ory Network, this endpoint will return a list of warnings
+ to help you understand which parts of your config could not be processed.
+
+ Be aware that updating any service's configuration will completely override your current configuration for that
+ service!
+ operationId: setProject
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/setProject'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/successfulProjectUpdate'
+ description: successfulProjectUpdate
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Update an Ory Network Project Configuration
+ tags:
+ - project
+ /projects/{project_id}/eventstreams:
+ get:
+ operationId: listEventStreams
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/listEventStreams'
+ description: listEventStreams
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: List all event streams for the project. This endpoint is not paginated.
+ tags:
+ - events
+ post:
+ operationId: createEventStream
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/createEventStreamBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/eventStream'
+ description: eventStream
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Create an event stream for your project.
+ tags:
+ - events
+ /projects/{project_id}/eventstreams/{event_stream_id}:
+ delete:
+ description: Remove an event stream from a project.
+ operationId: deleteEventStream
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Event Stream ID
+
+ The ID of the event stream to be deleted, as returned when created.
+ explode: false
+ in: path
+ name: event_stream_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Remove an event stream from a project
+ tags:
+ - events
+ put:
+ operationId: setEventStream
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Event Stream ID
+
+ The event stream's ID.
+ explode: false
+ in: path
+ name: event_stream_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/setEventStreamBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/eventStream'
+ description: eventStream
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Update an event stream for a project.
+ tags:
+ - events
+ /projects/{project_id}/metrics:
+ get:
+ description: Retrieves project metrics for the specified event type and time
+ range
+ operationId: getProjectMetrics
+ parameters:
+ - description: Project ID
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: The event type to query for
+ explode: true
+ in: query
+ name: event_type
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ The resolution of the buckets
+
+ The minimum resolution is 1 hour.
+ explode: true
+ in: query
+ name: resolution
+ required: true
+ schema:
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ style: form
+ - description: The start RFC3339 date of the time window
+ explode: true
+ in: query
+ name: from
+ required: true
+ schema:
+ format: date-time
+ type: string
+ style: form
+ - description: The end RFC3339 date of the time window
+ explode: true
+ in: query
+ name: to
+ required: true
+ schema:
+ format: date-time
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/getProjectMetricsResponse'
+ description: getProjectMetricsResponse
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ tags:
+ - project
+ /projects/{project_id}/organizations:
+ get:
+ operationId: listOrganizations
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/listOrganizationsResponse'
+ description: listOrganizationsResponse
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ tags:
+ - project
+ post:
+ description: Create a B2B SSO Organization
+ operationId: createOrganization
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrganizationBody'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/organization'
+ description: organization
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ tags:
+ - project
+ /projects/{project_id}/organizations/{organization_id}:
+ delete:
+ operationId: deleteOrganization
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Organization ID
+
+ The Organization's ID.
+ explode: false
+ in: path
+ name: organization_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Delete a B2B SSO Organization for a project.
+ tags:
+ - project
+ get:
+ operationId: getOrganization
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Organization ID
+
+ The Organization's ID.
+ explode: false
+ in: path
+ name: organization_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/getOrganizationResponse'
+ description: getOrganizationResponse
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Returns a B2B SSO Organization for a project by it's ID.
+ tags:
+ - project
+ put:
+ operationId: updateOrganization
+ parameters:
+ - description: |-
+ Project ID
+
+ The project's ID.
+ explode: false
+ in: path
+ name: project_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Organization ID
+
+ The Organization's ID.
+ explode: false
+ in: path
+ name: organization_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/OrganizationBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/organization'
+ description: organization
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Update a B2B SSO Organization for a project.
+ tags:
+ - project
+ /projects/{project}/members:
+ get:
+ description: This endpoint requires the user to be a member of the project with
+ the role `OWNER` or `DEVELOPER`.
+ operationId: getProjectMembers
+ parameters:
+ - explode: false
+ in: path
+ name: project
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/projectMembers'
+ description: projectMembers
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ "406":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Get all members associated with this project
+ tags:
+ - project
+ /projects/{project}/members/{member}:
+ delete:
+ description: |-
+ This also sets their invite status to `REMOVED`.
+ This endpoint requires the user to be a member of the project with the role `OWNER`.
+ operationId: removeProjectMember
+ parameters:
+ - explode: false
+ in: path
+ name: project
+ required: true
+ schema:
+ type: string
+ style: simple
+ - explode: false
+ in: path
+ name: member
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ "406":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/genericError'
+ description: genericError
+ security:
+ - oryAccessToken: []
+ summary: Remove a member associated with this project
+ tags:
+ - project
+ /projects/{project}/tokens:
+ get:
+ description: A list of all the project's API tokens.
+ operationId: listProjectApiKeys
+ parameters:
+ - description: The Project ID or Project slug
+ explode: false
+ in: path
+ name: project
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/projectApiKeys'
+ description: projectApiKeys
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: List a project's API Tokens
+ tags:
+ - project
+ post:
+ description: Create an API token for a project.
+ operationId: createProjectApiKey
+ parameters:
+ - description: The Project ID or Project slug
+ explode: false
+ in: path
+ name: project
+ required: true
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/createProjectApiKey_request'
+ x-originalParamName: Body
+ responses:
+ "201":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/projectApiKey'
+ description: projectApiKey
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Create project API token
+ tags:
+ - project
+ /projects/{project}/tokens/{token_id}:
+ delete:
+ description: Deletes an API token and immediately removes it.
+ operationId: deleteProjectApiKey
+ parameters:
+ - description: The Project ID or Project slug
+ explode: false
+ in: path
+ name: project
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: The Token ID
+ explode: false
+ in: path
+ name: token_id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Delete project API token
+ tags:
+ - project
+ /relation-tuples:
+ get:
+ description: Get all relationships that match the query. Only the namespace
+ field is required.
+ operationId: getRelationships
+ parameters:
+ - explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ type: string
+ style: form
+ - explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ - description: Namespace of the Relationship
+ explode: true
+ in: query
+ name: namespace
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Object of the Relationship
+ explode: true
+ in: query
+ name: object
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Relationship
+ explode: true
+ in: query
+ name: relation
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: SubjectID of the Relationship
+ explode: true
+ in: query
+ name: subject_id
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Namespace of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.namespace
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Object of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.object
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.relation
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/relationships'
+ description: relationships
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Query relationships
+ tags:
+ - relationship
+ /relation-tuples/check:
+ get:
+ description: "To learn how relationship tuples and the check works, head over\
+ \ to [the documentation](https://www.ory.sh/docs/keto/concepts/api-overview)."
+ operationId: checkPermissionOrError
+ parameters:
+ - description: Namespace of the Relationship
+ explode: true
+ in: query
+ name: namespace
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Object of the Relationship
+ explode: true
+ in: query
+ name: object
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Relationship
+ explode: true
+ in: query
+ name: relation
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: SubjectID of the Relationship
+ explode: true
+ in: query
+ name: subject_id
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Namespace of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.namespace
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Object of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.object
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.relation
+ required: false
+ schema:
+ type: string
+ style: form
+ - explode: true
+ in: query
+ name: max-depth
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/checkPermissionResult'
+ description: checkPermissionResult
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/checkPermissionResult'
+ description: checkPermissionResult
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Check a permission
+ tags:
+ - permission
+ post:
+ description: "To learn how relationship tuples and the check works, head over\
+ \ to [the documentation](https://www.ory.sh/docs/keto/concepts/api-overview)."
+ operationId: postCheckPermissionOrError
+ parameters:
+ - description: "nolint:deadcode,unused"
+ explode: true
+ in: query
+ name: max-depth
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/postCheckPermissionOrErrorBody'
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/checkPermissionResult'
+ description: checkPermissionResult
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/checkPermissionResult'
+ description: checkPermissionResult
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Check a permission
+ tags:
+ - permission
+ /relation-tuples/check/openapi:
+ get:
+ description: "To learn how relationship tuples and the check works, head over\
+ \ to [the documentation](https://www.ory.sh/docs/keto/concepts/api-overview)."
+ operationId: checkPermission
+ parameters:
+ - description: Namespace of the Relationship
+ explode: true
+ in: query
+ name: namespace
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Object of the Relationship
+ explode: true
+ in: query
+ name: object
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Relationship
+ explode: true
+ in: query
+ name: relation
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: SubjectID of the Relationship
+ explode: true
+ in: query
+ name: subject_id
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Namespace of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.namespace
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Object of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.object
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Subject Set
+ explode: true
+ in: query
+ name: subject_set.relation
+ required: false
+ schema:
+ type: string
+ style: form
+ - explode: true
+ in: query
+ name: max-depth
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/checkPermissionResult'
+ description: checkPermissionResult
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Check a permission
+ tags:
+ - permission
+ post:
+ description: "To learn how relationship tuples and the check works, head over\
+ \ to [the documentation](https://www.ory.sh/docs/keto/concepts/api-overview)."
+ operationId: postCheckPermission
+ parameters:
+ - explode: true
+ in: query
+ name: max-depth
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/postCheckPermissionBody'
+ x-originalParamName: Payload
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/checkPermissionResult'
+ description: checkPermissionResult
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Check a permission
+ tags:
+ - permission
+ /relation-tuples/expand:
+ get:
+ description: Use this endpoint to expand a relationship tuple into permissions.
+ operationId: expandPermissions
+ parameters:
+ - description: Namespace of the Subject Set
+ explode: true
+ in: query
+ name: namespace
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: Object of the Subject Set
+ explode: true
+ in: query
+ name: object
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: Relation of the Subject Set
+ explode: true
+ in: query
+ name: relation
+ required: true
+ schema:
+ type: string
+ style: form
+ - explode: true
+ in: query
+ name: max-depth
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/expandedPermissionTree'
+ description: expandedPermissionTree
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Expand a Relationship into permissions.
+ tags:
+ - permission
+ /schemas:
+ get:
+ description: Returns a list of all identity schemas currently in use.
+ operationId: listIdentitySchemas
+ parameters:
+ - description: |-
+ Deprecated Items per Page
+
+ DEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Deprecated Pagination Page
+
+ DEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ The first page can be retrieved by omitting this parameter. Following page pointers will be returned in the
+ `Link` header.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ - description: |-
+ Page Size
+
+ This is the number of items per page to return. For details on pagination please head over to the
+ [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 500
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token. For details on pagination please head over to the
+ [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ default: "1"
+ minimum: 1
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identitySchemas'
+ description: List Identity JSON Schemas Response
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get all Identity Schemas
+ tags:
+ - identity
+ /schemas/{id}:
+ get:
+ description: Return a specific identity schema.
+ operationId: getIdentitySchema
+ parameters:
+ - description: ID must be set to the ID of schema you want to get
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identitySchema'
+ description: identitySchema
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get Identity JSON Schema
+ tags:
+ - identity
+ /self-service/errors:
+ get:
+ description: |-
+ This endpoint returns the error associated with a user-facing self service errors.
+
+ This endpoint supports stub values to help you implement the error UI:
+
+ `?id=stub:500` - returns a stub 500 (Internal Server Error) error.
+
+ More information can be found at [Ory Kratos User User Facing Error Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-facing-errors).
+ operationId: getFlowError
+ parameters:
+ - description: Error is the error's ID
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/flowError'
+ description: flowError
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get User-Flow Errors
+ tags:
+ - frontend
+ /self-service/login:
+ post:
+ description: |-
+ Use this endpoint to complete a login flow. This endpoint
+ behaves differently for API and browser flows.
+
+ API flows expect `application/json` to be sent in the body and responds with
+ HTTP 200 and a application/json body with the session token on success;
+ HTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;
+ HTTP 400 on form validation errors.
+
+ Browser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with
+ a HTTP 303 redirect to the post/after login URL or the `return_to` value if it was set and if the login succeeded;
+ a HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.
+
+ Browser flows with an accept header of `application/json` will not redirect but instead respond with
+ HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
+ HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
+ HTTP 400 on form validation errors.
+
+ If this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+ `browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.
+ Most likely used in Social Sign In flows.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: updateLoginFlow
+ parameters:
+ - description: |-
+ The Login Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/login?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: The Session Token of the Identity performing the settings flow.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/updateLoginFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/updateLoginFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/successfulNativeLogin'
+ description: successfulNativeLogin
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/loginFlow'
+ description: loginFlow
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "422":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorBrowserLocationChangeRequired'
+ description: errorBrowserLocationChangeRequired
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Submit a Login Flow
+ tags:
+ - frontend
+ /self-service/login/api:
+ get:
+ description: |-
+ This endpoint initiates a login flow for native apps that do not use a browser, such as mobile devices, smart TVs, and so on.
+
+ If a valid provided session cookie or session token is provided, a 400 Bad Request error
+ will be returned unless the URL query parameter `?refresh=true` is set.
+
+ To fetch an existing login flow call `/self-service/login/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks, including CSRF login attacks.
+
+ In the case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `session_aal1_required`: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: createNativeLoginFlow
+ parameters:
+ - description: |-
+ Refresh a login session
+
+ If set to true, this will refresh an existing login session by
+ asking the user to sign in again. This will reset the
+ authenticated_at time of the session.
+ explode: true
+ in: query
+ name: refresh
+ required: false
+ schema:
+ type: boolean
+ style: form
+ - description: |-
+ Request a Specific AuthenticationMethod Assurance Level
+
+ Use this parameter to upgrade an existing session's authenticator assurance level (AAL). This
+ allows you to ask for multi-factor authentication. When an identity sign in using e.g. username+password,
+ the AAL is 1. If you wish to "upgrade" the session's security by asking the user to perform TOTP / WebAuth/ ...
+ you would set this to "aal2".
+ explode: true
+ in: query
+ name: aal
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: The Session Token of the Identity performing the settings flow.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ EnableSessionTokenExchangeCode requests the login flow to include a code that can be used to retrieve the session token
+ after the login flow has been completed.
+ explode: true
+ in: query
+ name: return_session_token_exchange_code
+ required: false
+ schema:
+ type: boolean
+ style: form
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/loginFlow'
+ description: loginFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Login Flow for Native Apps
+ tags:
+ - frontend
+ /self-service/login/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based user login flow. This endpoint will set the appropriate
+ cookies and anti-CSRF measures required for browser-based flows.
+
+ If this endpoint is opened as a link in the browser, it will be redirected to
+ `selfservice.flows.login.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session
+ exists already, the browser will be redirected to `urls.default_redirect_url` unless the query parameter
+ `?refresh=true` was set.
+
+ If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `session_aal1_required`: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+
+ The optional query parameter login_challenge is set when using Kratos with
+ Hydra in an OAuth2 flow. See the oauth2_provider.url configuration
+ option.
+
+ This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: createBrowserLoginFlow
+ parameters:
+ - description: |-
+ Refresh a login session
+
+ If set to true, this will refresh an existing login session by
+ asking the user to sign in again. This will reset the
+ authenticated_at time of the session.
+ explode: true
+ in: query
+ name: refresh
+ required: false
+ schema:
+ type: boolean
+ style: form
+ - description: |-
+ Request a Specific AuthenticationMethod Assurance Level
+
+ Use this parameter to upgrade an existing session's authenticator assurance level (AAL). This
+ allows you to ask for multi-factor authentication. When an identity sign in using e.g. username+password,
+ the AAL is 1. If you wish to "upgrade" the session's security by asking the user to perform TOTP / WebAuth/ ...
+ you would set this to "aal2".
+ explode: true
+ in: query
+ name: aal
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ An optional Hydra login challenge. If present, Kratos will cooperate with
+ Ory Hydra to act as an OAuth2 identity provider.
+
+ The value for this parameter comes from `login_challenge` URL Query parameter sent to your
+ application (e.g. `/login?login_challenge=abcde`).
+ explode: true
+ in: query
+ name: login_challenge
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ An optional organization ID that should be used for logging this user in.
+ This parameter is only effective in the Ory Network.
+ explode: true
+ in: query
+ name: organization
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/loginFlow'
+ description: loginFlow
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Login Flow for Browsers
+ tags:
+ - frontend
+ /self-service/login/flows:
+ get:
+ description: |-
+ This endpoint returns a login flow's context with, for example, error details and other information.
+
+ Browser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.
+ For AJAX requests you must ensure that cookies are included in the request or requests will fail.
+
+ If you use the browser-flow for server-side apps, the services need to run on a common top-level-domain
+ and you need to forward the incoming HTTP Cookie header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/login', async function (req, res) {
+ const flow = await client.getLoginFlow(req.header('cookie'), req.query['flow'])
+
+ res.render('login', flow)
+ })
+ ```
+
+ This request may fail due to several reasons. The `error.id` can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `self_service_flow_expired`: The flow is expired and you should request a new one.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: getLoginFlow
+ parameters:
+ - description: |-
+ The Login Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/login?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/loginFlow'
+ description: loginFlow
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get Login Flow
+ tags:
+ - frontend
+ /self-service/logout:
+ get:
+ description: |-
+ This endpoint logs out an identity in a self-service manner.
+
+ If the `Accept` HTTP header is not set to `application/json`, the browser will be redirected (HTTP 303 See Other)
+ to the `return_to` parameter of the initial request or fall back to `urls.default_return_to`.
+
+ If the `Accept` HTTP header is set to `application/json`, a 204 No Content response
+ will be sent on successful logout instead.
+
+ This endpoint is NOT INTENDED for API clients and only works
+ with browsers (Chrome, Firefox, ...). For API clients you can
+ call the `/self-service/logout/api` URL directly with the Ory Session Token.
+
+ More information can be found at [Ory Kratos User Logout Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-logout).
+ operationId: updateLogoutFlow
+ parameters:
+ - description: |-
+ A Valid Logout Token
+
+ If you do not have a logout token because you only have a session cookie,
+ call `/self-service/logout/browser` to generate a URL for this endpoint.
+ explode: true
+ in: query
+ name: token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: The URL to return to after the logout was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Update Logout Flow
+ tags:
+ - frontend
+ /self-service/logout/api:
+ delete:
+ description: |-
+ Use this endpoint to log out an identity using an Ory Session Token. If the Ory Session Token was successfully
+ revoked, the server returns a 204 No Content response. A 204 No Content response is also sent when
+ the Ory Session Token has been revoked already before.
+
+ If the Ory Session Token is malformed or does not exist a 403 Forbidden response will be returned.
+
+ This endpoint does not remove any HTTP
+ Cookies - use the Browser-Based Self-Service Logout Flow instead.
+ operationId: performNativeLogout
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/performNativeLogoutBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Perform Logout for Native Apps
+ tags:
+ - frontend
+ /self-service/logout/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based user logout flow and a URL which can be used to log out the user.
+
+ This endpoint is NOT INTENDED for API clients and only works
+ with browsers (Chrome, Firefox, ...). For API clients you can
+ call the `/self-service/logout/api` URL directly with the Ory Session Token.
+
+ The URL is only valid for the currently signed in user. If no user is signed in, this endpoint returns
+ a 401 error.
+
+ When calling this endpoint from a backend, please ensure to properly forward the HTTP cookies.
+ operationId: createBrowserLogoutFlow
+ parameters:
+ - description: |-
+ HTTP Cookies
+
+ If you call this endpoint from a backend, please include the
+ original Cookie header in the request.
+ explode: false
+ in: header
+ name: cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Return to URL
+
+ The URL to which the browser should be redirected to after the logout
+ has been performed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/logoutFlow'
+ description: logoutFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create a Logout URL for Browsers
+ tags:
+ - frontend
+ /self-service/recovery:
+ post:
+ description: |-
+ Use this endpoint to update a recovery flow. This endpoint
+ behaves differently for API and browser flows and has several states:
+
+ `choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent
+ and works with API- and Browser-initiated flows.
+ For API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid.
+ and a HTTP 303 See Other redirect with a fresh recovery flow if the flow was otherwise invalid (e.g. expired).
+ For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Recovery UI URL with the Recovery Flow ID appended.
+ `sent_email` is the success state after `choose_method` for the `link` method and allows the user to request another recovery email. It
+ works for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.
+ `passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow ("sending a recovery link")
+ does not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL
+ (if the link was valid) and instructs the user to update their password, or a redirect to the Recover UI URL with
+ a new Recovery Flow ID which contains an error message that the recovery link was invalid.
+
+ More information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).
+ operationId: updateRecoveryFlow
+ parameters:
+ - description: |-
+ The Recovery Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/recovery?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ Recovery Token
+
+ The recovery token which completes the recovery request. If the token
+ is invalid (e.g. expired) an error will be shown to the end-user.
+
+ This parameter is usually set in a link and not used by any direct API call.
+ explode: true
+ in: query
+ name: token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/updateRecoveryFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/updateRecoveryFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/recoveryFlow'
+ description: recoveryFlow
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/recoveryFlow'
+ description: recoveryFlow
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "422":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorBrowserLocationChangeRequired'
+ description: errorBrowserLocationChangeRequired
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Update Recovery Flow
+ tags:
+ - frontend
+ /self-service/recovery/api:
+ get:
+ description: |-
+ This endpoint initiates a recovery flow for API clients such as mobile devices, smart TVs, and so on.
+
+ If a valid provided session cookie or session token is provided, a 400 Bad Request error.
+
+ On an existing recovery flow, use the `getRecoveryFlow` API endpoint.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).
+ operationId: createNativeRecoveryFlow
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/recoveryFlow'
+ description: recoveryFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Recovery Flow for Native Apps
+ tags:
+ - frontend
+ /self-service/recovery/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based account recovery flow. Once initialized, the browser will be redirected to
+ `selfservice.flows.recovery.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session
+ exists, the browser is returned to the configured return URL.
+
+ If this endpoint is called via an AJAX request, the response contains the recovery flow without any redirects
+ or a 400 bad request error if the user is already authenticated.
+
+ This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
+
+ More information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).
+ operationId: createBrowserRecoveryFlow
+ parameters:
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/recoveryFlow'
+ description: recoveryFlow
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Recovery Flow for Browsers
+ tags:
+ - frontend
+ /self-service/recovery/flows:
+ get:
+ description: |-
+ This endpoint returns a recovery flow's context with, for example, error details and other information.
+
+ Browser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.
+ For AJAX requests you must ensure that cookies are included in the request or requests will fail.
+
+ If you use the browser-flow for server-side apps, the services need to run on a common top-level-domain
+ and you need to forward the incoming HTTP Cookie header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/recovery', async function (req, res) {
+ const flow = await client.getRecoveryFlow(req.header('Cookie'), req.query['flow'])
+
+ res.render('recovery', flow)
+ })
+ ```
+
+ More information can be found at [Ory Kratos Account Recovery Documentation](../self-service/flows/account-recovery).
+ operationId: getRecoveryFlow
+ parameters:
+ - description: |-
+ The Flow ID
+
+ The value for this parameter comes from `request` URL Query parameter sent to your
+ application (e.g. `/recovery?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/recoveryFlow'
+ description: recoveryFlow
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get Recovery Flow
+ tags:
+ - frontend
+ /self-service/registration:
+ post:
+ description: |-
+ Use this endpoint to complete a registration flow by sending an identity's traits and password. This endpoint
+ behaves differently for API and browser flows.
+
+ API flows expect `application/json` to be sent in the body and respond with
+ HTTP 200 and a application/json body with the created identity success - if the session hook is configured the
+ `session` and `session_token` will also be included;
+ HTTP 410 if the original flow expired with the appropriate error messages set and optionally a `use_flow_id` parameter in the body;
+ HTTP 400 on form validation errors.
+
+ Browser flows expect a Content-Type of `application/x-www-form-urlencoded` or `application/json` to be sent in the body and respond with
+ a HTTP 303 redirect to the post/after registration URL or the `return_to` value if it was set and if the registration succeeded;
+ a HTTP 303 redirect to the registration UI URL with the flow ID containing the validation errors otherwise.
+
+ Browser flows with an accept header of `application/json` will not redirect but instead respond with
+ HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
+ HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
+ HTTP 400 on form validation errors.
+
+ If this endpoint is called with `Accept: application/json` in the header, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+ `browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.
+ Most likely used in Social Sign In flows.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: updateRegistrationFlow
+ parameters:
+ - description: |-
+ The Registration Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/registration?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/updateRegistrationFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/updateRegistrationFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/successfulNativeRegistration'
+ description: successfulNativeRegistration
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/registrationFlow'
+ description: registrationFlow
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "422":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorBrowserLocationChangeRequired'
+ description: errorBrowserLocationChangeRequired
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Update Registration Flow
+ tags:
+ - frontend
+ /self-service/registration/api:
+ get:
+ description: |-
+ This endpoint initiates a registration flow for API clients such as mobile devices, smart TVs, and so on.
+
+ If a valid provided session cookie or session token is provided, a 400 Bad Request error
+ will be returned unless the URL query parameter `?refresh=true` is set.
+
+ To fetch an existing registration flow call `/self-service/registration/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks.
+
+ In the case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: createNativeRegistrationFlow
+ parameters:
+ - description: |-
+ EnableSessionTokenExchangeCode requests the login flow to include a code that can be used to retrieve the session token
+ after the login flow has been completed.
+ explode: true
+ in: query
+ name: return_session_token_exchange_code
+ required: false
+ schema:
+ type: boolean
+ style: form
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/registrationFlow'
+ description: registrationFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Registration Flow for Native Apps
+ tags:
+ - frontend
+ /self-service/registration/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based user registration flow. This endpoint will set the appropriate
+ cookies and anti-CSRF measures required for browser-based flows.
+
+ If this endpoint is opened as a link in the browser, it will be redirected to
+ `selfservice.flows.registration.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session
+ exists already, the browser will be redirected to `urls.default_redirect_url`.
+
+ If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+
+ If this endpoint is called via an AJAX request, the response contains the registration flow without a redirect.
+
+ This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: createBrowserRegistrationFlow
+ parameters:
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ Ory OAuth 2.0 Login Challenge.
+
+ If set will cooperate with Ory OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.
+
+ The value for this parameter comes from `login_challenge` URL Query parameter sent to your
+ application (e.g. `/registration?login_challenge=abcde`).
+
+ This feature is compatible with Ory Hydra when not running on the Ory Network.
+ explode: true
+ in: query
+ name: login_challenge
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ The URL to return the browser to after the verification flow was completed.
+
+ After the registration flow is completed, the user will be sent a verification email.
+ Upon completing the verification flow, this URL will be used to override the default
+ `selfservice.flows.verification.after.default_redirect_to` value.
+ explode: true
+ in: query
+ name: after_verification_return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ - explode: true
+ in: query
+ name: organization
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/registrationFlow'
+ description: registrationFlow
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Registration Flow for Browsers
+ tags:
+ - frontend
+ /self-service/registration/flows:
+ get:
+ description: |-
+ This endpoint returns a registration flow's context with, for example, error details and other information.
+
+ Browser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.
+ For AJAX requests you must ensure that cookies are included in the request or requests will fail.
+
+ If you use the browser-flow for server-side apps, the services need to run on a common top-level-domain
+ and you need to forward the incoming HTTP Cookie header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/registration', async function (req, res) {
+ const flow = await client.getRegistrationFlow(req.header('cookie'), req.query['flow'])
+
+ res.render('registration', flow)
+ })
+ ```
+
+ This request may fail due to several reasons. The `error.id` can be one of:
+
+ `session_already_available`: The user is already signed in.
+ `self_service_flow_expired`: The flow is expired and you should request a new one.
+
+ More information can be found at [Ory Kratos User Login](https://www.ory.sh/docs/kratos/self-service/flows/user-login) and [User Registration Documentation](https://www.ory.sh/docs/kratos/self-service/flows/user-registration).
+ operationId: getRegistrationFlow
+ parameters:
+ - description: |-
+ The Registration Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/registration?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/registrationFlow'
+ description: registrationFlow
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get Registration Flow
+ tags:
+ - frontend
+ /self-service/settings:
+ post:
+ description: |-
+ Use this endpoint to complete a settings flow by sending an identity's updated password. This endpoint
+ behaves differently for API and browser flows.
+
+ API-initiated flows expect `application/json` to be sent in the body and respond with
+ HTTP 200 and an application/json body with the session token on success;
+ HTTP 303 redirect to a fresh settings flow if the original flow expired with the appropriate error messages set;
+ HTTP 400 on form validation errors.
+ HTTP 401 when the endpoint is called without a valid session token.
+ HTTP 403 when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
+ Implies that the user needs to re-authenticate.
+
+ Browser flows without HTTP Header `Accept` or with `Accept: text/*` respond with
+ a HTTP 303 redirect to the post/after settings URL or the `return_to` value if it was set and if the flow succeeded;
+ a HTTP 303 redirect to the Settings UI URL with the flow ID containing the validation errors otherwise.
+ a HTTP 303 redirect to the login endpoint when `selfservice.flows.settings.privileged_session_max_age` was reached or the session's AAL is too low.
+
+ Browser flows with HTTP Header `Accept: application/json` respond with
+ HTTP 200 and a application/json body with the signed in identity and a `Set-Cookie` header on success;
+ HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set;
+ HTTP 401 when the endpoint is called without a valid session cookie.
+ HTTP 403 when the page is accessed without a session cookie or the session's AAL is too low.
+ HTTP 400 on form validation errors.
+
+ Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor (happens automatically for server-side browser flows) or change the configuration.
+
+ If this endpoint is called with a `Accept: application/json` HTTP header, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `session_refresh_required`: The identity requested to change something that needs a privileged session. Redirect
+ the identity to the login init endpoint with query parameters `?refresh=true&return_to=`,
+ or initiate a refresh login flow otherwise.
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `session_inactive`: No Ory Session was found - sign in a user first.
+ `security_identity_mismatch`: The flow was interrupted with `session_refresh_required` but apparently some other
+ identity logged in instead.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+ `browser_location_change_required`: Usually sent when an AJAX request indicates that the browser needs to open a specific URL.
+ Most likely used in Social Sign In flows.
+
+ More information can be found at [Ory Kratos User Settings & Profile Management Documentation](../self-service/flows/user-settings).
+ operationId: updateSettingsFlow
+ parameters:
+ - description: |-
+ The Settings Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/settings?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: The Session Token of the Identity performing the settings flow.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/updateSettingsFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/updateSettingsFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/settingsFlow'
+ description: settingsFlow
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/settingsFlow'
+ description: settingsFlow
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "422":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorBrowserLocationChangeRequired'
+ description: errorBrowserLocationChangeRequired
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ security:
+ - oryAccessToken: []
+ summary: Complete Settings Flow
+ tags:
+ - frontend
+ /self-service/settings/api:
+ get:
+ description: |-
+ This endpoint initiates a settings flow for API clients such as mobile devices, smart TVs, and so on.
+ You must provide a valid Ory Kratos Session Token for this endpoint to respond with HTTP 200 OK.
+
+ To fetch an existing settings flow call `/self-service/settings/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks.
+
+ Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor or change the configuration.
+
+ In the case of an error, the `error.id` of the JSON response body can be one of:
+
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `session_inactive`: No Ory Session was found - sign in a user first.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Kratos User Settings & Profile Management Documentation](../self-service/flows/user-settings).
+ operationId: createNativeSettingsFlow
+ parameters:
+ - description: The Session Token of the Identity performing the settings flow.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/settingsFlow'
+ description: settingsFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Settings Flow for Native Apps
+ tags:
+ - frontend
+ /self-service/settings/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based user settings flow. Once initialized, the browser will be redirected to
+ `selfservice.flows.settings.ui_url` with the flow ID set as the query parameter `?flow=`. If no valid
+ Ory Kratos Session Cookie is included in the request, a login flow will be initialized.
+
+ If this endpoint is opened as a link in the browser, it will be redirected to
+ `selfservice.flows.settings.ui_url` with the flow ID set as the query parameter `?flow=`. If no valid user session
+ was set, the browser will be redirected to the login endpoint.
+
+ If this endpoint is called via an AJAX request, the response contains the settings flow without any redirects
+ or a 401 forbidden error if no valid session was set.
+
+ Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor (happens automatically for server-side browser flows) or change the configuration.
+
+ If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `session_inactive`: No Ory Session was found - sign in a user first.
+ `security_identity_mismatch`: The requested `?return_to` address is not allowed to be used. Adjust this in the configuration!
+
+ This endpoint is NOT INTENDED for clients that do not have a browser (Chrome, Firefox, ...) as cookies are needed.
+
+ More information can be found at [Ory Kratos User Settings & Profile Management Documentation](../self-service/flows/user-settings).
+ operationId: createBrowserSettingsFlow
+ parameters:
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/settingsFlow'
+ description: settingsFlow
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Settings Flow for Browsers
+ tags:
+ - frontend
+ /self-service/settings/flows:
+ get:
+ description: |-
+ When accessing this endpoint through Ory Kratos' Public API you must ensure that either the Ory Kratos Session Cookie
+ or the Ory Kratos Session Token are set.
+
+ Depending on your configuration this endpoint might return a 403 error if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor or change the configuration.
+
+ You can access this endpoint without credentials when using Ory Kratos' Admin API.
+
+ If this endpoint is called via an AJAX request, the response contains the flow without a redirect. In the
+ case of an error, the `error.id` of the JSON response body can be one of:
+
+ `security_csrf_violation`: Unable to fetch the flow because a CSRF violation occurred.
+ `session_inactive`: No Ory Session was found - sign in a user first.
+ `security_identity_mismatch`: The flow was interrupted with `session_refresh_required` but apparently some other
+ identity logged in instead.
+
+ More information can be found at [Ory Kratos User Settings & Profile Management Documentation](../self-service/flows/user-settings).
+ operationId: getSettingsFlow
+ parameters:
+ - description: |-
+ ID is the Settings Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/settings?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ The Session Token
+
+ When using the SDK in an app without a browser, please include the
+ session token here.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/settingsFlow'
+ description: settingsFlow
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get Settings Flow
+ tags:
+ - frontend
+ /self-service/verification:
+ post:
+ description: |-
+ Use this endpoint to complete a verification flow. This endpoint
+ behaves differently for API and browser flows and has several states:
+
+ `choose_method` expects `flow` (in the URL query) and `email` (in the body) to be sent
+ and works with API- and Browser-initiated flows.
+ For API clients and Browser clients with HTTP Header `Accept: application/json` it either returns a HTTP 200 OK when the form is valid and HTTP 400 OK when the form is invalid
+ and a HTTP 303 See Other redirect with a fresh verification flow if the flow was otherwise invalid (e.g. expired).
+ For Browser clients without HTTP Header `Accept` or with `Accept: text/*` it returns a HTTP 303 See Other redirect to the Verification UI URL with the Verification Flow ID appended.
+ `sent_email` is the success state after `choose_method` when using the `link` method and allows the user to request another verification email. It
+ works for both API and Browser-initiated flows and returns the same responses as the flow in `choose_method` state.
+ `passed_challenge` expects a `token` to be sent in the URL query and given the nature of the flow ("sending a verification link")
+ does not have any API capabilities. The server responds with a HTTP 303 See Other redirect either to the Settings UI URL
+ (if the link was valid) and instructs the user to update their password, or a redirect to the Verification UI URL with
+ a new Verification Flow ID which contains an error message that the verification link was invalid.
+
+ More information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation).
+ operationId: updateVerificationFlow
+ parameters:
+ - description: |-
+ The Verification Flow ID
+
+ The value for this parameter comes from `flow` URL Query parameter sent to your
+ application (e.g. `/verification?flow=abcde`).
+ explode: true
+ in: query
+ name: flow
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ Verification Token
+
+ The verification token which completes the verification request. If the token
+ is invalid (e.g. expired) an error will be shown to the end-user.
+
+ This parameter is usually set in a link and not used by any direct API call.
+ explode: true
+ in: query
+ name: token
+ required: false
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK in a browser app, on the server side you must include the HTTP Cookie Header
+ sent by the client to your server here. This ensures that CSRF and session cookies are respected.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/updateVerificationFlowBody'
+ application/x-www-form-urlencoded:
+ schema:
+ $ref: '#/components/schemas/updateVerificationFlowBody'
+ required: true
+ x-originalParamName: Body
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/verificationFlow'
+ description: verificationFlow
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/verificationFlow'
+ description: verificationFlow
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Complete Verification Flow
+ tags:
+ - frontend
+ /self-service/verification/api:
+ get:
+ description: |-
+ This endpoint initiates a verification flow for API clients such as mobile devices, smart TVs, and so on.
+
+ To fetch an existing verification flow call `/self-service/verification/flows?flow=`.
+
+ You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server
+ Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make
+ you vulnerable to a variety of CSRF attacks.
+
+ This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
+
+ More information can be found at [Ory Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation).
+ operationId: createNativeVerificationFlow
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/verificationFlow'
+ description: verificationFlow
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Verification Flow for Native Apps
+ tags:
+ - frontend
+ /self-service/verification/browser:
+ get:
+ description: |-
+ This endpoint initializes a browser-based account verification flow. Once initialized, the browser will be redirected to
+ `selfservice.flows.verification.ui_url` with the flow ID set as the query parameter `?flow=`.
+
+ If this endpoint is called via an AJAX request, the response contains the recovery flow without any redirects.
+
+ This endpoint is NOT INTENDED for API clients and only works with browsers (Chrome, Firefox, ...).
+
+ More information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation).
+ operationId: createBrowserVerificationFlow
+ parameters:
+ - description: The URL to return the browser to after the flow was completed.
+ explode: true
+ in: query
+ name: return_to
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/verificationFlow'
+ description: verificationFlow
+ "303":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Create Verification Flow for Browser Clients
+ tags:
+ - frontend
+ /self-service/verification/flows:
+ get:
+ description: |-
+ This endpoint returns a verification flow's context with, for example, error details and other information.
+
+ Browser flows expect the anti-CSRF cookie to be included in the request's HTTP Cookie Header.
+ For AJAX requests you must ensure that cookies are included in the request or requests will fail.
+
+ If you use the browser-flow for server-side apps, the services need to run on a common top-level-domain
+ and you need to forward the incoming HTTP Cookie header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/recovery', async function (req, res) {
+ const flow = await client.getVerificationFlow(req.header('cookie'), req.query['flow'])
+
+ res.render('verification', flow)
+ })
+ ```
+
+ More information can be found at [Ory Kratos Email and Phone Verification Documentation](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation).
+ operationId: getVerificationFlow
+ parameters:
+ - description: |-
+ The Flow ID
+
+ The value for this parameter comes from `request` URL Query parameter sent to your
+ application (e.g. `/verification?flow=abcde`).
+ explode: true
+ in: query
+ name: id
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: |-
+ HTTP Cookies
+
+ When using the SDK on the server side you must include the HTTP Cookie Header
+ originally sent to your HTTP handler here.
+ explode: false
+ in: header
+ name: cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/verificationFlow'
+ description: verificationFlow
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get Verification Flow
+ tags:
+ - frontend
+ /sessions:
+ delete:
+ description: |-
+ Calling this endpoint invalidates all except the current session that belong to the logged-in user.
+ Session data are not deleted.
+ operationId: disableMyOtherSessions
+ parameters:
+ - description: Set the Session Token when calling from non-browser clients.
+ A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that
+ scenario you must include the HTTP Cookie Header which originally was included in the request to your server.
+ An example of a session in the HTTP Cookie Header is: `ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==`.
+
+ It is ok if more than one cookie are included here as all other cookies will be ignored.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/deleteMySessionsCount'
+ description: deleteMySessionsCount
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Disable my other sessions
+ tags:
+ - frontend
+ get:
+ description: |-
+ This endpoints returns all other active sessions that belong to the logged-in user.
+ The current session can be retrieved by calling the `/sessions/whoami` endpoint.
+ operationId: listMySessions
+ parameters:
+ - description: |-
+ Deprecated Items per Page
+
+ DEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.
+
+ This is the number of items per page.
+ explode: true
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Deprecated Pagination Page
+
+ DEPRECATED: Please use `page_token` instead. This parameter will be removed in the future.
+
+ This value is currently an integer, but it is not sequential. The value is not the page number, but a
+ reference. The next page can be any number and some numbers might return an empty list.
+
+ For example, page 2 might not follow after page 1. And even if page 3 and 5 exist, but page 4 might not exist.
+ The first page can be retrieved by omitting this parameter. Following page pointers will be returned in the
+ `Link` header.
+ explode: true
+ in: query
+ name: page
+ required: false
+ schema:
+ format: int64
+ type: integer
+ style: form
+ - description: |-
+ Page Size
+
+ This is the number of items per page to return. For details on pagination please head over to the
+ [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_size
+ required: false
+ schema:
+ default: 250
+ format: int64
+ maximum: 500
+ minimum: 1
+ type: integer
+ style: form
+ - description: |-
+ Next Page Token
+
+ The next page token. For details on pagination please head over to the
+ [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ explode: true
+ in: query
+ name: page_token
+ required: false
+ schema:
+ default: "1"
+ minimum: 1
+ type: string
+ style: form
+ - description: Set the Session Token when calling from non-browser clients.
+ A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that
+ scenario you must include the HTTP Cookie Header which originally was included in the request to your server.
+ An example of a session in the HTTP Cookie Header is: `ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==`.
+
+ It is ok if more than one cookie are included here as all other cookies will be ignored.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/session'
+ type: array
+ description: List My Session Response
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Get My Active Sessions
+ tags:
+ - frontend
+ /sessions/token-exchange:
+ get:
+ operationId: exchangeSessionToken
+ parameters:
+ - description: The part of the code return when initializing the flow.
+ explode: true
+ in: query
+ name: init_code
+ required: true
+ schema:
+ type: string
+ style: form
+ - description: The part of the code returned by the return_to URL.
+ explode: true
+ in: query
+ name: return_to_code
+ required: true
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/successfulNativeLogin'
+ description: successfulNativeLogin
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "410":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Exchange Session Token
+ tags:
+ - frontend
+ /sessions/whoami:
+ get:
+ description: |-
+ Uses the HTTP Headers in the GET request to determine (e.g. by using checking the cookies) who is authenticated.
+ Returns a session object in the body or 401 if the credentials are invalid or no credentials were sent.
+ When the request it successful it adds the user ID to the 'X-Kratos-Authenticated-Identity-Id' header
+ in the response.
+
+ If you call this endpoint from a server-side application, you must forward the HTTP Cookie Header to this endpoint:
+
+ ```js
+ pseudo-code example
+ router.get('/protected-endpoint', async function (req, res) {
+ const session = await client.toSession(undefined, req.header('cookie'))
+
+ console.log(session)
+ })
+ ```
+
+ When calling this endpoint from a non-browser application (e.g. mobile app) you must include the session token:
+
+ ```js
+ pseudo-code example
+ ...
+ const session = await client.toSession("the-session-token")
+
+ console.log(session)
+ ```
+
+ When using a token template, the token is included in the `tokenized` field of the session.
+
+ ```js
+ pseudo-code example
+ ...
+ const session = await client.toSession("the-session-token", { tokenize_as: "example-jwt-template" })
+
+ console.log(session.tokenized) // The JWT
+ ```
+
+ Depending on your configuration this endpoint might return a 403 status code if the session has a lower Authenticator
+ Assurance Level (AAL) than is possible for the identity. This can happen if the identity has password + webauthn
+ credentials (which would result in AAL2) but the session has only AAL1. If this error occurs, ask the user
+ to sign in with the second factor or change the configuration.
+
+ This endpoint is useful for:
+
+ AJAX calls. Remember to send credentials and set up CORS correctly!
+ Reverse proxies and API Gateways
+ Server-side calls - use the `X-Session-Token` header!
+
+ This endpoint authenticates users by checking:
+
+ if the `Cookie` HTTP header was set containing an Ory Kratos Session Cookie;
+ if the `Authorization: bearer ` HTTP header was set with a valid Ory Kratos Session Token;
+ if the `X-Session-Token` HTTP header was set with a valid Ory Kratos Session Token.
+
+ If none of these headers are set or the cookie or token are invalid, the endpoint returns a HTTP 401 status code.
+
+ As explained above, this request may fail due to several reasons. The `error.id` can be one of:
+
+ `session_inactive`: No active session was found in the request (e.g. no Ory Session Cookie / Ory Session Token).
+ `session_aal2_required`: An active session was found but it does not fulfil the Authenticator Assurance Level, implying that the session must (e.g.) authenticate the second factor.
+ operationId: toSession
+ parameters:
+ - description: Set the Session Token when calling from non-browser clients.
+ A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.
+ example: MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that
+ scenario you must include the HTTP Cookie Header which originally was included in the request to your server.
+ An example of a session in the HTTP Cookie Header is: `ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==`.
+
+ It is ok if more than one cookie are included here as all other cookies will be ignored.
+ example: ory_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Returns the session additionally as a token (such as a JWT)
+
+ The value of this parameter has to be a valid, configured Ory Session token template. For more information head over to [the documentation](http://ory.sh/docs/identities/session-to-jwt-cors).
+ explode: true
+ in: query
+ name: tokenize_as
+ required: false
+ schema:
+ type: string
+ style: form
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/session'
+ description: session
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Check Who the Current HTTP Session Belongs To
+ tags:
+ - frontend
+ /sessions/{id}:
+ delete:
+ description: |-
+ Calling this endpoint invalidates the specified session. The current session cannot be revoked.
+ Session data are not deleted.
+ operationId: disableMySession
+ parameters:
+ - description: ID is the session's ID.
+ explode: false
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ style: simple
+ - description: Set the Session Token when calling from non-browser clients.
+ A session token has a format of `MP2YWEMeM8MxjkGKpH4dqOQ4Q4DlSPaj`.
+ explode: false
+ in: header
+ name: X-Session-Token
+ required: false
+ schema:
+ type: string
+ style: simple
+ - description: |-
+ Set the Cookie Header. This is especially useful when calling this endpoint from a server-side application. In that
+ scenario you must include the HTTP Cookie Header which originally was included in the request to your server.
+ An example of a session in the HTTP Cookie Header is: `ory_kratos_session=a19iOVAbdzdgl70Rq1QZmrKmcjDtdsviCTZx7m9a9yHIUS8Wa9T7hvqyGTsLHi6Qifn2WUfpAKx9DWp0SJGleIn9vh2YF4A16id93kXFTgIgmwIOvbVAScyrx7yVl6bPZnCx27ec4WQDtaTewC1CpgudeDV2jQQnSaCP6ny3xa8qLH-QUgYqdQuoA_LF1phxgRCUfIrCLQOkolX5nv3ze_f==`.
+
+ It is ok if more than one cookie are included here as all other cookies will be ignored.
+ explode: false
+ in: header
+ name: Cookie
+ required: false
+ schema:
+ type: string
+ style: simple
+ responses:
+ "204":
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorGeneric'
+ description: errorGeneric
+ summary: Disable one of my sessions
+ tags:
+ - frontend
+ /userinfo:
+ get:
+ description: |-
+ This endpoint returns the payload of the ID Token, including `session.id_token` values, of
+ the provided OAuth 2.0 Access Token's consent request.
+
+ In the case of authentication error, a WWW-Authenticate header might be set in the response
+ with more information about the error. See [the spec](https://datatracker.ietf.org/doc/html/rfc6750#section-3)
+ for more details about header format.
+ operationId: getOidcUserInfo
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/oidcUserInfo'
+ description: oidcUserInfo
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: errorOAuth2
+ security:
+ - oauth2: []
+ summary: OpenID Connect Userinfo
+ tags:
+ - oidc
+ /version:
+ get:
+ description: |-
+ This endpoint returns the version of Ory Kratos.
+
+ If the service supports TLS Edge Termination, this endpoint does not require the
+ `X-Forwarded-Proto` header to be set.
+
+ Be aware that if you are running multiple nodes of this service, the version will never
+ refer to the cluster state, only to a single instance.
+ operationId: getVersion
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/getVersion_200_response'
+ description: Returns the Ory Kratos version.
+ security:
+ - oryAccessToken: []
+ summary: Return Running Software Version.
+ tags:
+ - metadata
+components:
+ responses:
+ emptyResponse:
+ description: |-
+ Empty responses are sent when, for example, resources are deleted. The HTTP status code for empty responses is
+ typically 201.
+ errorOAuth2BadRequest:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Bad Request Error Response
+ errorOAuth2Default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Default Error Response
+ errorOAuth2NotFound:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/errorOAuth2'
+ description: Not Found Error Response
+ identitySchemas:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/identitySchemas'
+ description: List Identity JSON Schemas Response
+ listCourierMessages:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/message'
+ type: array
+ description: Paginated Courier Message List Response
+ listIdentities:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/identity'
+ type: array
+ description: Paginated Identity List Response
+ listIdentitySessions:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/session'
+ type: array
+ description: List Identity Sessions Response
+ listMySessions:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/session'
+ type: array
+ description: List My Session Response
+ listOAuth2Clients:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/oAuth2Client'
+ type: array
+ description: Paginated OAuth2 Client List Response
+ listSessions:
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/session'
+ type: array
+ description: |-
+ Session List Response
+
+ The response given when listing sessions in an administrative context.
+ schemas:
+ Attribute:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ type: object
+ AttributeFilter:
+ properties:
+ attribute:
+ type: string
+ condition:
+ enum:
+ - equals
+ - not_equals
+ - contains
+ - not_contains
+ - regex
+ - not_regex
+ - set
+ - not_set
+ type: string
+ x-go-enum-desc: |-
+ equals ConditionEquals
+ not_equals ConditionNotEquals
+ contains ConditionContains
+ not_contains ConditionNotContains
+ regex ConditionRegex
+ not_regex ConditionNotRegex
+ set ConditionSet
+ not_set ConditionNotSet
+ value:
+ type: string
+ type: object
+ AttributesCountDatapoint:
+ properties:
+ count:
+ description: Count of the attribute value for given key
+ format: int64
+ type: integer
+ name:
+ description: Name of the attribute value for given key
+ type: string
+ required:
+ - count
+ - name
+ type: object
+ CodeAddressType:
+ type: string
+ CreateInviteResponse:
+ properties:
+ all_invites:
+ description: A list of all invites for this resource
+ items:
+ $ref: '#/components/schemas/memberInvite'
+ type: array
+ created_invite:
+ $ref: '#/components/schemas/memberInvite'
+ required:
+ - all_invites
+ - created_invite
+ type: object
+ CreateProjectMemberInviteBody:
+ description: Create Project MemberInvite Request Body
+ properties:
+ invitee_email:
+ description: A email to invite
+ type: string
+ type: object
+ CreateVerifiableCredentialRequestBody:
+ example:
+ types:
+ - types
+ - types
+ format: format
+ proof:
+ proof_type: proof_type
+ jwt: jwt
+ properties:
+ format:
+ type: string
+ proof:
+ $ref: '#/components/schemas/VerifiableCredentialProof'
+ types:
+ items:
+ type: string
+ type: array
+ title: CreateVerifiableCredentialRequestBody contains the request body to request
+ a verifiable credential.
+ type: object
+ CreateWorkspaceMemberInviteBody:
+ description: Create Workspace Invite Request Body
+ properties:
+ invitee_email:
+ description: A email to invite
+ type: string
+ type: object
+ CustomHostnameStatus:
+ title: CustomHostnameStatus is the enumeration of valid state values in the
+ CustomHostnameSSL.
+ type: string
+ DefaultError: {}
+ Duration:
+ description: |-
+ A Duration represents the elapsed time between two instants
+ as an int64 nanosecond count. The representation limits the
+ largest representable duration to approximately 290 years.
+ format: int64
+ type: integer
+ GenericUsage:
+ properties:
+ additional_price:
+ description: AdditionalPrice is the price per-unit in cent exceeding IncludedUsage.
+ A price of 0 means that no other items can be consumed.
+ format: int64
+ type: integer
+ included_usage:
+ description: IncludedUsage is the number of included items.
+ format: int64
+ type: integer
+ required:
+ - additional_price
+ - included_usage
+ title: GenericUsage is the generic usage type that can be used for any feature.
+ type: object
+ ID:
+ format: int64
+ type: integer
+ JSONRawMessage:
+ title: "JSONRawMessage represents a json.RawMessage that works well with JSON,\
+ \ SQL, and Swagger."
+ type: object
+ KetoNamespace:
+ properties:
+ id:
+ format: int64
+ type: integer
+ name:
+ type: string
+ type: object
+ KetoNamespaces:
+ items:
+ $ref: '#/components/schemas/KetoNamespace'
+ type: array
+ ListMyWorkspacesResponse:
+ properties:
+ has_next_page:
+ type: boolean
+ next_page_token:
+ type: string
+ workspaces:
+ items:
+ $ref: '#/components/schemas/workspace'
+ type: array
+ required:
+ - has_next_page
+ - next_page_token
+ - workspaces
+ type: object
+ NormalizedProjectRevisionCourierChannel:
+ properties:
+ channel_id:
+ description: The Channel's public ID
+ type: string
+ created_at:
+ description: The creation date
+ format: date-time
+ readOnly: true
+ type: string
+ request_config_auth_config_api_key_in:
+ description: |-
+ API key location
+
+ Can either be "header" or "query"
+ example: header
+ type: string
+ request_config_auth_config_api_key_name:
+ description: |-
+ API key name
+
+ Only used if the auth type is api_key
+ type: string
+ request_config_auth_config_api_key_value:
+ description: |-
+ API key value
+
+ Only used if the auth type is api_key
+ type: string
+ request_config_auth_config_basic_auth_password:
+ description: |-
+ Basic Auth Password
+
+ Only used if the auth type is basic_auth
+ type: string
+ request_config_auth_config_basic_auth_user:
+ description: |-
+ Basic Auth Username
+
+ Only used if the auth type is basic_auth
+ type: string
+ request_config_auth_type:
+ description: |-
+ HTTP Auth Method to use for the HTTP call
+
+ Can either be basic_auth or api_key
+ basic_auth CourierChannelAuthTypeBasicAuth
+ api_key CourierChannelAuthTypeApiKey
+ enum:
+ - basic_auth
+ - api_key
+ type: string
+ x-go-enum-desc: |-
+ basic_auth CourierChannelAuthTypeBasicAuth
+ api_key CourierChannelAuthTypeApiKey
+ request_config_body:
+ description: URI pointing to the JsonNet template used for HTTP body payload
+ generation.
+ type: string
+ request_config_headers:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ request_config_method:
+ description: "The HTTP method to use (GET, POST, etc) for the HTTP call"
+ example: POST
+ type: string
+ request_config_url:
+ type: string
+ updated_at:
+ description: Last upate time
+ format: date-time
+ readOnly: true
+ type: string
+ required:
+ - channel_id
+ - request_config_body
+ - request_config_method
+ type: object
+ NullBool:
+ nullable: true
+ type: boolean
+ NullDuration:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ NullInt:
+ nullable: true
+ type: integer
+ NullString:
+ nullable: true
+ type: string
+ NullTime:
+ format: date-time
+ nullable: true
+ type: string
+ NullUUID:
+ format: uuid4
+ nullable: true
+ type: string
+ OAuth2LoginChallengeParams:
+ type: object
+ OrganizationBody:
+ description: Create B2B SSO Organization Request Body
+ example:
+ domains:
+ - domains
+ - domains
+ label: label
+ properties:
+ domains:
+ description: Domains contains the list of organization's domains.
+ items:
+ type: string
+ type: array
+ label:
+ description: Label contains the organization's label.
+ type: string
+ type: object
+ ParseError:
+ example:
+ start:
+ Line: 0
+ column: 6
+ end:
+ Line: 0
+ column: 6
+ message: message
+ properties:
+ end:
+ $ref: '#/components/schemas/SourcePosition'
+ message:
+ type: string
+ start:
+ $ref: '#/components/schemas/SourcePosition'
+ type: object
+ Plan:
+ properties:
+ name:
+ description: Name is the name of the plan.
+ type: string
+ version:
+ description: Version is the version of the plan. The combination of `name@version`
+ must be unique.
+ format: int64
+ type: integer
+ required:
+ - name
+ - version
+ type: object
+ PlanDetails:
+ properties:
+ base_fee_monthly:
+ description: BaseFeeMonthly is the monthly base fee for the plan.
+ format: int64
+ type: integer
+ base_fee_yearly:
+ description: BaseFeeYearly is the yearly base fee for the plan.
+ format: int64
+ type: integer
+ custom:
+ description: Custom is true if the plan is custom. This means it will be
+ hidden from the pricing page.
+ type: boolean
+ description:
+ description: Description is the description of the plan.
+ type: string
+ features:
+ additionalProperties:
+ $ref: '#/components/schemas/GenericUsage'
+ description: Features are the feature definitions included in the plan.
+ type: object
+ name:
+ description: Name is the name of the plan.
+ type: string
+ version:
+ description: Version is the version of the plan. The combination of `name@version`
+ must be unique.
+ format: int64
+ type: integer
+ required:
+ - base_fee_monthly
+ - base_fee_yearly
+ - custom
+ - description
+ - features
+ - name
+ - version
+ type: object
+ Pricing:
+ items:
+ $ref: '#/components/schemas/PlanDetails'
+ type: array
+ ProjectEventsDatapoint:
+ properties:
+ attributes:
+ description: Event attributes with details
+ items:
+ $ref: '#/components/schemas/Attribute'
+ type: array
+ name:
+ description: Name of the event
+ type: string
+ timestamp:
+ description: Time of occurence
+ format: date-time
+ type: string
+ required:
+ - attributes
+ - name
+ - timestamp
+ type: object
+ RFC6749ErrorJson:
+ properties:
+ error:
+ type: string
+ error_debug:
+ type: string
+ error_description:
+ type: string
+ error_hint:
+ type: string
+ status_code:
+ format: int64
+ type: integer
+ title: RFC6749ErrorJson is a helper struct for JSON encoding/decoding of RFC6749Error.
+ type: object
+ RecoveryAddressType:
+ title: RecoveryAddressType must not exceed 16 characters as that is the limitation
+ in the SQL Schema.
+ type: string
+ SessionActivityDatapoint:
+ properties:
+ country:
+ description: Country of the events
+ type: string
+ failed:
+ description: Number of events that failed in the given timeframe
+ format: int64
+ type: integer
+ succeeded:
+ description: Number of events that succeeded in the given timeframe
+ format: int64
+ type: integer
+ required:
+ - country
+ - failed
+ - succeeded
+ type: object
+ SourcePosition:
+ example:
+ Line: 0
+ column: 6
+ properties:
+ Line:
+ format: int64
+ type: integer
+ column:
+ format: int64
+ type: integer
+ type: object
+ String:
+ $ref: '#/components/schemas/NullString'
+ StringSliceJSONFormat:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ SubscriptionStatus:
+ description: |-
+ For `collection_method=charge_automatically` a subscription moves into `incomplete` if the initial payment attempt fails. A subscription in this state can only have metadata and default_source updated. Once the first invoice is paid, the subscription moves into an `active` state. If the first invoice is not paid within 23 hours, the subscription transitions to `incomplete_expired`. This is a terminal state, the open invoice will be voided and no further invoices will be generated.
+
+ A subscription that is currently in a trial period is `trialing` and moves to `active` when the trial period is over.
+
+ If subscription `collection_method=charge_automatically`, it becomes `past_due` when payment is required but cannot be paid (due to failed payment or awaiting additional user actions). Once Stripe has exhausted all payment retry attempts, the subscription will become `canceled` or `unpaid` (depending on your subscriptions settings).
+
+ If subscription `collection_method=send_invoice` it becomes `past_due` when its invoice is not paid by the due date, and `canceled` or `unpaid` if it is still not paid by an additional deadline after that. Note that when a subscription has a status of `unpaid`, no subsequent invoices will be attempted (invoices will be created, but then immediately automatically closed). After receiving updated payment information from a customer, you may choose to reopen and pay their closed invoices.
+ title: "Possible values are `incomplete`, `incomplete_expired`, `trialing`,\
+ \ `active`, `past_due`, `canceled`, or `unpaid`."
+ type: string
+ Time:
+ format: date-time
+ type: string
+ UUID:
+ format: uuid4
+ type: string
+ Usage:
+ properties:
+ GenericUsage:
+ $ref: '#/components/schemas/GenericUsage'
+ type: object
+ VerifiableCredentialProof:
+ example:
+ proof_type: proof_type
+ jwt: jwt
+ properties:
+ jwt:
+ type: string
+ proof_type:
+ type: string
+ title: VerifiableCredentialProof contains the proof of a verifiable credential.
+ type: object
+ Warning:
+ example:
+ code: 0
+ message: message
+ properties:
+ code:
+ format: int64
+ type: integer
+ message:
+ type: string
+ type: object
+ acceptOAuth2ConsentRequest:
+ properties:
+ grant_access_token_audience:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ grant_scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ handled_at:
+ format: date-time
+ title: NullTime implements sql.NullTime functionality.
+ type: string
+ remember:
+ description: |-
+ Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same
+ client asks the same user for the same, or a subset of, scope.
+ type: boolean
+ remember_for:
+ description: |-
+ RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the
+ authorization will be remembered indefinitely.
+ format: int64
+ type: integer
+ session:
+ $ref: '#/components/schemas/acceptOAuth2ConsentRequestSession'
+ title: The request payload used to accept a consent request.
+ type: object
+ acceptOAuth2ConsentRequestSession:
+ example:
+ access_token: ""
+ id_token: ""
+ properties:
+ access_token:
+ description: |-
+ AccessToken sets session data for the access and refresh token, as well as any future tokens issued by the
+ refresh grant. Keep in mind that this data will be available to anyone performing OAuth 2.0 Challenge Introspection.
+ If only your services can perform OAuth 2.0 Challenge Introspection, this is usually fine. But if third parties
+ can access that endpoint as well, sensitive data from the session might be exposed to them. Use with care!
+ id_token:
+ description: |-
+ IDToken sets session data for the OpenID Connect ID token. Keep in mind that the session'id payloads are readable
+ by anyone that has access to the ID Challenge. Use with care!
+ title: Pass session data to a consent request.
+ type: object
+ acceptOAuth2LoginRequest:
+ properties:
+ acr:
+ description: |-
+ ACR sets the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it
+ to express that, for example, a user authenticated using two factor authentication.
+ type: string
+ amr:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ context:
+ title: "JSONRawMessage represents a json.RawMessage that works well with\
+ \ JSON, SQL, and Swagger."
+ type: object
+ extend_session_lifespan:
+ description: |-
+ Extend OAuth2 authentication session lifespan
+
+ If set to `true`, the OAuth2 authentication cookie lifespan is extended. This is for example useful if you want the user to be able to use `prompt=none` continuously.
+
+ This value can only be set to `true` if the user has an authentication, which is the case if the `skip` value is `true`.
+ type: boolean
+ force_subject_identifier:
+ description: |-
+ ForceSubjectIdentifier forces the "pairwise" user ID of the end-user that authenticated. The "pairwise" user ID refers to the
+ (Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID
+ Connect specification. It allows you to set an obfuscated subject ("user") identifier that is unique to the client.
+
+ Please note that this changes the user ID on endpoint /userinfo and sub claim of the ID Token. It does not change the
+ sub claim in the OAuth 2.0 Introspection.
+
+ Per default, ORY Hydra handles this value with its own algorithm. In case you want to set this yourself
+ you can use this field. Please note that setting this field has no effect if `pairwise` is not configured in
+ ORY Hydra or the OAuth 2.0 Client does not expect a pairwise identifier (set via `subject_type` key in the client's
+ configuration).
+
+ Please also be aware that ORY Hydra is unable to properly compute this value during authentication. This implies
+ that you have to compute this value on every authentication process (probably depending on the client ID or some
+ other unique value).
+
+ If you fail to compute the proper value, then authentication processes which have id_token_hint set might fail.
+ type: string
+ identity_provider_session_id:
+ description: |-
+ IdentityProviderSessionID is the session ID of the end-user that authenticated.
+ If specified, we will use this value to propagate the logout.
+ type: string
+ remember:
+ description: |-
+ Remember, if set to true, tells ORY Hydra to remember this user by telling the user agent (browser) to store
+ a cookie with authentication data. If the same user performs another OAuth 2.0 Authorization Request, he/she
+ will not be asked to log in again.
+ type: boolean
+ remember_for:
+ description: |-
+ RememberFor sets how long the authentication should be remembered for in seconds. If set to `0`, the
+ authorization will be remembered for the duration of the browser session (using a session cookie).
+ format: int64
+ type: integer
+ subject:
+ description: Subject is the user ID of the end-user that authenticated.
+ type: string
+ required:
+ - subject
+ title: HandledLoginRequest is the request payload used to accept a login request.
+ type: object
+ activeProjectInConsole:
+ description: The Active Project ID
+ example:
+ project_id: project_id
+ properties:
+ project_id:
+ description: |-
+ The Active Project ID
+
+ format: uuid
+ type: string
+ type: object
+ authenticatorAssuranceLevel:
+ description: |-
+ The authenticator assurance level can be one of "aal1", "aal2", or "aal3". A higher number means that it is harder
+ for an attacker to compromise the account.
+
+ Generally, "aal1" implies that one authentication factor was used while AAL2 implies that two factors (e.g.
+ password + TOTP) have been used.
+
+ To learn more about these levels please head over to: https://www.ory.sh/kratos/docs/concepts/credentials
+ enum:
+ - aal0
+ - aal1
+ - aal2
+ - aal3
+ title: Authenticator Assurance Level (AAL)
+ type: string
+ batchPatchIdentitiesResponse:
+ description: Patch identities response
+ example:
+ identities:
+ - patch_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ identity: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ action: create
+ - patch_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ identity: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ action: create
+ properties:
+ identities:
+ description: The patch responses for the individual identities.
+ items:
+ $ref: '#/components/schemas/identityPatchResponse'
+ type: array
+ type: object
+ checkOplSyntaxBody:
+ description: Ory Permission Language Document
+ type: string
+ checkOplSyntaxResult:
+ example:
+ errors:
+ - start:
+ Line: 0
+ column: 6
+ end:
+ Line: 0
+ column: 6
+ message: message
+ - start:
+ Line: 0
+ column: 6
+ end:
+ Line: 0
+ column: 6
+ message: message
+ properties:
+ errors:
+ description: The list of syntax errors
+ items:
+ $ref: '#/components/schemas/ParseError'
+ type: array
+ title: CheckOPLSyntaxResponse represents the response for an OPL syntax check
+ request.
+ type: object
+ checkPermissionResult:
+ description: The content of the allowed field is mirrored in the HTTP status
+ code.
+ example:
+ allowed: true
+ properties:
+ allowed:
+ description: whether the relation tuple is allowed
+ type: boolean
+ required:
+ - allowed
+ title: Check Permission Result
+ type: object
+ cloudAccount:
+ properties:
+ email:
+ type: string
+ id:
+ format: uuid
+ type: string
+ name:
+ type: string
+ type: object
+ consistencyRequestParameters:
+ description: Control API consistency guarantees
+ properties:
+ consistency:
+ description: |-
+ Read Consistency Level (preview)
+
+ The read consistency level determines the consistency guarantee for reads:
+
+ strong (slow): The read is guaranteed to return the most recent data committed at the start of the read.
+ eventual (very fast): The result will return data that is about 4.8 seconds old.
+
+ The default consistency guarantee can be changed in the Ory Network Console or using the Ory CLI with
+ `ory patch project --replace '/previews/default_read_consistency_level="strong"'`.
+
+ Setting the default consistency level to `eventual` may cause regressions in the future as we add consistency
+ controls to more APIs. Currently, the following APIs will be affected by this setting:
+
+ `GET /admin/identities`
+
+ This feature is in preview and only available in Ory Network.
+ ConsistencyLevelUnset ConsistencyLevelUnset is the unset / default consistency level.
+ strong ConsistencyLevelStrong ConsistencyLevelStrong is the strong consistency level.
+ eventual ConsistencyLevelEventual ConsistencyLevelEventual is the eventual consistency level using follower read timestamps.
+ enum:
+ - ""
+ - strong
+ - eventual
+ type: string
+ x-go-enum-desc: |2-
+ ConsistencyLevelUnset ConsistencyLevelUnset is the unset / default consistency level.
+ strong ConsistencyLevelStrong ConsistencyLevelStrong is the strong consistency level.
+ eventual ConsistencyLevelEventual ConsistencyLevelEventual is the eventual consistency level using follower read timestamps.
+ type: object
+ continueWith:
+ discriminator:
+ mapping:
+ set_ory_session_token: '#/components/schemas/continueWithSetOrySessionToken'
+ show_recovery_ui: '#/components/schemas/continueWithRecoveryUi'
+ show_settings_ui: '#/components/schemas/continueWithSettingsUi'
+ show_verification_ui: '#/components/schemas/continueWithVerificationUi'
+ propertyName: action
+ oneOf:
+ - $ref: '#/components/schemas/continueWithVerificationUi'
+ - $ref: '#/components/schemas/continueWithSetOrySessionToken'
+ - $ref: '#/components/schemas/continueWithSettingsUi'
+ - $ref: '#/components/schemas/continueWithRecoveryUi'
+ continueWithRecoveryUi:
+ description: "Indicates, that the UI flow could be continued by showing a recovery\
+ \ ui"
+ properties:
+ action:
+ description: |-
+ Action will always be `show_recovery_ui`
+ show_recovery_ui ContinueWithActionShowRecoveryUIString
+ enum:
+ - show_recovery_ui
+ type: string
+ x-go-enum-desc: show_recovery_ui ContinueWithActionShowRecoveryUIString
+ flow:
+ $ref: '#/components/schemas/continueWithRecoveryUiFlow'
+ required:
+ - action
+ - flow
+ type: object
+ continueWithRecoveryUiFlow:
+ properties:
+ id:
+ description: The ID of the recovery flow
+ format: uuid
+ type: string
+ url:
+ description: The URL of the recovery flow
+ type: string
+ required:
+ - id
+ type: object
+ continueWithSetOrySessionToken:
+ description: "Indicates that a session was issued, and the application should\
+ \ use this token for authenticated requests"
+ properties:
+ action:
+ description: |-
+ Action will always be `set_ory_session_token`
+ set_ory_session_token ContinueWithActionSetOrySessionTokenString
+ enum:
+ - set_ory_session_token
+ type: string
+ x-go-enum-desc: set_ory_session_token ContinueWithActionSetOrySessionTokenString
+ ory_session_token:
+ description: Token is the token of the session
+ type: string
+ required:
+ - action
+ - ory_session_token
+ type: object
+ continueWithSettingsUi:
+ description: "Indicates, that the UI flow could be continued by showing a settings\
+ \ ui"
+ properties:
+ action:
+ description: |-
+ Action will always be `show_settings_ui`
+ show_settings_ui ContinueWithActionShowSettingsUIString
+ enum:
+ - show_settings_ui
+ type: string
+ x-go-enum-desc: show_settings_ui ContinueWithActionShowSettingsUIString
+ flow:
+ $ref: '#/components/schemas/continueWithSettingsUiFlow'
+ required:
+ - action
+ - flow
+ type: object
+ continueWithSettingsUiFlow:
+ properties:
+ id:
+ description: The ID of the settings flow
+ format: uuid
+ type: string
+ required:
+ - id
+ type: object
+ continueWithVerificationUi:
+ description: "Indicates, that the UI flow could be continued by showing a verification\
+ \ ui"
+ properties:
+ action:
+ description: |-
+ Action will always be `show_verification_ui`
+ show_verification_ui ContinueWithActionShowVerificationUIString
+ enum:
+ - show_verification_ui
+ type: string
+ x-go-enum-desc: show_verification_ui ContinueWithActionShowVerificationUIString
+ flow:
+ $ref: '#/components/schemas/continueWithVerificationUiFlow'
+ required:
+ - action
+ - flow
+ type: object
+ continueWithVerificationUiFlow:
+ properties:
+ id:
+ description: The ID of the verification flow
+ format: uuid
+ type: string
+ url:
+ description: The URL of the verification flow
+ type: string
+ verifiable_address:
+ description: The address that should be verified in this flow
+ type: string
+ required:
+ - id
+ - verifiable_address
+ type: object
+ courierMessageStatus:
+ description: A Message's Status
+ enum:
+ - queued
+ - sent
+ - processing
+ - abandoned
+ type: string
+ courierMessageType:
+ description: It can either be `email` or `phone`
+ enum:
+ - email
+ - phone
+ title: A Message's Type
+ type: string
+ createCustomDomainBody:
+ description: Create Custom Hostname Request Body
+ properties:
+ cookie_domain:
+ description: The domain where cookies will be set. Has to be a parent domain
+ of the custom hostname to work.
+ type: string
+ cors_allowed_origins:
+ description: CORS Allowed origins for the custom hostname.
+ items:
+ type: string
+ type: array
+ cors_enabled:
+ description: CORS Enabled for the custom hostname.
+ type: boolean
+ custom_ui_base_url:
+ description: The base URL where the custom user interface will be exposed.
+ type: string
+ hostname:
+ description: The custom hostname where the API will be exposed.
+ type: string
+ type: object
+ createEventStreamBody:
+ description: Create Event Stream Request Body
+ properties:
+ role_arn:
+ description: The AWS IAM role ARN to assume when publishing to the SNS topic.
+ type: string
+ topic_arn:
+ description: The AWS SNS topic ARN.
+ type: string
+ type:
+ description: "The type of the event stream (AWS SNS, GCP Pub/Sub, etc)."
+ enum:
+ - sns
+ type: string
+ required:
+ - role_arn
+ - topic_arn
+ - type
+ type: object
+ createIdentityBody:
+ description: Create Identity Body
+ properties:
+ credentials:
+ $ref: '#/components/schemas/identityWithCredentials'
+ metadata_admin:
+ description: Store metadata about the user which is only accessible through
+ admin APIs such as `GET /admin/identities/`.
+ metadata_public:
+ description: |-
+ Store metadata about the identity which the identity itself can see when calling for example the
+ session endpoint. Do not store sensitive information (e.g. credit score) about the identity in this field.
+ recovery_addresses:
+ description: |-
+ RecoveryAddresses contains all the addresses that can be used to recover an identity.
+
+ Use this structure to import recovery addresses for an identity. Please keep in mind
+ that the address needs to be represented in the Identity Schema or this field will be overwritten
+ on the next identity update.
+ items:
+ $ref: '#/components/schemas/recoveryIdentityAddress'
+ type: array
+ schema_id:
+ description: SchemaID is the ID of the JSON Schema to be used for validating
+ the identity's traits.
+ type: string
+ state:
+ $ref: '#/components/schemas/identityState'
+ traits:
+ description: |-
+ Traits represent an identity's traits. The identity is able to create, modify, and delete traits
+ in a self-service manner. The input will always be validated against the JSON Schema defined
+ in `schema_url`.
+ type: object
+ verifiable_addresses:
+ description: |-
+ VerifiableAddresses contains all the addresses that can be verified by the user.
+
+ Use this structure to import verified addresses for an identity. Please keep in mind
+ that the address needs to be represented in the Identity Schema or this field will be overwritten
+ on the next identity update.
+ items:
+ $ref: '#/components/schemas/verifiableIdentityAddress'
+ type: array
+ required:
+ - schema_id
+ - traits
+ type: object
+ createJsonWebKeySet:
+ description: Create JSON Web Key Set Request Body
+ properties:
+ alg:
+ description: |-
+ JSON Web Key Algorithm
+
+ The algorithm to be used for creating the key. Supports `RS256`, `ES256`, `ES512`, `HS512`, and `HS256`.
+ type: string
+ kid:
+ description: |-
+ JSON Web Key ID
+
+ The Key ID of the key to be created.
+ type: string
+ use:
+ description: |-
+ JSON Web Key Use
+
+ The "use" (public key use) parameter identifies the intended use of
+ the public key. The "use" parameter is employed to indicate whether
+ a public key is used for encrypting data or verifying the signature
+ on data. Valid values are "enc" and "sig".
+ type: string
+ required:
+ - alg
+ - kid
+ - use
+ type: object
+ createMemberInviteResponse:
+ $ref: '#/components/schemas/CreateInviteResponse'
+ createProjectBody:
+ description: Create Project Request Body
+ properties:
+ name:
+ description: The name of the project to be created
+ type: string
+ workspace_id:
+ format: uuid4
+ nullable: true
+ type: string
+ required:
+ - name
+ type: object
+ createProjectBranding:
+ description: Create a Project Branding
+ properties:
+ favicon_type:
+ type: string
+ favicon_url:
+ type: string
+ logo_type:
+ type: string
+ logo_url:
+ type: string
+ name:
+ type: string
+ theme:
+ $ref: '#/components/schemas/projectBrandingColors'
+ type: object
+ createProjectNormalizedPayload:
+ description: Create project (normalized) request payload
+ properties:
+ created_at:
+ description: The Project's Revision Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ disable_account_experience_welcome_screen:
+ description: "Whether to disable the account experience welcome screen,\
+ \ which is hosted under `/ui/welcome`."
+ type: boolean
+ hydra_oauth2_allowed_top_level_claims:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_oauth2_client_credentials_default_grant_allowed_scope:
+ description: |-
+ Automatically grant authorized OAuth2 Scope in OAuth2 Client Credentials Flow.
+
+ Each OAuth2 Client is allowed to request a predefined OAuth2 Scope (for example `read write`). If this option is enabled, the full
+ scope is automatically granted when performing the OAuth2 Client Credentials flow.
+
+ If disabled, the OAuth2 Client has to request the scope in the OAuth2 request by providing the `scope` query parameter.
+
+ Setting this option to true is common if you need compatibility with MITREid.
+
+ This governs the "oauth2.client_credentials.default_grant_allowed_scope" setting.
+ type: boolean
+ hydra_oauth2_exclude_not_before_claim:
+ description: |-
+ Set to true if you want to exclude claim `nbf (not before)` part of access token.
+
+ This governs the "oauth2.exclude_not_before_claim" setting.
+ type: boolean
+ hydra_oauth2_grant_jwt_iat_optional:
+ description: |-
+ Configures if the issued at (`iat`) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523).
+
+ If set to `false`, the `iat` claim is required. Set this value to `true` only after careful consideration.
+
+ This governs the "oauth2.grant.jwt.iat_optional" setting.
+ type: boolean
+ hydra_oauth2_grant_jwt_jti_optional:
+ description: |-
+ Configures if the JSON Web Token ID (`jti`) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523).
+
+ If set to `false`, the `jti` claim is required. Set this value to `true` only after careful consideration.
+
+ This governs the "oauth2.grant.jwt.jti_optional" setting.
+ type: boolean
+ hydra_oauth2_grant_jwt_max_ttl:
+ default: 720h
+ description: |-
+ Configures what the maximum age of a JWT assertion used in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523) can be.
+
+ This feature uses the `exp` claim and `iat` claim to calculate assertion age. Assertions exceeding the max age will be denied.
+
+ Useful as a safety measure and recommended to keep below 720h.
+
+ This governs the "oauth2.grant.jwt.max_ttl" setting.
+ example: 30m
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_oauth2_pkce_enforced:
+ description: |-
+ Configures whether PKCE should be enforced for all OAuth2 Clients.
+
+ This governs the "oauth2.pkce.enforced" setting.
+ type: boolean
+ hydra_oauth2_pkce_enforced_for_public_clients:
+ description: |-
+ Configures whether PKCE should be enforced for OAuth2 Clients without a client secret (public clients).
+
+ This governs the "oauth2.pkce.enforced_for_public_clients" setting.
+ type: boolean
+ hydra_oauth2_refresh_token_hook:
+ description: |-
+ Sets the Refresh Token Hook Endpoint. If set this endpoint will be called during the OAuth2 Token Refresh grant update the OAuth2 Access Token claims.
+
+ This governs the "oauth2.refresh_token_hook" setting.
+ type: string
+ hydra_oauth2_token_hook:
+ description: |-
+ Sets the token hook endpoint for all grant types. If set it will be called while providing token to customize claims.
+
+ This governs the "oauth2.token_hook.url" setting.
+ type: string
+ hydra_oidc_dynamic_client_registration_default_scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_oidc_dynamic_client_registration_enabled:
+ description: |-
+ Configures OpenID Connect Dynamic Client Registration.
+
+ This governs the "oidc.dynamic_client_registration.enabled" setting.
+ type: boolean
+ hydra_oidc_subject_identifiers_pairwise_salt:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the pairwise algorithm
+
+ This governs the "oidc.subject_identifiers.pairwise_salt" setting.
+ type: string
+ hydra_oidc_subject_identifiers_supported_types:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_secrets_cookie:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_secrets_system:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_serve_cookies_same_site_legacy_workaround:
+ description: |-
+ Configures the Ory Hydra Cookie Same Site Legacy Workaround
+
+ This governs the "serve.cookies.same_site_legacy_workaround" setting.
+ type: boolean
+ hydra_serve_cookies_same_site_mode:
+ description: |-
+ Configures the Ory Hydra Cookie Same Site Mode
+
+ This governs the "serve.cookies.same_site_mode" setting.
+ type: string
+ hydra_strategies_access_token:
+ default: opaque
+ description: |-
+ Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens
+
+ This governs the "strategies.access_token" setting.
+ opaque Oauth2AccessTokenStrategyOpaque
+ jwt Oauth2AccessTokenStrategyJwt
+ enum:
+ - opaque
+ - jwt
+ type: string
+ x-go-enum-desc: |-
+ opaque Oauth2AccessTokenStrategyOpaque
+ jwt Oauth2AccessTokenStrategyJwt
+ hydra_strategies_scope:
+ default: wildcard
+ description: |-
+ Defines how scopes are matched. For more details have a look at https://github.com/ory/fosite#scopes
+
+ This governs the "strategies.scope" setting.
+ exact Oauth2ScopeStrategyExact
+ wildcard Oauth2ScopeStrategyWildcard
+ enum:
+ - exact
+ - wildcard
+ type: string
+ x-go-enum-desc: |-
+ exact Oauth2ScopeStrategyExact
+ wildcard Oauth2ScopeStrategyWildcard
+ hydra_ttl_access_token:
+ default: 30m
+ description: This governs the "ttl.access_token" setting.
+ example: 1h
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_ttl_auth_code:
+ default: 720h
+ description: |-
+ Configures how long refresh tokens are valid.
+
+ Set to -1 for refresh tokens to never expire. This is not recommended!
+
+ This governs the "ttl.auth_code" setting.
+ example: 30m
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_ttl_id_token:
+ default: 30m
+ description: This governs the "ttl.id_token" setting.
+ example: 1h
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_ttl_login_consent_request:
+ default: 30m
+ description: |-
+ Configures how long a user login and consent flow may take.
+
+ This governs the "ttl.login_consent_request" setting.
+ example: 1h
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_ttl_refresh_token:
+ default: 720h
+ description: |-
+ Configures how long refresh tokens are valid.
+
+ Set to -1 for refresh tokens to never expire. This is not recommended!
+
+ This governs the "ttl.refresh_token" setting.
+ example: 30m
+ pattern: "^([0-9]+(ns|us|ms|s|m|h)|-1)$"
+ type: string
+ hydra_urls_consent:
+ description: |-
+ Sets the OAuth2 Consent Endpoint URL of the OAuth2 User Login & Consent flow.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.consent" setting.
+ type: string
+ hydra_urls_error:
+ description: |-
+ Sets the OAuth2 Error URL of the OAuth2 User Login & Consent flow.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.error" setting.
+ type: string
+ hydra_urls_login:
+ description: |-
+ Sets the OAuth2 Login Endpoint URL of the OAuth2 User Login & Consent flow.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.login" setting.
+ type: string
+ hydra_urls_logout:
+ description: |-
+ Sets the logout endpoint.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.logout" setting.
+ type: string
+ hydra_urls_post_logout_redirect:
+ description: |-
+ When an OAuth2-related user agent requests to log out, they will be redirected to this url afterwards per default.
+
+ Defaults to the Ory Account Experience in development and your application in production mode when a custom domain is connected.
+
+ This governs the "urls.post_logout_redirect" setting.
+ type: string
+ hydra_urls_registration:
+ description: |-
+ Sets the OAuth2 Registration Endpoint URL of the OAuth2 User Login & Consent flow.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.registration" setting.
+ type: string
+ hydra_urls_self_issuer:
+ description: |-
+ This value will be used as the issuer in access and ID tokens. It must be specified and using HTTPS protocol, unless the development mode is enabled.
+
+ On the Ory Network it will be very rare that you want to modify this value. If left empty, it will default to the correct value for the Ory Network.
+
+ This governs the "urls.self.issuer" setting.
+ type: string
+ hydra_webfinger_jwks_broadcast_keys:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_webfinger_oidc_discovery_auth_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the OAuth2 Authorization URL.
+
+ This governs the "webfinger.oidc.discovery.auth_url" setting.
+ type: string
+ hydra_webfinger_oidc_discovery_client_registration_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the OpenID Connect Dynamic Client Registration Endpoint.
+
+ This governs the "webfinger.oidc.discovery.client_registration_url" setting.
+ type: string
+ hydra_webfinger_oidc_discovery_jwks_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the JWKS URL.
+
+ This governs the "webfinger.oidc.discovery.jwks_url" setting.
+ type: string
+ hydra_webfinger_oidc_discovery_supported_claims:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_webfinger_oidc_discovery_supported_scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_webfinger_oidc_discovery_token_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the OAuth2 Token URL.
+
+ This governs the "webfinger.oidc.discovery.token_url" setting.
+ type: string
+ hydra_webfinger_oidc_discovery_userinfo_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint /.well-known/openid-configuration. Defaults to Ory Hydra's userinfo endpoint at /userinfo. Set this value if you want to handle this endpoint yourself.
+
+ This governs the "webfinger.oidc.discovery.userinfo_url" setting.
+ type: string
+ id:
+ description: The revision ID.
+ format: uuid
+ readOnly: true
+ type: string
+ keto_namespace_configuration:
+ description: |-
+ The Revisions' Keto Namespace Configuration
+
+ The string is a URL pointing to an OPL file with the configuration.
+ type: string
+ keto_namespaces:
+ items:
+ $ref: '#/components/schemas/KetoNamespace'
+ type: array
+ kratos_cookies_same_site:
+ description: |-
+ Configures the Ory Kratos Cookie SameSite Attribute
+
+ This governs the "cookies.same_site" setting.
+ type: string
+ kratos_courier_channels:
+ items:
+ $ref: '#/components/schemas/NormalizedProjectRevisionCourierChannel'
+ type: array
+ kratos_courier_delivery_strategy:
+ default: smtp
+ description: |-
+ The delivery strategy to use when sending emails
+
+ `smtp`: Use SMTP server
+ `http`: Use the built in HTTP client to send the email to some remote service
+ type: string
+ kratos_courier_http_request_config_auth_api_key_in:
+ description: |-
+ The location of the API key to use in the HTTP email sending service's authentication
+
+ `header`: Send the key value pair as a header
+ `cookie`: Send the key value pair as a cookie
+ This governs the "courier.http.auth.config.in" setting
+ type: string
+ kratos_courier_http_request_config_auth_api_key_name:
+ description: |-
+ The name of the API key to use in the HTTP email sending service's authentication
+
+ This governs the "courier.http.auth.config.name" setting
+ type: string
+ kratos_courier_http_request_config_auth_api_key_value:
+ description: |-
+ The value of the API key to use in the HTTP email sending service's authentication
+
+ This governs the "courier.http.auth.config.value" setting
+ type: string
+ kratos_courier_http_request_config_auth_basic_auth_password:
+ description: |-
+ The password to use for basic auth in the HTTP email sending service's authentication
+
+ This governs the "courier.http.auth.config.password" setting
+ type: string
+ kratos_courier_http_request_config_auth_basic_auth_user:
+ description: |-
+ The user to use for basic auth in the HTTP email sending service's authentication
+
+ This governs the "courier.http.auth.config.user" setting
+ type: string
+ kratos_courier_http_request_config_auth_type:
+ default: empty (no authentication)
+ description: |-
+ The authentication type to use while contacting the remote HTTP email sending service
+
+ `basic_auth`: Use Basic Authentication
+ `api_key`: Use API Key Authentication in a header or cookie
+ type: string
+ kratos_courier_http_request_config_body:
+ description: |-
+ The Jsonnet template to generate the body to send to the remote HTTP email sending service
+
+ Should be valid Jsonnet and base64 encoded
+
+ This governs the "courier.http.body" setting
+ type: string
+ kratos_courier_http_request_config_headers:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ kratos_courier_http_request_config_method:
+ default: POST
+ description: The http METHOD to use when calling the remote HTTP email sending
+ service
+ type: string
+ kratos_courier_http_request_config_url:
+ description: |-
+ The URL of the remote HTTP email sending service
+
+ This governs the "courier.http.url" setting
+ type: string
+ kratos_courier_smtp_connection_uri:
+ description: |-
+ Configures the Ory Kratos SMTP Connection URI
+
+ This governs the "courier.smtp.connection_uri" setting.
+ type: string
+ kratos_courier_smtp_from_address:
+ description: |-
+ Configures the Ory Kratos SMTP From Address
+
+ This governs the "courier.smtp.from_address" setting.
+ type: string
+ kratos_courier_smtp_from_name:
+ description: |-
+ Configures the Ory Kratos SMTP From Name
+
+ This governs the "courier.smtp.from_name" setting.
+ type: string
+ kratos_courier_smtp_headers:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ kratos_courier_smtp_local_name:
+ description: |-
+ Configures the local_name to use in SMTP connections
+
+ This governs the "courier.smtp.local_name" setting.
+ type: string
+ kratos_courier_templates_login_code_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Login via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.login_code.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_login_code_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Login via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.login_code.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_login_code_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Login via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.login_code.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_recovery_code_invalid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.recovery_code.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_code_invalid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.recovery_code.invalid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_recovery_code_invalid_email_subject:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.recovery_code.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_code_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Recovery via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.recovery_code.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_code_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Recovery via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.recovery_code.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_recovery_code_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Recovery via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.recovery_code.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_recovery_invalid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery Email Body HTML Template
+
+ This governs the "courier.smtp.templates.recovery.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_invalid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.recovery.invalid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_recovery_invalid_email_subject:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery Email Subject Template
+
+ This governs the "courier.smtp.templates.recovery.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Recovery Email Body HTML Template
+
+ This governs the "courier.smtp.templates.recovery.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Recovery Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.recovery.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_recovery_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Recovery Email Subject Template
+
+ This governs the "courier.smtp.templates.recovery.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_registration_code_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Registration via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.registration_code.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_registration_code_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Registration via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.registration_code.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_registration_code_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Registration via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.registration_code.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_verification_code_invalid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Invalid Verification via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.verification_code.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_verification_code_invalid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Invalid Verification via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.verification_code.invalid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_code_invalid_email_subject:
+ description: |-
+ Configures the Ory Kratos Invalid Verification via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.verification_code.invalid.email.subject" setting.
+ type: string
+ kratos_courier_templates_verification_code_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Verification via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.verification_code.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_verification_code_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Verification via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.verification_code.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_code_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Verification via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.verification_code.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_verification_code_valid_sms_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Verification via Code SMS Body Plaintext
+
+ This governs the "courier.smtp.templates.verification_code.valid.sms.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_invalid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Invalid Verification Email Body HTML Template
+
+ This governs the "courier.smtp.templates.verification.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_verification_invalid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Invalid Verification Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.verification.invalid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_invalid_email_subject:
+ description: |-
+ Configures the Ory Kratos Invalid Verification Email Subject Template
+
+ This governs the "courier.smtp.templates.verification.invalid.email.subject" setting.
+ type: string
+ kratos_courier_templates_verification_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Verification Email Body HTML Template
+
+ This governs the "courier.smtp.templates.verification.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_verification_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Verification Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.verification.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Verification Email Subject Template
+
+ This governs the "courier.smtp.templates.verification.valid.email.subject" setting.
+ type: string
+ kratos_feature_flags_cacheable_sessions:
+ description: |-
+ Configures the Ory Kratos Session caching feature flag
+
+ This governs the "feature_flags.cacheable_sessions" setting.
+ type: boolean
+ kratos_feature_flags_use_continue_with_transitions:
+ description: |-
+ Configures the Ory Kratos Session use_continue_with_transitions flag
+
+ This governs the "feature_flags.use_continue_with_transitions" setting.
+ type: boolean
+ kratos_identity_schemas:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionIdentitySchema'
+ type: array
+ kratos_oauth2_provider_headers:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ kratos_oauth2_provider_override_return_to:
+ description: |-
+ Kratos OAuth2 Provider Override Return To
+
+ Enabling this allows Kratos to set the return_to parameter automatically to the OAuth2 request URL on the login flow, allowing complex flows such as recovery to continue to the initial OAuth2 flow.
+ type: boolean
+ kratos_oauth2_provider_url:
+ description: |-
+ The Revisions' OAuth2 Provider Integration URL
+
+ This governs the "oauth2_provider.url" setting.
+ type: string
+ kratos_preview_default_read_consistency_level:
+ description: |-
+ Configures the default read consistency level for identity APIs
+
+ This governs the `preview.default_read_consistency_level` setting.
+
+ The read consistency level determines the consistency guarantee for reads:
+
+ strong (slow): The read is guaranteed to return the most recent data committed at the start of the read.
+ eventual (very fast): The result will return data that is about 4.8 seconds old.
+
+ Setting the default consistency level to `eventual` may cause regressions in the future as we add consistency
+ controls to more APIs. Currently, the following APIs will be affected by this setting:
+
+ `GET /admin/identities`
+
+ Defaults to "strong" for new and existing projects. This feature is in preview. Use with caution.
+ type: string
+ kratos_secrets_cipher:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_secrets_cookie:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_secrets_default:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_selfservice_allowed_return_urls:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_selfservice_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Default Return URL
+
+ This governs the "selfservice.allowed_return_urls" setting.
+ type: string
+ kratos_selfservice_flows_error_ui_url:
+ description: |-
+ Configures the Ory Kratos Error UI URL
+
+ This governs the "selfservice.flows.error.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_code_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After Password Default Return URL
+
+ This governs the "selfservice.flows.code.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login Default Return URL
+
+ This governs the "selfservice.flows.login.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_lookup_secret_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After Password Default Return URL
+
+ This governs the "selfservice.flows.lookup_secret.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_oidc_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After OIDC Default Return URL
+
+ This governs the "selfservice.flows.login.after.oidc.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_password_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After Password Default Return URL
+
+ This governs the "selfservice.flows.login.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_totp_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After Password Default Return URL
+
+ This governs the "selfservice.flows.totp.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_webauthn_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After WebAuthn Default Return URL
+
+ This governs the "selfservice.flows.login.after.webauthn.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_lifespan:
+ description: |-
+ Configures the Ory Kratos Login Lifespan
+
+ This governs the "selfservice.flows.login.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_login_ui_url:
+ description: |-
+ Configures the Ory Kratos Login UI URL
+
+ This governs the "selfservice.flows.login.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_logout_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Logout Default Return URL
+
+ This governs the "selfservice.flows.logout.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_recovery_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Recovery Default Return URL
+
+ This governs the "selfservice.flows.recovery.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_recovery_enabled:
+ description: |-
+ Configures the Ory Kratos Recovery Enabled Setting
+
+ This governs the "selfservice.flows.recovery.enabled" setting.
+ type: boolean
+ kratos_selfservice_flows_recovery_lifespan:
+ description: |-
+ Configures the Ory Kratos Recovery Lifespan
+
+ This governs the "selfservice.flows.recovery.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_recovery_notify_unknown_recipients:
+ description: |-
+ Configures whether to notify unknown recipients of a Ory Kratos recovery flow
+
+ This governs the "selfservice.flows.recovery.notify_unknown_recipients" setting.
+ type: boolean
+ kratos_selfservice_flows_recovery_ui_url:
+ description: |-
+ Configures the Ory Kratos Recovery UI URL
+
+ This governs the "selfservice.flows.recovery.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_recovery_use:
+ description: |-
+ Configures the Ory Kratos Recovery strategy to use ("link" or "code")
+
+ This governs the "selfservice.flows.recovery.use" setting.
+ link SelfServiceMessageVerificationStrategyLink
+ code SelfServiceMessageVerificationStrategyCode
+ enum:
+ - link
+ - code
+ type: string
+ x-go-enum-desc: |-
+ link SelfServiceMessageVerificationStrategyLink
+ code SelfServiceMessageVerificationStrategyCode
+ kratos_selfservice_flows_registration_after_code_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration After Code Default Return URL
+
+ This governs the "selfservice.flows.registration.after.code.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration Default Return URL
+
+ This governs the "selfservice.flows.registration.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_after_oidc_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration After OIDC Default Return URL
+
+ This governs the "selfservice.flows.registration.after.oidc.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_after_password_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration After Password Default Return URL
+
+ This governs the "selfservice.flows.registration.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_after_webauthn_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration After Password Default Return URL
+
+ This governs the "selfservice.flows.registration.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_enabled:
+ description: |-
+ Configures the Whether Ory Kratos Registration is Enabled
+
+ This governs the "selfservice.flows.registration.enabled" setting.0
+ type: boolean
+ kratos_selfservice_flows_registration_lifespan:
+ description: |-
+ Configures the Ory Kratos Registration Lifespan
+
+ This governs the "selfservice.flows.registration.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_registration_login_hints:
+ description: |-
+ Configures the Ory Kratos Registration Login Hints
+
+ Shows helpful information when a user tries to sign up with a duplicate account.
+
+ This governs the "selfservice.flows.registration.login_hints" setting.
+ type: boolean
+ kratos_selfservice_flows_registration_ui_url:
+ description: |-
+ Configures the Ory Kratos Registration UI URL
+
+ This governs the "selfservice.flows.registration.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL
+
+ This governs the "selfservice.flows.settings.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_lookup_secret_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating Lookup Secrets
+
+ This governs the "selfservice.flows.settings.after.lookup_secret.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_oidc_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating Social Sign In
+
+ This governs the "selfservice.flows.settings.after.oidc.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_password_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating Passwords
+
+ This governs the "selfservice.flows.settings.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_profile_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating Profiles
+
+ This governs the "selfservice.flows.settings.after.profile.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_totp_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating TOTP
+
+ This governs the "selfservice.flows.settings.after.totp.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_webauthn_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating WebAuthn
+
+ This governs the "selfservice.flows.settings.webauthn.profile.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_lifespan:
+ description: |-
+ Configures the Ory Kratos Settings Lifespan
+
+ This governs the "selfservice.flows.settings.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_settings_privileged_session_max_age:
+ description: |-
+ Configures the Ory Kratos Settings Privileged Session Max Age
+
+ This governs the "selfservice.flows.settings.privileged_session_max_age" setting.
+ type: string
+ kratos_selfservice_flows_settings_required_aal:
+ description: |-
+ Configures the Ory Kratos Settings Required AAL
+
+ This governs the "selfservice.flows.settings.required_aal" setting.
+ type: string
+ kratos_selfservice_flows_settings_ui_url:
+ description: |-
+ Configures the Ory Kratos Settings UI URL
+
+ This governs the "selfservice.flows.settings.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_verification_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Verification Default Return URL
+
+ This governs the "selfservice.flows.verification.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_verification_enabled:
+ description: |-
+ Configures the Ory Kratos Verification Enabled Setting
+
+ This governs the "selfservice.flows.verification.enabled" setting.
+ type: boolean
+ kratos_selfservice_flows_verification_lifespan:
+ description: |-
+ Configures the Ory Kratos Verification Lifespan
+
+ This governs the "selfservice.flows.verification.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_verification_notify_unknown_recipients:
+ description: |-
+ Configures whether to notify unknown recipients of a Ory Kratos verification flow
+
+ This governs the "selfservice.flows.verification.notify_unknown_recipients" setting.
+ type: boolean
+ kratos_selfservice_flows_verification_ui_url:
+ description: |-
+ Configures the Ory Kratos Verification UI URL
+
+ This governs the "selfservice.flows.verification.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_verification_use:
+ description: |-
+ Configures the Ory Kratos Strategy to use for Verification
+
+ This governs the "selfservice.flows.verification.use" setting.
+ link SelfServiceMessageVerificationStrategyLink
+ code SelfServiceMessageVerificationStrategyCode
+ enum:
+ - link
+ - code
+ type: string
+ x-go-enum-desc: |-
+ link SelfServiceMessageVerificationStrategyLink
+ code SelfServiceMessageVerificationStrategyCode
+ kratos_selfservice_methods_code_config_lifespan:
+ description: |-
+ Configures the Ory Kratos Code Method's lifespan
+
+ This governs the "selfservice.methods.code.config.lifespan" setting.
+ type: string
+ kratos_selfservice_methods_code_enabled:
+ description: |-
+ Configures whether Ory Kratos Code Method is enabled
+
+ This governs the "selfservice.methods.code.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_code_passwordless_enabled:
+ description: |-
+ Configues whether Ory Kratos Passwordless should use the Code Method
+
+ This governs the "selfservice.methods.code.passwordless_enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_link_config_base_url:
+ description: |-
+ Configures the Base URL which Recovery, Verification, and Login Links Point to
+
+ It is recommended to leave this value empty. It will be appropriately configured to the best matching domain
+ (e.g. when using custom domains) automatically.
+
+ This governs the "selfservice.methods.link.config.base_url" setting.
+ type: string
+ kratos_selfservice_methods_link_config_lifespan:
+ description: |-
+ Configures the Ory Kratos Link Method's lifespan
+
+ This governs the "selfservice.methods.link.config.lifespan" setting.
+ type: string
+ kratos_selfservice_methods_link_enabled:
+ description: |-
+ Configures whether Ory Kratos Link Method is enabled
+
+ This governs the "selfservice.methods.link.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_lookup_secret_enabled:
+ description: |-
+ Configures whether Ory Kratos TOTP Lookup Secret is enabled
+
+ This governs the "selfservice.methods.lookup_secret.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_oidc_config_base_redirect_uri:
+ description: |-
+ Configures the Ory Kratos Third Party / OpenID Connect base redirect URI
+
+ This governs the "selfservice.methods.oidc.config.base_redirect_uri" setting.
+ type: string
+ kratos_selfservice_methods_oidc_config_providers:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionThirdPartyProvider'
+ type: array
+ kratos_selfservice_methods_oidc_enabled:
+ description: |-
+ Configures whether Ory Kratos Third Party / OpenID Connect Login is enabled
+
+ This governs the "selfservice.methods.oidc.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_password_config_haveibeenpwned_enabled:
+ description: |-
+ Configures whether Ory Kratos Password HIBP Checks is enabled
+
+ This governs the "selfservice.methods.password.config.haveibeenpwned_enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_password_config_identifier_similarity_check_enabled:
+ description: |-
+ Configures whether Ory Kratos Password should disable the similarity policy.
+
+ This governs the "selfservice.methods.password.config.identifier_similarity_check_enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_password_config_ignore_network_errors:
+ description: |-
+ Configures whether Ory Kratos Password Should ignore HIBPWND Network Errors
+
+ This governs the "selfservice.methods.password.config.ignore_network_errors" setting.
+ type: boolean
+ kratos_selfservice_methods_password_config_max_breaches:
+ description: |-
+ Configures Ory Kratos Password Max Breaches Detection
+
+ This governs the "selfservice.methods.password.config.max_breaches" setting.
+ format: int64
+ type: integer
+ kratos_selfservice_methods_password_config_min_password_length:
+ description: |-
+ Configures the minimum length of passwords.
+
+ This governs the "selfservice.methods.password.config.min_password_length" setting.
+ format: int64
+ type: integer
+ kratos_selfservice_methods_password_enabled:
+ description: |-
+ Configures whether Ory Kratos Password Method is enabled
+
+ This governs the "selfservice.methods.password.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_profile_enabled:
+ description: |-
+ Configures whether Ory Kratos Profile Method is enabled
+
+ This governs the "selfservice.methods.profile.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_totp_config_issuer:
+ description: |-
+ Configures Ory Kratos TOTP Issuer
+
+ This governs the "selfservice.methods.totp.config.issuer" setting.
+ type: string
+ kratos_selfservice_methods_totp_enabled:
+ description: |-
+ Configures whether Ory Kratos TOTP Method is enabled
+
+ This governs the "selfservice.methods.totp.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_webauthn_config_passwordless:
+ description: |-
+ Configures whether Ory Kratos Webauthn is used for passwordless flows
+
+ This governs the "selfservice.methods.webauthn.config.passwordless" setting.
+ type: boolean
+ kratos_selfservice_methods_webauthn_config_rp_display_name:
+ description: |-
+ Configures the Ory Kratos Webauthn RP Display Name
+
+ This governs the "selfservice.methods.webauthn.config.rp.display_name" setting.
+ type: string
+ kratos_selfservice_methods_webauthn_config_rp_icon:
+ description: |-
+ Configures the Ory Kratos Webauthn RP Icon
+
+ This governs the "selfservice.methods.webauthn.config.rp.icon" setting.
+ Deprecated: This value will be ignored due to security considerations.
+ type: string
+ kratos_selfservice_methods_webauthn_config_rp_id:
+ description: |-
+ Configures the Ory Kratos Webauthn RP ID
+
+ This governs the "selfservice.methods.webauthn.config.rp.id" setting.
+ type: string
+ kratos_selfservice_methods_webauthn_config_rp_origins:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_selfservice_methods_webauthn_enabled:
+ description: |-
+ Configures whether Ory Kratos Webauthn is enabled
+
+ This governs the "selfservice.methods.webauthn.enabled" setting.
+ type: boolean
+ kratos_session_cookie_persistent:
+ description: |-
+ Configures the Ory Kratos Session Cookie Persistent Attribute
+
+ This governs the "session.cookie.persistent" setting.
+ type: boolean
+ kratos_session_cookie_same_site:
+ description: |-
+ Configures the Ory Kratos Session Cookie SameSite Attribute
+
+ This governs the "session.cookie.same_site" setting.
+ type: string
+ kratos_session_lifespan:
+ description: |-
+ Configures the Ory Kratos Session Lifespan
+
+ This governs the "session.lifespan" setting.
+ type: string
+ kratos_session_whoami_required_aal:
+ description: |-
+ Configures the Ory Kratos Session Whoami AAL requirement
+
+ This governs the "session.whoami.required_aal" setting.
+ type: string
+ kratos_session_whoami_tokenizer_templates:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionTokenizerTemplate'
+ type: array
+ name:
+ description: The project's name.
+ type: string
+ project_id:
+ description: The Revision's Project ID
+ format: uuid
+ type: string
+ project_revision_hooks:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionHook'
+ type: array
+ serve_admin_cors_allowed_origins:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ serve_admin_cors_enabled:
+ description: |-
+ Enable CORS headers on all admin APIs
+
+ This governs the "serve.admin.cors.enabled" setting.
+ type: boolean
+ serve_public_cors_allowed_origins:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ serve_public_cors_enabled:
+ description: |-
+ Enable CORS headers on all public APIs
+
+ This governs the "serve.public.cors.enabled" setting.
+ type: boolean
+ strict_security:
+ description: Whether the project should employ strict security measures.
+ Setting this to true is recommended for going into production.
+ type: boolean
+ updated_at:
+ description: Last Time Project's Revision was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ workspace_id:
+ format: uuid4
+ nullable: true
+ type: string
+ required:
+ - name
+ type: object
+ createRecoveryCodeForIdentityBody:
+ description: Create Recovery Code for Identity Request Body
+ properties:
+ expires_in:
+ description: |-
+ Code Expires In
+
+ The recovery code will expire after that amount of time has passed. Defaults to the configuration value of
+ `selfservice.methods.code.config.lifespan`.
+ pattern: "^([0-9]+(ns|us|ms|s|m|h))*$"
+ type: string
+ identity_id:
+ description: |-
+ Identity to Recover
+
+ The identity's ID you wish to recover.
+ format: uuid
+ type: string
+ required:
+ - identity_id
+ type: object
+ createRecoveryLinkForIdentityBody:
+ description: Create Recovery Link for Identity Request Body
+ properties:
+ expires_in:
+ description: |-
+ Link Expires In
+
+ The recovery link will expire after that amount of time has passed. Defaults to the configuration value of
+ `selfservice.methods.code.config.lifespan`.
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ identity_id:
+ description: |-
+ Identity to Recover
+
+ The identity's ID you wish to recover.
+ format: uuid
+ type: string
+ required:
+ - identity_id
+ type: object
+ createRelationshipBody:
+ description: Create Relationship Request Body
+ properties:
+ namespace:
+ description: Namespace to query
+ type: string
+ object:
+ description: Object to query
+ type: string
+ relation:
+ description: Relation to query
+ type: string
+ subject_id:
+ description: |-
+ SubjectID to query
+
+ Either SubjectSet or SubjectID can be provided.
+ type: string
+ subject_set:
+ $ref: '#/components/schemas/subjectSet'
+ type: object
+ createSubscriptionBody:
+ description: Create Subscription Request Body
+ properties:
+ currency:
+ description: |2-
+
+ usd USD
+ eur Euro
+ enum:
+ - usd
+ - eur
+ type: string
+ x-go-enum-desc: |-
+ usd USD
+ eur Euro
+ interval:
+ description: |2-
+
+ monthly Monthly
+ yearly Yearly
+ enum:
+ - monthly
+ - yearly
+ type: string
+ x-go-enum-desc: |-
+ monthly Monthly
+ yearly Yearly
+ plan:
+ type: string
+ provision_first_project:
+ format: uuid4
+ nullable: true
+ type: string
+ return_to:
+ type: string
+ workspace:
+ format: uuid4
+ nullable: true
+ type: string
+ required:
+ - interval
+ - plan
+ type: object
+ credentialSupportedDraft00:
+ description: Includes information about the supported verifiable credentials.
+ example:
+ types:
+ - types
+ - types
+ cryptographic_suites_supported:
+ - cryptographic_suites_supported
+ - cryptographic_suites_supported
+ cryptographic_binding_methods_supported:
+ - cryptographic_binding_methods_supported
+ - cryptographic_binding_methods_supported
+ format: format
+ properties:
+ cryptographic_binding_methods_supported:
+ description: |-
+ OpenID Connect Verifiable Credentials Cryptographic Binding Methods Supported
+
+ Contains a list of cryptographic binding methods supported for signing the proof.
+ items:
+ type: string
+ type: array
+ cryptographic_suites_supported:
+ description: |-
+ OpenID Connect Verifiable Credentials Cryptographic Suites Supported
+
+ Contains a list of cryptographic suites methods supported for signing the proof.
+ items:
+ type: string
+ type: array
+ format:
+ description: |-
+ OpenID Connect Verifiable Credentials Format
+
+ Contains the format that is supported by this authorization server.
+ type: string
+ types:
+ description: |-
+ OpenID Connect Verifiable Credentials Types
+
+ Contains the types of verifiable credentials supported.
+ items:
+ type: string
+ type: array
+ title: Verifiable Credentials Metadata (Draft 00)
+ type: object
+ customDomain:
+ description: Custom Hostname
+ properties:
+ cookie_domain:
+ type: string
+ cors_allowed_origins:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ cors_enabled:
+ type: boolean
+ created_at:
+ format: date-time
+ type: string
+ custom_ui_base_url:
+ type: string
+ hostname:
+ type: string
+ id:
+ format: uuid
+ type: string
+ ssl_status:
+ enum:
+ - initializing
+ - pending_validation
+ - deleted
+ - pending_issuance
+ - pending_deployment
+ - pending_deletion
+ - pending_expiration
+ - expired
+ - active
+ - initializing_timed_out
+ - validation_timed_out
+ - issuance_timed_out
+ - deployment_timed_out
+ - deletion_timed_out
+ - pending_cleanup
+ - staging_deployment
+ - staging_active
+ - deactivating
+ - inactive
+ - backup_issued
+ - holding_deployment
+ - ""
+ type: string
+ x-go-enum-desc: |-
+ initializing initializing
+ pending_validation pending_validation
+ deleted deleted
+ pending_issuance pending_issuance
+ pending_deployment pending_deployment
+ pending_deletion pending_deletion
+ pending_expiration pending_expiration
+ expired expired
+ active active
+ initializing_timed_out initializing_timed_out
+ validation_timed_out validation_timed_out
+ issuance_timed_out issuance_timed_out
+ deployment_timed_out deployment_timed_out
+ deletion_timed_out deletion_timed_out
+ pending_cleanup pending_cleanup
+ staging_deployment staging_deployment
+ staging_active staging_active
+ deactivating deactivating
+ inactive inactive
+ backup_issued backup_issued
+ holding_deployment holding_deployment
+ unknown Cloudflare sometimes returns an empty string.
+ updated_at:
+ format: date-time
+ type: string
+ verification_errors:
+ items:
+ type: string
+ type: array
+ verification_status:
+ title: CustomHostnameStatus is the enumeration of valid state values in
+ the CustomHostnameSSL.
+ type: string
+ type: object
+ deleteMySessionsCount:
+ description: Deleted Session Count
+ example:
+ count: 0
+ properties:
+ count:
+ description: The number of sessions that were revoked.
+ format: int64
+ type: integer
+ type: object
+ emailTemplateData:
+ description: "Contains the data of the email template, including the subject\
+ \ and body in HTML and plaintext variants"
+ properties:
+ body:
+ $ref: '#/components/schemas/emailTemplateDataBody'
+ subject:
+ type: string
+ required:
+ - body
+ - subject
+ type: object
+ emailTemplateDataBody:
+ properties:
+ html:
+ type: string
+ plaintext:
+ type: string
+ required:
+ - html
+ - plaintext
+ type: object
+ errorAuthenticatorAssuranceLevelNotSatisfied:
+ properties:
+ error:
+ $ref: '#/components/schemas/genericError'
+ redirect_browser_to:
+ description: Points to where to redirect the user to next.
+ type: string
+ title: Is returned when an active session was found but the requested AAL is
+ not satisfied.
+ type: object
+ errorBrowserLocationChangeRequired:
+ properties:
+ error:
+ $ref: '#/components/schemas/errorGeneric'
+ redirect_browser_to:
+ description: Points to where to redirect the user to next.
+ type: string
+ title: Is sent when a flow requires a browser to change its location.
+ type: object
+ errorFlowReplaced:
+ description: Is sent when a flow is replaced by a different flow of the same
+ class
+ properties:
+ error:
+ $ref: '#/components/schemas/genericError'
+ use_flow_id:
+ description: The flow ID that should be used for the new flow as it contains
+ the correct messages.
+ format: uuid
+ type: string
+ type: object
+ errorGeneric:
+ description: The standard Ory JSON API error format.
+ properties:
+ error:
+ $ref: '#/components/schemas/genericErrorContent'
+ required:
+ - error
+ title: JSON API Error Response
+ type: object
+ errorOAuth2:
+ description: Error
+ example:
+ error_debug: error_debug
+ status_code: 401
+ error_description: error_description
+ error: error
+ error_hint: The redirect URL is not allowed.
+ properties:
+ error:
+ description: Error
+ type: string
+ error_debug:
+ description: |-
+ Error Debug Information
+
+ Only available in dev mode.
+ type: string
+ error_description:
+ description: Error Description
+ type: string
+ error_hint:
+ description: |-
+ Error Hint
+
+ Helps the user identify the error cause.
+ example: The redirect URL is not allowed.
+ type: string
+ status_code:
+ description: HTTP Status Code
+ example: 401
+ format: int64
+ type: integer
+ type: object
+ eventStream:
+ description: Event Stream
+ example:
+ role_arn: role_arn
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ topic_arn: topic_arn
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ type: type
+ properties:
+ created_at:
+ format: date-time
+ type: string
+ id:
+ format: uuid
+ type: string
+ role_arn:
+ type: string
+ topic_arn:
+ type: string
+ type:
+ type: string
+ updated_at:
+ format: date-time
+ type: string
+ type: object
+ expandedPermissionTree:
+ example:
+ tuple:
+ subject_id: subject_id
+ namespace: namespace
+ object: object
+ relation: relation
+ subject_set:
+ namespace: namespace
+ object: object
+ relation: relation
+ children:
+ - null
+ - null
+ type: union
+ properties:
+ children:
+ description: "The children of the node, possibly none."
+ items:
+ $ref: '#/components/schemas/expandedPermissionTree'
+ type: array
+ tuple:
+ $ref: '#/components/schemas/relationship'
+ type:
+ description: |-
+ The type of the node.
+ union TreeNodeUnion
+ exclusion TreeNodeExclusion
+ intersection TreeNodeIntersection
+ leaf TreeNodeLeaf
+ tuple_to_subject_set TreeNodeTupleToSubjectSet
+ computed_subject_set TreeNodeComputedSubjectSet
+ not TreeNodeNot
+ unspecified TreeNodeUnspecified
+ enum:
+ - union
+ - exclusion
+ - intersection
+ - leaf
+ - tuple_to_subject_set
+ - computed_subject_set
+ - not
+ - unspecified
+ type: string
+ x-go-enum-desc: |-
+ union TreeNodeUnion
+ exclusion TreeNodeExclusion
+ intersection TreeNodeIntersection
+ leaf TreeNodeLeaf
+ tuple_to_subject_set TreeNodeTupleToSubjectSet
+ computed_subject_set TreeNodeComputedSubjectSet
+ not TreeNodeNot
+ unspecified TreeNodeUnspecified
+ required:
+ - type
+ type: object
+ flowError:
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ error: "{}"
+ properties:
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ error:
+ type: object
+ id:
+ description: ID of the error container.
+ format: uuid
+ type: string
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ required:
+ - id
+ type: object
+ genericError:
+ description: "Error responses are sent when an error (e.g. unauthorized, bad\
+ \ request, ...) occurred."
+ properties:
+ code:
+ description: The status code
+ example: 404
+ format: int64
+ type: integer
+ debug:
+ description: |-
+ Debug information
+
+ This field is often not exposed to protect against leaking
+ sensitive information.
+ example: SQL field "foo" is not a bool.
+ type: string
+ details:
+ description: Further error details
+ error:
+ $ref: '#/components/schemas/genericErrorContent'
+ id:
+ description: |-
+ The error ID
+
+ Useful when trying to identify various errors in application logic.
+ type: string
+ message:
+ description: |-
+ Error message
+
+ The error's message.
+ example: The resource could not be found
+ type: string
+ reason:
+ description: A human-readable reason for the error
+ example: User with ID 1234 does not exist.
+ type: string
+ request:
+ description: |-
+ The request ID
+
+ The request ID is often exposed internally in order to trace
+ errors across service architectures. This is often a UUID.
+ example: d7ef54b1-ec15-46e6-bccb-524b82c035e6
+ type: string
+ status:
+ description: The status description
+ example: Not Found
+ type: string
+ required:
+ - message
+ title: Error response
+ type: object
+ genericErrorContent:
+ description: Error response
+ properties:
+ debug:
+ description: Debug contains debug information. This is usually not available
+ and has to be enabled.
+ example: The database adapter was unable to find the element
+ type: string
+ error:
+ description: Name is the error name.
+ example: The requested resource could not be found
+ type: string
+ error_description:
+ description: Description contains further information on the nature of the
+ error.
+ example: Object with ID 12345 does not exist
+ type: string
+ message:
+ description: Message contains the error message.
+ type: string
+ status_code:
+ description: "Code represents the error status code (404, 403, 401, ...)."
+ example: 404
+ format: int64
+ type: integer
+ type: object
+ getAttributesCountResponse:
+ description: Response of the getAttributesCount endpoint
+ properties:
+ data:
+ description: The list of data points.
+ items:
+ $ref: '#/components/schemas/AttributesCountDatapoint'
+ readOnly: true
+ type: array
+ required:
+ - data
+ type: object
+ getManagedIdentitySchemaLocation:
+ description: Ory Identity Schema Location
+ properties:
+ location:
+ type: string
+ type: object
+ getMetricsEventAttributesResponse:
+ description: Response of the getMetricsEventAttributes endpoint
+ properties:
+ events:
+ description: The list of data points.
+ items:
+ type: string
+ readOnly: true
+ type: array
+ required:
+ - events
+ type: object
+ getMetricsEventTypesResponse:
+ description: Response of the getMetricsEventTypes endpoint
+ properties:
+ events:
+ description: The list of data points.
+ items:
+ type: string
+ readOnly: true
+ type: array
+ required:
+ - events
+ type: object
+ getOrganizationResponse:
+ example:
+ organization:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ project_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ created_at: 2000-01-23T04:56:07.000+00:00
+ domains:
+ - domains
+ - domains
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ label: label
+ properties:
+ organization:
+ $ref: '#/components/schemas/organization'
+ required:
+ - organization
+ title: getOrganizationResponse represents a B2B SSO Organization.
+ type: object
+ getProjectEventsBody:
+ description: Body of the getProjectEvents endpoint
+ properties:
+ event_name:
+ description: The event name to query for
+ type: string
+ filters:
+ default: []
+ description: Event attribute filters
+ items:
+ $ref: '#/components/schemas/AttributeFilter'
+ type: array
+ from:
+ description: The start RFC3339 date of the time window
+ format: date-time
+ type: string
+ page_size:
+ default: 25
+ description: Maximum number of events to return
+ format: int64
+ type: integer
+ page_token:
+ description: "Pagination token to fetch next page, empty if first page"
+ type: string
+ to:
+ description: The end RFC3339 date of the time window
+ format: date-time
+ type: string
+ required:
+ - from
+ - to
+ type: object
+ getProjectEventsResponse:
+ description: Response of the getProjectEvents endpoint
+ properties:
+ events:
+ description: The list of data points.
+ items:
+ $ref: '#/components/schemas/ProjectEventsDatapoint'
+ readOnly: true
+ type: array
+ page_token:
+ description: Pagination token to be included in next page request
+ readOnly: true
+ type: string
+ required:
+ - events
+ type: object
+ getProjectMetricsResponse:
+ description: Response of the getMetrics endpoint
+ example:
+ data:
+ - count: 0
+ time: 2000-01-23T04:56:07.000+00:00
+ - count: 0
+ time: 2000-01-23T04:56:07.000+00:00
+ properties:
+ data:
+ description: The list of data points.
+ items:
+ $ref: '#/components/schemas/metricsDatapoint'
+ readOnly: true
+ type: array
+ required:
+ - data
+ type: object
+ getSessionActivityResponse:
+ description: Response of the getSessionActivity endpoint
+ properties:
+ data:
+ description: The list of data points.
+ items:
+ $ref: '#/components/schemas/SessionActivityDatapoint'
+ readOnly: true
+ type: array
+ required:
+ - data
+ type: object
+ healthNotReadyStatus:
+ properties:
+ errors:
+ additionalProperties:
+ type: string
+ description: Errors contains a list of errors that caused the not ready
+ status.
+ type: object
+ type: object
+ healthStatus:
+ example:
+ status: status
+ properties:
+ status:
+ description: Status always contains "ok".
+ type: string
+ type: object
+ identity:
+ description: "An [identity](https://www.ory.sh/docs/kratos/concepts/identity-user-model)\
+ \ represents a (human) user in Ory."
+ example:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: "{}"
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ organization_id: organization_id
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: "{}"
+ properties:
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ credentials:
+ additionalProperties:
+ $ref: '#/components/schemas/identityCredentials'
+ description: Credentials represents all credentials that can be used for
+ authenticating this identity.
+ type: object
+ id:
+ description: |-
+ ID is the identity's unique identifier.
+
+ The Identity ID can not be changed and can not be chosen. This ensures future
+ compatibility and optimization for distributed stores such as CockroachDB.
+ format: uuid
+ type: string
+ metadata_admin:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ metadata_public:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ organization_id:
+ format: uuid4
+ nullable: true
+ type: string
+ recovery_addresses:
+ description: RecoveryAddresses contains all the addresses that can be used
+ to recover an identity.
+ items:
+ $ref: '#/components/schemas/recoveryIdentityAddress'
+ type: array
+ x-omitempty: true
+ schema_id:
+ description: SchemaID is the ID of the JSON Schema to be used for validating
+ the identity's traits.
+ type: string
+ schema_url:
+ description: |-
+ SchemaURL is the URL of the endpoint where the identity's traits schema can be fetched from.
+
+ format: url
+ type: string
+ state:
+ $ref: '#/components/schemas/identityState'
+ state_changed_at:
+ format: date-time
+ title: NullTime implements sql.NullTime functionality.
+ type: string
+ traits:
+ description: |-
+ Traits represent an identity's traits. The identity is able to create, modify, and delete traits
+ in a self-service manner. The input will always be validated against the JSON Schema defined
+ in `schema_url`.
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ verifiable_addresses:
+ description: VerifiableAddresses contains all the addresses that can be
+ verified by the user.
+ items:
+ $ref: '#/components/schemas/verifiableIdentityAddress'
+ type: array
+ x-omitempty: true
+ required:
+ - id
+ - schema_id
+ - schema_url
+ - traits
+ title: Identity represents an Ory Kratos identity
+ type: object
+ identityCredentials:
+ description: Credentials represents a specific credential type
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ properties:
+ config:
+ title: "JSONRawMessage represents a json.RawMessage that works well with\
+ \ JSON, SQL, and Swagger."
+ type: object
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ identifiers:
+ description: Identifiers represents a list of unique identifiers this credential
+ type matches.
+ items:
+ type: string
+ type: array
+ type:
+ $ref: '#/components/schemas/identityCredentialsType'
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ version:
+ description: Version refers to the version of the credential. Useful when
+ changing the config schema.
+ format: int64
+ type: integer
+ type: object
+ identityCredentialsCode:
+ description: CredentialsCode represents a one time login/registration code
+ properties:
+ address_type:
+ type: string
+ used_at:
+ format: date-time
+ nullable: true
+ type: string
+ type: object
+ identityCredentialsOidc:
+ properties:
+ providers:
+ items:
+ $ref: '#/components/schemas/identityCredentialsOidcProvider'
+ type: array
+ title: CredentialsOIDC is contains the configuration for credentials of the
+ type oidc.
+ type: object
+ identityCredentialsOidcProvider:
+ properties:
+ initial_access_token:
+ type: string
+ initial_id_token:
+ type: string
+ initial_refresh_token:
+ type: string
+ organization:
+ type: string
+ provider:
+ type: string
+ subject:
+ type: string
+ title: CredentialsOIDCProvider is contains a specific OpenID COnnect credential
+ for a particular connection (e.g. Google).
+ type: object
+ identityCredentialsPassword:
+ properties:
+ hashed_password:
+ description: HashedPassword is a hash-representation of the password.
+ type: string
+ title: CredentialsPassword is contains the configuration for credentials of
+ the type password.
+ type: object
+ identityCredentialsType:
+ description: and so on.
+ enum:
+ - password
+ - totp
+ - oidc
+ - webauthn
+ - lookup_secret
+ - code
+ title: "CredentialsType represents several different credential types, like\
+ \ password credentials, passwordless credentials,"
+ type: string
+ identityMetaSchema:
+ description: Identity Meta Schema
+ type: object
+ identityPatch:
+ description: Payload for patching an identity
+ properties:
+ create:
+ $ref: '#/components/schemas/createIdentityBody'
+ patch_id:
+ description: |-
+ The ID of this patch.
+
+ The patch ID is optional. If specified, the ID will be returned in the
+ response, so consumers of this API can correlate the response with the
+ patch.
+ format: uuid
+ type: string
+ type: object
+ identityPatchResponse:
+ description: Response for a single identity patch
+ example:
+ patch_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ identity: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ action: create
+ properties:
+ action:
+ description: |-
+ The action for this specific patch
+ create ActionCreate Create this identity.
+ enum:
+ - create
+ type: string
+ x-go-enum-desc: create ActionCreate Create this identity.
+ identity:
+ description: The identity ID payload of this patch
+ format: uuid
+ type: string
+ patch_id:
+ description: "The ID of this patch response, if an ID was specified in the\
+ \ patch."
+ format: uuid
+ type: string
+ type: object
+ identitySchema:
+ description: Raw JSON Schema
+ type: object
+ identitySchemaContainer:
+ description: An Identity JSON Schema Container
+ example:
+ schema: "{}"
+ id: id
+ properties:
+ id:
+ description: The ID of the Identity JSON Schema
+ type: string
+ schema:
+ description: The actual Identity JSON Schema
+ type: object
+ type: object
+ identitySchemaPreset:
+ properties:
+ schema:
+ description: Schema is the Identity JSON Schema
+ type: object
+ url:
+ description: URL is the preset identifier
+ type: string
+ required:
+ - schema
+ - url
+ type: object
+ identitySchemaPresets:
+ items:
+ $ref: '#/components/schemas/identitySchemaPreset'
+ type: array
+ identitySchemas:
+ description: List of Identity JSON Schemas
+ items:
+ $ref: '#/components/schemas/identitySchemaContainer'
+ type: array
+ identityState:
+ description: The state can either be `active` or `inactive`.
+ enum:
+ - active
+ - inactive
+ title: An Identity's State
+ type: string
+ identityTraits:
+ description: |-
+ Traits represent an identity's traits. The identity is able to create, modify, and delete traits
+ in a self-service manner. The input will always be validated against the JSON Schema defined
+ in `schema_url`.
+ identityVerifiableAddressStatus:
+ description: VerifiableAddressStatus must not exceed 16 characters as that is
+ the limitation in the SQL Schema
+ type: string
+ identityWithCredentials:
+ description: Create Identity and Import Credentials
+ properties:
+ oidc:
+ $ref: '#/components/schemas/identityWithCredentialsOidc'
+ password:
+ $ref: '#/components/schemas/identityWithCredentialsPassword'
+ type: object
+ identityWithCredentialsOidc:
+ description: Create Identity and Import Social Sign In Credentials
+ properties:
+ config:
+ $ref: '#/components/schemas/identityWithCredentialsOidcConfig'
+ type: object
+ identityWithCredentialsOidcConfig:
+ properties:
+ config:
+ $ref: '#/components/schemas/identityWithCredentialsPasswordConfig'
+ providers:
+ description: A list of OpenID Connect Providers
+ items:
+ $ref: '#/components/schemas/identityWithCredentialsOidcConfigProvider'
+ type: array
+ type: object
+ identityWithCredentialsOidcConfigProvider:
+ description: Create Identity and Import Social Sign In Credentials Configuration
+ properties:
+ provider:
+ description: The OpenID Connect provider to link the subject to. Usually
+ something like `google` or `github`.
+ type: string
+ subject:
+ description: The subject (`sub`) of the OpenID Connect connection. Usually
+ the `sub` field of the ID Token.
+ type: string
+ required:
+ - provider
+ - subject
+ type: object
+ identityWithCredentialsPassword:
+ description: Create Identity and Import Password Credentials
+ properties:
+ config:
+ $ref: '#/components/schemas/identityWithCredentialsPasswordConfig'
+ type: object
+ identityWithCredentialsPasswordConfig:
+ description: Create Identity and Import Password Credentials Configuration
+ properties:
+ hashed_password:
+ description: "The hashed password in [PHC format](https://www.ory.sh/docs/kratos/manage-identities/import-user-accounts-identities#hashed-passwords)"
+ type: string
+ password:
+ description: The password in plain text if no hash is available.
+ type: string
+ type: object
+ internalGetProjectBrandingBody:
+ description: Get Project Branding Request Body
+ properties:
+ hostname:
+ type: string
+ type: object
+ internalIsAXWelcomeScreenEnabledForProjectBody:
+ description: Is Account Experience Enabled For Project Request Body
+ properties:
+ path:
+ description: Path is the path of the request.
+ type: string
+ project_slug:
+ description: ProjectSlug is the project's slug.
+ type: string
+ required:
+ - path
+ - project_slug
+ type: object
+ internalIsOwnerForProjectBySlugBody:
+ description: Is Owner For Project By Slug Request Body
+ properties:
+ namespace:
+ description: Namespace is the namespace of the subject.
+ enum:
+ - User
+ - ' ApiKey'
+ type: string
+ project_scope:
+ description: |-
+ ProjectScope is the project_id resolved from the
+ API Token.
+ type: string
+ project_slug:
+ description: ProjectSlug is the project's slug.
+ type: string
+ subject:
+ description: Subject is the subject acting (user or API key).
+ type: string
+ required:
+ - namespace
+ - project_slug
+ - subject
+ type: object
+ internalIsOwnerForProjectBySlugResponse:
+ properties:
+ project_id:
+ description: ProjectID is the project's ID.
+ type: string
+ required:
+ - project_id
+ type: object
+ internalProvisionMockSubscription:
+ description: Internal Provision Mock Subscription Request Body
+ properties:
+ currency:
+ description: |-
+ Currency
+ usd USD
+ eur Euro
+ enum:
+ - usd
+ - eur
+ type: string
+ x-go-enum-desc: |-
+ usd USD
+ eur Euro
+ identity_id:
+ description: Identity ID
+ format: uuid
+ type: string
+ interval:
+ description: |-
+ Billing Interval
+ monthly Monthly
+ yearly Yearly
+ enum:
+ - monthly
+ - yearly
+ type: string
+ x-go-enum-desc: |-
+ monthly Monthly
+ yearly Yearly
+ plan:
+ description: Plan ID
+ type: string
+ required:
+ - currency
+ - identity_id
+ - interval
+ - plan
+ type: object
+ introspectedOAuth2Token:
+ description: |-
+ Introspection contains an access token's session data as specified by
+ [IETF RFC 7662](https://tools.ietf.org/html/rfc7662)
+ example:
+ ext:
+ key: ""
+ sub: sub
+ iss: iss
+ active: true
+ obfuscated_subject: obfuscated_subject
+ token_type: token_type
+ client_id: client_id
+ aud:
+ - aud
+ - aud
+ nbf: 1
+ token_use: token_use
+ scope: scope
+ exp: 0
+ iat: 6
+ username: username
+ properties:
+ active:
+ description: |-
+ Active is a boolean indicator of whether or not the presented token
+ is currently active. The specifics of a token's "active" state
+ will vary depending on the implementation of the authorization
+ server and the information it keeps about its tokens, but a "true"
+ value return for the "active" property will generally indicate
+ that a given token has been issued by this authorization server,
+ has not been revoked by the resource owner, and is within its
+ given time window of validity (e.g., after its issuance time and
+ before its expiration time).
+ type: boolean
+ aud:
+ description: Audience contains a list of the token's intended audiences.
+ items:
+ type: string
+ type: array
+ client_id:
+ description: |-
+ ID is aclient identifier for the OAuth 2.0 client that
+ requested this token.
+ type: string
+ exp:
+ description: |-
+ Expires at is an integer timestamp, measured in the number of seconds
+ since January 1 1970 UTC, indicating when this token will expire.
+ format: int64
+ type: integer
+ ext:
+ additionalProperties: {}
+ description: Extra is arbitrary data set by the session.
+ type: object
+ iat:
+ description: |-
+ Issued at is an integer timestamp, measured in the number of seconds
+ since January 1 1970 UTC, indicating when this token was
+ originally issued.
+ format: int64
+ type: integer
+ iss:
+ description: IssuerURL is a string representing the issuer of this token
+ type: string
+ nbf:
+ description: |-
+ NotBefore is an integer timestamp, measured in the number of seconds
+ since January 1 1970 UTC, indicating when this token is not to be
+ used before.
+ format: int64
+ type: integer
+ obfuscated_subject:
+ description: |-
+ ObfuscatedSubject is set when the subject identifier algorithm was set to "pairwise" during authorization.
+ It is the `sub` value of the ID Token that was issued.
+ type: string
+ scope:
+ description: |-
+ Scope is a JSON string containing a space-separated list of
+ scopes associated with this token.
+ type: string
+ sub:
+ description: |-
+ Subject of the token, as defined in JWT [RFC7519].
+ Usually a machine-readable identifier of the resource owner who
+ authorized this token.
+ type: string
+ token_type:
+ description: "TokenType is the introspected token's type, typically `Bearer`."
+ type: string
+ token_use:
+ description: "TokenUse is the introspected token's use, for example `access_token`\
+ \ or `refresh_token`."
+ type: string
+ username:
+ description: |-
+ Username is a human-readable identifier for the resource owner who
+ authorized this token.
+ type: string
+ required:
+ - active
+ type: object
+ isOwnerForProjectBySlug:
+ properties:
+ ProjectSlug:
+ description: ProjectSlug is the project's slug.
+ type: string
+ Subject:
+ description: Subject is the subject from the API Token.
+ type: string
+ required:
+ - ProjectSlug
+ - Subject
+ type: object
+ jsonPatch:
+ description: A JSONPatch document as defined by RFC 6902
+ properties:
+ from:
+ description: |-
+ This field is used together with operation "move" and uses JSON Pointer notation.
+
+ Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
+ example: /name
+ type: string
+ op:
+ description: "The operation to be performed. One of \"add\", \"remove\"\
+ , \"replace\", \"move\", \"copy\", or \"test\"."
+ enum:
+ - add
+ - remove
+ - replace
+ - move
+ - copy
+ - test
+ example: replace
+ type: string
+ path:
+ description: |-
+ The path to the target path. Uses JSON pointer notation.
+
+ Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
+ example: /name
+ type: string
+ value:
+ description: |-
+ The value to be used within the operations.
+
+ Learn more [about JSON Pointers](https://datatracker.ietf.org/doc/html/rfc6901#section-5).
+ example: foobar
+ required:
+ - op
+ - path
+ type: object
+ jsonPatchDocument:
+ description: A JSONPatchDocument request
+ items:
+ $ref: '#/components/schemas/jsonPatch'
+ type: array
+ jsonWebKey:
+ example:
+ d: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
+ e: AQAB
+ crv: P-256
+ use: sig
+ kid: 1603dfe0af8f4596
+ x5c:
+ - x5c
+ - x5c
+ k: GawgguFyGrWKav7AX4VKUg
+ dp: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
+ dq: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
+ "n": vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
+ p: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
+ kty: RSA
+ q: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
+ qi: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
+ x: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
+ "y": x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
+ alg: RS256
+ properties:
+ alg:
+ description: |-
+ The "alg" (algorithm) parameter identifies the algorithm intended for
+ use with the key. The values used should either be registered in the
+ IANA "JSON Web Signature and Encryption Algorithms" registry
+ established by [JWA] or be a value that contains a Collision-
+ Resistant Name.
+ example: RS256
+ type: string
+ crv:
+ example: P-256
+ type: string
+ d:
+ example: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
+ type: string
+ dp:
+ example: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
+ type: string
+ dq:
+ example: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
+ type: string
+ e:
+ example: AQAB
+ type: string
+ k:
+ example: GawgguFyGrWKav7AX4VKUg
+ type: string
+ kid:
+ description: |-
+ The "kid" (key ID) parameter is used to match a specific key. This
+ is used, for instance, to choose among a set of keys within a JWK Set
+ during key rollover. The structure of the "kid" value is
+ unspecified. When "kid" values are used within a JWK Set, different
+ keys within the JWK Set SHOULD use distinct "kid" values. (One
+ example in which different keys might use the same "kid" value is if
+ they have different "kty" (key type) values but are considered to be
+ equivalent alternatives by the application using them.) The "kid"
+ value is a case-sensitive string.
+ example: 1603dfe0af8f4596
+ type: string
+ kty:
+ description: |-
+ The "kty" (key type) parameter identifies the cryptographic algorithm
+ family used with the key, such as "RSA" or "EC". "kty" values should
+ either be registered in the IANA "JSON Web Key Types" registry
+ established by [JWA] or be a value that contains a Collision-
+ Resistant Name. The "kty" value is a case-sensitive string.
+ example: RSA
+ type: string
+ "n":
+ example: vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
+ type: string
+ p:
+ example: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
+ type: string
+ q:
+ example: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
+ type: string
+ qi:
+ example: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
+ type: string
+ use:
+ description: |-
+ Use ("public key use") identifies the intended use of
+ the public key. The "use" parameter is employed to indicate whether
+ a public key is used for encrypting data or verifying the signature
+ on data. Values are commonly "sig" (signature) or "enc" (encryption).
+ example: sig
+ type: string
+ x:
+ example: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
+ type: string
+ x5c:
+ description: |-
+ The "x5c" (X.509 certificate chain) parameter contains a chain of one
+ or more PKIX certificates [RFC5280]. The certificate chain is
+ represented as a JSON array of certificate value strings. Each
+ string in the array is a base64-encoded (Section 4 of [RFC4648] --
+ not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
+ The PKIX certificate containing the key value MUST be the first
+ certificate.
+ items:
+ type: string
+ type: array
+ "y":
+ example: x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
+ type: string
+ required:
+ - alg
+ - kid
+ - kty
+ - use
+ type: object
+ jsonWebKeySet:
+ description: JSON Web Key Set
+ example:
+ keys:
+ - d: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
+ e: AQAB
+ crv: P-256
+ use: sig
+ kid: 1603dfe0af8f4596
+ x5c:
+ - x5c
+ - x5c
+ k: GawgguFyGrWKav7AX4VKUg
+ dp: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
+ dq: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
+ "n": vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
+ p: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
+ kty: RSA
+ q: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
+ qi: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
+ x: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
+ "y": x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
+ alg: RS256
+ - d: T_N8I-6He3M8a7X1vWt6TGIx4xB_GP3Mb4SsZSA4v-orvJzzRiQhLlRR81naWYxfQAYt5isDI6_C2L9bdWo4FFPjGQFvNoRX-_sBJyBI_rl-TBgsZYoUlAj3J92WmY2inbA-PwyJfsaIIDceYBC-eX-xiCu6qMqkZi3MwQAFL6bMdPEM0z4JBcwFT3VdiWAIRUuACWQwrXMq672x7fMuaIaHi7XDGgt1ith23CLfaREmJku9PQcchbt_uEY-hqrFY6ntTtS4paWWQj86xLL94S-Tf6v6xkL918PfLSOTq6XCzxvlFwzBJqApnAhbwqLjpPhgUG04EDRrqrSBc5Y1BLevn6Ip5h1AhessBp3wLkQgz_roeckt-ybvzKTjESMuagnpqLvOT7Y9veIug2MwPJZI2VjczRc1vzMs25XrFQ8DpUy-bNdp89TmvAXwctUMiJdgHloJw23Cv03gIUAkDnsTqZmkpbIf-crpgNKFmQP_EDKoe8p_PXZZgfbRri3NoEVGP7Mk6yEu8LjJhClhZaBNjuWw2-KlBfOA3g79mhfBnkInee5KO9mGR50qPk1V-MorUYNTFMZIm0kFE6eYVWFBwJHLKYhHU34DoiK1VP-svZpC2uAMFNA_UJEwM9CQ2b8qe4-5e9aywMvwcuArRkAB5mBIfOaOJao3mfukKAE
+ e: AQAB
+ crv: P-256
+ use: sig
+ kid: 1603dfe0af8f4596
+ x5c:
+ - x5c
+ - x5c
+ k: GawgguFyGrWKav7AX4VKUg
+ dp: G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0
+ dq: s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk
+ "n": vTqrxUyQPl_20aqf5kXHwDZrel-KovIp8s7ewJod2EXHl8tWlRB3_Rem34KwBfqlKQGp1nqah-51H4Jzruqe0cFP58hPEIt6WqrvnmJCXxnNuIB53iX_uUUXXHDHBeaPCSRoNJzNysjoJ30TIUsKBiirhBa7f235PXbKiHducLevV6PcKxJ5cY8zO286qJLBWSPm-OIevwqsIsSIH44Qtm9sioFikhkbLwoqwWORGAY0nl6XvVOlhADdLjBSqSAeT1FPuCDCnXwzCDR8N9IFB_IjdStFkC-rVt2K5BYfPd0c3yFp_vHR15eRd0zJ8XQ7woBC8Vnsac6Et1pKS59pX6256DPWu8UDdEOolKAPgcd_g2NpA76cAaF_jcT80j9KrEzw8Tv0nJBGesuCjPNjGs_KzdkWTUXt23Hn9QJsdc1MZuaW0iqXBepHYfYoqNelzVte117t4BwVp0kUM6we0IqyXClaZgOI8S-WDBw2_Ovdm8e5NmhYAblEVoygcX8Y46oH6bKiaCQfKCFDMcRgChme7AoE1yZZYsPbaG_3IjPrC4LBMHQw8rM9dWjJ8ImjicvZ1pAm0dx-KHCP3y5PVKrxBDf1zSOsBRkOSjB8TPODnJMz6-jd5hTtZxpZPwPoIdCanTZ3ZD6uRBpTmDwtpRGm63UQs1m5FWPwb0T2IF0
+ p: 6NbkXwDWUhi-eR55Cgbf27FkQDDWIamOaDr0rj1q0f1fFEz1W5A_09YvG09Fiv1AO2-D8Rl8gS1Vkz2i0zCSqnyy8A025XOcRviOMK7nIxE4OH_PEsko8dtIrb3TmE2hUXvCkmzw9EsTF1LQBOGC6iusLTXepIC1x9ukCKFZQvdgtEObQ5kzd9Nhq-cdqmSeMVLoxPLd1blviVT9Vm8-y12CtYpeJHOaIDtVPLlBhJiBoPKWg3vxSm4XxIliNOefqegIlsmTIa3MpS6WWlCK3yHhat0Q-rRxDxdyiVdG_wzJvp0Iw_2wms7pe-PgNPYvUWH9JphWP5K38YqEBiJFXQ
+ kty: RSA
+ q: 0A1FmpOWR91_RAWpqreWSavNaZb9nXeKiBo0DQGBz32DbqKqQ8S4aBJmbRhJcctjCLjain-ivut477tAUMmzJwVJDDq2MZFwC9Q-4VYZmFU4HJityQuSzHYe64RjN-E_NQ02TWhG3QGW6roq6c57c99rrUsETwJJiwS8M5p15Miuz53DaOjv-uqqFAFfywN5WkxHbraBcjHtMiQuyQbQqkCFh-oanHkwYNeytsNhTu2mQmwR5DR2roZ2nPiFjC6nsdk-A7E3S3wMzYYFw7jvbWWoYWo9vB40_MY2Y0FYQSqcDzcBIcq_0tnnasf3VW4Fdx6m80RzOb2Fsnln7vKXAQ
+ qi: GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU
+ x: f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU
+ "y": x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0
+ alg: RS256
+ properties:
+ keys:
+ description: |-
+ List of JSON Web Keys
+
+ The value of the "keys" parameter is an array of JSON Web Key (JWK)
+ values. By default, the order of the JWK values within the array does
+ not imply an order of preference among them, although applications
+ of JWK Sets can choose to assign a meaning to the order for their
+ purposes, if desired.
+ items:
+ $ref: '#/components/schemas/jsonWebKey'
+ type: array
+ type: object
+ listCustomDomains:
+ description: Custom Hostname List
+ items:
+ $ref: '#/components/schemas/customDomain'
+ type: array
+ listEventStreams:
+ description: Event Stream List
+ example:
+ event_streams:
+ - role_arn: role_arn
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ topic_arn: topic_arn
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ type: type
+ - role_arn: role_arn
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ topic_arn: topic_arn
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ type: type
+ properties:
+ event_streams:
+ items:
+ $ref: '#/components/schemas/eventStream'
+ type: array
+ type: object
+ listOrganizationsResponse:
+ description: B2B SSO Organization List
+ example:
+ organizations:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ project_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ created_at: 2000-01-23T04:56:07.000+00:00
+ domains:
+ - domains
+ - domains
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ label: label
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ project_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ created_at: 2000-01-23T04:56:07.000+00:00
+ domains:
+ - domains
+ - domains
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ label: label
+ properties:
+ organizations:
+ items:
+ $ref: '#/components/schemas/organization'
+ type: array
+ required:
+ - organizations
+ type: object
+ loginFlow:
+ description: |-
+ This object represents a login flow. A login flow is initiated at the "Initiate Login API / Browser Flow"
+ endpoint by a client.
+
+ Once a login flow is completed successfully, a session cookie or session token will be issued.
+ example:
+ requested_aal: null
+ active: null
+ created_at: 2000-01-23T04:56:07.000+00:00
+ refresh: true
+ return_to: return_to
+ session_token_exchange_code: session_token_exchange_code
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ oauth2_login_request:
+ requested_access_token_audience:
+ - requested_access_token_audience
+ - requested_access_token_audience
+ subject: subject
+ oidc_context:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ challenge: challenge
+ client:
+ metadata: "{}"
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwt_bearer_grant_access_token_lifespan: jwt_bearer_grant_access_token_lifespan
+ jwks: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ refresh_token_grant_access_token_lifespan: refresh_token_grant_access_token_lifespan
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: client_secret_basic
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ authorization_code_grant_id_token_lifespan: authorization_code_grant_id_token_lifespan
+ authorization_code_grant_refresh_token_lifespan: authorization_code_grant_refresh_token_lifespan
+ client_credentials_grant_access_token_lifespan: client_credentials_grant_access_token_lifespan
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope1 scope-2 scope.3 scope:4
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ skip_consent: true
+ audience:
+ - audience
+ - audience
+ authorization_code_grant_access_token_lifespan: authorization_code_grant_access_token_lifespan
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ refresh_token_grant_refresh_token_lifespan: refresh_token_grant_refresh_token_lifespan
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
+ implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
+ client_secret_expires_at: 0
+ implicit_grant_access_token_lifespan: implicit_grant_access_token_lifespan
+ access_token_strategy: access_token_strategy
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ session_id: session_id
+ skip: true
+ request_url: request_url
+ requested_scope:
+ - requested_scope
+ - requested_scope
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ oauth2_login_challenge: oauth2_login_challenge
+ organization_id: organization_id
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: ""
+ properties:
+ active:
+ $ref: '#/components/schemas/identityCredentialsType'
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,
+ a new flow has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the flow's unique ID. When performing the login flow, this
+ represents the id in the login UI's query parameter: http:///?flow=
+ format: uuid
+ type: string
+ issued_at:
+ description: IssuedAt is the time (UTC) when the flow started.
+ format: date-time
+ type: string
+ oauth2_login_challenge:
+ description: |-
+ Ory OAuth 2.0 Login Challenge.
+
+ This value is set using the `login_challenge` query parameter of the registration and login endpoints.
+ If set will cooperate with Ory OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.
+ type: string
+ oauth2_login_request:
+ $ref: '#/components/schemas/oAuth2LoginRequest'
+ organization_id:
+ format: uuid4
+ nullable: true
+ type: string
+ refresh:
+ description: Refresh stores whether this login flow should enforce re-authentication.
+ type: boolean
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ requested_aal:
+ $ref: '#/components/schemas/authenticatorAssuranceLevel'
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ session_token_exchange_code:
+ description: |-
+ SessionTokenExchangeCode holds the secret code that the client can use to retrieve a session token after the login flow has been completed.
+ This is only set if the client has requested a session token exchange code, and if the flow is of type "api",
+ and only on creating the login flow.
+ type: string
+ state:
+ description: |-
+ State represents the state of this request:
+
+ choose_method: ask the user to choose a method to sign in with
+ sent_email: the email has been sent to the user
+ passed_challenge: the request was successful and the login challenge was passed.
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ required:
+ - expires_at
+ - id
+ - issued_at
+ - request_url
+ - state
+ - type
+ - ui
+ title: Login Flow
+ type: object
+ loginFlowState:
+ description: |-
+ The state represents the state of the login flow.
+
+ choose_method: ask the user to choose a method (e.g. login account via email)
+ sent_email: the email has been sent to the user
+ passed_challenge: the request was successful and the login challenge was passed.
+ enum:
+ - choose_method
+ - sent_email
+ - passed_challenge
+ title: Login Flow State
+ type: string
+ logoutFlow:
+ description: Logout Flow
+ example:
+ logout_url: logout_url
+ logout_token: logout_token
+ properties:
+ logout_token:
+ description: LogoutToken can be used to perform logout using AJAX.
+ type: string
+ logout_url:
+ description: |-
+ LogoutURL can be opened in a browser to sign the user out.
+
+ format: uri
+ type: string
+ required:
+ - logout_token
+ - logout_url
+ type: object
+ managedIdentitySchema:
+ description: |-
+ Together the name and identity uuid are a unique index constraint.
+ This prevents a user from having schemas with the same name.
+ This also allows schemas to have the same name across the system.
+ properties:
+ blob_name:
+ description: |-
+ The gcs file name
+
+ This is a randomly generated name which is used to uniquely identify the file on the blob storage
+ type: string
+ blob_url:
+ description: The publicly accessible url of the schema
+ type: string
+ content_hash:
+ description: |-
+ The Content Hash
+
+ Contains a hash of the schema's content.
+ type: string
+ created_at:
+ description: The Schema's Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ id:
+ description: The schema's ID.
+ format: uuid
+ readOnly: true
+ type: string
+ name:
+ description: |-
+ The schema name
+
+ This is set by the user and is for them to easily recognise their schema
+ example: CustomerIdentity
+ type: string
+ updated_at:
+ description: Last Time Schema was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ required:
+ - blob_name
+ - blob_url
+ - created_at
+ - id
+ - name
+ - updated_at
+ title: Schema represents an Ory Kratos Identity Schema
+ type: object
+ managedIdentitySchemaValidationResult:
+ description: Ory Identity Schema Validation Result
+ properties:
+ message:
+ type: string
+ valid:
+ type: boolean
+ type: object
+ managedIdentitySchemas:
+ items:
+ $ref: '#/components/schemas/managedIdentitySchema'
+ type: array
+ memberInvite:
+ properties:
+ created_at:
+ description: The Project's Revision Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ id:
+ description: The invite's ID.
+ format: uuid
+ readOnly: true
+ type: string
+ invitee_email:
+ description: The invitee's email
+ type: string
+ invitee_id:
+ format: uuid4
+ nullable: true
+ type: string
+ owner_email:
+ description: |-
+ The invite owner's email
+ Usually the project's owner email
+ type: string
+ owner_id:
+ description: |-
+ The invite owner's ID
+ Usually the project's owner
+ format: uuid
+ type: string
+ project_id:
+ format: uuid4
+ nullable: true
+ type: string
+ status:
+ description: |-
+ The invite's status
+ Keeps track of the invites status such as pending, accepted, declined, expired
+ pending PENDING
+ accepted ACCEPTED
+ declined DECLINED
+ expired EXPIRED
+ cancelled CANCELLED
+ removed REMOVED
+ enum:
+ - pending
+ - accepted
+ - declined
+ - expired
+ - cancelled
+ - removed
+ type: string
+ x-go-enum-desc: |-
+ pending PENDING
+ accepted ACCEPTED
+ declined DECLINED
+ expired EXPIRED
+ cancelled CANCELLED
+ removed REMOVED
+ updated_at:
+ description: Last Time Project's Revision was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ workspace_id:
+ format: uuid4
+ nullable: true
+ type: string
+ required:
+ - created_at
+ - id
+ - invitee_email
+ - owner_email
+ - owner_id
+ - status
+ - updated_at
+ type: object
+ memberInvites:
+ items:
+ $ref: '#/components/schemas/memberInvite'
+ type: array
+ message:
+ example:
+ dispatches:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ message_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ error: "{}"
+ status: failed
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ message_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ error: "{}"
+ status: failed
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ subject: subject
+ channel: channel
+ recipient: recipient
+ created_at: 2000-01-23T04:56:07.000+00:00
+ send_count: 0
+ template_type: recovery_invalid
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ body: body
+ type: null
+ status: null
+ properties:
+ body:
+ type: string
+ channel:
+ type: string
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ dispatches:
+ description: |-
+ Dispatches store information about the attempts of delivering a message
+ May contain an error if any happened, or just the `success` state.
+ items:
+ $ref: '#/components/schemas/messageDispatch'
+ type: array
+ id:
+ format: uuid
+ type: string
+ recipient:
+ type: string
+ send_count:
+ format: int64
+ type: integer
+ status:
+ $ref: '#/components/schemas/courierMessageStatus'
+ subject:
+ type: string
+ template_type:
+ description: |2-
+
+ recovery_invalid TypeRecoveryInvalid
+ recovery_valid TypeRecoveryValid
+ recovery_code_invalid TypeRecoveryCodeInvalid
+ recovery_code_valid TypeRecoveryCodeValid
+ verification_invalid TypeVerificationInvalid
+ verification_valid TypeVerificationValid
+ verification_code_invalid TypeVerificationCodeInvalid
+ verification_code_valid TypeVerificationCodeValid
+ stub TypeTestStub
+ login_code_valid TypeLoginCodeValid
+ registration_code_valid TypeRegistrationCodeValid
+ enum:
+ - recovery_invalid
+ - recovery_valid
+ - recovery_code_invalid
+ - recovery_code_valid
+ - verification_invalid
+ - verification_valid
+ - verification_code_invalid
+ - verification_code_valid
+ - stub
+ - login_code_valid
+ - registration_code_valid
+ type: string
+ x-go-enum-desc: |-
+ recovery_invalid TypeRecoveryInvalid
+ recovery_valid TypeRecoveryValid
+ recovery_code_invalid TypeRecoveryCodeInvalid
+ recovery_code_valid TypeRecoveryCodeValid
+ verification_invalid TypeVerificationInvalid
+ verification_valid TypeVerificationValid
+ verification_code_invalid TypeVerificationCodeInvalid
+ verification_code_valid TypeVerificationCodeValid
+ stub TypeTestStub
+ login_code_valid TypeLoginCodeValid
+ registration_code_valid TypeRegistrationCodeValid
+ type:
+ $ref: '#/components/schemas/courierMessageType'
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ required:
+ - body
+ - created_at
+ - id
+ - recipient
+ - send_count
+ - status
+ - subject
+ - template_type
+ - type
+ - updated_at
+ type: object
+ messageDispatch:
+ description: |-
+ MessageDispatch represents an attempt of sending a courier message
+ It contains the status of the attempt (failed or successful) and the error if any occured
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ message_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ error: "{}"
+ status: failed
+ properties:
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ error:
+ title: "JSONRawMessage represents a json.RawMessage that works well with\
+ \ JSON, SQL, and Swagger."
+ type: object
+ id:
+ description: The ID of this message dispatch
+ format: uuid
+ type: string
+ message_id:
+ description: The ID of the message being dispatched
+ format: uuid
+ type: string
+ status:
+ description: |-
+ The status of this dispatch
+ Either "failed" or "success"
+ failed CourierMessageDispatchStatusFailed
+ success CourierMessageDispatchStatusSuccess
+ enum:
+ - failed
+ - success
+ type: string
+ x-go-enum-desc: |-
+ failed CourierMessageDispatchStatusFailed
+ success CourierMessageDispatchStatusSuccess
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ required:
+ - created_at
+ - id
+ - message_id
+ - status
+ - updated_at
+ type: object
+ metricsDatapoint:
+ description: Represents a single datapoint/bucket of a time series
+ example:
+ count: 0
+ time: 2000-01-23T04:56:07.000+00:00
+ properties:
+ count:
+ description: The count of events that occured in this time
+ format: int64
+ type: integer
+ time:
+ description: The time of the bucket
+ format: date-time
+ type: string
+ required:
+ - count
+ - time
+ type: object
+ namespace:
+ example:
+ name: name
+ properties:
+ name:
+ description: Name of the namespace.
+ type: string
+ type: object
+ needsPrivilegedSessionError:
+ properties:
+ error:
+ $ref: '#/components/schemas/genericError'
+ redirect_browser_to:
+ description: Points to where to redirect the user to next.
+ type: string
+ required:
+ - redirect_browser_to
+ title: Is sent when a privileged session is required to perform the settings
+ update.
+ type: object
+ normalizedProject:
+ properties:
+ created_at:
+ description: The Project's Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ current_revision:
+ $ref: '#/components/schemas/normalizedProjectRevision'
+ environment:
+ description: |-
+ The environment of the project.
+ prod Production
+ dev Development
+ enum:
+ - prod
+ - dev
+ type: string
+ x-go-enum-desc: |-
+ prod Production
+ dev Development
+ hosts:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ id:
+ description: The project's ID.
+ format: uuid
+ readOnly: true
+ type: string
+ slug:
+ description: The project's slug
+ readOnly: true
+ type: string
+ state:
+ description: |-
+ The state of the project.
+ running Running
+ halted Halted
+ deleted Deleted
+ enum:
+ - running
+ - halted
+ - deleted
+ readOnly: true
+ type: string
+ x-go-enum-desc: |-
+ running Running
+ halted Halted
+ deleted Deleted
+ subscription_id:
+ format: uuid4
+ nullable: true
+ type: string
+ subscription_plan:
+ nullable: true
+ type: string
+ updated_at:
+ description: Last Time Project was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ workspace_id:
+ format: uuid4
+ nullable: true
+ type: string
+ required:
+ - created_at
+ - current_revision
+ - environment
+ - hosts
+ - id
+ - slug
+ - state
+ - updated_at
+ - workspace_id
+ type: object
+ normalizedProjectRevision:
+ properties:
+ created_at:
+ description: The Project's Revision Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ disable_account_experience_welcome_screen:
+ description: "Whether to disable the account experience welcome screen,\
+ \ which is hosted under `/ui/welcome`."
+ type: boolean
+ hydra_oauth2_allowed_top_level_claims:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_oauth2_client_credentials_default_grant_allowed_scope:
+ description: |-
+ Automatically grant authorized OAuth2 Scope in OAuth2 Client Credentials Flow.
+
+ Each OAuth2 Client is allowed to request a predefined OAuth2 Scope (for example `read write`). If this option is enabled, the full
+ scope is automatically granted when performing the OAuth2 Client Credentials flow.
+
+ If disabled, the OAuth2 Client has to request the scope in the OAuth2 request by providing the `scope` query parameter.
+
+ Setting this option to true is common if you need compatibility with MITREid.
+
+ This governs the "oauth2.client_credentials.default_grant_allowed_scope" setting.
+ type: boolean
+ hydra_oauth2_exclude_not_before_claim:
+ description: |-
+ Set to true if you want to exclude claim `nbf (not before)` part of access token.
+
+ This governs the "oauth2.exclude_not_before_claim" setting.
+ type: boolean
+ hydra_oauth2_grant_jwt_iat_optional:
+ description: |-
+ Configures if the issued at (`iat`) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523).
+
+ If set to `false`, the `iat` claim is required. Set this value to `true` only after careful consideration.
+
+ This governs the "oauth2.grant.jwt.iat_optional" setting.
+ type: boolean
+ hydra_oauth2_grant_jwt_jti_optional:
+ description: |-
+ Configures if the JSON Web Token ID (`jti`) claim is required in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523).
+
+ If set to `false`, the `jti` claim is required. Set this value to `true` only after careful consideration.
+
+ This governs the "oauth2.grant.jwt.jti_optional" setting.
+ type: boolean
+ hydra_oauth2_grant_jwt_max_ttl:
+ default: 720h
+ description: |-
+ Configures what the maximum age of a JWT assertion used in the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC7523) can be.
+
+ This feature uses the `exp` claim and `iat` claim to calculate assertion age. Assertions exceeding the max age will be denied.
+
+ Useful as a safety measure and recommended to keep below 720h.
+
+ This governs the "oauth2.grant.jwt.max_ttl" setting.
+ example: 30m
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_oauth2_pkce_enforced:
+ description: |-
+ Configures whether PKCE should be enforced for all OAuth2 Clients.
+
+ This governs the "oauth2.pkce.enforced" setting.
+ type: boolean
+ hydra_oauth2_pkce_enforced_for_public_clients:
+ description: |-
+ Configures whether PKCE should be enforced for OAuth2 Clients without a client secret (public clients).
+
+ This governs the "oauth2.pkce.enforced_for_public_clients" setting.
+ type: boolean
+ hydra_oauth2_refresh_token_hook:
+ description: |-
+ Sets the Refresh Token Hook Endpoint. If set this endpoint will be called during the OAuth2 Token Refresh grant update the OAuth2 Access Token claims.
+
+ This governs the "oauth2.refresh_token_hook" setting.
+ type: string
+ hydra_oauth2_token_hook:
+ description: |-
+ Sets the token hook endpoint for all grant types. If set it will be called while providing token to customize claims.
+
+ This governs the "oauth2.token_hook.url" setting.
+ type: string
+ hydra_oidc_dynamic_client_registration_default_scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_oidc_dynamic_client_registration_enabled:
+ description: |-
+ Configures OpenID Connect Dynamic Client Registration.
+
+ This governs the "oidc.dynamic_client_registration.enabled" setting.
+ type: boolean
+ hydra_oidc_subject_identifiers_pairwise_salt:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the pairwise algorithm
+
+ This governs the "oidc.subject_identifiers.pairwise_salt" setting.
+ type: string
+ hydra_oidc_subject_identifiers_supported_types:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_secrets_cookie:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_secrets_system:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_serve_cookies_same_site_legacy_workaround:
+ description: |-
+ Configures the Ory Hydra Cookie Same Site Legacy Workaround
+
+ This governs the "serve.cookies.same_site_legacy_workaround" setting.
+ type: boolean
+ hydra_serve_cookies_same_site_mode:
+ description: |-
+ Configures the Ory Hydra Cookie Same Site Mode
+
+ This governs the "serve.cookies.same_site_mode" setting.
+ type: string
+ hydra_strategies_access_token:
+ default: opaque
+ description: |-
+ Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens
+
+ This governs the "strategies.access_token" setting.
+ opaque Oauth2AccessTokenStrategyOpaque
+ jwt Oauth2AccessTokenStrategyJwt
+ enum:
+ - opaque
+ - jwt
+ type: string
+ x-go-enum-desc: |-
+ opaque Oauth2AccessTokenStrategyOpaque
+ jwt Oauth2AccessTokenStrategyJwt
+ hydra_strategies_scope:
+ default: wildcard
+ description: |-
+ Defines how scopes are matched. For more details have a look at https://github.com/ory/fosite#scopes
+
+ This governs the "strategies.scope" setting.
+ exact Oauth2ScopeStrategyExact
+ wildcard Oauth2ScopeStrategyWildcard
+ enum:
+ - exact
+ - wildcard
+ type: string
+ x-go-enum-desc: |-
+ exact Oauth2ScopeStrategyExact
+ wildcard Oauth2ScopeStrategyWildcard
+ hydra_ttl_access_token:
+ default: 30m
+ description: This governs the "ttl.access_token" setting.
+ example: 1h
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_ttl_auth_code:
+ default: 720h
+ description: |-
+ Configures how long refresh tokens are valid.
+
+ Set to -1 for refresh tokens to never expire. This is not recommended!
+
+ This governs the "ttl.auth_code" setting.
+ example: 30m
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_ttl_id_token:
+ default: 30m
+ description: This governs the "ttl.id_token" setting.
+ example: 1h
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_ttl_login_consent_request:
+ default: 30m
+ description: |-
+ Configures how long a user login and consent flow may take.
+
+ This governs the "ttl.login_consent_request" setting.
+ example: 1h
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ hydra_ttl_refresh_token:
+ default: 720h
+ description: |-
+ Configures how long refresh tokens are valid.
+
+ Set to -1 for refresh tokens to never expire. This is not recommended!
+
+ This governs the "ttl.refresh_token" setting.
+ example: 30m
+ pattern: "^([0-9]+(ns|us|ms|s|m|h)|-1)$"
+ type: string
+ hydra_urls_consent:
+ description: |-
+ Sets the OAuth2 Consent Endpoint URL of the OAuth2 User Login & Consent flow.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.consent" setting.
+ type: string
+ hydra_urls_error:
+ description: |-
+ Sets the OAuth2 Error URL of the OAuth2 User Login & Consent flow.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.error" setting.
+ type: string
+ hydra_urls_login:
+ description: |-
+ Sets the OAuth2 Login Endpoint URL of the OAuth2 User Login & Consent flow.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.login" setting.
+ type: string
+ hydra_urls_logout:
+ description: |-
+ Sets the logout endpoint.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.logout" setting.
+ type: string
+ hydra_urls_post_logout_redirect:
+ description: |-
+ When an OAuth2-related user agent requests to log out, they will be redirected to this url afterwards per default.
+
+ Defaults to the Ory Account Experience in development and your application in production mode when a custom domain is connected.
+
+ This governs the "urls.post_logout_redirect" setting.
+ type: string
+ hydra_urls_registration:
+ description: |-
+ Sets the OAuth2 Registration Endpoint URL of the OAuth2 User Login & Consent flow.
+
+ Defaults to the Ory Account Experience if left empty.
+
+ This governs the "urls.registration" setting.
+ type: string
+ hydra_urls_self_issuer:
+ description: |-
+ This value will be used as the issuer in access and ID tokens. It must be specified and using HTTPS protocol, unless the development mode is enabled.
+
+ On the Ory Network it will be very rare that you want to modify this value. If left empty, it will default to the correct value for the Ory Network.
+
+ This governs the "urls.self.issuer" setting.
+ type: string
+ hydra_webfinger_jwks_broadcast_keys:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_webfinger_oidc_discovery_auth_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the OAuth2 Authorization URL.
+
+ This governs the "webfinger.oidc.discovery.auth_url" setting.
+ type: string
+ hydra_webfinger_oidc_discovery_client_registration_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the OpenID Connect Dynamic Client Registration Endpoint.
+
+ This governs the "webfinger.oidc.discovery.client_registration_url" setting.
+ type: string
+ hydra_webfinger_oidc_discovery_jwks_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the JWKS URL.
+
+ This governs the "webfinger.oidc.discovery.jwks_url" setting.
+ type: string
+ hydra_webfinger_oidc_discovery_supported_claims:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_webfinger_oidc_discovery_supported_scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ hydra_webfinger_oidc_discovery_token_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites the OAuth2 Token URL.
+
+ This governs the "webfinger.oidc.discovery.token_url" setting.
+ type: string
+ hydra_webfinger_oidc_discovery_userinfo_url:
+ description: |-
+ Configures OpenID Connect Discovery and overwrites userinfo endpoint to be advertised at the OpenID Connect Discovery endpoint /.well-known/openid-configuration. Defaults to Ory Hydra's userinfo endpoint at /userinfo. Set this value if you want to handle this endpoint yourself.
+
+ This governs the "webfinger.oidc.discovery.userinfo_url" setting.
+ type: string
+ id:
+ description: The revision ID.
+ format: uuid
+ readOnly: true
+ type: string
+ keto_namespace_configuration:
+ description: |-
+ The Revisions' Keto Namespace Configuration
+
+ The string is a URL pointing to an OPL file with the configuration.
+ type: string
+ keto_namespaces:
+ items:
+ $ref: '#/components/schemas/KetoNamespace'
+ type: array
+ kratos_cookies_same_site:
+ description: |-
+ Configures the Ory Kratos Cookie SameSite Attribute
+
+ This governs the "cookies.same_site" setting.
+ type: string
+ kratos_courier_channels:
+ items:
+ $ref: '#/components/schemas/NormalizedProjectRevisionCourierChannel'
+ type: array
+ kratos_courier_delivery_strategy:
+ default: smtp
+ description: |-
+ The delivery strategy to use when sending emails
+
+ `smtp`: Use SMTP server
+ `http`: Use the built in HTTP client to send the email to some remote service
+ type: string
+ kratos_courier_http_request_config_auth_api_key_in:
+ description: |-
+ The location of the API key to use in the HTTP email sending service's authentication
+
+ `header`: Send the key value pair as a header
+ `cookie`: Send the key value pair as a cookie
+ This governs the "courier.http.auth.config.in" setting
+ type: string
+ kratos_courier_http_request_config_auth_api_key_name:
+ description: |-
+ The name of the API key to use in the HTTP email sending service's authentication
+
+ This governs the "courier.http.auth.config.name" setting
+ type: string
+ kratos_courier_http_request_config_auth_api_key_value:
+ description: |-
+ The value of the API key to use in the HTTP email sending service's authentication
+
+ This governs the "courier.http.auth.config.value" setting
+ type: string
+ kratos_courier_http_request_config_auth_basic_auth_password:
+ description: |-
+ The password to use for basic auth in the HTTP email sending service's authentication
+
+ This governs the "courier.http.auth.config.password" setting
+ type: string
+ kratos_courier_http_request_config_auth_basic_auth_user:
+ description: |-
+ The user to use for basic auth in the HTTP email sending service's authentication
+
+ This governs the "courier.http.auth.config.user" setting
+ type: string
+ kratos_courier_http_request_config_auth_type:
+ default: empty (no authentication)
+ description: |-
+ The authentication type to use while contacting the remote HTTP email sending service
+
+ `basic_auth`: Use Basic Authentication
+ `api_key`: Use API Key Authentication in a header or cookie
+ type: string
+ kratos_courier_http_request_config_body:
+ description: |-
+ The Jsonnet template to generate the body to send to the remote HTTP email sending service
+
+ Should be valid Jsonnet and base64 encoded
+
+ This governs the "courier.http.body" setting
+ type: string
+ kratos_courier_http_request_config_headers:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ kratos_courier_http_request_config_method:
+ default: POST
+ description: The http METHOD to use when calling the remote HTTP email sending
+ service
+ type: string
+ kratos_courier_http_request_config_url:
+ description: |-
+ The URL of the remote HTTP email sending service
+
+ This governs the "courier.http.url" setting
+ type: string
+ kratos_courier_smtp_connection_uri:
+ description: |-
+ Configures the Ory Kratos SMTP Connection URI
+
+ This governs the "courier.smtp.connection_uri" setting.
+ type: string
+ kratos_courier_smtp_from_address:
+ description: |-
+ Configures the Ory Kratos SMTP From Address
+
+ This governs the "courier.smtp.from_address" setting.
+ type: string
+ kratos_courier_smtp_from_name:
+ description: |-
+ Configures the Ory Kratos SMTP From Name
+
+ This governs the "courier.smtp.from_name" setting.
+ type: string
+ kratos_courier_smtp_headers:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ kratos_courier_smtp_local_name:
+ description: |-
+ Configures the local_name to use in SMTP connections
+
+ This governs the "courier.smtp.local_name" setting.
+ type: string
+ kratos_courier_templates_login_code_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Login via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.login_code.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_login_code_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Login via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.login_code.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_login_code_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Login via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.login_code.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_recovery_code_invalid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.recovery_code.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_code_invalid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.recovery_code.invalid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_recovery_code_invalid_email_subject:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.recovery_code.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_code_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Recovery via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.recovery_code.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_code_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Recovery via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.recovery_code.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_recovery_code_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Recovery via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.recovery_code.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_recovery_invalid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery Email Body HTML Template
+
+ This governs the "courier.smtp.templates.recovery.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_invalid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.recovery.invalid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_recovery_invalid_email_subject:
+ description: |-
+ Configures the Ory Kratos Invalid Recovery Email Subject Template
+
+ This governs the "courier.smtp.templates.recovery.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Recovery Email Body HTML Template
+
+ This governs the "courier.smtp.templates.recovery.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_recovery_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Recovery Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.recovery.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_recovery_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Recovery Email Subject Template
+
+ This governs the "courier.smtp.templates.recovery.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_registration_code_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Registration via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.registration_code.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_registration_code_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Registration via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.registration_code.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_registration_code_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Registration via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.registration_code.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_verification_code_invalid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Invalid Verification via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.verification_code.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_verification_code_invalid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Invalid Verification via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.verification_code.invalid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_code_invalid_email_subject:
+ description: |-
+ Configures the Ory Kratos Invalid Verification via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.verification_code.invalid.email.subject" setting.
+ type: string
+ kratos_courier_templates_verification_code_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Verification via Code Email Body HTML Template
+
+ This governs the "courier.smtp.templates.verification_code.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_verification_code_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Verification via Code Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.verification_code.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_code_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Verification via Code Email Subject Template
+
+ This governs the "courier.smtp.templates.verification_code.valid.email.subject" setting.
+ type: string
+ kratos_courier_templates_verification_code_valid_sms_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Verification via Code SMS Body Plaintext
+
+ This governs the "courier.smtp.templates.verification_code.valid.sms.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_invalid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Invalid Verification Email Body HTML Template
+
+ This governs the "courier.smtp.templates.verification.invalid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_verification_invalid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Invalid Verification Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.verification.invalid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_invalid_email_subject:
+ description: |-
+ Configures the Ory Kratos Invalid Verification Email Subject Template
+
+ This governs the "courier.smtp.templates.verification.invalid.email.subject" setting.
+ type: string
+ kratos_courier_templates_verification_valid_email_body_html:
+ description: |-
+ Configures the Ory Kratos Valid Verification Email Body HTML Template
+
+ This governs the "courier.smtp.templates.verification.valid.email.body.html" setting.
+ type: string
+ kratos_courier_templates_verification_valid_email_body_plaintext:
+ description: |-
+ Configures the Ory Kratos Valid Verification Email Body Plaintext Template
+
+ This governs the "courier.smtp.templates.verification.valid.email.body.plaintext" setting.
+ type: string
+ kratos_courier_templates_verification_valid_email_subject:
+ description: |-
+ Configures the Ory Kratos Valid Verification Email Subject Template
+
+ This governs the "courier.smtp.templates.verification.valid.email.subject" setting.
+ type: string
+ kratos_feature_flags_cacheable_sessions:
+ description: |-
+ Configures the Ory Kratos Session caching feature flag
+
+ This governs the "feature_flags.cacheable_sessions" setting.
+ type: boolean
+ kratos_feature_flags_use_continue_with_transitions:
+ description: |-
+ Configures the Ory Kratos Session use_continue_with_transitions flag
+
+ This governs the "feature_flags.use_continue_with_transitions" setting.
+ type: boolean
+ kratos_identity_schemas:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionIdentitySchema'
+ type: array
+ kratos_oauth2_provider_headers:
+ description: "NullJSONRawMessage represents a json.RawMessage that works\
+ \ well with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ kratos_oauth2_provider_override_return_to:
+ description: |-
+ Kratos OAuth2 Provider Override Return To
+
+ Enabling this allows Kratos to set the return_to parameter automatically to the OAuth2 request URL on the login flow, allowing complex flows such as recovery to continue to the initial OAuth2 flow.
+ type: boolean
+ kratos_oauth2_provider_url:
+ description: |-
+ The Revisions' OAuth2 Provider Integration URL
+
+ This governs the "oauth2_provider.url" setting.
+ type: string
+ kratos_preview_default_read_consistency_level:
+ description: |-
+ Configures the default read consistency level for identity APIs
+
+ This governs the `preview.default_read_consistency_level` setting.
+
+ The read consistency level determines the consistency guarantee for reads:
+
+ strong (slow): The read is guaranteed to return the most recent data committed at the start of the read.
+ eventual (very fast): The result will return data that is about 4.8 seconds old.
+
+ Setting the default consistency level to `eventual` may cause regressions in the future as we add consistency
+ controls to more APIs. Currently, the following APIs will be affected by this setting:
+
+ `GET /admin/identities`
+
+ Defaults to "strong" for new and existing projects. This feature is in preview. Use with caution.
+ type: string
+ kratos_secrets_cipher:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_secrets_cookie:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_secrets_default:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_selfservice_allowed_return_urls:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_selfservice_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Default Return URL
+
+ This governs the "selfservice.allowed_return_urls" setting.
+ type: string
+ kratos_selfservice_flows_error_ui_url:
+ description: |-
+ Configures the Ory Kratos Error UI URL
+
+ This governs the "selfservice.flows.error.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_code_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After Password Default Return URL
+
+ This governs the "selfservice.flows.code.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login Default Return URL
+
+ This governs the "selfservice.flows.login.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_lookup_secret_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After Password Default Return URL
+
+ This governs the "selfservice.flows.lookup_secret.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_oidc_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After OIDC Default Return URL
+
+ This governs the "selfservice.flows.login.after.oidc.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_password_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After Password Default Return URL
+
+ This governs the "selfservice.flows.login.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_totp_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After Password Default Return URL
+
+ This governs the "selfservice.flows.totp.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_after_webauthn_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Login After WebAuthn Default Return URL
+
+ This governs the "selfservice.flows.login.after.webauthn.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_login_lifespan:
+ description: |-
+ Configures the Ory Kratos Login Lifespan
+
+ This governs the "selfservice.flows.login.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_login_ui_url:
+ description: |-
+ Configures the Ory Kratos Login UI URL
+
+ This governs the "selfservice.flows.login.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_logout_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Logout Default Return URL
+
+ This governs the "selfservice.flows.logout.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_recovery_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Recovery Default Return URL
+
+ This governs the "selfservice.flows.recovery.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_recovery_enabled:
+ description: |-
+ Configures the Ory Kratos Recovery Enabled Setting
+
+ This governs the "selfservice.flows.recovery.enabled" setting.
+ type: boolean
+ kratos_selfservice_flows_recovery_lifespan:
+ description: |-
+ Configures the Ory Kratos Recovery Lifespan
+
+ This governs the "selfservice.flows.recovery.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_recovery_notify_unknown_recipients:
+ description: |-
+ Configures whether to notify unknown recipients of a Ory Kratos recovery flow
+
+ This governs the "selfservice.flows.recovery.notify_unknown_recipients" setting.
+ type: boolean
+ kratos_selfservice_flows_recovery_ui_url:
+ description: |-
+ Configures the Ory Kratos Recovery UI URL
+
+ This governs the "selfservice.flows.recovery.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_recovery_use:
+ description: |-
+ Configures the Ory Kratos Recovery strategy to use ("link" or "code")
+
+ This governs the "selfservice.flows.recovery.use" setting.
+ link SelfServiceMessageVerificationStrategyLink
+ code SelfServiceMessageVerificationStrategyCode
+ enum:
+ - link
+ - code
+ type: string
+ x-go-enum-desc: |-
+ link SelfServiceMessageVerificationStrategyLink
+ code SelfServiceMessageVerificationStrategyCode
+ kratos_selfservice_flows_registration_after_code_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration After Code Default Return URL
+
+ This governs the "selfservice.flows.registration.after.code.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration Default Return URL
+
+ This governs the "selfservice.flows.registration.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_after_oidc_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration After OIDC Default Return URL
+
+ This governs the "selfservice.flows.registration.after.oidc.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_after_password_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration After Password Default Return URL
+
+ This governs the "selfservice.flows.registration.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_after_webauthn_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Registration After Password Default Return URL
+
+ This governs the "selfservice.flows.registration.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_registration_enabled:
+ description: |-
+ Configures the Whether Ory Kratos Registration is Enabled
+
+ This governs the "selfservice.flows.registration.enabled" setting.0
+ type: boolean
+ kratos_selfservice_flows_registration_lifespan:
+ description: |-
+ Configures the Ory Kratos Registration Lifespan
+
+ This governs the "selfservice.flows.registration.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_registration_login_hints:
+ description: |-
+ Configures the Ory Kratos Registration Login Hints
+
+ Shows helpful information when a user tries to sign up with a duplicate account.
+
+ This governs the "selfservice.flows.registration.login_hints" setting.
+ type: boolean
+ kratos_selfservice_flows_registration_ui_url:
+ description: |-
+ Configures the Ory Kratos Registration UI URL
+
+ This governs the "selfservice.flows.registration.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL
+
+ This governs the "selfservice.flows.settings.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_lookup_secret_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating Lookup Secrets
+
+ This governs the "selfservice.flows.settings.after.lookup_secret.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_oidc_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating Social Sign In
+
+ This governs the "selfservice.flows.settings.after.oidc.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_password_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating Passwords
+
+ This governs the "selfservice.flows.settings.after.password.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_profile_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating Profiles
+
+ This governs the "selfservice.flows.settings.after.profile.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_totp_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating TOTP
+
+ This governs the "selfservice.flows.settings.after.totp.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_after_webauthn_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Settings Default Return URL After Updating WebAuthn
+
+ This governs the "selfservice.flows.settings.webauthn.profile.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_settings_lifespan:
+ description: |-
+ Configures the Ory Kratos Settings Lifespan
+
+ This governs the "selfservice.flows.settings.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_settings_privileged_session_max_age:
+ description: |-
+ Configures the Ory Kratos Settings Privileged Session Max Age
+
+ This governs the "selfservice.flows.settings.privileged_session_max_age" setting.
+ type: string
+ kratos_selfservice_flows_settings_required_aal:
+ description: |-
+ Configures the Ory Kratos Settings Required AAL
+
+ This governs the "selfservice.flows.settings.required_aal" setting.
+ type: string
+ kratos_selfservice_flows_settings_ui_url:
+ description: |-
+ Configures the Ory Kratos Settings UI URL
+
+ This governs the "selfservice.flows.settings.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_verification_after_default_browser_return_url:
+ description: |-
+ Configures the Ory Kratos Verification Default Return URL
+
+ This governs the "selfservice.flows.verification.after.default_browser_return_url" setting.
+ type: string
+ kratos_selfservice_flows_verification_enabled:
+ description: |-
+ Configures the Ory Kratos Verification Enabled Setting
+
+ This governs the "selfservice.flows.verification.enabled" setting.
+ type: boolean
+ kratos_selfservice_flows_verification_lifespan:
+ description: |-
+ Configures the Ory Kratos Verification Lifespan
+
+ This governs the "selfservice.flows.verification.lifespan" setting.
+ type: string
+ kratos_selfservice_flows_verification_notify_unknown_recipients:
+ description: |-
+ Configures whether to notify unknown recipients of a Ory Kratos verification flow
+
+ This governs the "selfservice.flows.verification.notify_unknown_recipients" setting.
+ type: boolean
+ kratos_selfservice_flows_verification_ui_url:
+ description: |-
+ Configures the Ory Kratos Verification UI URL
+
+ This governs the "selfservice.flows.verification.ui_url" setting.
+ type: string
+ kratos_selfservice_flows_verification_use:
+ description: |-
+ Configures the Ory Kratos Strategy to use for Verification
+
+ This governs the "selfservice.flows.verification.use" setting.
+ link SelfServiceMessageVerificationStrategyLink
+ code SelfServiceMessageVerificationStrategyCode
+ enum:
+ - link
+ - code
+ type: string
+ x-go-enum-desc: |-
+ link SelfServiceMessageVerificationStrategyLink
+ code SelfServiceMessageVerificationStrategyCode
+ kratos_selfservice_methods_code_config_lifespan:
+ description: |-
+ Configures the Ory Kratos Code Method's lifespan
+
+ This governs the "selfservice.methods.code.config.lifespan" setting.
+ type: string
+ kratos_selfservice_methods_code_enabled:
+ description: |-
+ Configures whether Ory Kratos Code Method is enabled
+
+ This governs the "selfservice.methods.code.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_code_passwordless_enabled:
+ description: |-
+ Configues whether Ory Kratos Passwordless should use the Code Method
+
+ This governs the "selfservice.methods.code.passwordless_enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_link_config_base_url:
+ description: |-
+ Configures the Base URL which Recovery, Verification, and Login Links Point to
+
+ It is recommended to leave this value empty. It will be appropriately configured to the best matching domain
+ (e.g. when using custom domains) automatically.
+
+ This governs the "selfservice.methods.link.config.base_url" setting.
+ type: string
+ kratos_selfservice_methods_link_config_lifespan:
+ description: |-
+ Configures the Ory Kratos Link Method's lifespan
+
+ This governs the "selfservice.methods.link.config.lifespan" setting.
+ type: string
+ kratos_selfservice_methods_link_enabled:
+ description: |-
+ Configures whether Ory Kratos Link Method is enabled
+
+ This governs the "selfservice.methods.link.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_lookup_secret_enabled:
+ description: |-
+ Configures whether Ory Kratos TOTP Lookup Secret is enabled
+
+ This governs the "selfservice.methods.lookup_secret.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_oidc_config_base_redirect_uri:
+ description: |-
+ Configures the Ory Kratos Third Party / OpenID Connect base redirect URI
+
+ This governs the "selfservice.methods.oidc.config.base_redirect_uri" setting.
+ type: string
+ kratos_selfservice_methods_oidc_config_providers:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionThirdPartyProvider'
+ type: array
+ kratos_selfservice_methods_oidc_enabled:
+ description: |-
+ Configures whether Ory Kratos Third Party / OpenID Connect Login is enabled
+
+ This governs the "selfservice.methods.oidc.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_password_config_haveibeenpwned_enabled:
+ description: |-
+ Configures whether Ory Kratos Password HIBP Checks is enabled
+
+ This governs the "selfservice.methods.password.config.haveibeenpwned_enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_password_config_identifier_similarity_check_enabled:
+ description: |-
+ Configures whether Ory Kratos Password should disable the similarity policy.
+
+ This governs the "selfservice.methods.password.config.identifier_similarity_check_enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_password_config_ignore_network_errors:
+ description: |-
+ Configures whether Ory Kratos Password Should ignore HIBPWND Network Errors
+
+ This governs the "selfservice.methods.password.config.ignore_network_errors" setting.
+ type: boolean
+ kratos_selfservice_methods_password_config_max_breaches:
+ description: |-
+ Configures Ory Kratos Password Max Breaches Detection
+
+ This governs the "selfservice.methods.password.config.max_breaches" setting.
+ format: int64
+ type: integer
+ kratos_selfservice_methods_password_config_min_password_length:
+ description: |-
+ Configures the minimum length of passwords.
+
+ This governs the "selfservice.methods.password.config.min_password_length" setting.
+ format: int64
+ type: integer
+ kratos_selfservice_methods_password_enabled:
+ description: |-
+ Configures whether Ory Kratos Password Method is enabled
+
+ This governs the "selfservice.methods.password.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_profile_enabled:
+ description: |-
+ Configures whether Ory Kratos Profile Method is enabled
+
+ This governs the "selfservice.methods.profile.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_totp_config_issuer:
+ description: |-
+ Configures Ory Kratos TOTP Issuer
+
+ This governs the "selfservice.methods.totp.config.issuer" setting.
+ type: string
+ kratos_selfservice_methods_totp_enabled:
+ description: |-
+ Configures whether Ory Kratos TOTP Method is enabled
+
+ This governs the "selfservice.methods.totp.enabled" setting.
+ type: boolean
+ kratos_selfservice_methods_webauthn_config_passwordless:
+ description: |-
+ Configures whether Ory Kratos Webauthn is used for passwordless flows
+
+ This governs the "selfservice.methods.webauthn.config.passwordless" setting.
+ type: boolean
+ kratos_selfservice_methods_webauthn_config_rp_display_name:
+ description: |-
+ Configures the Ory Kratos Webauthn RP Display Name
+
+ This governs the "selfservice.methods.webauthn.config.rp.display_name" setting.
+ type: string
+ kratos_selfservice_methods_webauthn_config_rp_icon:
+ description: |-
+ Configures the Ory Kratos Webauthn RP Icon
+
+ This governs the "selfservice.methods.webauthn.config.rp.icon" setting.
+ Deprecated: This value will be ignored due to security considerations.
+ type: string
+ kratos_selfservice_methods_webauthn_config_rp_id:
+ description: |-
+ Configures the Ory Kratos Webauthn RP ID
+
+ This governs the "selfservice.methods.webauthn.config.rp.id" setting.
+ type: string
+ kratos_selfservice_methods_webauthn_config_rp_origins:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ kratos_selfservice_methods_webauthn_enabled:
+ description: |-
+ Configures whether Ory Kratos Webauthn is enabled
+
+ This governs the "selfservice.methods.webauthn.enabled" setting.
+ type: boolean
+ kratos_session_cookie_persistent:
+ description: |-
+ Configures the Ory Kratos Session Cookie Persistent Attribute
+
+ This governs the "session.cookie.persistent" setting.
+ type: boolean
+ kratos_session_cookie_same_site:
+ description: |-
+ Configures the Ory Kratos Session Cookie SameSite Attribute
+
+ This governs the "session.cookie.same_site" setting.
+ type: string
+ kratos_session_lifespan:
+ description: |-
+ Configures the Ory Kratos Session Lifespan
+
+ This governs the "session.lifespan" setting.
+ type: string
+ kratos_session_whoami_required_aal:
+ description: |-
+ Configures the Ory Kratos Session Whoami AAL requirement
+
+ This governs the "session.whoami.required_aal" setting.
+ type: string
+ kratos_session_whoami_tokenizer_templates:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionTokenizerTemplate'
+ type: array
+ name:
+ description: The project's name.
+ type: string
+ project_id:
+ description: The Revision's Project ID
+ format: uuid
+ type: string
+ project_revision_hooks:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionHook'
+ type: array
+ serve_admin_cors_allowed_origins:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ serve_admin_cors_enabled:
+ description: |-
+ Enable CORS headers on all admin APIs
+
+ This governs the "serve.admin.cors.enabled" setting.
+ type: boolean
+ serve_public_cors_allowed_origins:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ serve_public_cors_enabled:
+ description: |-
+ Enable CORS headers on all public APIs
+
+ This governs the "serve.public.cors.enabled" setting.
+ type: boolean
+ strict_security:
+ description: Whether the project should employ strict security measures.
+ Setting this to true is recommended for going into production.
+ type: boolean
+ updated_at:
+ description: Last Time Project's Revision was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ required:
+ - name
+ type: object
+ normalizedProjectRevisionHook:
+ properties:
+ config_key:
+ description: The Hooks Config Key
+ type: string
+ created_at:
+ description: The Project's Revision Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ hook:
+ description: The Hook Type
+ type: string
+ id:
+ description: ID of the entry
+ format: uuid
+ type: string
+ project_revision_id:
+ description: The Revision's ID this schema belongs to
+ format: uuid
+ type: string
+ updated_at:
+ description: Last Time Project's Revision was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ web_hook_config_auth_api_key_in:
+ description: Whether to send the API Key in the HTTP Header or as a HTTP
+ Cookie
+ example: header
+ type: string
+ web_hook_config_auth_api_key_name:
+ description: The name of the api key
+ example: X-API-Key
+ type: string
+ web_hook_config_auth_api_key_value:
+ description: The value of the api key
+ example: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
+ type: string
+ web_hook_config_auth_basic_auth_password:
+ description: The password to be sent in the HTTP Basic Auth Header
+ type: string
+ web_hook_config_auth_basic_auth_user:
+ description: The username to be sent in the HTTP Basic Auth Header
+ type: string
+ web_hook_config_auth_type:
+ description: HTTP Auth Method to use for the Web-Hook
+ type: string
+ web_hook_config_body:
+ description: "URI pointing to the JsonNet template used for Web-Hook payload\
+ \ generation. Only used for those HTTP methods, which support HTTP body\
+ \ payloads."
+ example: base64://ZnVuY3Rpb24oY3R4KSB7CiAgaWRlbnRpdHlfaWQ6IGlmIGN0eFsiaWRlbnRpdHkiXSAhPSBudWxsIHRoZW4gY3R4LmlkZW50aXR5LmlkLAp9=
+ type: string
+ web_hook_config_can_interrupt:
+ description: If enabled allows the web hook to interrupt / abort the self-service
+ flow. It only applies to certain flows (registration/verification/login/settings)
+ and requires a valid response format.
+ type: boolean
+ web_hook_config_method:
+ description: "The HTTP method to use (GET, POST, etc) for the Web-Hook"
+ example: POST
+ type: string
+ web_hook_config_response_ignore:
+ description: Whether to ignore the Web Hook response
+ type: boolean
+ web_hook_config_response_parse:
+ description: Whether to parse the Web Hook response
+ type: boolean
+ web_hook_config_url:
+ description: The URL the Web-Hook should call
+ example: https://www.example.org/web-hook-listener
+ type: string
+ required:
+ - config_key
+ - hook
+ type: object
+ normalizedProjectRevisionIdentitySchema:
+ properties:
+ created_at:
+ description: The Project's Revision Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ id:
+ description: The unique ID of this entry.
+ format: uuid
+ type: string
+ identity_schema:
+ $ref: '#/components/schemas/managedIdentitySchema'
+ identity_schema_id:
+ format: uuid4
+ nullable: true
+ type: string
+ import_id:
+ description: The imported (named) ID of the Identity Schema referenced in
+ the Ory Kratos config.
+ type: string
+ import_url:
+ description: |-
+ The ImportURL can be used to import an Identity Schema from a bse64 encoded string.
+ In the future, this key also support HTTPS and other sources!
+
+ If you import an Ory Kratos configuration, this would be akin to the `identity.schemas.#.url` key.
+
+ The configuration will always return the import URL when you fetch it from the API.
+ example: base64://ey...
+ type: string
+ is_default:
+ description: |-
+ If true sets the default schema for identities
+
+ Only one schema can ever be the default schema. If you
+ try to add two schemas with default to true, the
+ request will fail.
+ type: boolean
+ preset:
+ description: Use a preset instead of a custom identity schema.
+ type: string
+ project_revision_id:
+ description: The Revision's ID this schema belongs to
+ format: uuid
+ type: string
+ updated_at:
+ description: Last Time Project's Revision was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ type: object
+ normalizedProjectRevisionIdentitySchemas:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionIdentitySchema'
+ type: array
+ normalizedProjectRevisionThirdPartyProvider:
+ properties:
+ additional_id_token_audiences:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ apple_private_key:
+ nullable: true
+ type: string
+ apple_private_key_id:
+ description: |-
+ Apple Private Key Identifier
+
+ Sign In with Apple Private Key Identifier needed for generating a JWT token for client secret
+ example: UX56C66723
+ type: string
+ apple_team_id:
+ description: |-
+ Apple Developer Team ID
+
+ Apple Developer Team ID needed for generating a JWT token for client secret
+ example: KP76DQS54M
+ type: string
+ auth_url:
+ description: |-
+ AuthURL is the authorize url, typically something like: https://example.org/oauth2/auth
+ Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
+ `provider` is set to `generic`.
+ example: https://www.googleapis.com/oauth2/v2/auth
+ type: string
+ azure_tenant:
+ description: |-
+ Tenant is the Azure AD Tenant to use for authentication, and must be set when `provider` is set to `microsoft`.
+
+ Can be either `common`, `organizations`, `consumers` for a multitenant application or a specific tenant like
+ `8eaef023-2b34-4da1-9baa-8bc8c9d6a490` or `contoso.onmicrosoft.com`.
+ example: contoso.onmicrosoft.com
+ type: string
+ client_id:
+ description: ClientID is the application's Client ID.
+ type: string
+ client_secret:
+ nullable: true
+ type: string
+ created_at:
+ description: The Project's Revision Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ id:
+ format: uuid
+ type: string
+ issuer_url:
+ description: |-
+ IssuerURL is the OpenID Connect Server URL. You can leave this empty if `provider` is not set to `generic`.
+ If set, neither `auth_url` nor `token_url` are required.
+ example: https://accounts.google.com
+ type: string
+ label:
+ description: Label represents an optional label which can be used in the
+ UI generation.
+ type: string
+ mapper_url:
+ description: |-
+ Mapper specifies the JSONNet code snippet which uses the OpenID Connect Provider's data (e.g. GitHub or Google
+ profile information) to hydrate the identity's data.
+ type: string
+ organization_id:
+ format: uuid4
+ nullable: true
+ type: string
+ project_revision_id:
+ description: The Revision's ID this schema belongs to
+ format: uuid
+ type: string
+ provider:
+ description: |-
+ Provider is either "generic" for a generic OAuth 2.0 / OpenID Connect Provider or one of:
+ generic
+ google
+ github
+ gitlab
+ microsoft
+ discord
+ slack
+ facebook
+ vk
+ yandex
+ apple
+ example: google
+ type: string
+ provider_id:
+ description: ID is the provider's ID
+ type: string
+ requested_claims:
+ title: "JSONRawMessage represents a json.RawMessage that works well with\
+ \ JSON, SQL, and Swagger."
+ type: object
+ scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ state:
+ description: |-
+ State indicates the state of the provider
+
+ Only providers with state `enabled` will be used for authentication
+ enabled ThirdPartyProviderStateEnabled
+ disabled ThirdPartyProviderStateDisabled
+ enum:
+ - enabled
+ - disabled
+ type: string
+ x-go-enum-desc: |-
+ enabled ThirdPartyProviderStateEnabled
+ disabled ThirdPartyProviderStateDisabled
+ subject_source:
+ nullable: true
+ type: string
+ token_url:
+ description: |-
+ TokenURL is the token url, typically something like: https://example.org/oauth2/token
+
+ Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
+ `provider` is set to `generic`.
+ example: https://www.googleapis.com/oauth2/v4/token
+ type: string
+ updated_at:
+ description: Last Time Project's Revision was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ type: object
+ normalizedProjectRevisionTokenizerTemplate:
+ properties:
+ claims_mapper_url:
+ description: Claims mapper URL
+ type: string
+ created_at:
+ description: The Project's Revision Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ id:
+ description: The revision ID.
+ format: uuid
+ readOnly: true
+ type: string
+ jwks_url:
+ description: JSON Web Key URL
+ type: string
+ key:
+ description: The unique key of the template
+ type: string
+ project_revision_id:
+ description: The Revision's ID this schema belongs to
+ format: uuid
+ type: string
+ ttl:
+ default: 1m
+ description: Token time to live
+ example: 1h
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ updated_at:
+ description: Last Time Project's Revision was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ type: object
+ normalizedProjectRevisionTokenizerTemplates:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionTokenizerTemplate'
+ type: array
+ normalizedProjects:
+ items:
+ $ref: '#/components/schemas/normalizedProject'
+ type: array
+ nullBool:
+ nullable: true
+ type: boolean
+ nullDuration:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ nullInt64:
+ nullable: true
+ type: integer
+ nullJsonRawMessage:
+ description: "NullJSONRawMessage represents a json.RawMessage that works well\
+ \ with JSON, SQL, and Swagger and is NULLable-"
+ nullable: true
+ type: object
+ nullString:
+ type: string
+ nullTime:
+ format: date-time
+ title: NullTime implements sql.NullTime functionality.
+ type: string
+ oAuth2Client:
+ description: |-
+ OAuth 2.0 Clients are used to perform OAuth 2.0 and OpenID Connect flows. Usually, OAuth 2.0 clients are
+ generated for applications which want to consume your OAuth 2.0 or OpenID Connect capabilities.
+ example:
+ metadata: "{}"
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwt_bearer_grant_access_token_lifespan: jwt_bearer_grant_access_token_lifespan
+ jwks: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ refresh_token_grant_access_token_lifespan: refresh_token_grant_access_token_lifespan
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: client_secret_basic
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ authorization_code_grant_id_token_lifespan: authorization_code_grant_id_token_lifespan
+ authorization_code_grant_refresh_token_lifespan: authorization_code_grant_refresh_token_lifespan
+ client_credentials_grant_access_token_lifespan: client_credentials_grant_access_token_lifespan
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope1 scope-2 scope.3 scope:4
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ skip_consent: true
+ audience:
+ - audience
+ - audience
+ authorization_code_grant_access_token_lifespan: authorization_code_grant_access_token_lifespan
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ refresh_token_grant_refresh_token_lifespan: refresh_token_grant_refresh_token_lifespan
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
+ implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
+ client_secret_expires_at: 0
+ implicit_grant_access_token_lifespan: implicit_grant_access_token_lifespan
+ access_token_strategy: access_token_strategy
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ properties:
+ access_token_strategy:
+ description: |-
+ OAuth 2.0 Access Token Strategy
+
+ AccessTokenStrategy is the strategy used to generate access tokens.
+ Valid options are `jwt` and `opaque`. `jwt` is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens
+ Setting the stragegy here overrides the global setting in `strategies.access_token`.
+ type: string
+ allowed_cors_origins:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ audience:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ authorization_code_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ authorization_code_grant_id_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ authorization_code_grant_refresh_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ backchannel_logout_session_required:
+ description: |-
+ OpenID Connect Back-Channel Logout Session Required
+
+ Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout
+ Token to identify the RP session with the OP when the backchannel_logout_uri is used.
+ If omitted, the default value is false.
+ type: boolean
+ backchannel_logout_uri:
+ description: |-
+ OpenID Connect Back-Channel Logout URI
+
+ RP URL that will cause the RP to log itself out when sent a Logout Token by the OP.
+ type: string
+ client_credentials_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ client_id:
+ description: |-
+ OAuth 2.0 Client ID
+
+ The ID is immutable. If no ID is provided, a UUID4 will be generated.
+ type: string
+ client_name:
+ description: |-
+ OAuth 2.0 Client Name
+
+ The human-readable name of the client to be presented to the
+ end-user during authorization.
+ type: string
+ client_secret:
+ description: |-
+ OAuth 2.0 Client Secret
+
+ The secret will be included in the create request as cleartext, and then
+ never again. The secret is kept in hashed format and is not recoverable once lost.
+ type: string
+ client_secret_expires_at:
+ description: |-
+ OAuth 2.0 Client Secret Expires At
+
+ The field is currently not supported and its value is always 0.
+ format: int64
+ type: integer
+ client_uri:
+ description: |-
+ OAuth 2.0 Client URI
+
+ ClientURI is a URL string of a web page providing information about the client.
+ If present, the server SHOULD display this URL to the end-user in
+ a clickable fashion.
+ type: string
+ contacts:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ created_at:
+ description: |-
+ OAuth 2.0 Client Creation Date
+
+ CreatedAt returns the timestamp of the client's creation.
+ format: date-time
+ type: string
+ frontchannel_logout_session_required:
+ description: |-
+ OpenID Connect Front-Channel Logout Session Required
+
+ Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be
+ included to identify the RP session with the OP when the frontchannel_logout_uri is used.
+ If omitted, the default value is false.
+ type: boolean
+ frontchannel_logout_uri:
+ description: |-
+ OpenID Connect Front-Channel Logout URI
+
+ RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query
+ parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the
+ request and to determine which of the potentially multiple sessions is to be logged out; if either is
+ included, both MUST be.
+ type: string
+ grant_types:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ implicit_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ implicit_grant_id_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ jwks:
+ description: |-
+ OAuth 2.0 Client JSON Web Key Set
+
+ Client's JSON Web Key Set [JWK] document, passed by value. The semantics of the jwks parameter are the same as
+ the jwks_uri parameter, other than that the JWK Set is passed by value, rather than by reference. This parameter
+ is intended only to be used by Clients that, for some reason, are unable to use the jwks_uri parameter, for
+ instance, by native applications that might not have a location to host the contents of the JWK Set. If a Client
+ can use jwks_uri, it MUST NOT use jwks. One significant downside of jwks is that it does not enable key rotation
+ (which jwks_uri does, as described in Section 10 of OpenID Connect Core 1.0 [OpenID.Core]). The jwks_uri and jwks
+ parameters MUST NOT be used together.
+ jwks_uri:
+ description: |-
+ OAuth 2.0 Client JSON Web Key Set URL
+
+ URL for the Client's JSON Web Key Set [JWK] document. If the Client signs requests to the Server, it contains
+ the signing key(s) the Server uses to validate signatures from the Client. The JWK Set MAY also contain the
+ Client's encryption keys(s), which are used by the Server to encrypt responses to the Client. When both signing
+ and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced
+ JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both
+ signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used
+ to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST
+ match those in the certificate.
+ type: string
+ jwt_bearer_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ logo_uri:
+ description: |-
+ OAuth 2.0 Client Logo URI
+
+ A URL string referencing the client's logo.
+ type: string
+ metadata:
+ title: "JSONRawMessage represents a json.RawMessage that works well with\
+ \ JSON, SQL, and Swagger."
+ type: object
+ owner:
+ description: |-
+ OAuth 2.0 Client Owner
+
+ Owner is a string identifying the owner of the OAuth 2.0 Client.
+ type: string
+ policy_uri:
+ description: |-
+ OAuth 2.0 Client Policy URI
+
+ PolicyURI is a URL string that points to a human-readable privacy policy document
+ that describes how the deployment organization collects, uses,
+ retains, and discloses personal data.
+ type: string
+ post_logout_redirect_uris:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ redirect_uris:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ refresh_token_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ refresh_token_grant_id_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ refresh_token_grant_refresh_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ registration_access_token:
+ description: |-
+ OpenID Connect Dynamic Client Registration Access Token
+
+ RegistrationAccessToken can be used to update, get, or delete the OAuth2 Client. It is sent when creating a client
+ using Dynamic Client Registration.
+ type: string
+ registration_client_uri:
+ description: |-
+ OpenID Connect Dynamic Client Registration URL
+
+ RegistrationClientURI is the URL used to update, get, or delete the OAuth2 Client.
+ type: string
+ request_object_signing_alg:
+ description: |-
+ OpenID Connect Request Object Signing Algorithm
+
+ JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects
+ from this Client MUST be rejected, if not signed with this algorithm.
+ type: string
+ request_uris:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ response_types:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ scope:
+ description: |-
+ OAuth 2.0 Client Scope
+
+ Scope is a string containing a space-separated list of scope values (as
+ described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
+ can use when requesting access tokens.
+ example: scope1 scope-2 scope.3 scope:4
+ type: string
+ sector_identifier_uri:
+ description: |-
+ OpenID Connect Sector Identifier URI
+
+ URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a
+ file with a single JSON array of redirect_uri values.
+ type: string
+ skip_consent:
+ description: |-
+ SkipConsent skips the consent screen for this client. This field can only
+ be set from the admin API.
+ type: boolean
+ subject_type:
+ description: |-
+ OpenID Connect Subject Type
+
+ The `subject_types_supported` Discovery parameter contains a
+ list of the supported subject_type values for this server. Valid types include `pairwise` and `public`.
+ type: string
+ token_endpoint_auth_method:
+ default: client_secret_basic
+ description: |-
+ OAuth 2.0 Token Endpoint Authentication Method
+
+ Requested Client Authentication method for the Token Endpoint. The options are:
+
+ `client_secret_basic`: (default) Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` encoded in the HTTP Authorization header.
+ `client_secret_post`: Send `client_id` and `client_secret` as `application/x-www-form-urlencoded` in the HTTP body.
+ `private_key_jwt`: Use JSON Web Tokens to authenticate the client.
+ `none`: Used for public clients (native apps, mobile apps) which can not have secrets.
+ type: string
+ token_endpoint_auth_signing_alg:
+ description: |-
+ OAuth 2.0 Token Endpoint Signing Algorithm
+
+ Requested Client Authentication signing algorithm for the Token Endpoint.
+ type: string
+ tos_uri:
+ description: |-
+ OAuth 2.0 Client Terms of Service URI
+
+ A URL string pointing to a human-readable terms of service
+ document for the client that describes a contractual relationship
+ between the end-user and the client that the end-user accepts when
+ authorizing the client.
+ type: string
+ updated_at:
+ description: |-
+ OAuth 2.0 Client Last Update Date
+
+ UpdatedAt returns the timestamp of the last update.
+ format: date-time
+ type: string
+ userinfo_signed_response_alg:
+ description: |-
+ OpenID Connect Request Userinfo Signed Response Algorithm
+
+ JWS alg algorithm [JWA] REQUIRED for signing UserInfo Responses. If this is specified, the response will be JWT
+ [JWT] serialized, and signed using JWS. The default, if omitted, is for the UserInfo Response to return the Claims
+ as a UTF-8 encoded JSON object using the application/json content-type.
+ type: string
+ title: OAuth 2.0 Client
+ type: object
+ oAuth2ClientTokenLifespans:
+ description: Lifespans of different token types issued for this OAuth 2.0 Client.
+ properties:
+ authorization_code_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ authorization_code_grant_id_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ authorization_code_grant_refresh_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ client_credentials_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ implicit_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ implicit_grant_id_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ jwt_bearer_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ refresh_token_grant_access_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ refresh_token_grant_id_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ refresh_token_grant_refresh_token_lifespan:
+ nullable: true
+ pattern: "^[0-9]+(ns|us|ms|s|m|h)$"
+ type: string
+ title: OAuth 2.0 Client Token Lifespans
+ type: object
+ oAuth2ConsentRequest:
+ example:
+ requested_access_token_audience:
+ - requested_access_token_audience
+ - requested_access_token_audience
+ login_challenge: login_challenge
+ subject: subject
+ amr:
+ - amr
+ - amr
+ oidc_context:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ skip: true
+ request_url: request_url
+ acr: acr
+ context: "{}"
+ challenge: challenge
+ client:
+ metadata: "{}"
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwt_bearer_grant_access_token_lifespan: jwt_bearer_grant_access_token_lifespan
+ jwks: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ refresh_token_grant_access_token_lifespan: refresh_token_grant_access_token_lifespan
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: client_secret_basic
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ authorization_code_grant_id_token_lifespan: authorization_code_grant_id_token_lifespan
+ authorization_code_grant_refresh_token_lifespan: authorization_code_grant_refresh_token_lifespan
+ client_credentials_grant_access_token_lifespan: client_credentials_grant_access_token_lifespan
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope1 scope-2 scope.3 scope:4
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ skip_consent: true
+ audience:
+ - audience
+ - audience
+ authorization_code_grant_access_token_lifespan: authorization_code_grant_access_token_lifespan
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ refresh_token_grant_refresh_token_lifespan: refresh_token_grant_refresh_token_lifespan
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
+ implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
+ client_secret_expires_at: 0
+ implicit_grant_access_token_lifespan: implicit_grant_access_token_lifespan
+ access_token_strategy: access_token_strategy
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ login_session_id: login_session_id
+ requested_scope:
+ - requested_scope
+ - requested_scope
+ properties:
+ acr:
+ description: |-
+ ACR represents the Authentication AuthorizationContext Class Reference value for this authentication session. You can use it
+ to express that, for example, a user authenticated using two factor authentication.
+ type: string
+ amr:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ challenge:
+ description: |-
+ ID is the identifier ("authorization challenge") of the consent authorization request. It is used to
+ identify the session.
+ type: string
+ client:
+ $ref: '#/components/schemas/oAuth2Client'
+ context:
+ title: "JSONRawMessage represents a json.RawMessage that works well with\
+ \ JSON, SQL, and Swagger."
+ type: object
+ login_challenge:
+ description: |-
+ LoginChallenge is the login challenge this consent challenge belongs to. It can be used to associate
+ a login and consent request in the login & consent app.
+ type: string
+ login_session_id:
+ description: |-
+ LoginSessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)
+ this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)
+ this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back-
+ channel logout. It's value can generally be used to associate consecutive login requests by a certain user.
+ type: string
+ oidc_context:
+ $ref: '#/components/schemas/oAuth2ConsentRequestOpenIDConnectContext'
+ request_url:
+ description: |-
+ RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
+ initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but
+ might come in handy if you want to deal with additional request parameters.
+ type: string
+ requested_access_token_audience:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ requested_scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ skip:
+ description: |-
+ Skip, if true, implies that the client has requested the same scopes from the same user previously.
+ If true, you must not ask the user to grant the requested scopes. You must however either allow or deny the
+ consent request using the usual API call.
+ type: boolean
+ subject:
+ description: |-
+ Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope
+ requested by the OAuth 2.0 client.
+ type: string
+ required:
+ - challenge
+ title: Contains information on an ongoing consent request.
+ type: object
+ oAuth2ConsentRequestOpenIDConnectContext:
+ example:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ properties:
+ acr_values:
+ description: |-
+ ACRValues is the Authentication AuthorizationContext Class Reference requested in the OAuth 2.0 Authorization request.
+ It is a parameter defined by OpenID Connect and expresses which level of authentication (e.g. 2FA) is required.
+
+ OpenID Connect defines it as follows:
+ > Requested Authentication AuthorizationContext Class Reference values. Space-separated string that specifies the acr values
+ that the Authorization Server is being requested to use for processing this Authentication Request, with the
+ values appearing in order of preference. The Authentication AuthorizationContext Class satisfied by the authentication
+ performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a
+ Voluntary Claim by this parameter.
+ items:
+ type: string
+ type: array
+ display:
+ description: |-
+ Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User.
+ The defined values are:
+ page: The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
+ popup: The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
+ touch: The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
+ wap: The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
+
+ The Authorization Server MAY also attempt to detect the capabilities of the User Agent and present an appropriate display.
+ type: string
+ id_token_hint_claims:
+ additionalProperties: {}
+ description: |-
+ IDTokenHintClaims are the claims of the ID Token previously issued by the Authorization Server being passed as a hint about the
+ End-User's current or past authenticated session with the Client.
+ type: object
+ login_hint:
+ description: |-
+ LoginHint hints about the login identifier the End-User might use to log in (if necessary).
+ This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier)
+ and then wants to pass that value as a hint to the discovered authorization service. This value MAY also be a
+ phone number in the format specified for the phone_number Claim. The use of this parameter is optional.
+ type: string
+ ui_locales:
+ description: |-
+ UILocales is the End-User'id preferred languages and scripts for the user interface, represented as a
+ space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value
+ "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation),
+ followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested
+ locales are not supported by the OpenID Provider.
+ items:
+ type: string
+ type: array
+ title: Contains optional information about the OpenID Connect request.
+ type: object
+ oAuth2ConsentSession:
+ description: A completed OAuth 2.0 Consent Session.
+ example:
+ remember: true
+ consent_request:
+ requested_access_token_audience:
+ - requested_access_token_audience
+ - requested_access_token_audience
+ login_challenge: login_challenge
+ subject: subject
+ amr:
+ - amr
+ - amr
+ oidc_context:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ skip: true
+ request_url: request_url
+ acr: acr
+ context: "{}"
+ challenge: challenge
+ client:
+ metadata: "{}"
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwt_bearer_grant_access_token_lifespan: jwt_bearer_grant_access_token_lifespan
+ jwks: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ refresh_token_grant_access_token_lifespan: refresh_token_grant_access_token_lifespan
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: client_secret_basic
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ authorization_code_grant_id_token_lifespan: authorization_code_grant_id_token_lifespan
+ authorization_code_grant_refresh_token_lifespan: authorization_code_grant_refresh_token_lifespan
+ client_credentials_grant_access_token_lifespan: client_credentials_grant_access_token_lifespan
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope1 scope-2 scope.3 scope:4
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ skip_consent: true
+ audience:
+ - audience
+ - audience
+ authorization_code_grant_access_token_lifespan: authorization_code_grant_access_token_lifespan
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ refresh_token_grant_refresh_token_lifespan: refresh_token_grant_refresh_token_lifespan
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
+ implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
+ client_secret_expires_at: 0
+ implicit_grant_access_token_lifespan: implicit_grant_access_token_lifespan
+ access_token_strategy: access_token_strategy
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ login_session_id: login_session_id
+ requested_scope:
+ - requested_scope
+ - requested_scope
+ expires_at:
+ access_token: 2000-01-23T04:56:07.000+00:00
+ refresh_token: 2000-01-23T04:56:07.000+00:00
+ par_context: 2000-01-23T04:56:07.000+00:00
+ id_token: 2000-01-23T04:56:07.000+00:00
+ authorize_code: 2000-01-23T04:56:07.000+00:00
+ session:
+ access_token: ""
+ id_token: ""
+ grant_access_token_audience:
+ - grant_access_token_audience
+ - grant_access_token_audience
+ handled_at: 2000-01-23T04:56:07.000+00:00
+ grant_scope:
+ - grant_scope
+ - grant_scope
+ remember_for: 0
+ properties:
+ consent_request:
+ $ref: '#/components/schemas/oAuth2ConsentRequest'
+ expires_at:
+ $ref: '#/components/schemas/oAuth2ConsentSession_expires_at'
+ grant_access_token_audience:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ grant_scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ handled_at:
+ format: date-time
+ title: NullTime implements sql.NullTime functionality.
+ type: string
+ remember:
+ description: |-
+ Remember Consent
+
+ Remember, if set to true, tells ORY Hydra to remember this consent authorization and reuse it if the same
+ client asks the same user for the same, or a subset of, scope.
+ type: boolean
+ remember_for:
+ description: |-
+ Remember Consent For
+
+ RememberFor sets how long the consent authorization should be remembered for in seconds. If set to `0`, the
+ authorization will be remembered indefinitely.
+ format: int64
+ type: integer
+ session:
+ $ref: '#/components/schemas/acceptOAuth2ConsentRequestSession'
+ title: OAuth 2.0 Consent Session
+ type: object
+ oAuth2ConsentSessions:
+ description: List of OAuth 2.0 Consent Sessions
+ items:
+ $ref: '#/components/schemas/oAuth2ConsentSession'
+ type: array
+ oAuth2LoginRequest:
+ example:
+ requested_access_token_audience:
+ - requested_access_token_audience
+ - requested_access_token_audience
+ subject: subject
+ oidc_context:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ challenge: challenge
+ client:
+ metadata: "{}"
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwt_bearer_grant_access_token_lifespan: jwt_bearer_grant_access_token_lifespan
+ jwks: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ refresh_token_grant_access_token_lifespan: refresh_token_grant_access_token_lifespan
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: client_secret_basic
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ authorization_code_grant_id_token_lifespan: authorization_code_grant_id_token_lifespan
+ authorization_code_grant_refresh_token_lifespan: authorization_code_grant_refresh_token_lifespan
+ client_credentials_grant_access_token_lifespan: client_credentials_grant_access_token_lifespan
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope1 scope-2 scope.3 scope:4
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ skip_consent: true
+ audience:
+ - audience
+ - audience
+ authorization_code_grant_access_token_lifespan: authorization_code_grant_access_token_lifespan
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ refresh_token_grant_refresh_token_lifespan: refresh_token_grant_refresh_token_lifespan
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
+ implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
+ client_secret_expires_at: 0
+ implicit_grant_access_token_lifespan: implicit_grant_access_token_lifespan
+ access_token_strategy: access_token_strategy
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ session_id: session_id
+ skip: true
+ request_url: request_url
+ requested_scope:
+ - requested_scope
+ - requested_scope
+ properties:
+ challenge:
+ description: |-
+ ID is the identifier ("login challenge") of the login request. It is used to
+ identify the session.
+ type: string
+ client:
+ $ref: '#/components/schemas/oAuth2Client'
+ oidc_context:
+ $ref: '#/components/schemas/oAuth2ConsentRequestOpenIDConnectContext'
+ request_url:
+ description: |-
+ RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
+ initiates the OAuth 2.0 Authorization Code or OAuth 2.0 Implicit flow. This URL is typically not needed, but
+ might come in handy if you want to deal with additional request parameters.
+ type: string
+ requested_access_token_audience:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ requested_scope:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ session_id:
+ description: |-
+ SessionID is the login session ID. If the user-agent reuses a login session (via cookie / remember flag)
+ this ID will remain the same. If the user-agent did not have an existing authentication session (e.g. remember is false)
+ this will be a new random value. This value is used as the "sid" parameter in the ID Token and in OIDC Front-/Back-
+ channel logout. It's value can generally be used to associate consecutive login requests by a certain user.
+ type: string
+ skip:
+ description: |-
+ Skip, if true, implies that the client has requested the same scopes from the same user previously.
+ If true, you can skip asking the user to grant the requested scopes, and simply forward the user to the redirect URL.
+
+ This feature allows you to update / set session information.
+ type: boolean
+ subject:
+ description: |-
+ Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope
+ requested by the OAuth 2.0 client. If this value is set and `skip` is true, you MUST include this subject type
+ when accepting the login request, or the request will fail.
+ type: string
+ required:
+ - challenge
+ - client
+ - request_url
+ - skip
+ - subject
+ title: Contains information on an ongoing login request.
+ type: object
+ oAuth2LogoutRequest:
+ example:
+ subject: subject
+ challenge: challenge
+ client:
+ metadata: "{}"
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwt_bearer_grant_access_token_lifespan: jwt_bearer_grant_access_token_lifespan
+ jwks: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ refresh_token_grant_access_token_lifespan: refresh_token_grant_access_token_lifespan
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: client_secret_basic
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ authorization_code_grant_id_token_lifespan: authorization_code_grant_id_token_lifespan
+ authorization_code_grant_refresh_token_lifespan: authorization_code_grant_refresh_token_lifespan
+ client_credentials_grant_access_token_lifespan: client_credentials_grant_access_token_lifespan
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope1 scope-2 scope.3 scope:4
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ skip_consent: true
+ audience:
+ - audience
+ - audience
+ authorization_code_grant_access_token_lifespan: authorization_code_grant_access_token_lifespan
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ refresh_token_grant_refresh_token_lifespan: refresh_token_grant_refresh_token_lifespan
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
+ implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
+ client_secret_expires_at: 0
+ implicit_grant_access_token_lifespan: implicit_grant_access_token_lifespan
+ access_token_strategy: access_token_strategy
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ rp_initiated: true
+ request_url: request_url
+ sid: sid
+ properties:
+ challenge:
+ description: |-
+ Challenge is the identifier ("logout challenge") of the logout authentication request. It is used to
+ identify the session.
+ type: string
+ client:
+ $ref: '#/components/schemas/oAuth2Client'
+ request_url:
+ description: RequestURL is the original Logout URL requested.
+ type: string
+ rp_initiated:
+ description: "RPInitiated is set to true if the request was initiated by\
+ \ a Relying Party (RP), also known as an OAuth 2.0 Client."
+ type: boolean
+ sid:
+ description: SessionID is the login session ID that was requested to log
+ out.
+ type: string
+ subject:
+ description: Subject is the user for whom the logout was request.
+ type: string
+ title: Contains information about an ongoing logout request.
+ type: object
+ oAuth2RedirectTo:
+ description: "Contains a redirect URL used to complete a login, consent, or\
+ \ logout request."
+ example:
+ redirect_to: redirect_to
+ properties:
+ redirect_to:
+ description: RedirectURL is the URL which you should redirect the user's
+ browser to once the authentication process is completed.
+ type: string
+ required:
+ - redirect_to
+ title: OAuth 2.0 Redirect Browser To
+ type: object
+ oAuth2TokenExchange:
+ description: OAuth2 Token Exchange Result
+ example:
+ access_token: access_token
+ refresh_token: refresh_token
+ scope: scope
+ id_token: id_token
+ token_type: token_type
+ expires_in: 0
+ properties:
+ access_token:
+ description: The access token issued by the authorization server.
+ type: string
+ expires_in:
+ description: |-
+ The lifetime in seconds of the access token. For
+ example, the value "3600" denotes that the access token will
+ expire in one hour from the time the response was generated.
+ format: int64
+ type: integer
+ id_token:
+ description: To retrieve a refresh token request the id_token scope.
+ type: string
+ refresh_token:
+ description: |-
+ The refresh token, which can be used to obtain new
+ access tokens. To retrieve it add the scope "offline" to your access token request.
+ type: string
+ scope:
+ description: The scope of the access token
+ type: string
+ token_type:
+ description: The type of the token issued
+ type: string
+ type: object
+ oidcConfiguration:
+ description: |-
+ Includes links to several endpoints (for example `/oauth2/token`) and exposes information on supported signature algorithms
+ among others.
+ example:
+ request_parameter_supported: true
+ claims_parameter_supported: true
+ backchannel_logout_supported: true
+ scopes_supported:
+ - scopes_supported
+ - scopes_supported
+ issuer: https://playground.ory.sh/ory-hydra/public/
+ userinfo_signed_response_alg:
+ - userinfo_signed_response_alg
+ - userinfo_signed_response_alg
+ authorization_endpoint: https://playground.ory.sh/ory-hydra/public/oauth2/auth
+ claims_supported:
+ - claims_supported
+ - claims_supported
+ userinfo_signing_alg_values_supported:
+ - userinfo_signing_alg_values_supported
+ - userinfo_signing_alg_values_supported
+ token_endpoint_auth_methods_supported:
+ - token_endpoint_auth_methods_supported
+ - token_endpoint_auth_methods_supported
+ backchannel_logout_session_supported: true
+ response_modes_supported:
+ - response_modes_supported
+ - response_modes_supported
+ id_token_signed_response_alg:
+ - id_token_signed_response_alg
+ - id_token_signed_response_alg
+ token_endpoint: https://playground.ory.sh/ory-hydra/public/oauth2/token
+ response_types_supported:
+ - response_types_supported
+ - response_types_supported
+ request_uri_parameter_supported: true
+ grant_types_supported:
+ - grant_types_supported
+ - grant_types_supported
+ end_session_endpoint: end_session_endpoint
+ revocation_endpoint: revocation_endpoint
+ userinfo_endpoint: userinfo_endpoint
+ frontchannel_logout_supported: true
+ require_request_uri_registration: true
+ code_challenge_methods_supported:
+ - code_challenge_methods_supported
+ - code_challenge_methods_supported
+ credentials_endpoint_draft_00: credentials_endpoint_draft_00
+ frontchannel_logout_session_supported: true
+ jwks_uri: "https://{slug}.projects.oryapis.com/.well-known/jwks.json"
+ credentials_supported_draft_00:
+ - types:
+ - types
+ - types
+ cryptographic_suites_supported:
+ - cryptographic_suites_supported
+ - cryptographic_suites_supported
+ cryptographic_binding_methods_supported:
+ - cryptographic_binding_methods_supported
+ - cryptographic_binding_methods_supported
+ format: format
+ - types:
+ - types
+ - types
+ cryptographic_suites_supported:
+ - cryptographic_suites_supported
+ - cryptographic_suites_supported
+ cryptographic_binding_methods_supported:
+ - cryptographic_binding_methods_supported
+ - cryptographic_binding_methods_supported
+ format: format
+ subject_types_supported:
+ - subject_types_supported
+ - subject_types_supported
+ id_token_signing_alg_values_supported:
+ - id_token_signing_alg_values_supported
+ - id_token_signing_alg_values_supported
+ registration_endpoint: https://playground.ory.sh/ory-hydra/admin/client
+ request_object_signing_alg_values_supported:
+ - request_object_signing_alg_values_supported
+ - request_object_signing_alg_values_supported
+ properties:
+ authorization_endpoint:
+ description: OAuth 2.0 Authorization Endpoint URL
+ example: https://playground.ory.sh/ory-hydra/public/oauth2/auth
+ type: string
+ backchannel_logout_session_supported:
+ description: |-
+ OpenID Connect Back-Channel Logout Session Required
+
+ Boolean value specifying whether the OP can pass a sid (session ID) Claim in the Logout Token to identify the RP
+ session with the OP. If supported, the sid Claim is also included in ID Tokens issued by the OP
+ type: boolean
+ backchannel_logout_supported:
+ description: |-
+ OpenID Connect Back-Channel Logout Supported
+
+ Boolean value specifying whether the OP supports back-channel logout, with true indicating support.
+ type: boolean
+ claims_parameter_supported:
+ description: |-
+ OpenID Connect Claims Parameter Parameter Supported
+
+ Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.
+ type: boolean
+ claims_supported:
+ description: |-
+ OpenID Connect Supported Claims
+
+ JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply
+ values for. Note that for privacy or other reasons, this might not be an exhaustive list.
+ items:
+ type: string
+ type: array
+ code_challenge_methods_supported:
+ description: |-
+ OAuth 2.0 PKCE Supported Code Challenge Methods
+
+ JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported
+ by this authorization server.
+ items:
+ type: string
+ type: array
+ credentials_endpoint_draft_00:
+ description: |-
+ OpenID Connect Verifiable Credentials Endpoint
+
+ Contains the URL of the Verifiable Credentials Endpoint.
+ type: string
+ credentials_supported_draft_00:
+ description: |-
+ OpenID Connect Verifiable Credentials Supported
+
+ JSON array containing a list of the Verifiable Credentials supported by this authorization server.
+ items:
+ $ref: '#/components/schemas/credentialSupportedDraft00'
+ type: array
+ end_session_endpoint:
+ description: |-
+ OpenID Connect End-Session Endpoint
+
+ URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.
+ type: string
+ frontchannel_logout_session_supported:
+ description: |-
+ OpenID Connect Front-Channel Logout Session Required
+
+ Boolean value specifying whether the OP can pass iss (issuer) and sid (session ID) query parameters to identify
+ the RP session with the OP when the frontchannel_logout_uri is used. If supported, the sid Claim is also
+ included in ID Tokens issued by the OP.
+ type: boolean
+ frontchannel_logout_supported:
+ description: |-
+ OpenID Connect Front-Channel Logout Supported
+
+ Boolean value specifying whether the OP supports HTTP-based logout, with true indicating support.
+ type: boolean
+ grant_types_supported:
+ description: |-
+ OAuth 2.0 Supported Grant Types
+
+ JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
+ items:
+ type: string
+ type: array
+ id_token_signed_response_alg:
+ description: |-
+ OpenID Connect Default ID Token Signing Algorithms
+
+ Algorithm used to sign OpenID Connect ID Tokens.
+ items:
+ type: string
+ type: array
+ id_token_signing_alg_values_supported:
+ description: |-
+ OpenID Connect Supported ID Token Signing Algorithms
+
+ JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token
+ to encode the Claims in a JWT.
+ items:
+ type: string
+ type: array
+ issuer:
+ description: |-
+ OpenID Connect Issuer URL
+
+ An URL using the https scheme with no query or fragment component that the OP asserts as its IssuerURL Identifier.
+ If IssuerURL discovery is supported , this value MUST be identical to the issuer value returned
+ by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this IssuerURL.
+ example: https://playground.ory.sh/ory-hydra/public/
+ type: string
+ jwks_uri:
+ description: |-
+ OpenID Connect Well-Known JSON Web Keys URL
+
+ URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate
+ signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs
+ to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use)
+ parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.
+ Although some algorithms allow the same key to be used for both signatures and encryption, doing so is
+ NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of
+ keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
+ example: "https://{slug}.projects.oryapis.com/.well-known/jwks.json"
+ type: string
+ registration_endpoint:
+ description: OpenID Connect Dynamic Client Registration Endpoint URL
+ example: https://playground.ory.sh/ory-hydra/admin/client
+ type: string
+ request_object_signing_alg_values_supported:
+ description: |-
+ OpenID Connect Supported Request Object Signing Algorithms
+
+ JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for Request Objects,
+ which are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. These algorithms are used both when
+ the Request Object is passed by value (using the request parameter) and when it is passed by reference
+ (using the request_uri parameter).
+ items:
+ type: string
+ type: array
+ request_parameter_supported:
+ description: |-
+ OpenID Connect Request Parameter Supported
+
+ Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.
+ type: boolean
+ request_uri_parameter_supported:
+ description: |-
+ OpenID Connect Request URI Parameter Supported
+
+ Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support.
+ type: boolean
+ require_request_uri_registration:
+ description: |-
+ OpenID Connect Requires Request URI Registration
+
+ Boolean value specifying whether the OP requires any request_uri values used to be pre-registered
+ using the request_uris registration parameter.
+ type: boolean
+ response_modes_supported:
+ description: |-
+ OAuth 2.0 Supported Response Modes
+
+ JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports.
+ items:
+ type: string
+ type: array
+ response_types_supported:
+ description: |-
+ OAuth 2.0 Supported Response Types
+
+ JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID
+ Providers MUST support the code, id_token, and the token id_token Response Type values.
+ items:
+ type: string
+ type: array
+ revocation_endpoint:
+ description: |-
+ OAuth 2.0 Token Revocation URL
+
+ URL of the authorization server's OAuth 2.0 revocation endpoint.
+ type: string
+ scopes_supported:
+ description: |-
+ OAuth 2.0 Supported Scope Values
+
+ JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The server MUST
+ support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used
+ items:
+ type: string
+ type: array
+ subject_types_supported:
+ description: |-
+ OpenID Connect Supported Subject Types
+
+ JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include
+ pairwise and public.
+ items:
+ type: string
+ type: array
+ token_endpoint:
+ description: OAuth 2.0 Token Endpoint URL
+ example: https://playground.ory.sh/ory-hydra/public/oauth2/token
+ type: string
+ token_endpoint_auth_methods_supported:
+ description: |-
+ OAuth 2.0 Supported Client Authentication Methods
+
+ JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are
+ client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0
+ items:
+ type: string
+ type: array
+ userinfo_endpoint:
+ description: |-
+ OpenID Connect Userinfo URL
+
+ URL of the OP's UserInfo Endpoint.
+ type: string
+ userinfo_signed_response_alg:
+ description: |-
+ OpenID Connect User Userinfo Signing Algorithm
+
+ Algorithm used to sign OpenID Connect Userinfo Responses.
+ items:
+ type: string
+ type: array
+ userinfo_signing_alg_values_supported:
+ description: |-
+ OpenID Connect Supported Userinfo Signing Algorithm
+
+ JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT].
+ items:
+ type: string
+ type: array
+ required:
+ - authorization_endpoint
+ - id_token_signed_response_alg
+ - id_token_signing_alg_values_supported
+ - issuer
+ - jwks_uri
+ - response_types_supported
+ - subject_types_supported
+ - token_endpoint
+ - userinfo_signed_response_alg
+ title: OpenID Connect Discovery Metadata
+ type: object
+ oidcUserInfo:
+ description: OpenID Connect Userinfo
+ example:
+ sub: sub
+ website: website
+ zoneinfo: zoneinfo
+ birthdate: birthdate
+ email_verified: true
+ gender: gender
+ profile: profile
+ phone_number_verified: true
+ preferred_username: preferred_username
+ given_name: given_name
+ locale: locale
+ middle_name: middle_name
+ picture: picture
+ updated_at: 0
+ name: name
+ nickname: nickname
+ phone_number: phone_number
+ family_name: family_name
+ email: email
+ properties:
+ birthdate:
+ description: "End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑\
+ 2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted.\
+ \ To represent only the year, YYYY format is allowed. Note that depending\
+ \ on the underlying platform's date related function, providing just year\
+ \ can result in varying month and day, so the implementers need to take\
+ \ this factor into account to correctly process the dates."
+ type: string
+ email:
+ description: "End-User's preferred e-mail address. Its value MUST conform\
+ \ to the RFC 5322 [RFC5322] addr-spec syntax. The RP MUST NOT rely upon\
+ \ this value being unique, as discussed in Section 5.7."
+ type: string
+ email_verified:
+ description: "True if the End-User's e-mail address has been verified; otherwise\
+ \ false. When this Claim Value is true, this means that the OP took affirmative\
+ \ steps to ensure that this e-mail address was controlled by the End-User\
+ \ at the time the verification was performed. The means by which an e-mail\
+ \ address is verified is context-specific, and dependent upon the trust\
+ \ framework or contractual agreements within which the parties are operating."
+ type: boolean
+ family_name:
+ description: "Surname(s) or last name(s) of the End-User. Note that in some\
+ \ cultures, people can have multiple family names or no family name; all\
+ \ can be present, with the names being separated by space characters."
+ type: string
+ gender:
+ description: End-User's gender. Values defined by this specification are
+ female and male. Other values MAY be used when neither of the defined
+ values are applicable.
+ type: string
+ given_name:
+ description: "Given name(s) or first name(s) of the End-User. Note that\
+ \ in some cultures, people can have multiple given names; all can be present,\
+ \ with the names being separated by space characters."
+ type: string
+ locale:
+ description: "End-User's locale, represented as a BCP47 [RFC5646] language\
+ \ tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code\
+ \ in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase,\
+ \ separated by a dash. For example, en-US or fr-CA. As a compatibility\
+ \ note, some implementations have used an underscore as the separator\
+ \ rather than a dash, for example, en_US; Relying Parties MAY choose to\
+ \ accept this locale syntax as well."
+ type: string
+ middle_name:
+ description: "Middle name(s) of the End-User. Note that in some cultures,\
+ \ people can have multiple middle names; all can be present, with the\
+ \ names being separated by space characters. Also note that in some cultures,\
+ \ middle names are not used."
+ type: string
+ name:
+ description: "End-User's full name in displayable form including all name\
+ \ parts, possibly including titles and suffixes, ordered according to\
+ \ the End-User's locale and preferences."
+ type: string
+ nickname:
+ description: "Casual name of the End-User that may or may not be the same\
+ \ as the given_name. For instance, a nickname value of Mike might be returned\
+ \ alongside a given_name value of Michael."
+ type: string
+ phone_number:
+ description: "End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED\
+ \ as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2)\
+ \ 687 2400. If the phone number contains an extension, it is RECOMMENDED\
+ \ that the extension be represented using the RFC 3966 [RFC3966] extension\
+ \ syntax, for example, +1 (604) 555-1234;ext=5678."
+ type: string
+ phone_number_verified:
+ description: "True if the End-User's phone number has been verified; otherwise\
+ \ false. When this Claim Value is true, this means that the OP took affirmative\
+ \ steps to ensure that this phone number was controlled by the End-User\
+ \ at the time the verification was performed. The means by which a phone\
+ \ number is verified is context-specific, and dependent upon the trust\
+ \ framework or contractual agreements within which the parties are operating.\
+ \ When true, the phone_number Claim MUST be in E.164 format and any extensions\
+ \ MUST be represented in RFC 3966 format."
+ type: boolean
+ picture:
+ description: "URL of the End-User's profile picture. This URL MUST refer\
+ \ to an image file (for example, a PNG, JPEG, or GIF image file), rather\
+ \ than to a Web page containing an image. Note that this URL SHOULD specifically\
+ \ reference a profile photo of the End-User suitable for displaying when\
+ \ describing the End-User, rather than an arbitrary photo taken by the\
+ \ End-User."
+ type: string
+ preferred_username:
+ description: "Non-unique shorthand name by which the End-User wishes to\
+ \ be referred to at the RP, such as janedoe or j.doe. This value MAY be\
+ \ any valid JSON string including special characters such as @, /, or\
+ \ whitespace."
+ type: string
+ profile:
+ description: URL of the End-User's profile page. The contents of this Web
+ page SHOULD be about the End-User.
+ type: string
+ sub:
+ description: Subject - Identifier for the End-User at the IssuerURL.
+ type: string
+ updated_at:
+ description: Time the End-User's information was last updated. Its value
+ is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z
+ as measured in UTC until the date/time.
+ format: int64
+ type: integer
+ website:
+ description: URL of the End-User's Web page or blog. This Web page SHOULD
+ contain information published by the End-User or an organization that
+ the End-User is affiliated with.
+ type: string
+ zoneinfo:
+ description: "String from zoneinfo [zoneinfo] time zone database representing\
+ \ the End-User's time zone. For example, Europe/Paris or America/Los_Angeles."
+ type: string
+ type: object
+ organization:
+ description: B2B SSO Organization
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ project_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ created_at: 2000-01-23T04:56:07.000+00:00
+ domains:
+ - domains
+ - domains
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ label: label
+ properties:
+ created_at:
+ description: The organization's creation date.
+ format: date-time
+ readOnly: true
+ type: string
+ domains:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ id:
+ description: The organization's ID.
+ format: uuid
+ type: string
+ label:
+ description: The organization's human-readable label.
+ type: string
+ project_id:
+ description: The project's ID.
+ format: uuid
+ type: string
+ updated_at:
+ description: The last time the organization was updated.
+ format: date-time
+ readOnly: true
+ type: string
+ required:
+ - created_at
+ - domains
+ - id
+ - label
+ - project_id
+ - updated_at
+ type: object
+ pagination:
+ properties:
+ page_size:
+ default: 250
+ description: |-
+ Items per page
+
+ This is the number of items per page to return.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ page_token:
+ default: "1"
+ description: |-
+ Next Page Token
+
+ The next page token.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ minimum: 1
+ type: string
+ type: object
+ paginationHeaders:
+ properties:
+ link:
+ description: |-
+ The link header contains pagination links.
+
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+
+ in: header
+ type: string
+ x-total-count:
+ description: |-
+ The total number of clients.
+
+ in: header
+ type: string
+ type: object
+ patchIdentitiesBody:
+ description: Patch Identities Body
+ properties:
+ identities:
+ description: |-
+ Identities holds the list of patches to apply
+
+ required
+ items:
+ $ref: '#/components/schemas/identityPatch'
+ type: array
+ type: object
+ performNativeLogoutBody:
+ description: Perform Native Logout Request Body
+ properties:
+ session_token:
+ description: |-
+ The Session Token
+
+ Invalidate this session token.
+ type: string
+ required:
+ - session_token
+ type: object
+ permissionsOnProject:
+ additionalProperties:
+ type: boolean
+ description: Get Permissions on Project Request Parameters
+ type: object
+ plans:
+ $ref: '#/components/schemas/Pricing'
+ postCheckPermissionBody:
+ description: Check Permission using Post Request Body
+ properties:
+ namespace:
+ description: Namespace to query
+ type: string
+ object:
+ description: Object to query
+ type: string
+ relation:
+ description: Relation to query
+ type: string
+ subject_id:
+ description: |-
+ SubjectID to query
+
+ Either SubjectSet or SubjectID can be provided.
+ type: string
+ subject_set:
+ $ref: '#/components/schemas/subjectSet'
+ type: object
+ postCheckPermissionOrErrorBody:
+ description: Post Check Permission Or Error Body
+ properties:
+ namespace:
+ description: Namespace to query
+ type: string
+ object:
+ description: Object to query
+ type: string
+ relation:
+ description: Relation to query
+ type: string
+ subject_id:
+ description: |-
+ SubjectID to query
+
+ Either SubjectSet or SubjectID can be provided.
+ type: string
+ subject_set:
+ $ref: '#/components/schemas/subjectSet'
+ type: object
+ project:
+ example:
+ workspace_id: workspace_id
+ name: name
+ cors_admin:
+ origins:
+ - origins
+ - origins
+ enabled: true
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ services:
+ identity:
+ config: "{}"
+ permission:
+ config: "{}"
+ oauth2:
+ config: "{}"
+ state: running
+ cors_public:
+ origins:
+ - origins
+ - origins
+ enabled: true
+ slug: slug
+ revision_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ properties:
+ cors_admin:
+ $ref: '#/components/schemas/projectCors'
+ cors_public:
+ $ref: '#/components/schemas/projectCors'
+ id:
+ description: The project's ID.
+ format: uuid
+ readOnly: true
+ type: string
+ name:
+ description: The name of the project.
+ type: string
+ revision_id:
+ description: The configuration revision ID.
+ format: uuid
+ readOnly: true
+ type: string
+ services:
+ $ref: '#/components/schemas/projectServices'
+ slug:
+ description: The project's slug
+ readOnly: true
+ type: string
+ state:
+ description: |-
+ The state of the project.
+ running Running
+ halted Halted
+ deleted Deleted
+ enum:
+ - running
+ - halted
+ - deleted
+ readOnly: true
+ type: string
+ x-go-enum-desc: |-
+ running Running
+ halted Halted
+ deleted Deleted
+ workspace_id:
+ format: uuid4
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - revision_id
+ - services
+ - slug
+ - state
+ type: object
+ projectApiKey:
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ project_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ owner_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ name: name
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ properties:
+ created_at:
+ description: The token's creation date
+ format: date-time
+ readOnly: true
+ type: string
+ id:
+ description: The token's ID.
+ format: uuid
+ readOnly: true
+ type: string
+ name:
+ description: |-
+ The Token's Name
+
+ Set this to help you remember, for example, where you use the token.
+ type: string
+ owner_id:
+ description: The token's owner
+ format: uuid
+ readOnly: true
+ type: string
+ project_id:
+ description: The Token's Project ID
+ format: uuid
+ readOnly: true
+ type: string
+ updated_at:
+ description: The token's last update date
+ format: date-time
+ readOnly: true
+ type: string
+ value:
+ description: The token's value
+ readOnly: true
+ type: string
+ required:
+ - id
+ - name
+ - owner_id
+ type: object
+ projectApiKeys:
+ items:
+ $ref: '#/components/schemas/projectApiKey'
+ type: array
+ projectBranding:
+ properties:
+ created_at:
+ description: The Customization Creation Date
+ format: date-time
+ readOnly: true
+ type: string
+ default_theme:
+ $ref: '#/components/schemas/projectBrandingTheme'
+ id:
+ description: The customization ID.
+ format: uuid
+ readOnly: true
+ type: string
+ project_id:
+ description: The Project's ID this customization is associated with
+ format: uuid
+ type: string
+ themes:
+ items:
+ $ref: '#/components/schemas/projectBrandingTheme'
+ title: ProjectBrandingThemes is a list of ProjectBrandingTheme.
+ type: array
+ updated_at:
+ description: Last Time Branding was Updated
+ format: date-time
+ readOnly: true
+ type: string
+ required:
+ - created_at
+ - default_theme
+ - id
+ - project_id
+ - themes
+ - updated_at
+ title: ProjectBranding holds all settings for customizing the Ory Account Experience.
+ type: object
+ projectBrandingColors:
+ properties:
+ accent_default_color:
+ description: AccentDefaultColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ accent_disabled_color:
+ description: AccentDisabledColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ accent_emphasis_color:
+ description: AccentEmphasisColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ accent_muted_color:
+ description: AccentMutedColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ accent_subtle_color:
+ description: AccentSubtleColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ background_canvas_color:
+ description: BackgroundCanvasColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ background_subtle_color:
+ description: BackgroundSubtleColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ background_surface_color:
+ description: BackgroundSurfaceColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ border_default_color:
+ description: BorderDefaultColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ error_default_color:
+ description: ErrorDefaultColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ error_emphasis_color:
+ description: ErrorEmphasisColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ error_muted_color:
+ description: ErrorMutedColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ error_subtle_color:
+ description: ErrorSubtleColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ foreground_default_color:
+ description: ForegroundDefaultColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ foreground_disabled_color:
+ description: ForegroundDisabledColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ foreground_muted_color:
+ description: ForegroundMutedColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ foreground_on_accent_color:
+ description: ForegroundOnAccentColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ foreground_on_dark_color:
+ description: ForegroundOnDarkColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ foreground_on_disabled_color:
+ description: ForegroundOnDisabledColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ foreground_subtle_color:
+ description: ForegroundSubtleColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ input_background_color:
+ description: InputBackgroundColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ input_disabled_color:
+ description: InputDisabledColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ input_placeholder_color:
+ description: InputPlaceholderColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ input_text_color:
+ description: InputTextColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ primary_color:
+ description: Primary color is an hsla color value used to derive the other
+ colors from for the Ory Account Experience theme.
+ type: string
+ secondary_color:
+ description: Secondary color is a hsla color code used to derive the other
+ colors from for the Ory Account Experience theme.
+ type: string
+ success_emphasis_color:
+ description: SuccessEmphasisColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ text_default_color:
+ description: TextDefaultColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ text_disabled_color:
+ description: TextDisabledColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ title: ProjectBrandingColors are the colors used by the Ory Account Experience
+ theme.
+ type: object
+ projectBrandingTheme:
+ properties:
+ accent_default_color:
+ description: AccentDefaultColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ accent_disabled_color:
+ description: AccentDisabledColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ accent_emphasis_color:
+ description: AccentEmphasisColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ accent_muted_color:
+ description: AccentMutedColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ accent_subtle_color:
+ description: AccentSubtleColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ background_canvas_color:
+ description: BackgroundCanvasColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ background_subtle_color:
+ description: BackgroundSubtleColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ background_surface_color:
+ description: BackgroundSurfaceColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ border_default_color:
+ description: BorderDefaultColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ created_at:
+ description: The Customization Creation Date.
+ format: date-time
+ readOnly: true
+ type: string
+ error_default_color:
+ description: ErrorDefaultColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ error_emphasis_color:
+ description: ErrorEmphasisColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ error_muted_color:
+ description: ErrorMutedColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ error_subtle_color:
+ description: ErrorSubtleColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ favicon_type:
+ description: |-
+ Favicon Type
+ The Favicon mime type.
+ type: string
+ favicon_url:
+ description: |-
+ Favicon URL
+ Favicon can be an https:// or base64:// URL. If the URL is not allowed, the favicon will be stored inside the Ory Network storage bucket.
+ type: string
+ foreground_default_color:
+ description: ForegroundDefaultColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ foreground_disabled_color:
+ description: ForegroundDisabledColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ foreground_muted_color:
+ description: ForegroundMutedColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ foreground_on_accent_color:
+ description: ForegroundOnAccentColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ foreground_on_dark_color:
+ description: ForegroundOnDarkColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ foreground_on_disabled_color:
+ description: ForegroundOnDisabledColor is a hex color code used by the Ory
+ Account Experience theme.
+ type: string
+ foreground_subtle_color:
+ description: ForegroundSubtleColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ id:
+ description: The customization theme ID.
+ format: uuid
+ readOnly: true
+ type: string
+ input_background_color:
+ description: InputBackgroundColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ input_disabled_color:
+ description: InputDisabledColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ input_placeholder_color:
+ description: InputPlaceholderColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ input_text_color:
+ description: InputTextColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ logo_type:
+ description: |-
+ Logo Type
+ The Logo mime type.
+ type: string
+ logo_url:
+ description: |-
+ Logo URL
+ Logo can be an https:// or base64:// URL. If the URL is not allowed, the logo will be stored inside the Ory Network storage bucket.
+ type: string
+ name:
+ description: The customization theme name.
+ type: string
+ primary_color:
+ description: Primary color is an hsla color value used to derive the other
+ colors from for the Ory Account Experience theme.
+ type: string
+ project_branding_id:
+ description: The ProjectBranding ID this customization is associated with.
+ format: uuid
+ type: string
+ secondary_color:
+ description: Secondary color is a hsla color code used to derive the other
+ colors from for the Ory Account Experience theme.
+ type: string
+ success_emphasis_color:
+ description: SuccessEmphasisColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ text_default_color:
+ description: TextDefaultColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ text_disabled_color:
+ description: TextDisabledColor is a hex color code used by the Ory Account
+ Experience theme.
+ type: string
+ updated_at:
+ description: Last Time Branding was Updated.
+ format: date-time
+ readOnly: true
+ type: string
+ required:
+ - created_at
+ - id
+ - name
+ - project_branding_id
+ - updated_at
+ title: ProjectBrandingTheme represents a Theme for the Ory Account Experience.
+ type: object
+ projectBrandingThemes:
+ items:
+ $ref: '#/components/schemas/projectBrandingTheme'
+ title: ProjectBrandingThemes is a list of ProjectBrandingTheme.
+ type: array
+ projectCors:
+ example:
+ origins:
+ - origins
+ - origins
+ enabled: true
+ properties:
+ enabled:
+ description: Whether CORS is enabled for this endpoint.
+ type: boolean
+ origins:
+ description: "The allowed origins. Use `*` to allow all origins. A wildcard\
+ \ can also be used in the subdomain, i.e. `https://*.example.com` will\
+ \ allow all origins on all subdomains of `example.com`."
+ items:
+ type: string
+ type: array
+ type: object
+ projectHost:
+ properties:
+ host:
+ description: The project's host.
+ type: string
+ id:
+ description: The mapping's ID.
+ format: uuid
+ readOnly: true
+ type: string
+ project_id:
+ description: The Revision's Project ID
+ format: uuid
+ type: string
+ required:
+ - host
+ - id
+ - project_id
+ type: object
+ projectMember:
+ $ref: '#/components/schemas/cloudAccount'
+ projectMembers:
+ items:
+ $ref: '#/components/schemas/projectMember'
+ type: array
+ projectMetadata:
+ example:
+ subscription_id: subscription_id
+ workspace_id: workspace_id
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ hosts:
+ - hosts
+ - hosts
+ name: name
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: running
+ slug: slug
+ subscription_plan: subscription_plan
+ properties:
+ created_at:
+ description: The Project's Creation Date
+ format: date-time
+ type: string
+ hosts:
+ items:
+ type: string
+ title: "StringSliceJSONFormat represents []string{} which is encoded to/from\
+ \ JSON for SQL storage."
+ type: array
+ id:
+ description: The project's ID.
+ format: uuid
+ readOnly: true
+ type: string
+ name:
+ description: The project's name if set
+ type: string
+ slug:
+ description: The project's slug
+ readOnly: true
+ type: string
+ state:
+ description: |-
+ The state of the project.
+ running Running
+ halted Halted
+ deleted Deleted
+ enum:
+ - running
+ - halted
+ - deleted
+ type: string
+ x-go-enum-desc: |-
+ running Running
+ halted Halted
+ deleted Deleted
+ subscription_id:
+ format: uuid4
+ nullable: true
+ type: string
+ subscription_plan:
+ nullable: true
+ type: string
+ updated_at:
+ description: Last Time Project was Updated
+ format: date-time
+ type: string
+ workspace_id:
+ format: uuid4
+ nullable: true
+ type: string
+ required:
+ - created_at
+ - hosts
+ - id
+ - name
+ - state
+ - updated_at
+ type: object
+ projectMetadataList:
+ items:
+ $ref: '#/components/schemas/projectMetadata'
+ type: array
+ projectRevisionHooks:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionHook'
+ type: array
+ projectRevisionIdentitySchemas:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionIdentitySchema'
+ type: array
+ projectRevisionThirdPartyLoginProviders:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevisionThirdPartyProvider'
+ type: array
+ projectRevisions:
+ items:
+ $ref: '#/components/schemas/normalizedProjectRevision'
+ type: array
+ projectServiceIdentity:
+ example:
+ config: "{}"
+ properties:
+ config:
+ type: object
+ required:
+ - config
+ type: object
+ projectServiceOAuth2:
+ example:
+ config: "{}"
+ properties:
+ config:
+ type: object
+ required:
+ - config
+ type: object
+ projectServicePermission:
+ example:
+ config: "{}"
+ properties:
+ config:
+ type: object
+ required:
+ - config
+ type: object
+ projectServices:
+ example:
+ identity:
+ config: "{}"
+ permission:
+ config: "{}"
+ oauth2:
+ config: "{}"
+ properties:
+ identity:
+ $ref: '#/components/schemas/projectServiceIdentity'
+ oauth2:
+ $ref: '#/components/schemas/projectServiceOAuth2'
+ permission:
+ $ref: '#/components/schemas/projectServicePermission'
+ type: object
+ projects:
+ items:
+ $ref: '#/components/schemas/project'
+ type: array
+ quotaUsage:
+ properties:
+ additional_price:
+ description: The additional price per unit in cents.
+ format: int64
+ type: integer
+ can_use_more:
+ type: boolean
+ feature:
+ description: |2-
+
+ region_eu RegionEU
+ region_us RegionUS
+ region_apac RegionAPAC
+ region_global RegionGlobal
+ production_projects ProductionProjects
+ daily_active_users DailyActiveUsers
+ custom_domains CustomDomains
+ event_streams EventStreams
+ sla SLA
+ collaborator_seats CollaboratorSeats
+ edge_cache EdgeCache
+ branding_themes BrandingThemes
+ zendesk_support ZendeskSupport
+ project_metrics ProjectMetrics
+ project_metrics_time_window ProjectMetricsTimeWindow
+ project_metrics_events_history ProjectMetricsEventsHistory
+ organizations Organizations
+ rop_grant ResourceOwnerPasswordGrant
+ rate_limit_tier RateLimitTier
+ session_rate_limit_tier RateLimitTierSessions
+ identities_list_rate_limit_tier RateLimitTierIdentitiesList
+ enum:
+ - region_eu
+ - region_us
+ - region_apac
+ - region_global
+ - production_projects
+ - daily_active_users
+ - custom_domains
+ - event_streams
+ - sla
+ - collaborator_seats
+ - edge_cache
+ - branding_themes
+ - zendesk_support
+ - project_metrics
+ - project_metrics_time_window
+ - project_metrics_events_history
+ - organizations
+ - rop_grant
+ - rate_limit_tier
+ - session_rate_limit_tier
+ - identities_list_rate_limit_tier
+ type: string
+ x-go-enum-desc: |-
+ region_eu RegionEU
+ region_us RegionUS
+ region_apac RegionAPAC
+ region_global RegionGlobal
+ production_projects ProductionProjects
+ daily_active_users DailyActiveUsers
+ custom_domains CustomDomains
+ event_streams EventStreams
+ sla SLA
+ collaborator_seats CollaboratorSeats
+ edge_cache EdgeCache
+ branding_themes BrandingThemes
+ zendesk_support ZendeskSupport
+ project_metrics ProjectMetrics
+ project_metrics_time_window ProjectMetricsTimeWindow
+ project_metrics_events_history ProjectMetricsEventsHistory
+ organizations Organizations
+ rop_grant ResourceOwnerPasswordGrant
+ rate_limit_tier RateLimitTier
+ session_rate_limit_tier RateLimitTierSessions
+ identities_list_rate_limit_tier RateLimitTierIdentitiesList
+ feature_available:
+ type: boolean
+ included:
+ format: int64
+ type: integer
+ used:
+ format: int64
+ type: integer
+ required:
+ - additional_price
+ - can_use_more
+ - feature
+ - feature_available
+ - included
+ - used
+ type: object
+ recoveryCodeForIdentity:
+ description: Used when an administrator creates a recovery code for an identity.
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ recovery_code: recovery_code
+ recovery_link: recovery_link
+ properties:
+ expires_at:
+ description: |-
+ Expires At is the timestamp of when the recovery flow expires
+
+ The timestamp when the recovery code expires.
+ format: date-time
+ type: string
+ recovery_code:
+ description: RecoveryCode is the code that can be used to recover the account
+ type: string
+ recovery_link:
+ description: |-
+ RecoveryLink with flow
+
+ This link opens the recovery UI with an empty `code` field.
+ type: string
+ required:
+ - recovery_code
+ - recovery_link
+ title: Recovery Code for Identity
+ type: object
+ recoveryFlow:
+ description: |-
+ This request is used when an identity wants to recover their account.
+
+ We recommend reading the [Account Recovery Documentation](../self-service/flows/password-reset-account-recovery)
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ continue_with:
+ - null
+ - null
+ active: active
+ return_to: return_to
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: ""
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ properties:
+ active:
+ description: |-
+ Active, if set, contains the recovery method that is being used. It is initially
+ not set.
+ type: string
+ continue_with:
+ description: Contains possible actions that could follow this flow
+ items:
+ $ref: '#/components/schemas/continueWith'
+ type: array
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the request expires. If the user still wishes to update the setting,
+ a new request has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the request's unique ID. When performing the recovery flow, this
+ represents the id in the recovery ui's query parameter: http://?request=
+ format: uuid
+ type: string
+ issued_at:
+ description: IssuedAt is the time (UTC) when the request occurred.
+ format: date-time
+ type: string
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ state:
+ description: |-
+ State represents the state of this request:
+
+ choose_method: ask the user to choose a method (e.g. recover account via email)
+ sent_email: the email has been sent to the user
+ passed_challenge: the request was successful and the recovery challenge was passed.
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ required:
+ - expires_at
+ - id
+ - issued_at
+ - request_url
+ - state
+ - type
+ - ui
+ title: A Recovery Flow
+ type: object
+ recoveryFlowState:
+ description: |-
+ The state represents the state of the recovery flow.
+
+ choose_method: ask the user to choose a method (e.g. recover account via email)
+ sent_email: the email has been sent to the user
+ passed_challenge: the request was successful and the recovery challenge was passed.
+ enum:
+ - choose_method
+ - sent_email
+ - passed_challenge
+ title: Recovery Flow State
+ type: string
+ recoveryIdentityAddress:
+ example:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ properties:
+ created_at:
+ description: CreatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ id:
+ format: uuid
+ type: string
+ updated_at:
+ description: UpdatedAt is a helper struct field for gobuffalo.pop.
+ format: date-time
+ type: string
+ value:
+ type: string
+ via:
+ title: RecoveryAddressType must not exceed 16 characters as that is the
+ limitation in the SQL Schema.
+ type: string
+ required:
+ - id
+ - value
+ - via
+ type: object
+ recoveryLinkForIdentity:
+ description: Used when an administrator creates a recovery link for an identity.
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ recovery_link: recovery_link
+ properties:
+ expires_at:
+ description: |-
+ Recovery Link Expires At
+
+ The timestamp when the recovery link expires.
+ format: date-time
+ type: string
+ recovery_link:
+ description: |-
+ Recovery Link
+
+ This link can be used to recover the account.
+ type: string
+ required:
+ - recovery_link
+ title: Identity Recovery Link
+ type: object
+ registrationFlow:
+ example:
+ active: null
+ return_to: return_to
+ session_token_exchange_code: session_token_exchange_code
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ oauth2_login_request:
+ requested_access_token_audience:
+ - requested_access_token_audience
+ - requested_access_token_audience
+ subject: subject
+ oidc_context:
+ login_hint: login_hint
+ ui_locales:
+ - ui_locales
+ - ui_locales
+ id_token_hint_claims:
+ key: ""
+ acr_values:
+ - acr_values
+ - acr_values
+ display: display
+ challenge: challenge
+ client:
+ metadata: "{}"
+ token_endpoint_auth_signing_alg: token_endpoint_auth_signing_alg
+ client_uri: client_uri
+ jwt_bearer_grant_access_token_lifespan: jwt_bearer_grant_access_token_lifespan
+ jwks: ""
+ logo_uri: logo_uri
+ created_at: 2000-01-23T04:56:07.000+00:00
+ registration_client_uri: registration_client_uri
+ allowed_cors_origins:
+ - allowed_cors_origins
+ - allowed_cors_origins
+ refresh_token_grant_access_token_lifespan: refresh_token_grant_access_token_lifespan
+ registration_access_token: registration_access_token
+ client_id: client_id
+ token_endpoint_auth_method: client_secret_basic
+ userinfo_signed_response_alg: userinfo_signed_response_alg
+ authorization_code_grant_id_token_lifespan: authorization_code_grant_id_token_lifespan
+ authorization_code_grant_refresh_token_lifespan: authorization_code_grant_refresh_token_lifespan
+ client_credentials_grant_access_token_lifespan: client_credentials_grant_access_token_lifespan
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ scope: scope1 scope-2 scope.3 scope:4
+ request_uris:
+ - request_uris
+ - request_uris
+ client_secret: client_secret
+ backchannel_logout_session_required: true
+ backchannel_logout_uri: backchannel_logout_uri
+ client_name: client_name
+ policy_uri: policy_uri
+ owner: owner
+ skip_consent: true
+ audience:
+ - audience
+ - audience
+ authorization_code_grant_access_token_lifespan: authorization_code_grant_access_token_lifespan
+ post_logout_redirect_uris:
+ - post_logout_redirect_uris
+ - post_logout_redirect_uris
+ grant_types:
+ - grant_types
+ - grant_types
+ subject_type: subject_type
+ refresh_token_grant_refresh_token_lifespan: refresh_token_grant_refresh_token_lifespan
+ redirect_uris:
+ - redirect_uris
+ - redirect_uris
+ sector_identifier_uri: sector_identifier_uri
+ frontchannel_logout_session_required: true
+ frontchannel_logout_uri: frontchannel_logout_uri
+ refresh_token_grant_id_token_lifespan: refresh_token_grant_id_token_lifespan
+ implicit_grant_id_token_lifespan: implicit_grant_id_token_lifespan
+ client_secret_expires_at: 0
+ implicit_grant_access_token_lifespan: implicit_grant_access_token_lifespan
+ access_token_strategy: access_token_strategy
+ jwks_uri: jwks_uri
+ request_object_signing_alg: request_object_signing_alg
+ tos_uri: tos_uri
+ contacts:
+ - contacts
+ - contacts
+ response_types:
+ - response_types
+ - response_types
+ session_id: session_id
+ skip: true
+ request_url: request_url
+ requested_scope:
+ - requested_scope
+ - requested_scope
+ transient_payload: "{}"
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ oauth2_login_challenge: oauth2_login_challenge
+ organization_id: organization_id
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: ""
+ properties:
+ active:
+ $ref: '#/components/schemas/identityCredentialsType'
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to log in,
+ a new flow has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the flow's unique ID. When performing the registration flow, this
+ represents the id in the registration ui's query parameter: http:///?flow=
+ format: uuid
+ type: string
+ issued_at:
+ description: IssuedAt is the time (UTC) when the flow occurred.
+ format: date-time
+ type: string
+ oauth2_login_challenge:
+ description: |-
+ Ory OAuth 2.0 Login Challenge.
+
+ This value is set using the `login_challenge` query parameter of the registration and login endpoints.
+ If set will cooperate with Ory OAuth2 and OpenID to act as an OAuth2 server / OpenID Provider.
+ type: string
+ oauth2_login_request:
+ $ref: '#/components/schemas/oAuth2LoginRequest'
+ organization_id:
+ format: uuid4
+ nullable: true
+ type: string
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ session_token_exchange_code:
+ description: |-
+ SessionTokenExchangeCode holds the secret code that the client can use to retrieve a session token after the flow has been completed.
+ This is only set if the client has requested a session token exchange code, and if the flow is of type "api",
+ and only on creating the flow.
+ type: string
+ state:
+ description: |-
+ State represents the state of this request:
+
+ choose_method: ask the user to choose a method (e.g. registration with email)
+ sent_email: the email has been sent to the user
+ passed_challenge: the request was successful and the registration challenge was passed.
+ transient_payload:
+ description: TransientPayload is used to pass data from the registration
+ to a webhook
+ type: object
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ required:
+ - expires_at
+ - id
+ - issued_at
+ - request_url
+ - state
+ - type
+ - ui
+ type: object
+ registrationFlowState:
+ description: |-
+ choose_method: ask the user to choose a method (e.g. registration with email)
+ sent_email: the email has been sent to the user
+ passed_challenge: the request was successful and the registration challenge was passed.
+ enum:
+ - choose_method
+ - sent_email
+ - passed_challenge
+ title: 'State represents the state of this request:'
+ type: string
+ rejectOAuth2Request:
+ properties:
+ error:
+ description: |-
+ The error should follow the OAuth2 error format (e.g. `invalid_request`, `login_required`).
+
+ Defaults to `request_denied`.
+ type: string
+ error_debug:
+ description: |-
+ Debug contains information to help resolve the problem as a developer. Usually not exposed
+ to the public but only in the server logs.
+ type: string
+ error_description:
+ description: Description of the error in a human readable format.
+ type: string
+ error_hint:
+ description: Hint to help resolve the error.
+ type: string
+ status_code:
+ description: |-
+ Represents the HTTP status code of the error (e.g. 401 or 403)
+
+ Defaults to 400
+ format: int64
+ type: integer
+ title: The request payload used to accept a login or consent request.
+ type: object
+ relationQuery:
+ description: Relation Query
+ properties:
+ namespace:
+ description: Namespace to query
+ type: string
+ object:
+ description: Object to query
+ type: string
+ relation:
+ description: Relation to query
+ type: string
+ subject_id:
+ description: |-
+ SubjectID to query
+
+ Either SubjectSet or SubjectID can be provided.
+ type: string
+ subject_set:
+ $ref: '#/components/schemas/subjectSet'
+ type: object
+ relationship:
+ description: Relationship
+ example:
+ subject_id: subject_id
+ namespace: namespace
+ object: object
+ relation: relation
+ subject_set:
+ namespace: namespace
+ object: object
+ relation: relation
+ properties:
+ namespace:
+ description: Namespace of the Relation Tuple
+ type: string
+ object:
+ description: Object of the Relation Tuple
+ type: string
+ relation:
+ description: Relation of the Relation Tuple
+ type: string
+ subject_id:
+ description: |-
+ SubjectID of the Relation Tuple
+
+ Either SubjectSet or SubjectID can be provided.
+ type: string
+ subject_set:
+ $ref: '#/components/schemas/subjectSet'
+ required:
+ - namespace
+ - object
+ - relation
+ type: object
+ relationshipNamespaces:
+ description: Relationship Namespace List
+ example:
+ namespaces:
+ - name: name
+ - name: name
+ properties:
+ namespaces:
+ items:
+ $ref: '#/components/schemas/namespace'
+ type: array
+ type: object
+ relationshipPatch:
+ description: Payload for patching a relationship
+ properties:
+ action:
+ enum:
+ - insert
+ - delete
+ type: string
+ x-go-enum-desc: |-
+ insert ActionInsert
+ delete ActionDelete
+ relation_tuple:
+ $ref: '#/components/schemas/relationship'
+ type: object
+ relationships:
+ description: Paginated Relationship List
+ example:
+ next_page_token: next_page_token
+ relation_tuples:
+ - subject_id: subject_id
+ namespace: namespace
+ object: object
+ relation: relation
+ subject_set:
+ namespace: namespace
+ object: object
+ relation: relation
+ - subject_id: subject_id
+ namespace: namespace
+ object: object
+ relation: relation
+ subject_set:
+ namespace: namespace
+ object: object
+ relation: relation
+ properties:
+ next_page_token:
+ description: |-
+ The opaque token to provide in a subsequent request
+ to get the next page. It is the empty string iff this is
+ the last page.
+ type: string
+ relation_tuples:
+ items:
+ $ref: '#/components/schemas/relationship'
+ type: array
+ type: object
+ revisionCourierChannels:
+ items:
+ $ref: '#/components/schemas/NormalizedProjectRevisionCourierChannel'
+ type: array
+ schemaPatch:
+ properties:
+ data:
+ description: The json schema
+ type: object
+ name:
+ description: The user defined schema name
+ type: string
+ required:
+ - data
+ - name
+ type: object
+ selfServiceFlowExpiredError:
+ description: Is sent when a flow is expired
+ properties:
+ error:
+ $ref: '#/components/schemas/genericError'
+ expired_at:
+ description: When the flow has expired
+ format: date-time
+ type: string
+ since:
+ description: |-
+ A Duration represents the elapsed time between two instants
+ as an int64 nanosecond count. The representation limits the
+ largest representable duration to approximately 290 years.
+ format: int64
+ type: integer
+ use_flow_id:
+ description: The flow ID that should be used for the new flow as it contains
+ the correct messages.
+ format: uuid
+ type: string
+ type: object
+ selfServiceFlowType:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ session:
+ description: A Session
+ example:
+ tokenized: tokenized
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ devices:
+ - location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ - location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ authentication_methods:
+ - completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ provider: provider
+ organization: organization
+ aal: null
+ - completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ provider: provider
+ organization: organization
+ aal: null
+ authenticator_assurance_level: null
+ identity:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: "{}"
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ organization_id: organization_id
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: "{}"
+ authenticated_at: 2000-01-23T04:56:07.000+00:00
+ active: true
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ properties:
+ active:
+ description: Active state. If false the session is no longer active.
+ type: boolean
+ authenticated_at:
+ description: |-
+ The Session Authentication Timestamp
+
+ When this session was authenticated at. If multi-factor authentication was used this
+ is the time when the last factor was authenticated (e.g. the TOTP code challenge was completed).
+ format: date-time
+ type: string
+ authentication_methods:
+ description: A list of authenticators which were used to authenticate the
+ session.
+ items:
+ $ref: '#/components/schemas/sessionAuthenticationMethod'
+ title: List of (Used) AuthenticationMethods
+ type: array
+ authenticator_assurance_level:
+ $ref: '#/components/schemas/authenticatorAssuranceLevel'
+ devices:
+ description: Devices has history of all endpoints where the session was
+ used
+ items:
+ $ref: '#/components/schemas/sessionDevice'
+ type: array
+ expires_at:
+ description: |-
+ The Session Expiry
+
+ When this session expires at.
+ format: date-time
+ type: string
+ id:
+ description: Session ID
+ format: uuid
+ type: string
+ identity:
+ $ref: '#/components/schemas/identity'
+ issued_at:
+ description: |-
+ The Session Issuance Timestamp
+
+ When this session was issued at. Usually equal or close to `authenticated_at`.
+ format: date-time
+ type: string
+ tokenized:
+ description: |-
+ Tokenized is the tokenized (e.g. JWT) version of the session.
+
+ It is only set when the `tokenize` query parameter was set to a valid tokenize template during calls to `/session/whoami`.
+ type: string
+ required:
+ - id
+ type: object
+ sessionAuthenticationMethod:
+ description: A singular authenticator used during authentication / login.
+ example:
+ completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ provider: provider
+ organization: organization
+ aal: null
+ properties:
+ aal:
+ $ref: '#/components/schemas/authenticatorAssuranceLevel'
+ completed_at:
+ description: When the authentication challenge was completed.
+ format: date-time
+ type: string
+ method:
+ enum:
+ - link_recovery
+ - code_recovery
+ - password
+ - code
+ - totp
+ - oidc
+ - webauthn
+ - lookup_secret
+ - v0.6_legacy_session
+ title: The method used
+ type: string
+ organization:
+ description: The Organization id used for authentication
+ type: string
+ provider:
+ description: OIDC or SAML provider id used for authentication
+ type: string
+ title: AuthenticationMethod identifies an authentication method
+ type: object
+ sessionAuthenticationMethods:
+ description: A list of authenticators which were used to authenticate the session.
+ items:
+ $ref: '#/components/schemas/sessionAuthenticationMethod'
+ title: List of (Used) AuthenticationMethods
+ type: array
+ sessionDevice:
+ description: Device corresponding to a Session
+ example:
+ location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ properties:
+ id:
+ description: Device record ID
+ format: uuid
+ type: string
+ ip_address:
+ description: IPAddress of the client
+ type: string
+ location:
+ description: Geo Location corresponding to the IP Address
+ type: string
+ user_agent:
+ description: UserAgent of the client
+ type: string
+ required:
+ - id
+ type: object
+ setActiveProjectInConsoleBody:
+ description: Set active project in the Ory Network Console Request Body
+ properties:
+ project_id:
+ description: |-
+ Project ID
+
+ The Project ID you want to set active.
+
+ format: uuid
+ type: string
+ required:
+ - project_id
+ type: object
+ setCustomDomainBody:
+ description: Update Custom Hostname Body
+ properties:
+ cookie_domain:
+ description: The domain where cookies will be set. Has to be a parent domain
+ of the custom hostname to work.
+ type: string
+ cors_allowed_origins:
+ description: CORS Allowed origins for the custom hostname.
+ items:
+ type: string
+ type: array
+ cors_enabled:
+ description: CORS Enabled for the custom hostname.
+ type: boolean
+ custom_ui_base_url:
+ description: The custom UI base URL where the UI will be exposed.
+ type: string
+ hostname:
+ description: The custom hostname where the API will be exposed.
+ type: string
+ type: object
+ setEventStreamBody:
+ description: Update Event Stream Body
+ properties:
+ role_arn:
+ description: The AWS IAM role ARN to assume when publishing to the SNS topic.
+ type: string
+ topic_arn:
+ description: The AWS SNS topic ARN.
+ type: string
+ type:
+ description: "The type of the event stream (AWS SNS, GCP Pub/Sub, etc)."
+ enum:
+ - sns
+ type: string
+ required:
+ - role_arn
+ - topic_arn
+ - type
+ type: object
+ setProject:
+ properties:
+ cors_admin:
+ $ref: '#/components/schemas/projectCors'
+ cors_public:
+ $ref: '#/components/schemas/projectCors'
+ name:
+ description: The name of the project.
+ type: string
+ services:
+ $ref: '#/components/schemas/projectServices'
+ required:
+ - cors_admin
+ - cors_public
+ - name
+ - services
+ type: object
+ setProjectBrandingThemeBody:
+ properties:
+ favicon_type:
+ description: Favicon Type
+ type: string
+ favicon_url:
+ description: Favicon URL
+ type: string
+ logo_type:
+ description: Logo type
+ type: string
+ logo_url:
+ description: Logo URL
+ type: string
+ name:
+ description: Branding name
+ type: string
+ theme:
+ $ref: '#/components/schemas/projectBrandingColors'
+ title: SetProjectBrandingThemeBody is the request body for the set project branding
+ theme endpoint.
+ type: object
+ settingsFlow:
+ description: |-
+ This flow is used when an identity wants to update settings
+ (e.g. profile data, passwords, ...) in a selfservice manner.
+
+ We recommend reading the [User Settings Documentation](../self-service/flows/user-settings)
+ example:
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ ui:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ identity:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: "{}"
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ organization_id: organization_id
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: "{}"
+ continue_with:
+ - null
+ - null
+ active: active
+ return_to: return_to
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: ""
+ type: type
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ request_url: request_url
+ properties:
+ active:
+ description: |-
+ Active, if set, contains the registration method that is being used. It is initially
+ not set.
+ type: string
+ continue_with:
+ description: |-
+ Contains a list of actions, that could follow this flow
+
+ It can, for example, contain a reference to the verification flow, created as part of the user's
+ registration.
+ items:
+ $ref: '#/components/schemas/continueWith'
+ type: array
+ expires_at:
+ description: |-
+ ExpiresAt is the time (UTC) when the flow expires. If the user still wishes to update the setting,
+ a new flow has to be initiated.
+ format: date-time
+ type: string
+ id:
+ description: |-
+ ID represents the flow's unique ID. When performing the settings flow, this
+ represents the id in the settings ui's query parameter: http://?flow=
+ format: uuid
+ type: string
+ identity:
+ $ref: '#/components/schemas/identity'
+ issued_at:
+ description: IssuedAt is the time (UTC) when the flow occurred.
+ format: date-time
+ type: string
+ request_url:
+ description: |-
+ RequestURL is the initial URL that was requested from Ory Kratos. It can be used
+ to forward information contained in the URL's path or query for example.
+ type: string
+ return_to:
+ description: ReturnTo contains the requested return_to URL.
+ type: string
+ state:
+ description: |-
+ State represents the state of this flow. It knows two states:
+
+ show_form: No user data has been collected, or it is invalid, and thus the form should be shown.
+ success: Indicates that the settings flow has been updated successfully with the provided data.
+ Done will stay true when repeatedly checking. If set to true, done will revert back to false only
+ when a flow with invalid (e.g. "please use a valid phone number") data was sent.
+ type:
+ description: The flow type can either be `api` or `browser`.
+ title: Type is the flow type.
+ type: string
+ ui:
+ $ref: '#/components/schemas/uiContainer'
+ required:
+ - expires_at
+ - id
+ - identity
+ - issued_at
+ - request_url
+ - state
+ - type
+ - ui
+ title: Flow represents a Settings Flow
+ type: object
+ settingsFlowState:
+ description: |-
+ show_form: No user data has been collected, or it is invalid, and thus the form should be shown.
+ success: Indicates that the settings flow has been updated successfully with the provided data.
+ Done will stay true when repeatedly checking. If set to true, done will revert back to false only
+ when a flow with invalid (e.g. "please use a valid phone number") data was sent.
+ enum:
+ - show_form
+ - success
+ title: 'State represents the state of this flow. It knows two states:'
+ type: string
+ stripeCustomer:
+ properties:
+ id:
+ type: string
+ type: object
+ subjectSet:
+ example:
+ namespace: namespace
+ object: object
+ relation: relation
+ properties:
+ namespace:
+ description: Namespace of the Subject Set
+ type: string
+ object:
+ description: Object of the Subject Set
+ type: string
+ relation:
+ description: Relation of the Subject Set
+ type: string
+ required:
+ - namespace
+ - object
+ - relation
+ type: object
+ subscription:
+ properties:
+ created_at:
+ format: date-time
+ readOnly: true
+ type: string
+ currency:
+ description: |-
+ The currency of the subscription. To change this, a new subscription must be created.
+ usd USD
+ eur Euro
+ enum:
+ - usd
+ - eur
+ readOnly: true
+ type: string
+ x-go-enum-desc: |-
+ usd USD
+ eur Euro
+ current_interval:
+ description: |-
+ The currently active interval of the subscription
+ monthly Monthly
+ yearly Yearly
+ enum:
+ - monthly
+ - yearly
+ readOnly: true
+ type: string
+ x-go-enum-desc: |-
+ monthly Monthly
+ yearly Yearly
+ current_plan:
+ description: The currently active plan of the subscription
+ readOnly: true
+ type: string
+ customer_id:
+ description: The ID of the stripe customer
+ readOnly: true
+ type: string
+ id:
+ description: The ID of the subscription
+ format: uuid
+ readOnly: true
+ type: string
+ interval_changes_to:
+ nullable: true
+ type: string
+ ongoing_stripe_checkout_id:
+ nullable: true
+ type: string
+ payed_until:
+ description: Until when the subscription is payed
+ format: date-time
+ readOnly: true
+ type: string
+ plan_changes_at:
+ format: date-time
+ type: string
+ plan_changes_to:
+ nullable: true
+ type: string
+ status:
+ description: |-
+ For `collection_method=charge_automatically` a subscription moves into `incomplete` if the initial payment attempt fails. A subscription in this state can only have metadata and default_source updated. Once the first invoice is paid, the subscription moves into an `active` state. If the first invoice is not paid within 23 hours, the subscription transitions to `incomplete_expired`. This is a terminal state, the open invoice will be voided and no further invoices will be generated.
+
+ A subscription that is currently in a trial period is `trialing` and moves to `active` when the trial period is over.
+
+ If subscription `collection_method=charge_automatically`, it becomes `past_due` when payment is required but cannot be paid (due to failed payment or awaiting additional user actions). Once Stripe has exhausted all payment retry attempts, the subscription will become `canceled` or `unpaid` (depending on your subscriptions settings).
+
+ If subscription `collection_method=send_invoice` it becomes `past_due` when its invoice is not paid by the due date, and `canceled` or `unpaid` if it is still not paid by an additional deadline after that. Note that when a subscription has a status of `unpaid`, no subsequent invoices will be attempted (invoices will be created, but then immediately automatically closed). After receiving updated payment information from a customer, you may choose to reopen and pay their closed invoices.
+ title: "Possible values are `incomplete`, `incomplete_expired`, `trialing`,\
+ \ `active`, `past_due`, `canceled`, or `unpaid`."
+ type: string
+ updated_at:
+ format: date-time
+ readOnly: true
+ type: string
+ required:
+ - created_at
+ - currency
+ - current_interval
+ - current_plan
+ - customer_id
+ - id
+ - interval_changes_to
+ - payed_until
+ - plan_changes_to
+ - status
+ - updated_at
+ type: object
+ successfulCodeExchangeResponse:
+ description: The Response for Registration Flows via API
+ properties:
+ session:
+ $ref: '#/components/schemas/session'
+ session_token:
+ description: |-
+ The Session Token
+
+ A session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization
+ Header:
+
+ Authorization: bearer ${session-token}
+
+ The session token is only issued for API flows, not for Browser flows!
+ type: string
+ required:
+ - session
+ type: object
+ successfulNativeLogin:
+ description: The Response for Login Flows via API
+ example:
+ session_token: session_token
+ session:
+ tokenized: tokenized
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ devices:
+ - location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ - location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ authentication_methods:
+ - completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ provider: provider
+ organization: organization
+ aal: null
+ - completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ provider: provider
+ organization: organization
+ aal: null
+ authenticator_assurance_level: null
+ identity:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: "{}"
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ organization_id: organization_id
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: "{}"
+ authenticated_at: 2000-01-23T04:56:07.000+00:00
+ active: true
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ properties:
+ session:
+ $ref: '#/components/schemas/session'
+ session_token:
+ description: |-
+ The Session Token
+
+ A session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization
+ Header:
+
+ Authorization: bearer ${session-token}
+
+ The session token is only issued for API flows, not for Browser flows!
+ type: string
+ required:
+ - session
+ type: object
+ successfulNativeRegistration:
+ description: The Response for Registration Flows via API
+ example:
+ session_token: session_token
+ identity:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: "{}"
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ organization_id: organization_id
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: "{}"
+ session:
+ tokenized: tokenized
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ devices:
+ - location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ - location: location
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ ip_address: ip_address
+ user_agent: user_agent
+ authentication_methods:
+ - completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ provider: provider
+ organization: organization
+ aal: null
+ - completed_at: 2000-01-23T04:56:07.000+00:00
+ method: link_recovery
+ provider: provider
+ organization: organization
+ aal: null
+ authenticator_assurance_level: null
+ identity:
+ traits: ""
+ credentials:
+ key:
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ identifiers:
+ - identifiers
+ - identifiers
+ created_at: 2000-01-23T04:56:07.000+00:00
+ type: null
+ config: "{}"
+ version: 0
+ state_changed_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ recovery_addresses:
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ - updated_at: 2000-01-23T04:56:07.000+00:00
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ via: via
+ metadata_admin: "{}"
+ updated_at: 2000-01-23T04:56:07.000+00:00
+ verifiable_addresses:
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ - updated_at: 2014-01-01T23:28:56.782Z
+ verified_at: 2000-01-23T04:56:07.000+00:00
+ verified: true
+ created_at: 2014-01-01T23:28:56.782Z
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ value: value
+ status: status
+ via: email
+ organization_id: organization_id
+ schema_id: schema_id
+ schema_url: schema_url
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ state: null
+ metadata_public: "{}"
+ authenticated_at: 2000-01-23T04:56:07.000+00:00
+ active: true
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ issued_at: 2000-01-23T04:56:07.000+00:00
+ continue_with:
+ - null
+ - null
+ properties:
+ continue_with:
+ description: |-
+ Contains a list of actions, that could follow this flow
+
+ It can, for example, this will contain a reference to the verification flow, created as part of the user's
+ registration or the token of the session.
+ items:
+ $ref: '#/components/schemas/continueWith'
+ type: array
+ identity:
+ $ref: '#/components/schemas/identity'
+ session:
+ $ref: '#/components/schemas/session'
+ session_token:
+ description: |-
+ The Session Token
+
+ This field is only set when the session hook is configured as a post-registration hook.
+
+ A session token is equivalent to a session cookie, but it can be sent in the HTTP Authorization
+ Header:
+
+ Authorization: bearer ${session-token}
+
+ The session token is only issued for API flows, not for Browser flows!
+ type: string
+ required:
+ - identity
+ type: object
+ successfulProjectUpdate:
+ example:
+ warnings:
+ - code: 0
+ message: message
+ - code: 0
+ message: message
+ project:
+ workspace_id: workspace_id
+ name: name
+ cors_admin:
+ origins:
+ - origins
+ - origins
+ enabled: true
+ id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ services:
+ identity:
+ config: "{}"
+ permission:
+ config: "{}"
+ oauth2:
+ config: "{}"
+ state: running
+ cors_public:
+ origins:
+ - origins
+ - origins
+ enabled: true
+ slug: slug
+ revision_id: 046b6c7f-0b8a-43b9-b35d-6489e6daee91
+ properties:
+ project:
+ $ref: '#/components/schemas/project'
+ warnings:
+ description: |-
+ Import Warnings
+
+ Not all configuration items can be imported to the Ory Network. For example,
+ setting the port does not make sense because the Ory Network provides the runtime
+ and networking.
+
+ This field contains warnings where configuration keys were found but can not
+ be imported. These keys will be ignored by the Ory Network. This field will help
+ you understand why certain configuration keys might not be respected!
+ items:
+ $ref: '#/components/schemas/Warning'
+ type: array
+ required:
+ - project
+ - warnings
+ type: object
+ tokenPagination:
+ properties:
+ page_size:
+ default: 250
+ description: |-
+ Items per page
+
+ This is the number of items per page to return.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ format: int64
+ maximum: 1000
+ minimum: 1
+ type: integer
+ page_token:
+ default: "1"
+ description: |-
+ Next Page Token
+
+ The next page token.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ minimum: 1
+ type: string
+ type: object
+ tokenPaginationHeaders:
+ properties:
+ link:
+ description: |-
+ The link header contains pagination links.
+
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+
+ in: header
+ type: string
+ x-total-count:
+ description: |-
+ The total number of clients.
+
+ in: header
+ type: string
+ type: object
+ tokenPaginationRequestParameters:
+ description: |-
+ The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as:
+ `; rel="{page}"`
+
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ properties:
+ page_size:
+ default: 250
+ description: |-
+ Items per Page
+
+ This is the number of items per page to return.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ format: int64
+ maximum: 500
+ minimum: 1
+ type: integer
+ page_token:
+ default: "1"
+ description: |-
+ Next Page Token
+
+ The next page token.
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ minimum: 1
+ type: string
+ title: Pagination Request Parameters
+ type: object
+ tokenPaginationResponseHeaders:
+ description: |-
+ The `Link` HTTP header contains multiple links (`first`, `next`, `last`, `previous`) formatted as:
+ `; rel="{page}"`
+
+ For details on pagination please head over to the [pagination documentation](https://www.ory.sh/docs/ecosystem/api-design#pagination).
+ properties:
+ link:
+ description: |-
+ The Link HTTP Header
+
+ The `Link` header contains a comma-delimited list of links to the following pages:
+
+ first: The first page of results.
+ next: The next page of results.
+ prev: The previous page of results.
+ last: The last page of results.
+
+ Pages are omitted if they do not exist. For example, if there is no next page, the `next` link is omitted. Examples:
+
+ ; rel="first",; rel="next",; rel="prev",; rel="last"
+ type: string
+ x-total-count:
+ description: |-
+ The X-Total-Count HTTP Header
+
+ The `X-Total-Count` header contains the total number of items in the collection.
+ format: int64
+ type: integer
+ title: Pagination Response Header
+ type: object
+ trustOAuth2JwtGrantIssuer:
+ description: Trust OAuth2 JWT Bearer Grant Type Issuer Request Body
+ properties:
+ allow_any_subject:
+ description: The "allow_any_subject" indicates that the issuer is allowed
+ to have any principal as the subject of the JWT.
+ type: boolean
+ expires_at:
+ description: "The \"expires_at\" indicates, when grant will expire, so we\
+ \ will reject assertion from \"issuer\" targeting \"subject\"."
+ format: date-time
+ type: string
+ issuer:
+ description: The "issuer" identifies the principal that issued the JWT assertion
+ (same as "iss" claim in JWT).
+ example: https://jwt-idp.example.com
+ type: string
+ jwk:
+ $ref: '#/components/schemas/jsonWebKey'
+ scope:
+ description: "The \"scope\" contains list of scope values (as described\
+ \ in Section 3.3 of OAuth 2.0 [RFC6749])"
+ example:
+ - openid
+ - offline
+ items:
+ type: string
+ type: array
+ subject:
+ description: The "subject" identifies the principal that is the subject
+ of the JWT.
+ example: mike@example.com
+ type: string
+ required:
+ - expires_at
+ - issuer
+ - jwk
+ - scope
+ type: object
+ trustedOAuth2JwtGrantIssuer:
+ description: OAuth2 JWT Bearer Grant Type Issuer Trust Relationship
+ example:
+ public_key:
+ set: https://jwt-idp.example.com
+ kid: 123e4567-e89b-12d3-a456-426655440000
+ expires_at: 2000-01-23T04:56:07.000+00:00
+ subject: mike@example.com
+ scope:
+ - openid
+ - offline
+ created_at: 2000-01-23T04:56:07.000+00:00
+ id: 9edc811f-4e28-453c-9b46-4de65f00217f
+ allow_any_subject: true
+ issuer: https://jwt-idp.example.com
+ properties:
+ allow_any_subject:
+ description: The "allow_any_subject" indicates that the issuer is allowed
+ to have any principal as the subject of the JWT.
+ type: boolean
+ created_at:
+ description: "The \"created_at\" indicates, when grant was created."
+ format: date-time
+ type: string
+ expires_at:
+ description: "The \"expires_at\" indicates, when grant will expire, so we\
+ \ will reject assertion from \"issuer\" targeting \"subject\"."
+ format: date-time
+ type: string
+ id:
+ example: 9edc811f-4e28-453c-9b46-4de65f00217f
+ type: string
+ issuer:
+ description: The "issuer" identifies the principal that issued the JWT assertion
+ (same as "iss" claim in JWT).
+ example: https://jwt-idp.example.com
+ type: string
+ public_key:
+ $ref: '#/components/schemas/trustedOAuth2JwtGrantJsonWebKey'
+ scope:
+ description: "The \"scope\" contains list of scope values (as described\
+ \ in Section 3.3 of OAuth 2.0 [RFC6749])"
+ example:
+ - openid
+ - offline
+ items:
+ type: string
+ type: array
+ subject:
+ description: The "subject" identifies the principal that is the subject
+ of the JWT.
+ example: mike@example.com
+ type: string
+ type: object
+ trustedOAuth2JwtGrantIssuers:
+ description: OAuth2 JWT Bearer Grant Type Issuer Trust Relationships
+ items:
+ $ref: '#/components/schemas/trustedOAuth2JwtGrantIssuer'
+ type: array
+ trustedOAuth2JwtGrantJsonWebKey:
+ description: OAuth2 JWT Bearer Grant Type Issuer Trusted JSON Web Key
+ example:
+ set: https://jwt-idp.example.com
+ kid: 123e4567-e89b-12d3-a456-426655440000
+ properties:
+ kid:
+ description: The "key_id" is key unique identifier (same as kid header in
+ jws/jwt).
+ example: 123e4567-e89b-12d3-a456-426655440000
+ type: string
+ set:
+ description: The "set" is basically a name for a group(set) of keys. Will
+ be the same as "issuer" in grant.
+ example: https://jwt-idp.example.com
+ type: string
+ type: object
+ uiContainer:
+ description: Container represents a HTML Form. The container can work with both
+ HTTP Form and JSON requests
+ example:
+ nodes:
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ - meta:
+ label:
+ context: "{}"
+ id: 0
+ text: text
+ type: info
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ attributes: null
+ type: text
+ group: default
+ method: method
+ action: action
+ messages:
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ - context: "{}"
+ id: 0
+ text: text
+ type: info
+ properties:
+ action:
+ description: "Action should be used as the form action URL `